Question ModSecurity - How to build an IP block list?

alvesjc

Basic Pleskian
Hello all,

Since I've moved to Cloudflare, I've lost the ability to block malicious IP sources from known lists with Ubuntu iptables.

I've found this info about adding IPs to block.

https://www.codeproject.com/Articles/574935/BlockplusIPplususingplusModSecurity

Is it possible to integrate this with the WAF provided in Plesk?

For now I have it running with a Comodo account, but it would be great to restore the ability to block bad IP sources from my site again.

Help appreciated.

my system info:

  • OS: Ubuntu 16.04.3 LTS
  • Product: Plesk Onyx 17.5.3 Update #39, last updated at Feb 4, 2018 11:23 PM
  • Checked at Feb 4, 2018 07:29 AM.
 
Hello, you can still block malicious IPs with fail2ban and Cloudflare: Can I still use fail2ban while using Cloudflare?
You just have to create a file /etc/nginx/conf.d/cloudflare.conf with the following content to restore the visitor's real IP:

Code:
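# Accept a forwarded client address only from these Cloudflare ranges.
# The published list changes over time; compare with https://www.cloudflare.com/ips/
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;
# Header in which Cloudflare passes the visitor address.
# Without this directive nginx reads X-Real-IP by default.
real_ip_header CF-Connecting-IP;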

Additionally, there is a fail2ban action available to automatically block an IP with iptables and Cloudflare at the same time: Adding Cloudflare support to fail2ban | Le Blog
 
Hi Virtubox.

Thank you for your inputs.

That is very nice, I'll set up the API also.

But Cloudflare limits the CIDR to /16 or /24 subnets.
In my list I have a lot of /11 subnets to block and many other different subnets.

Is it possible to block this address list with 66k entries in nginx reliably and without much impact on performance?
 
Block those IPs directly with fail2ban on your server; it will set all iptables rules properly. But even if you block them only with Nginx, it should not impact your server performance, because nginx will directly display a 403 Forbidden for a blocked IP.

You can also add some jails to ban IPs by checking the nginx access logs (for example, too many 404 errors mean directory brute-forcing). There is a nice tutorial available here: How to Secure an nginx Server with Fail2Ban
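
Added example, not part of the original thread: one way to load a large CIDR list into nginx, which the replies leave unspecified. It validates and merges the entries, then writes them as a `geo` block, which nginx stores in a radix tree. The variable name `$blocked_ip` is hypothetical and the sample addresses are constructed from documentation ranges.

```python
"""Turn a CIDR blocklist into an nginx `geo` block (added example)."""
import ipaddress


def parse_blocklist(lines):
    """Return (networks, rejected); accepts 'a.b.c.d' or 'a.b.c.d/nn' per line."""
    networks, rejected = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not entry:
            continue
        try:
            # strict=False normalises host bits: 10.1.2.3/8 -> 10.0.0.0/8
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)             # report, never emit, bad lines
    return networks, rejected


def collapse(networks):
    """Merge adjacent and overlapping ranges, keeping IPv4 and IPv6 apart."""
    merged = []
    for version in (4, 6):
        same = [n for n in networks if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    return merged


def render_geo(networks, variable="$blocked_ip"):
    """Render a geo block; the variable is 1 for listed clients, else 0."""
    body = "".join(f"    {net} 1;\n" for net in networks)
    return f"geo {variable} {{\n    default 0;\n{body}}}\n"


# Constructed sample input using documentation address ranges.
SAMPLE = """
198.51.100.0/25      # two halves of one /24
198.51.100.128/25
203.0.113.7
203.0.113.0/24       # already covers the single host above
2001:db8::/32
not-an-ip
"""

if __name__ == "__main__":
    nets, bad = parse_blocklist(SAMPLE.splitlines())
    print(render_geo(collapse(nets)), end="")
    print("# rejected:", bad)
```

Save the output as a file under /etc/nginx/conf.d/ so it loads in the http context, and add `if ($blocked_ip) { return 403; }` to the server block. `geo` matches on `$remote_addr`, so with the real-IP settings above it sees the visitor address rather than the Cloudflare edge.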
 