Resolved No access to Plesk, ssh and sftp

[RaHa]

Big mistake – I changed to cable provider with dynamic IP address and forgot to change the IP Access Restriction Management - now I have no access to Plesk, ssh and stfp. I have access to Power Panel and via PHP-file and mysql commands I changed the psa DB, but access is further blocked. What can/must I do more?

PHP-file:
$ShellCmd="mysql -uadmin -p`cat psa.shadow` psa -e \"DELETE from psa.cp_access\" 2>&1 >> mylog &";
$ShellFlag=shell_exec($ShellCmd);

$ShellCmd="mysql -uadmin -p`cat psa.shadow` psa -e \"UPDATE psa.misc set val='allow' where param='access_policy'\" 2>&1 >> mylog &";
$ShellFlag=shell_exec($ShellCmd);

$ShellCmd="mysql -uadmin -p`cat psa.shadow` -e \"SELECT * from psa.cp_access\" 2>&1 >> mylog &";
$ShellFlag=shell_exec($ShellCmd);
$ShellCmd="mysql -uadmin -p`cat psa.shadow` -e \"SELECT * from psa.misc\" 2>&1 >> mylog &";
$ShellFlag=shell_exec($ShellCmd);

content mylog:
param val
access_policy allow
...

Thanks!

 

[MarkM]

Have you tried just inserting your new IP via MySQL?

Bottom of this KB has the command;

Unable to log in to Plesk: Access for administrator from address 203.0.113.2 is restricted in accordance with IP Access restriction policy currently applied

 

[RaHa]

SSH is also blocked to send plesk admin --add-allowed-ip xxx.xxx.x.x

PHP is not possible, why sh: plesk: command not found
$ShellCmd="plesk admin --add-allowed-ip xxx.xxx.x.x 2>&1 >> mylog &";
$ShellFlag=shell_exec($ShellCmd);

psa.cp_access is empty
access_policy in psa.misc is allow

psa is restarted, it should works, but I get no access.
My current remote ip address is blocked. How is the ip address blocked, where can I modify this (access via Power Panel)?

 

[RaHa]

The problem is that tcp,ssh an so on is blocked in iptables.
I can modify /usr/local/psa/var/modules/firewall/firewall-active.sh, but how to start "/etc/init.d/psa-firewall restart" in PowerShell?

Thanks!

 

[MarkM]

Could you modify like a cron to kick it off?

 

[RaHa]

Only modified the iptables helps.

I do it via PHP because I have no other access (ports 12443, 11443, 11444, 8443, 8447, 8080, 21, 22, 110, 995, 106, 3306 was only allowed for old ip address)

Logon in Power Panel - FileManager

Goto /var/www/vhost/domain/ where you have access via PHP
Greate a file doscript.php, content:
<?php
$errstr=exec ("sudo /var/www/vhost/domain/doroot.sh");
echo $errstr."<br>";
?>

Goto /etc and download sudoers
Put at the end of the file: ALL ALL=NOPASSWD: /var/www/vhost/domain/doroot.sh
upload sudoers
(/var/www/vhost/domain/doroot.sh works now as user root, started from PHP/Apache with other user)

Goto /var/www/vhost/domain/ and create a script doroot.sh with content: /sbin/iptables -L --line-numbers 2>&1 > mylog &
Go in browser and load url: http://domain/doscript.php
Have a look to url: http://domain/mylog and find the line where you must input the new-ip-address

Modify file doroot.sh for example:
#
/sbin/iptables -I INPUT 33 -p tcp --dport 8443 -s new-ip-address -j ACCEPT
#/sbin/iptables -L --line-numbers 2>&1 > mylog &

Reload in browser - url: http://domain/doscript.php

Modify file doroot.sh to:
#
#/sbin/iptables -I INPUT 33 -p tcp --dport 8443 -s newipaddress -j ACCEPT
/sbin/iptables -L --line-numbers 2>&1 > mylog &

Reload in browser - url: http://domain/doscript.php
Reload in browser - http://domain/mylog and look for input is do

Modify file doroot.sh to:
#
#/sbin/iptables -I INPUT 33 -p tcp --dport 8443 -s newipaddress -j ACCEPT
#/sbin/iptables -L --line-numbers 2>&1 > mylog &
mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa -e "DELETE from psa.cp_access;"
mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa -e "UPDATE psa.misc set val='allow' where param='access_policy'"
mysql -uadmin -p`cat /etc/psa/.psa.shadow` -e "SELECT * from psa.cp_access" 2>&1 > mylog &
mysql -uadmin -p`cat /etc/psa/.psa.shadow` -e "SELECT * from psa.misc" 2>&1 >> mylog &

Reload in browser - url: http://domain/doscript.php
Reload in browser - http://domain/mylog and look for psa.cp_access isempty and if param 'access_policy'" val is set to 'allow'

Start in browser https://domain:8443 and modify the firewall