
Plesk 11 firewall problem

SauliusZ

Basic Pleskian
I'm using the default Plesk 11 firewall on CentOS 6. At first it was OK, but I can't apply a new configuration now. It takes about 15 minutes and all I get is an "Unable to connect" page.
Could it be that I have added too many IPs? Because the more I added, the longer it would take to apply the configuration. Now I think I have more than half a thousand IPs...
 
The rest of the world suffers from a shortage of real IP addresses, and you added more than 500. Where did you get so many dedicated IP addresses? )

Anyway, it looks like a timeout issue. So you need to find what kind of third-party software cannot connect.
First of all, check /var/log/sw-cp-server/error.log

Other Plesk logs can be found in the KB article "Parallels Plesk Panel for Linux services logs and configuration files": http://kb.parallels.com/en/111283
 
Well, that's not so many, I think, when you block some bots, crawlers, spiders, spammers, hackers and other unwanted types. Or is it possible to block by user agent for the whole server? I mean without going through all the websites' htaccess files and making changes every time it is needed.

In the /var/log/sw-cp-server/error.log I've got this:
2013-03-04 13:58:32: (server.c.1543) server stopped by UID = 0 PID = 20831
2013-03-04 13:58:57: (log.c.166) server started

And there is no log for firewall...
 
I just acquired a server with Plesk 11 firewall on CentOS 6 and the firewall fails to update, fails to apply a new configuration right out of the box! It won't even apply 1 simple change from allow to deny. After putting in numerous rules, I reverted back to the existing configuration, then attempted to change the "Mail password change service", from allow to deny. But when I click "apply the new configuration", nothing happens, it acts like the page is going to change, but instead stays eternally stuck on stupid. It seems that a bug like this would have been found in testing prior to release, if there was testing???
 
SauliusZ: You want to use Mod_security to do what you want to do, not a firewall. Too many rules can cause serious problems.

With mod_security, you can block various things server wide or domain wide or server minus list of domains or only certain domains or any combination you care to imagine.

Various things include contents of user agent or even an IP address or list of IP addresses.

Note that the more rules you have in mod_security, the more memory EACH apache process takes. An alternative to having a huge list of IP addresses is to set up a dnsbl with your bad IPs listed in it, and have mod_security do a lookup on each connection. In this way you use almost no extra memory.

Unfortunately, creating *sensible* mod_security rules is not that easy. It comes with a core set that you can look at and experiment with, but keep in mind that the default core rules may cause problems with various applications because mod_security is meant to be used for much, much more than just what I've described.

As an alternative, you can look at ASL from www.atomicorp.com. This is a subscription-based service that provides everything you need to get up and running with mod_security.

You would need to manually set up a dnsbl (very easy though) and populate it with data. Or you can add a big file containing all the IPs you want to block. Or one line containing a user agent you want to block (though it is probably already in the rules).

Do keep in mind what I said before though -- using a full set of good rules uses a lot of memory per apache process.

DogDon'tHunt: The Plesk firewall works fine under normal circumstances. Things only go wrong when you have "too many" rules. If you have no significant number of rules, then the cause of your problem is different to the OP's, and you should really create a new thread to discuss it and see if anyone has any ideas. I'm afraid I don't have any ideas; I've not come across it myself. It could be a bug, but it isn't one that I've read about or seen personally, so it could equally be something unusual about the configuration of your system, or a misconfiguration of something or other.
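
The three server-wide options described in the post above (user-agent match, an IP list in a file, and a DNSBL lookup), sketched as ModSecurity 2.7+ rules. This is an added example, not part of the original post; the file paths, rule IDs and the DNSBL zone name are assumptions to replace with your own.

```apache
# Added example (not from the thread). Load from the main Apache config so
# the rules apply to every virtual host. Paths, IDs and the zone are assumed.
<IfModule security2_module>
    SecRuleEngine On

    # 1. Block by User-Agent for the whole server. The file (hypothetical
    #    path) holds one phrase per line; @pmFromFile matches any phrase as a
    #    case-insensitive substring, so keep the phrases specific.
    SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/httpd/modsecurity.d/bad-agents.txt" \
        "id:10001,phase:1,deny,status:403,log,msg:'Blocked user agent'"

    # 2. Block a static list of addresses or CIDR ranges kept in one file
    #    (hypothetical path) instead of one firewall rule per address.
    SecRule REMOTE_ADDR "@ipMatchFromFile /etc/httpd/modsecurity.d/bad-ips.txt" \
        "id:10002,phase:1,deny,status:403,log,msg:'Blocked IP (file list)'"

    # 3. Look the client address up in your own DNSBL zone (placeholder
    #    name). The list lives in DNS, not in each Apache process.
    SecRule REMOTE_ADDR "@rbl dnsbl.example.invalid" \
        "id:10003,phase:1,deny,status:403,log,msg:'Blocked IP (DNSBL)'"
</IfModule>

# "Server minus a list of domains": inside the <VirtualHost> block of a site
# that must be exempt, remove a rule by its ID, for example:
#     SecRuleRemoveById 10001
```

The @rbl rule issues a DNS query for each request it evaluates, so point the server at a local caching resolver. To see what a rule would block before enforcing it, start with SecRuleEngine DetectionOnly and review the audit log.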
 
Here I have the following problems:

When I want to create 1 extra rule on the default firewall (open port 2525 udp/tcp for all IPs) I also get a timeout error. After 5+ retries it will reactivate, but after a server reboot the firewall turns into panic mode and will block all connections and ports. The only thing I can do is a server re-installation. It only happens on this server with a clean Plesk 11 installation. I also have an older server that was updated from 10 to 11, but that one has no problems with this.

Server:
Ubuntu 12.04 x64
Plesk 11
Host: Strato
 
The same here!
Update from 9.5.4 to Plesk 11 on Ubuntu 10.04 LTS

Logfile
/var/log/sw-cp-server/error.log

2013-05-09 06:32:35: (mod_fastcgi.c.2746) FastCGI-stderr: PleskFatalException: Unable to connect to database: mysql_connect() [<a href='function.mysql-connect'>function.mysql-connect</a>]: No such file or directory
file: /opt/psa/admin/plib/common_func.php3
line: 153
code: 0
trace: #0 /opt/psa/admin/auto_prepend/auth.php3(112): psaerror('Unable to conne...')
#1 {main}

PHP Warning: mysql_errno() expects parameter 1 to be resource, boolean given in /opt/psa/admin/plib/common_func.php3 on line 209
PHP Warning: mysql_error() expects parameter 1 to be resource, boolean given in /opt/psa/admin/plib/common_func.php3 on line 222
PHP Warning: mysql_errno() expects parameter 1 to be resource, boolean given in /opt/psa/admin/plib/common_func.php3 on line 222
PHP Warning: Cannot modify header information - headers already sent by (output started at /opt/psa/admin/plib/PleskException.php:44) in /opt/psa/admin/plib/PleskException.php on line 27

2013-05-09 06:32:35: (mod_fastcgi.c.2746) FastCGI-stderr: PleskFatalException: Unable to connect to database: mysql_connect() [<a href='function.mysql-connect'>function.mysql-connect</a>]: No such file or directory
file: /opt/psa/admin/plib/common_func.php3
line: 153
code: 0
trace: #0 /opt/psa/admin/auto_prepend/auth.php3(112): psaerror('Unable to conne...')
#1 {main}
 
@ Faris, there is a whole lot of speculation going on by you. Why would there be a Plesk firewall in the control panel if it is not capable of taking on rules? I am not looking for excuses, I am looking for resolve. As this turned out, Parallels offered to look into this issue (kindly enough), but needed my host to request it. MY host, HETZNER, declined to request it, saying it was out of the scope of their "support". Imagine that, Hetzner would not assist with a simple request! So I thanked Hetzner for their unwillingness and closed the account, and have since obtained a server from another host. If the dog don't hunt, either teach it to hunt or find another dog!
 