Question Plesk firewall - CrowdSec iptables interaction

[andg]

Server operating system version

Debian 10

Plesk version and microupdate number

Plesk Obsidian 18.0.68 Update #2

Hi,
after successfully configuring crowdsec in a bare metal server I tested it with Plesk.
Turned off fail2ban, installed crowdsec with iptables bouncer and created a few custom rules.
All seem good except that if I update Plesk firewall rules and apply the update CrowdSec rules in iptables are no longer enforced.
Listing iptables rules
Before:

Chain CROWDSEC_CHAIN (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             match-set crowdsec-blacklists-1 src
DROP       all  --  anywhere             anywhere             match-set crowdsec-blacklists-0 src

After a plesk firewall rule got updated

Chain CROWDSEC_CHAIN (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             match-set crowdsec-blacklists-1 src
DROP       all  --  anywhere             anywhere             match-set crowdsec-blacklists-0 src

So as you can see it gets 0 references. Doing a systemctl restart crowdsec-firewall-bouncer fixes the problem.
Would it be possible to trigger a script after the firewall is updated? Or to integrate them better in other ways?
Also I've yet to test what happens after a server restart but think should be ok. Will update about it!
Thanks!

 

[Kaspar]

Would it be possible to trigger a script after the firewall is updated?

See: Question - Disable FTP on single ip address

 

[rhall]

A quick note on triggering scripts after the firewall is updated:

First a caveat - I am still stuck on an older release of Obsidian 18.0.31, and the newer versions of Plesk Obsidian, the firewall UI and controls are much improved, and I'm actually not 100% certain if iptables is still updated in the same way or if it has been improved speed wise, but this should give you some ideas that may help fire things off when you need them.

I had a need to leverage the event manager to trigger a script when the firewall is updated - and it does fire, but it fires immediately after creating the new firewall rules and creating the updated firewall-active.sh script that actually updates iptables, when you hit apply, but this is well before that script has actually completed depending on the speed of your system and the amount of rules. So you might run into issues if you want to fire events immediately after that event is triggered, especially if you are going to manipulate iptables further, and if you have a large number of entries in your firewall and fail2ban already, given that there is a sleep 1, in between each execution if you are using a version of iptables <1.4.20, and the native sleep in newer versions is not much faster - you might not be triggering things when you actually want them to be triggered.

To work around this, as I wanted an update when the full script had finished and iptables was fully updated. So, I wrote a script that watches for the completion of the firewall-new.sh script, so you can call this script from the event manager and then have it fire off whatever you really want to happen once the firewall-new.sh has actually completed updating. Unclear if newer versions of Obsidian are triggered the same way or if they might have moved to a method that fires once everything is complete, not just the kickoff of the firewall-new.sh script.

So this does exactly that, monitors firewall-new.sh for completion, and also updates your shell with status info with some nice coloring and the overall execution time which can be helpful to gauge things. I typically trigger this by hand from an ssh session, but you can easily strip out the output/echo's or route it to /dev/null/ and just keep the loop that watches for completion of the firewall-new.sh script, but it may be useful for your use case or a good starting point to get you going.

fin="false"
start=`date +%s%N`
RED='\033[0;31m'
YEL='\033[1;33m'
ORNG='\033[0;33m'
CYN='\033[0;36m'
WHT='\033[1;37m'
NC='\033[0m' # No Color

echo -ne "${ORNG}$(date)${NC}\n";
echo -ne "${RED}Plesk Firewall/IPtables updating${NC}";

while [ $fin = "false" ]
do
ret=$(ps auxf | grep -i 'firewall-new.sh' | grep -v grep)
if [[ -z "$ret" ]]; then
    echo -en "\n${WHT}Update complete - ";  
    fin="true"
    end=`date +%s%N`
    nanos=`expr $end - $start`
    minutes=`expr $nanos / 60000000000`
    echo -e "Execution time:${NC}\n ${CYN}$nanos nanoseconds - $minutes minutes${NC}"
    exit 1
else
    echo -ne "${YEL}.${NC}";
fi
sleep 5
done

 

[andg]

Thanks to both!
I've had little time to test this week but using event manager with event "Firewall rules activated" and systemctl restart crowdsec-firewall-bouncer as command seems to do the work.
Using systemctl reload crowdsec-firewall-bouncer instead is not working.

Will update further when I will test with other servers.