• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Plesk Firewall & IP Range ?

W

WarBirD

Guest
Hi,

I wonder why I can´t put an IP Range in the Firewall Rules without it saying that the IP I put there is not right. I mean, there is this extra field behind the / so I suppose its ment to use it like this for example:

11.11.11.0/255

Right ? I need to ban a few IP ranges from my Server. Any Idea how to succeed in this ? Please, i am far away from beeing an expert in these things. Please, if you do know how it works, try to explain it simple if possible. ;)

Thx.
 
You want to use the bitmask at the end, heres a quick cheat sheet:

11.11.11.11/32 <- just the host 11.11.11.11

11.11.11.0/24 <- the whole 11.11.11.0 network (254 ips)

11.11.0.0/16 <- the 11.11.0.0 network (64k ips)


11.0.0.0/8 <- the 11.0.0.0 network (16million ips)
 
Originally posted by atomicturtle
You want to use the bitmask at the end, heres a quick cheat sheet:

11.11.11.11/32 <- just the host 11.11.11.11

11.11.11.0/24 <- the whole 11.11.11.0 network (254 ips)

11.11.0.0/16 <- the 11.11.0.0 network (64k ips)


11.0.0.0/8 <- the 11.0.0.0 network (16million ips)

Hi, dont get me wrong but maybe i am just too stupid to get it. ;)

Why is

11.11.11.0/24 <- the whole 11.11.11.0 network (254 ips)

the whole network. Since as far as I know its 0-255 for a whole network. Or maybe i just can´t think straight because I have the flue atm, would you please explain. ;)

Thx m8.
 
Another question, when I would like to ban this IP Range.

89.145.16.0 - 89.145.63.255

How would I have to put that ?
Since I am not very good at these things, I dont know how to would do this in IPtables as well. It might is easier to do it there, but I know that too many changes at the wrong place and just one little error, and my Server is not accessible anymore by myself possibly. Thats why I ask, I dont want to risk anything.

I appreciate any help.
 
Ahh taking out germany huh. So netmasks can be kind of daunting if you don't understand the guts of tcp/ip. Short version, the bitmask is a binary representation of a network block.

So what that means is that in binary this:

255.255.255.0

looks like
11111111.11111111.11111111.00000000

and if you add all those 1's up you get:

24

It helps if you can do math in binary. Which is probably one of the least useful skills a person can have. Its actually my 2nd least useful skill, my first is I can also read heiroglyphics. But I digress, the answer for your firewall netblocks question is you need 2 networks:

89.145.16.0/20 (89.145.16.1 - 89.145.31.254)
89.145.32.0/19 (89.145.32.1 - 89.145.63.254)

This is because TCP/IP is base 8, dividing each section of an IP address into an octet. We're dealing with subdividing a 16 bit network (2nd position), so we start all calculations from there. Cheat sheet:

bits 0 = 256
bits 1 = 128
bits 2 = 64
bits 3 = 32
bits 4 = 16
bits 5 = 8
bits 6 = 4
bits 7 = 2
bits 8 = 1



Forget about networks for a moment, and just do the math using into the largest group that fits into the above, in your case 89.145.16.0 - 89.145.64.0 is a total of 48 networks. So you need a block of 16 (4 bits) and a block of 32(3 bits) to get (16 + 32) 48. We're chopping up a class B (16 bit) network into smaller pieces so we start our math problem at 16. Using the network 89.145.16.0 as a jumping point, if we add 16 networks (or 4 bits) to our class B (16 bits) we get 16 + 4 = 20:
89.145.16.0/20 (89.145.16.1 - 89.145.31.254)

If you started at 89.145.32.0/20, you would be covering the network space from: 89.145.32.1 - 89.145.47.254


Another way to look at it is a 4 bit netmask breaks the network up into 16 pieces:
0-15
16-31
32-47
48-63
64-79
80-95
96-111
112-127
128-143
144-159
160-175
176-191
192-207
208-223
224-239
240-255



For the 2nd net block, I start at the IP 89.145.32.0, and add 32 networks to it. Again since we're playing in Class B (16 bit) network space, we start at 16, and add 3 bits (32 networks) to it: 16 + 3 = 19:
89.145.32.0/19 (89.145.32.1 - 89.145.63.254)

a 3 bit netmask breaks the network up into 8 pieces:
0-31
32-63
64-95
96-127
128-159
160-191
192-223
224-255

Confused yet? Oh and for your first question, while you can use .0 or .255 as IP addresses, it's not a good idea to use the starting or ending IP's for a netblock. This is because they are used for either defining the network (IE, 10.10.10.0/24 uses 10.10.10.0 to define the network) or for broadcasts on the network (10.10.10.255 is the broadcast IP).
 
Wow, i am impressed. You really do a great deal about this. Still have to swallow all this to actually understand it. I never saw IP´s this way.

For me IP range´s is like how i posted them, with the actual IP´s and not put them into bits like you did. Never saw this before that close. Guess that makes me a n00b but well, I don´t have time to learn that while work & family.

Just want to get some people I know off my Site because I know they cause trouble. Problem is, since in Europe most countrys still have dynamic IP´s, you can´t just ban 1 IP, because at the next connection break, we get a new IP and so the ban for someone wouldn´t work. And when you ban IP ranges you always risk banning too many people which aren´t responsible for anyone. But sometimes you just have to make the choice for the greater good.

I will look into this, put your both IP things into my Firewall. I am happy that you wrote them down, instead of only telling me the math. I have to admit, for now I have to rely on the numbers you told me.

I am not that far yet to understand it. Still trying to find out what all that means. ;)

Thx m8.
 
Thats something else we worked into ASL, a real-time black list (RBL) in apache. We have the same problem with dynamic IP's, and frequent abusers. The way we've got it in place right now is the IDS will add people to the blacklist if they are detected doing something bad, which can be shared among multiple servers, and/or you can configure it to use an external blacklist, like XBL etc.
 
Can I ask you one last time, for another Range I have to limit to my Server. ;)

In the RIPE Database, the Provider I am intending to ban, writes this in its Information:

Route: 194.166.0.0/16

Is this the complete Range of IP he is using, and so the one I have to Ban in the Firewall ? It seems to be the same format than you wrote above. Its only one Provider I intend to ban.

In addition to that, is it possible to make it possible to prevent a certain Website from accessing my Server/Website?

Hope you can help me.
WarBirD
 
OK so if you look back in our netmask math , you'll see that a 16 bit netmask means the whole 194.166.*.* network address space.

11111111.11111111.00000000.00000000

add those 1's up and you get 16. We also call that a "Class B" network.


Firewall rules are not exactly name based, you can block a system by its hostname, ie www.example.com, but whats happening internally is when the rule is run, it does a lookup on the name, grabs the IP, and uses that IP in the rule. So if the dns record changes, its not going to automatically block that new IP. A better way to do this would be to use a userspace IDS like snort, or mod_security, to key in on some signature in the payload portion of the packet, like an HTTP Referrer for example (we use this in mod_security to stop spam). Another option is to use an RBL inside of apache with either mod_security, or mod_access.
 
Please excuse a little spam, but really, atomicturtle deserves a round of applause! \o/

Thanks for the ip/binary/octet/hostmask refresher. Very nice of you.

PS. I'll not be registering at the fora just yet. ;)
 
1. Thanks atomicturtle for the lesson above. I still find it really difficult. I did find http://www.subnet-calculator.com/ which I find useful in working out the bitmask, and the boxes allows you to adjust any one of the component parts.

2. Could someone let me know which IP address in the headers is the IP address that I should be blocking in the firewall, because you can see that there are 2 IP addresses shown (58.185.94.161 and 118.68.50.175. From what I understand, it is the first one from the bottom e.g. 58.185.94.161, but I do not seem to :

Return-Path: <[email protected]>
Delivered-To: [email protected]
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
plesk.xxx.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.8 required=5.0 tests=BAYES_00,NO_REAL_NAME,
RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL autolearn=no version=3.1.0
Received: (qmail 30859 invoked from network); 14 Nov 2007 03:41:35 +0000
Received: from adsl-dynamic-pool-xxx.hcm.fpt.vn (HELO onex) (118.68.50.175)
by plesk.xxx.com with SMTP; 14 Nov 2007 03:41:31 +0000
Received-SPF: fail (plesk.xxx.com: SPF record at alfabank.ru does not designate 118.68.50.175 as permitted sender)
Received: from [58.185.94.161] (helo=varp)
by onex with smtp (Exim 4.62 (FreeBSD))
id 1JdC¢-0001SV-8d; Wed, 14 Nov 2007 10:45:10 +0700
Message-ID: <001b01c82670$2bfddff0$a15eb93a@varp>
From: <[email protected]>
To: <[email protected]>
Subject: Gold Report Docs
Date: Wed, 14 Nov 2007 10:40:59 +0700
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="windows-1252";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2499
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2499
 
yeah netmasks certainly not are intuitive unless you understand the guts behind the scene, or do a lot of math in octal.

The short answer is that the sender is: 118.68.50.175 (host in Vietnam). This host is listed in the sbl-xbl.spamhaus.org RBL.


What you look for in the headers is the first occurrence of a Received: from ... by line that references your server. It will not always be the first Received: from line if the message is going through other servers to get to yours. Example from your headers:

Received: from adsl-dynamic-pool-xxx.hcm.fpt.vn (HELO onex) (118.68.50.175)
by plesk.xxx.com with SMTP; 14 Nov 2007 03:41:31 +0000


The other Received from line is from the mail server sending the spam, apparently a FreeBSD server running exim. That server is probably an open relay, however it was nice enough to capture the IP address from the original spammer, who is 58.185.94.161 (host in Singapore).

58.185.94.161 however is *not* connecting to your server.

It wouldn't hurt to blacklist both IP's.
 
THANK YOU for the advice atomicturtle. I have banned both as you recommend.
Kind regards
 
Thank you so much for this excellent tutorial. May I please ask: is it more efficient (in terms of resource usage) to use these IP range blocks at the firewall level in Plesk, or at the .htaccess level in the root directory? Thanks again.
 
That is a very good question, the most efficient place to do this would be in the firewall. While you could block an IP in an .htaccess file, it would only apply to the web server. This would not have any impact on mail, and in general is a much more expensive operation in terms of CPU.
 
Many, many thanks to you. One last question if I may: there are probably several dozen IP ranges (i.e., of the XX.0.0.0/8 variety) that I want to block. At what point do you think it becomes a burden at the firewall, in terms of resources? Are there country codes that are available? Again, my sincere appreciation for your time.
 
Once again great question, netfilter is the underlying firewall system in Linux. The plesk firewall and its CLI counterpart, iptables are interfaces to netfilter. Netfilter itself can handle millions of entries. The front ends to netfilter on the other hand can be effected by all sorts of external issues that can limit this. In general, you probably wont have any problems with those front ends loading up to 100,000 rules (ram is usually what matters here). Rules can effect performance on the network when they are put together poorly. They can also not work at all if you put them in the wrong order.

Firewall policies are just like programming in any other language, there are shortcuts, arrays, loops, escapes, etc. For example, in ASL we created a geo-ip blocking capability by generating a large firewall policy (180k entries) and then loading it with iptables-restore. If you tried to do that with iptables by itself, it would take hours just to load. Another way to do that is with the 3rd party xtables extension that gives you the geo-ip match type, so when we replace our current code with this our 180k ruleset drops down to a single line per country.
 
Enabling Plesk Firewall

Enabling Plesk Firewall


Firewall is a protection measure aimed at prohibiting specific incoming network connections that may be used to compromise your server.

Plesk Firewall operates on the base of rules, which specify parameters of connections, which are to be blocked or passed through.

It filters only incoming IP connections for TCP and UDP protocols. All outcoming connections are allowed. Each rule controls filtering only for one specific network interface (adapter).

Some rules for widespread protocols are predefined, and you can only enable or disable them.

Note, that if some protocol is not controlled by some rule, its messages are filtered too. For example, if you do not have a rule for protocol XYZ, all incoming messages sent via this protocol will not be passed by Plesk Firewall.

This behavior has an exception, Plesk Firewall does not filter both incoming and outcoming messages of ICMP protocol, regardless of message's type.

To start setting up the firewall, click the Server > IP Addresses > Firewall icon.The page allows seeing and changing status of firewall protection for the network interfaces installed on the server.

This page has a list of all network interfaces on server accompanied by icons symbolizing status of firewall protection (F column), status of network interface connection activity (I column), and textual fields for name and type of network interface.

Click the icon in the F column to switch the status of firewall protection for the corresponding network interface.

Click the interface name for opening a page, which gives you precise control over firewall rules for this interface.

A rule has a symbolic name and consists of port number and protocol name for the connection to be filtered or passed through.

The Default button restores the original Plesk Firewall configuration by deleting all user-defined rules and setting all predefined rules in pass-through state.

The Panic button enables special mode to protect the server from unknown worms, etc. It closes the server as tightly as possible, disabling all incoming and outgoing connections except for accessing Plesk Control Panel and Remote Desktop administering. Note that the panic mode disables access to the client's sites; it is only recommended to use it when there are no other options left, e.g. if the server was compromised.

The Enable/Disable button allows controlling firewall activity on the network interface you selected before entering this page.

The list at the bottom of the page contains all firewall rules, registered for use on the selected network interface. Each rule has an icon in the S column, which indicates the state of this rule, whether it is enabled or disabled. When the icon is green, Plesk Firewall does not filter messages of the protocol, corresponding to the rule, passing them through to concrete programs using this protocol for communication. When it is red, firewall rule is 'active', prohibiting messages matching the rule to pass through. To edit parameters of an existing rule, click on its name.

To add your own rule, click the Add Firewall Rule button. A page will open where you have to specify rule's properties. To edit properties of an existing rule, click on its name. The screen of editing an existing rule is very similar to the screen of adding a new rule, except that it does not allow renaming the rule.

Business VoIP Providers
 
This post should be used to make a KB article for ip range firewall rules explanations...thanks for this useful post.
 
Back
Top