Issue Plesk firewall rule

[bulent]

Hi,
I have set a plesk firewall rule like below which blocks all connections to ports.
Deny incoming from all on ports 6379/tcp, 6379/udp, 9200/tcp, 9200/udp, 9300/tcp, 9300/udp
and have another rule which allows same ports for 127.0.0.1.
But it seems like these ports are accessible outside. The problem is from a week or two.
Before it was working correctly, only on system restart I had to reapply firewall rules.

Regards,
Bulent

PS:
these are used for docker containers for elasticsearch and redis

 

[bulent]

Hı Plesk Team

is this behavior normal condition?
Plesk firewall doesn't block docker ports?

 

[IgorG]

I see the following here. When applying the rules, you can look at the script that will be executed. Please do it. In this case, you either find an error in your configuration, or Plesk firewall has nothing to do with it, or Plesk automatically inserts some additional rules.

 

[bulent]

I have tried to make it more simple, added 2 rules
Deny incoming from all on port 6379/tcp
Deny incoming from all on port 9200/tcp
One for Redis and one for Elastic, the script which is generated is like below and it seems like it runs correctly.
Is there anything odd in that script?


#!/bin/bash
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

set -e

echo 0 > /proc/sys/net/ipv4/ip_forward
([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
(rmmod ipchains) >/dev/null 2>&1 || true

apply_rule()
{
iptables_bin="$1"
shift

iptables_version=`/sbin/iptables --version | awk -F '.' '{print $2$3}'`

# Use the native --wait option since v1.4.20
if [ $iptables_version -gt 420 ]; then
$iptables_bin -w $@ 2>/dev/null
return $?
fi

# Emulate --wait for elderly versions
for i in `seq 10`; do
$iptables_bin $@ 2>&1 | grep -q xtable || return 0
sleep 1
done

return 1
}

/sbin/iptables-save -t filter | grep -- "-A INPUT" | grep -v "fail2ban-\|f2b-" | sed -e "s#^-A#apply_rule /sbin/iptables -D#g" | xargs -0 echo -e "`declare -f apply_rule`\n" | /bin/bash

apply_rule /sbin/iptables -F FORWARD
apply_rule /sbin/iptables -F OUTPUT
apply_rule /sbin/iptables -Z FORWARD
apply_rule /sbin/iptables -Z OUTPUT

apply_rule /sbin/iptables -P INPUT DROP
apply_rule /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/iptables -A INPUT -m state --state INVALID -j DROP
apply_rule /sbin/iptables -P OUTPUT DROP
apply_rule /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
apply_rule /sbin/iptables -P FORWARD DROP
apply_rule /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/iptables -A FORWARD -m state --state INVALID -j DROP

apply_rule /sbin/iptables -A INPUT -i lo -j ACCEPT
apply_rule /sbin/iptables -A OUTPUT -o lo -j ACCEPT
apply_rule /sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT

apply_rule /sbin/iptables -t mangle -F
apply_rule /sbin/iptables -t mangle -Z
apply_rule /sbin/iptables -t mangle -P PREROUTING ACCEPT
apply_rule /sbin/iptables -t mangle -P OUTPUT ACCEPT
apply_rule /sbin/iptables -t mangle -P INPUT ACCEPT
apply_rule /sbin/iptables -t mangle -P FORWARD ACCEPT
apply_rule /sbin/iptables -t mangle -P POSTROUTING ACCEPT

/sbin/ip6tables-save -t filter | grep -- "-A INPUT" | grep -v "fail2ban-\|f2b-" | sed -e "s#^-A#apply_rule /sbin/ip6tables -D#g" | xargs -0 echo -e "`declare -f apply_rule`\n" | /bin/bash

apply_rule /sbin/ip6tables -F FORWARD
apply_rule /sbin/ip6tables -F OUTPUT
apply_rule /sbin/ip6tables -Z FORWARD
apply_rule /sbin/ip6tables -Z OUTPUT

apply_rule /sbin/ip6tables -P INPUT DROP
apply_rule /sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/ip6tables -A INPUT -m state --state INVALID -j DROP
apply_rule /sbin/ip6tables -P OUTPUT DROP
apply_rule /sbin/ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/ip6tables -A OUTPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/ip6tables -A OUTPUT -m state --state INVALID -j DROP
apply_rule /sbin/ip6tables -P FORWARD DROP
apply_rule /sbin/ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/ip6tables -A FORWARD -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/ip6tables -A FORWARD -m state --state INVALID -j DROP

apply_rule /sbin/ip6tables -A INPUT -i lo -j ACCEPT
apply_rule /sbin/ip6tables -A OUTPUT -o lo -j ACCEPT
apply_rule /sbin/ip6tables -A FORWARD -i lo -o lo -j ACCEPT

apply_rule /sbin/ip6tables -t mangle -F
apply_rule /sbin/ip6tables -t mangle -Z
apply_rule /sbin/ip6tables -t mangle -P PREROUTING ACCEPT
apply_rule /sbin/ip6tables -t mangle -P OUTPUT ACCEPT
apply_rule /sbin/ip6tables -t mangle -P INPUT ACCEPT
apply_rule /sbin/ip6tables -t mangle -P FORWARD ACCEPT
apply_rule /sbin/ip6tables -t mangle -P POSTROUTING ACCEPT


apply_rule /sbin/iptables -t nat -F
apply_rule /sbin/iptables -t nat -Z
apply_rule /sbin/iptables -t nat -P PREROUTING ACCEPT
apply_rule /sbin/iptables -t nat -P OUTPUT ACCEPT
apply_rule /sbin/iptables -t nat -P POSTROUTING ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 9200 -j DROP
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 9200 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 6379 -j DROP
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 6379 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 49152:65535 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 49152:65535 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 12443 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 12443 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 11443 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 11444 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 11443 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 11444 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 8447 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 8447 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 8880 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 8443 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 8880 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 22 -s 46.253.6.216 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 22 -s 83.222.177.139 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 22 -s ::ffff:46.253.6.216 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 22 -s ::ffff:83.222.177.139 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 22 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 587 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 587 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 25 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 465 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 110 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 995 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 143 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 993 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 106 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 106 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 3306 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 5432 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 5432 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p udp --dport 137 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p udp --dport 138 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 139 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 445 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p udp --dport 137 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p udp --dport 138 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 139 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 445 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p udp --dport 1194 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p udp --dport 53 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 53 -j ACCEPT

apply_rule /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 134/0 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 135/0 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 136/0 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 137/0 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 128/0 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 129/0 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -j DROP
apply_rule /sbin/ip6tables -A INPUT -j DROP

apply_rule /sbin/iptables -A OUTPUT -j ACCEPT
apply_rule /sbin/ip6tables -A OUTPUT -j ACCEPT

apply_rule /sbin/iptables -A FORWARD -j DROP
apply_rule /sbin/ip6tables -A FORWARD -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward
#
# End of script
#

 

[trialotto]

@bulent,

You will find that Plesk Firewall extension will behave (on the one hand) differently in time, in the sense that previous (proper) firewall rules will not work as expected anymore and (on the other hand) differently across servers, in the sense that identical servers with identical firewall setups can have different issues.

In essence, it is not the Plesk Firewall extension that is the root cause of the problem, it is only contributing to an already existing problem.

In most cases, a simple reboot (from the command line) is required to get a "clean slate and proper starting point" for further analysis of iptables firewall rules.

However, this is not the best approach to start with.

As @IgorG tried to explain, it is a process of elimination to find the proper root cause of the problem.

On a VPS, it is quite common that iptables is "overworked" and, as a result, does not add iptables rulesets properly: if this is the case, than it is almost certain that the Plesk Firewall extension is (also) not able to add the intended firewall rules properly.

On a dedicated server, the number of rules in iptables can be huge, so there often is not a problem when adding firewall rules, unless your machine has to work very hard due to a hack attempt (which in most cases is brute forcing and/or mail server related attacks).

On a cloud based VM............well, that is an entire different story.

In almost every case, there is Fail2Ban filling up iptables...........and that is the first thing to start with, by simply (in chronological order of execution)

1 - blocking bad IPs via Nginx, as opposed to adding them into iptables: create a custom action in /etc/fail2ban/action.d,
2 - adding bad IPs to the /etc/hosts.deny file, as opposed to adding them into iptables: create a custom action in /etc/fail2ban/action.d,
3 - creating whitelists for nginx (to be placed in /etc/nginx/conf.d) and the entire server (to be placed in /etc/hosts.allow),
4 - (optionally) creating blacklists for postfix, as opposed to adding them into iptables,

and the result will be that the iptables chains associated with f2b are reduced, allowing you to (safely) take a second step: deactivating fail2ban jails.

After these two steps, you will have a fairly clean iptables ruleset, without too much f2b-<name> chains.

You can inspect the iptables before and after the before mentioned steps with the command: iptables -L -n --line-numbers

A check before you apply the two steps is desirable, since the before mentioned command gives you an idea which of the Fail2Ban jails and iptables are pretty useless.

After that, you can proceed with the third step: just translate simple Fail2Ban rules and other intended firewall rules to Plesk Firewall extension.

This way, you have more control and a more simple iptables ruleset.

At this moment, I am pretty convinced that all of the above will help you with your issue.

However, there is one thing to notice: it can be the case that you have to refresh the rules added with Plesk Firewall extension.

Simply stated, it is my personal experience that Plesk Firewall extension has been behaving a bit odd in the last couple of weeks, but a simple change is often enough to get the whole thing working properly again: adding an IP, saving the changes, removing the IP again, saving the changes.........this seems to work.

Nevertheless, you can be pretty sure that you have to clean up iptables, as commonly filled up improperly by Fail2Ban.

I hope the above helps a (tiny) bit......

Regards........

 

[bulent]

Thanks @trialotto
I will check what I can do. The server is dedicated. It was working fine until week or two ago. The only issue was that after server restart I had to reload plesk firewall rules, but that doesn't help anymore.

 

[Brujo]

1 - blocking bad IPs via Nginx, as opposed to adding them into iptables: create a custom action in /etc/fail2ban/action.d,
2 - adding bad IPs to the /etc/hosts.deny file, as opposed to adding them into iptables: create a custom action in /etc/fail2ban/action.d,
3 - creating whitelists for nginx (to be placed in /etc/nginx/conf.d) and the entire server (to be placed in /etc/hosts.allow),
4 - (optionally) creating blacklists for postfix, as opposed to adding them into iptables,

In addition, I would like to suggest for fail2ban as an action method to use IPSET, which is useful in jails where a lot of blocked IPs are incurred such as plesk-apache-badbot. I hope Plesk integrates this out of the box.

 

[trialotto]

In addition, I would like to suggest for fail2ban as an action method to use IPSET, which is useful in jails where a lot of blocked IPs are incurred such as plesk-apache-badbot. I hope Plesk integrates this out of the box.

@Brujo,

I am not a fan of IPset, certainly not for the simple reason that it is often a solution for a problem that is not being solved, in the sense that the solution is a dirty fix.

In your post, you provide a clear example of what I mean with the above statement.

Sure, IPset can help "organize" bad IPs being blocked by the firewall, but that is not a solution to the problem of "huge sets and/or IPs being put into iptables".

Moreover, most attack scripts are sophisticated as trees ......... but that does not prevent them to (often accidentally) bypass Fail2Ban, making IPset less valuable.

In general, it is valuable to monitor IPs via Fail2Ban and use specific jails in Fail2Ban to identify which IPs are bad.

However, that does not imply that Fail2Ban, in conjunction with iptables or iptables + ipset, is the best method to ban those bad IPs.

In essence, banning IPs should be involving a "identify bad IPs, identify ports and applications affected, identify best tool to prevent connections beforehand" method.

In the case of Fail2Ban, the whole plesk-apache-badbot jail and associated Fail2Ban rules in iptables are a bit useless.

A pre-emptive block in Nginx would be more able and more effective to prevent any bad bot (with associated bad IP) to connect to specific or all domains.

This pre-emptive block also has the associated advantages that

- it can be applied server-wide, just as is the case with Fail2Ban,
- it can be used to apply a permanent block, as opposed to Fail2Ban,
- the permanent block can be incremented with minor sets of bad IPs associated with bad bots,
- the permanent block can be based upon user-agents, as opposed to IPs alone,

and, as a final result, you are probably able to deactivate the entire plesk-apache-badbot jail entirely and hence remove all Fail2Ban mockup in iptables.

But why not use iptables + ipset, given the fact that it intercepts bad bots earlier in the connection process?

Simply because we have to rely on Fail2Ban to fill iptables and/or ipsets in order to disallow specific bad bots........

........... and Fail2Ban is a memory hungry process, a process that is even known to overload iptables and hence make any iptables based firewall ineffective.

In short, the less you can do with Fail2Ban, the better........... and blocking bad traffic at the Nginx level is a good idea: it is essentially an interception of bad traffic, before the bad traffic reaches the Apache web server.

Hope the above helps a bit.

Regards.......

PS Have a bit of inspiration for using Nginx to block bad bots, by looking at this Nginx based bot blocker: mitchellkrogza/nginx-ultimate-bad-bot-blocker. Note that it might not be a good idea to install this bot blocker, just use it as a form of inspiration.

 

[learning_curve]

@Brujo....A pre-emptive block in Nginx would be more able and more effective to prevent any bad bot (with associated bad IP) to connect to specific or all domains....

This previous, helpful POST is along those lines...

 

[trialotto]

This previous, helpful POST is along those lines...

@learning_curve

The mentioned post is helpful, but at the same time...... it is not: the method suggested in that post is rather "odd".

After all, Nginx

- is better off without any regex pattern, since that will result in a (small) performance penalty that will increase if the list grows larger,
- is commonly best configured by simply creating a separate file, stored in and included from /etc/nginx/conf.d,
- is not really liking if statements: if is bad, for many reasons, amongst others (again) a performance penalty,
- is better off with a mapping method for identifying bots to be blocked: not all bots are equally bad and certainly not equivalently bad for all (server-wide) domains

and note that the argument of mapping is of particular interest.

Consider a server with multiple domains, each of them requiring a different set of bad bots.

First of all, user agents are not the equivalent of bad bots or good bots: this becomes clear when bad traffic is often disguised as coming from a good user agent and/or if good traffic is originating from some old system with poor user agents or even (sometimes good) bots that do not declare an user agent.

Second, a domain with Russian language might require other crawlers, when compared to an English domain.

In short, the if statement is

- being bad already: if is bad, at least in Nginx configs,
- not a good approach, unless one defines the if statement separately on each domain: this is often necessary,

and, as an endresult, (noticeable) performance penalties can be associated with the if statement method.

In contrast, the mapping method is

- allowing to define some general set of bad bots in /etc/nginx/conf.d, as such a server-wide list that will apply to all domains and that is easy to maintain,
- provides the possibility to override the server-wide list (or other global settings) by a simple (couple of) lines in the specific domain that requires adjustments,

and, as an endresult, the mapping method is providing efficiency AND performance neutrality to a high degree.

In my humble opinion, the mapping method is the recommended thing to do.

Hope the above explains a bit (and also expains why I chose to refer to a specific link).

Regards..........

 

[bulent]

I am not expert in the field, but tried to troubleshoot.
First removed the f2b from plesk add remove components, the idea was to clean the ip tables, nothing happened.
If I modify any existing plesk rule in the firewall like allowing only my ip for ssh connections, it works correctly.
I think the issue is related to Docker update in 18 Oct, because before that it was working correctly and it seems affect only ports related to docker services.

 

[learning_curve]

@learning_curve...The mentioned post is helpful, but at the same time...... it is not: the method suggested in that post is rather "odd"...

The mentioned post was posted by @IgorG A man, like yourself, who frequently helps people here on the forum.

Sooooooooo Perhaps... if there's a Method disagrement within Plesk, Plesk themselves could go pro-active, combine ALL (sensible) Nginx related different methods, test them (within Plesk) verify them and then issue a #BodBotBlocking Official Post ?? Sounds good to us

 

[trialotto]

I am not expert in the field, but tried to troubleshoot.
First removed the f2b from plesk add remove components, the idea was to clean the ip tables, nothing happened.
If I modify any existing plesk rule in the firewall like allowing only my ip for ssh connections, it works correctly.
I think the issue is related to Docker update in 18 Oct, because before that it was working correctly and it seems affect only ports related to docker services.

@bulent,

I cannot be sure about the root cause of this problem, but I am certain that has nothing to do with Docker related updates.

When reading back, I (again) noticed this particular line

The only issue was that after server restart I had to reload plesk firewall rules, but that doesn't help anymore.

and my question is: was this already present before (let's say four weeks ago)?

Regards.........

 

[bulent]

@trialotto yes, after server restart I had to manually reload firewall settings. What I mean is after restart, I have to click firewall, modify/add firewall rule and without any change click apply rules.

I have read about such behavior somewhere else on this forum too. As far as I remember, again it was about redis on docker container again.

Regards

 

[trialotto]

@trialotto yes, after server restart I had to manually reload firewall settings. What I mean is after restart, I have to click firewall, modify/add firewall rule and without any change click apply rules.

I have read about such behavior somewhere else on this forum too. As far as I remember, again it was about redis on docker container again.

Regards

@bulent,

If you encountered such an issue before you encountered the current issue (as reported in this thread), then you probably have some issues with the firewall scripts.

The Plesk Firewall extension actually obtains a form of persistence by running the firewall-active.sh script in /opt/psa/var/modules/firewall.

The particular script is nothing more than a "storage" of firewall rules, combined with iptables commands to restate those rules if that is required (for instance, at reboot).

First of all, I suggest that you make a thorough comparison of the various versions of the script, when taking the following steps (in chronological order)

1 - make a backup of the current firewall-active.sh script (for the sake of comparison)
2 - add a non-offending rule to the firewall, via Plesk Firewall GUI (read: just add an IP to an existent, non-problematic firewall rule): compare afterwards
3 - add an (almost certain to be) offending rule to the firewall, via Plesk Firewall GUI (read: just add a custom firewall rule, with "allow, deny others" settings activated),

and compare the individual scripts resulting from steps 1 to 3 (read: you should have 3 scripts, which scripts can be compared).

I am pretty sure that you either find nothing remarkable or get an error notification that you "are blocking specific connections" (something similar, from the back of my head).

In case you got the error notification during one of the steps and presumably step 3, your firewall settings are not saved properly (and I am not sure whether this is reflected in the firewall scripts, but it should) and iptables should be reverted.

However, I have found out that there is a discrepancy between what is shown in the Plesk Firewall GUI and what is actually present when making a change afterwards, in case you get the before mentioned error notification.

I do not know what happens there, but I think that it is (Plesk firewall) script related.

A quick and dirty work-around to fix this minor issue is to change a firewall rule (for instance, add or remove an IP) and save the changes: the firewall will be proper again.

Second and final, note that the first step is only involving Plesk Firewall extension and the associated (firewall) script.

As such, you can rule out any problems related to Plesk Firewall, due to the fact that the firewall script does not contain any F2B related entries.

Simply stated, if your Plesk Firewall extension does not yield surprises or problems, than the iptables related problems are due to Fail2Ban entries.

A process of elimination is hence possible.

This process of elimination is quite important, because the Plesk Firewall extension (running on top of iptables) is not working properly if Fail2Ban causes iptables mayhem.

Another alternative AND a rock-solid method to double check potential causes for your firewall related issues is to shutdown Fail2Ban temporarily.

However, I would strongly recommend that you first do a thorough inspection (read: comparison) of Plesk Firewall under different settings, since it is really not an option to shutdown Fail2Ban completely, not even for a small amount of time.

In summary, just do a checkup of the Plesk Firewall extension first and test or double check results by shutting down Fail2Ban (very very) briefly afterwards (!).

Hope the above helps a bit in your quest to find the answer to the unexpected behavior of Plesk Firewall extension and/or (the underlying) iptables.

Regards..........

 

[bulent]

I have found this article
https://support.plesk.com/hc/en-us/...to-bind-a-docker-container-to-localhost-only-
Is someone can tell me how I can do that with redis and elastic container without any password.
That can help me to some sort fix my issue.

 

[WebHostingAce]

Hi,

I'm having the same exact issue as @bulent. I'm unable to block incoming on Redis Port 6379 via Plesk Firewall.

This was working fine about a month ago(Last time I checked). Only issue was, had to disabled and re-enable the firewall every time the server restart to block port 6379 come to affect. This was reported to Plesk and they accepted as a Bug.

@bulent, You can add 0.0.0.0 to Source on Redis rule. You will get a warning when you applying this. but for me it seems to be working at the moment.

 

[bulent]

Yepp @AusWeb ,
exactly the same issue and your solution seems to work. Thanks!

I will not mark it as solved and @plesk Team should investigate the cause of the issue.

 

[WebHostingAce]

Hi @bulent

Plesk Support confirmed this as a Bug. Please follow the KB they just created for this.

Plesk Firewall deny rules do not block connections to Docker container