
Resolved: Plesk Firewall specifies wrong port for SSH firewall rule

Kurt Ludikovsky


TITLE

Plesk Firewall specifies wrong port for SSH firewall rule

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Version 18.0.50 Update #1, last updated: 9 Feb 2023 06:26:32
LINUX
Debian 11.6

PROBLEM DESCRIPTION

Plesk Firewall generates iptables rules for port 25 instead of port 22 when one specifies a rule for SSH.
This not only has no effect on port 22 but also denies any mail servers from connecting to the server.

STEPS TO REPRODUCE

1) Enter IP addresses into the SSH-Server (Secure-Shell-Server) rule (see attached rule-allow.png)
2) Check the generated iptables output with iptables -L INPUT

ACTUAL RESULT

Generated rules block port 25 for the specified IP
No effect on port 22 blocking

EXPECTED RESULT

inhibit port 22 access
No action on port 25

ANY ADDITIONAL INFORMATION

I can provide two images demonstrating the effect.

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Help with sorting this out.
 
Attached are two files which show the firewall rules and the resulting iptables rules.
 

Attachments

  • Firewall Settings.jpg (124.2 KB)
  • Generated iptables rules.jpg (166 KB)
I am unable to replicate the issue on a fresh Ubuntu 22.04 server. Are you able to replicate the issue again if you re-install the Plesk Firewall and apply the same steps again?
 
Will the settings be preserved, or do I need to set them again?
I have hundreds of IP's and CIDRs.
 
I cannot reproduce it either.

When you update a firewall rule and before you finally set the new rule(s), Plesk displays a page where the commands for setting new rules are displayed. There you should see the "ACCEPT" lines with port 22 and your IP address ranges.

If you see ACCEPT lines with port 25: Did you check that you do not also have a rule for the SMTP service?
 
Developers have replied to the case:

Rules with "incorrectly blocked IP":
Code:
# plesk db show module_firewall_rules | grep 95.143.80.0 | less -S
| id  | configuration_id | direction | priority | object
| 750 |                2 |         0 |       12 | a:8:{s:4:"type";s:7:"service";s:5:"class";s:3:"ssh";s:9:"direction";s:5:"input";s:5:"ports";a:1:{i:0;s:6:"25/tcp";}s:6:"action";s:5:"allow";s:10:"originalId";s:3:"722";s:4:"name";s:32:"SSH-Server (Secure-Shell-Server)";...
| 764 |                2 |         0 |       28 | a:7:{s:4:"type";s:6:"custom";s:5:"class";s:6:"custom";s:4:"name";s:25:"My allowed SSH 2023-02-12";s:9:"direction";s:5:"input";s:6:"action";s:5:"allow";s:5:"ports";a:1:{i:0;s:6:"22/tcp";}...
| 809 |                1 |         0 |       12 | a:8:{s:4:"type";s:7:"service";s:5:"class";s:3:"ssh";s:9:"direction";s:5:"input";s:5:"ports";a:1:{i:0;s:6:"25/tcp";}s:6:"action";s:5:"allow";s:10:"originalId";s:3:"750";s:4:"name";s:32:"SSH-Server (Secure-Shell-Server)";...
| 823 |                1 |         0 |       28 | a:8:{s:4:"type";s:6:"custom";s:5:"class";s:6:"custom";s:4:"name";s:25:"My allowed SSH 2023-02-12";s:9:"direction";s:5:"input";s:6:"action";s:5:"allow";s:5:"ports";a:1:{i:0;s:6:"22/tcp";}...
Note that the "SSH-Server (Secure-Shell-Server)" rule actually has port 25/tcp set instead of expected 22/tcp (as with "My allowed SSH 2023-02-12"). Most likely this was incorrectly changed by the customer when manually transferring the rules. Executing
Code:
/usr/local/psa/bin/modules/firewall/settings --set-rule -id 750 -ports 22/tcp
(assuming 2 is still the editable configuration), and applying the firewall rule changes should resolve the issue.
However, I would suggest significantly cleaning up the firewall rules. There are a lot of duplicates, and there is no real need to export fail2ban bans into the firewall extension.
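The developers' diagnosis boils down to one field in the PHP-serialized "object" column: a rule of type "service" and class "ssh" carrying 25/tcp instead of 22/tcp. The following script, added here as an example and not Plesk's own tooling, automates that check over the output of `plesk db show module_firewall_rules`: it decodes the serialized object, flags service rules whose ports do not match their class, reports rows that cannot be decoded instead of silently skipping them, and prints the same `settings --set-rule` command the developers gave for single-port services. The expected service-to-port map is an assumption (only ssh and smtp are listed), the sample rows are constructed from the thread (row 771 is invented, row 809 is deliberately cut off), and the table layout is assumed to be the pipe-delimited one quoted above.

```python
"""Audit Plesk firewall rule rows for service rules whose stored ports do
not match the service they claim to provide (here: an "ssh" rule with 25/tcp).

Added example, not Plesk's own code. Parses the PHP-serialized "object"
column as printed by `plesk db show module_firewall_rules`. EXPECTED_PORTS
and the sample rows are assumptions/constructed; the fix command mirrors
the one the Plesk developers posted in the thread.
"""
import sys

# Assumed expected ports per built-in service class; extend for your install.
EXPECTED_PORTS = {
    "ssh": {"22/tcp"},
    "smtp": {"25/tcp"},
}

# Constructed sample of `plesk db show module_firewall_rules` output.
# 750: the broken ssh rule from the thread; 764: custom rule that does carry
# 22/tcp; 771: invented healthy smtp rule; 809: a row cut off the way the
# thread quoted it (must be reported, not silently skipped).
SAMPLE_ROWS = """\
| id  | configuration_id | direction | priority | object
| 750 |                2 |         0 |       12 | a:7:{s:4:"type";s:7:"service";s:5:"class";s:3:"ssh";s:9:"direction";s:5:"input";s:5:"ports";a:1:{i:0;s:6:"25/tcp";}s:6:"action";s:5:"allow";s:10:"originalId";s:3:"722";s:4:"name";s:32:"SSH-Server (Secure-Shell-Server)";}
| 764 |                2 |         0 |       28 | a:6:{s:4:"type";s:6:"custom";s:5:"class";s:6:"custom";s:4:"name";s:25:"My allowed SSH 2023-02-12";s:9:"direction";s:5:"input";s:6:"action";s:5:"allow";s:5:"ports";a:1:{i:0;s:6:"22/tcp";}}
| 771 |                2 |         0 |       13 | a:6:{s:4:"type";s:7:"service";s:5:"class";s:4:"smtp";s:9:"direction";s:5:"input";s:5:"ports";a:1:{i:0;s:6:"25/tcp";}s:6:"action";s:5:"allow";s:4:"name";s:11:"SMTP server";}
| 809 |                1 |         0 |       12 | a:8:{s:4:"type";s:7:"service";s:5:"class";s:3:"ssh";...
""".splitlines()


def php_unserialize(text):
    """Decode the PHP serialize() subset Plesk uses (a/s/i/b/N).
    PHP string lengths are byte counts, so parsing works on UTF-8 bytes."""
    data = text.encode("utf-8")

    def parse(pos):
        tag = data[pos:pos + 1]
        if tag == b"N":                                  # N;
            return None, pos + 2
        if tag in (b"i", b"b"):                          # i:12;  b:1;
            end = data.index(b";", pos)
            n = int(data[pos + 2:end])
            return (bool(n) if tag == b"b" else n), end + 1
        if tag == b"s":                                  # s:5:"hello";
            colon = data.index(b":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2                            # skip :"
            value = data[start:start + length]
            if data[start + length:start + length + 2] != b'";':
                raise ValueError(f"bad string at {pos}")
            return value.decode("utf-8"), start + length + 2
        if tag == b"a":                                  # a:2:{k;v;k;v;}
            colon = data.index(b":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                              # skip :{
            items = []
            for _ in range(count):
                key, pos = parse(pos)
                val, pos = parse(pos)
                items.append((key, val))
            if data[pos:pos + 1] != b"}":
                raise ValueError(f"unterminated array at {pos}")
            if all(k == i for i, (k, _) in enumerate(items)):   # PHP list
                return [v for _, v in items], pos + 1
            return dict(items), pos + 1
        raise ValueError(f"unsupported or truncated data at {pos}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing data after serialized value")
    return value


def parse_row(row):
    """Split one `| id | configuration_id | direction | priority | object |`
    line; returns None for header/separator lines."""
    cells = [c.strip() for c in row.strip().strip("|").split("|", 4)]
    if len(cells) != 5 or not cells[0].isdigit():
        return None
    return int(cells[0]), int(cells[1]), cells[4]


def audit_rules(rows, expected=EXPECTED_PORTS):
    """Return (id, configuration_id, class, ports) for each service rule whose
    ports differ from the expected set, and for rows that fail to decode
    (class "<unparseable>"), so a truncated export cannot hide a bad rule."""
    findings = []
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        rule_id, config_id, obj = parsed
        try:
            rule = php_unserialize(obj)
            if not isinstance(rule, dict):
                raise ValueError("object is not an array")
        except ValueError:
            findings.append((rule_id, config_id, "<unparseable>", []))
            continue
        if rule.get("type") != "service":
            continue                 # custom rules carry whatever the admin chose
        want = expected.get(rule.get("class"))
        got = set(rule.get("ports") or [])
        if want is not None and got != want:
            findings.append((rule_id, config_id, rule["class"], sorted(got)))
    return findings


def fix_command(rule_id, port):
    """The correction the developers posted, for a single-port service rule."""
    return ("/usr/local/psa/bin/modules/firewall/settings "
            f"--set-rule -id {rule_id} -ports {port}")


if __name__ == "__main__":
    rows = sys.stdin.read().splitlines() if "-" in sys.argv[1:] else SAMPLE_ROWS
    for rule_id, config_id, cls, ports in audit_rules(rows):
        print(f"rule {rule_id} (configuration {config_id}): class={cls} ports={ports}")
        want = EXPECTED_PORTS.get(cls, set())
        if len(want) == 1:
            print("  suggested fix:", fix_command(rule_id, next(iter(want))))
```

Run it without arguments to see the constructed sample flag rule 750 and the cut-off row 809; on a real server pipe the table in with `plesk db show module_firewall_rules | python3 audit_rules.py -`, and remember that only the rules in the editable configuration (configuration 2 in the developers' reply) are worth editing with `--set-rule`, after which the firewall changes still have to be applied.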
 
OK, thanks a lot.
I agree that this might have happened through my transfer activities.

@Kurt Ludikovsky

Please inspect the following file:

/opt/psa/var/modules/firewall/firewall-active.sh

and just run the command: grep -i 22 /opt/psa/var/modules/firewall/firewall-active.sh

If there was an issue with the firewall, then that issue can also (still) be present in that specific script (or even originating from that script).

You should have no differences between the results of the aforementioned command and the input/output from the Plesk Firewall UI.

Kind regards....
 