Resolved Plesk Obsidian Ports

[Marcelo Mella]

In the documentation, is posible to find the list of ports to be open in the firewall for Plesk to receive conections. (Inbound Conections)
But what ports should be open for Plesk outbound conections. Closing some outbound ports may mitigate some exploits if a malware happens to infect a site

 

[Bitpalast]

All ports that are open inbound also need to be open outbound. If you are thinking about limiting outbound ports in the ephemeral port range: Don't, it won't work. Your idea is good, but in reality malware is simply creating web server requests or sending mail just as ordinary processes do.

 

[Marcelo Mella]

Thanks Peter
I'm not sure if i have a malware or something, but i received a notification with this log:

* Log Extract:

<<<
2021-11-09 06:30:50 +0000

{
"PORT HIT": "52.42.105.162:41624->31.#.#.153:60412",
"MESSAGES": "Array
(
[06:30:48+0] => Unable to parse invalid request-line
[06:30:48+1] => Accept: text/html,application/xhtml+xml,application/xml
[06:30:48+2] => Accept-Language: es,es-CL,en-US,en;q=0.8
[06:30:48+3] =>
)
"
}
>>>

Any ideas in how i can analyze and make corrective actions?

 

[Bitpalast]

That's not enough data to make a plan. Where does this notification originate and what does it claim what's wrong?

 

[Marcelo Mella]

I've Plesk installed in a EC2 instance on AWS. And thats all the info they sent me. I asked for more as soon as i received that e-mail, and waiting for they reply

 

[Nik G]

hello @Marcelo Mella ,
as I understand somebody from 52.42.105.162:41624 tries to connect to your server at 31.#.#.153 to port 60412
is that correct ?

anyway, Plesk does not use port 41624 or 60412 as destination for connect.

Ports Used by Plesk

On servers protected by a firewall, the following ports must not be blocked to ensure proper operation of Plesk and a...

docs.plesk.com

(but I guess You found it)

Plesk should be allowed to connect to ka.plesk.com for operations regarding your licenses.

all other connections not strictly required for Plesk itself.

to send outgoing mail you need to allow tcp ports 25, 465, 587

also there may be connections to firehose.us-west-2.amazonaws.com (this is for anonymized statistic collection for product improvement)
you can read more about this here


but in general I agree with Peter, that there's not enough info for analysis.

 

[Marcelo Mella]

No, my Plesk installation is on 52.#.#.162
It is connecting from port 41624 to 31.#.#.153 to port 60412

I replied to AWS, saying i have update Plesk and run Imunify360 and Sucuri Scanner and they seem to be ok with that, as corrective actions
So i'm completely lost here

 

[Bitpalast]

There is not necessarily anything wrong with such connections. For example a website might look for an update of its software on an external server or it might try to import data from somewhere. It is possible that a website is abused for attacking another server, but the traffic is difficult to sort out from regular transactions. As long as noone else complains, high loads or traffic can be seen or software like Imunify360 finds malware, you'll probably be o.k.

 

[Marcelo Mella]

Thanks Peter