
psa-firewall vulnerable to smurf/fraggle attacks

Mu-host.com (Guest)
Hello,

I've had lots of problems with DOS/DDOS attacks in the past months, and I finally tore out the psa-firewall module and am now running a manually configured iptables setup, and everything seems to be working OK for now. For instance, the psa-firewall module obviously allows all types of ICMP requests, including code 9/13, which can be used to bring the entire machine into a non-responsive state. It would be good to have more configurable options for these things; for instance, say I would want to deny all ICMP except for echo-response and echo-reply, that's impossible with the current configuration.

What I'd like to see in the psa-firewall module is the option to add post and pre scripts to it that get included in the generated firewall configuration file /usr/local/psa/var/modules/*

Also, it would be good to have some type of option directly in the firewall configuration screen that allows me to turn on/off settings like:

/sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0

/sbin/sysctl -w net.ipv4.conf.all.forwarding=0

/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

For instance.
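The ICMP allow-list and sysctl settings the post asks for, written out as an added example (not code from the thread or from Plesk). It assumes a Linux host with iptables; it keeps echo-request and echo-reply plus the two ICMP error types a host needs for path MTU discovery, which goes slightly beyond the post, and only applies anything when run as root with --apply.

```shell
#!/bin/sh
# Added example: print (and optionally apply) an ICMP allow-list plus the
# sysctl hardening from the post. Chain name INPUT and the rate limits are
# assumptions, not values from the thread.

# Sysctl settings quoted in the post, one key=value per line.
SYSCTLS="net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.forwarding=0
net.ipv4.icmp_echo_ignore_broadcasts=1"

# ICMP types that stay permitted. echo-request/echo-reply as the post wants;
# destination-unreachable (3) and time-exceeded (11) are added so that
# PMTU discovery and traceroute keep working (assumption, beyond the post).
KEEP_ICMP="echo-request echo-reply destination-unreachable time-exceeded"

# Emit the rule set instead of applying it, so it can be reviewed first.
gen_rules() {
    echo "$SYSCTLS" | while read -r kv; do
        echo "/sbin/sysctl -w $kv"
    done
    for t in $KEEP_ICMP; do
        # Rate-limit even the permitted types; packets over the limit fall
        # through to the final DROP rather than being accepted.
        echo "iptables -A INPUT -p icmp --icmp-type $t -m limit --limit 10/s --limit-burst 20 -j ACCEPT"
    done
    # Every other ICMP type (router advertisement 9, timestamp 13, ...) is dropped.
    echo "iptables -A INPUT -p icmp -j DROP"
}

# Sanity check: how many ICMP types does the generated set allow?
count_allowed_icmp() {
    gen_rules | grep -c -- '--icmp-type'
}

if [ "${1:-}" = "--apply" ]; then
    gen_rules | sh        # needs root; applies sysctl and iptables for real
else
    gen_rules             # default: just show what would be applied
fi
```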
 
Well, yes, their default install is pretty sparse as to what it blocks....

Their limited interface has been a topic of discussion before.

Personally, I maintain my own IPTABLES files, that way I *know* what is being blocked, and since I edit the file directly, there are no limitations in what I can put into the file....
 
Is the firewall module running ipchains or iptables? I know RTFM, but I was in here anyway...
 
Originally posted by are_eye_see_kay
Is the firewall module running ipchains or iptables? I know RTFM, but I was in here anyway...

iptables as far as I know, at least on Linux, dunno about what it uses for FreeBSD though.
 
I figured it was iptables, but I'm trying to set up remote syslog for it, because I'm a bit of a control freak, and I can't find any of the config files I need to get to, to get the syslog working.
 
Plesk firewall does not store its config in files, it stores it in the database as blobs...
 
So then I guess the best idea would be to unload the firewall module, and install and manage my own. That way Plesk can blame more problems on the user. Why have the thing at all? It's barely configurable, and you can't monitor it. If I didn't host my own servers, I'd be really scared. The module is a good idea, it's just not ready for real use yet.
 
That's why I decided to dump it after only about 10 minutes of looking at it..... :)
 
Originally posted by are_eye_see_kay
So then I guess the best idea would be to unload the firewall module, and install and manage my own. That way Plesk can blame more problems on the user. Why have the thing at all? It's barely configurable, and you can't monitor it. If I didn't host my own servers, I'd be really scared. The module is a good idea, it's just not ready for real use yet.

Precisely my idea. I uninstalled it about a year ago, and ever since, my firewall actually works. :) It's a sweet idea, but they've added some pretty freaky default configuration options as well as not allowing any type of custom additions to the firewall. What happens is that the firewall module saves down an actual config file, but this file is modified each time you change the firewall configuration, so it's useless to try to add an include or something to it. That's what really threw me off, so I stopped using it.
 
This is the first time I've even considered it, so I was just looking through it, and I really can't believe this is what they put out as a "value added" feature. They would have been better off writing yet another API that doesn't work, to tie iptables/ipchains, or anything else, into the interface. That way when we upgraded the firewall they could shed all responsibility for the way it works, and we would all feel at home. The reason I was looking at this is that I've way outgrown my current firewall, and I was looking for a server to server solution rather than a border firewall. My firewall does a great job, but it's getting a little tough to grow the network around it. I was looking at the "how to secure your plesk server" thread the other day (I check it for updates on a pretty regular basis), and I saw a recommended firewall in there, but I haven't looked at it yet. I'm guessing now might be the time...
 