
psa-firewall vulnerable to smurf/fraggle attacks

Discussion in 'Plesk for Linux - 8.x and Older' started by Mu-host.com, Jun 11, 2005.

  1. Mu-host.com

    Mu-host.com Guest

    0
     
    Hello,

    I've had lots of problems with DOS/DDOS attacks in the past months, and I finally tore out the psa-firewall module and am now running a manually configured iptables setup and everything seems to be working OK for now. For instance, the psa-firewall module obviously allows all types of ICMP requests, including code 9/13, which can be used to bring the entire machine into a non-responsive state. It would be good to have more configurable options for these things; for instance, say I would want to deny all ICMP except for echo-response and echo-reply, that's impossible with the current configuration.

    What I'd like to see in the psa-firewall module is the option to add post and pre scripts to it that get included in the generated firewall configuration file /usr/local/psa/var/modules/*

    Also, it would be good to have some type of option directly in the firewall configuration screen that allows me to turn on/off settings like:

    /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0

    /sbin/sysctl -w net.ipv4.conf.all.forwarding=0

    /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

    For instance.
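As an added example (not code from the thread or from Plesk), the following POSIX shell script turns the approach in the post above into something reviewable: it prints an iptables ruleset that drops all ICMP except the few types a host needs, and it audits `sysctl -a` output against the three sysctl settings listed. It goes beyond the echo-only policy described (read here as echo-request/echo-reply, an assumption) by also keeping destination-unreachable and time-exceeded, since dropping those breaks path-MTU discovery and traceroute; the `icmp_rules` and `audit_sysctls` function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Plesk: emit an iptables ICMP
# policy for review and audit the sysctl values the first post lists.
# Nothing here changes the running kernel unless invoked with "show".

# Hardening keys taken from the post, each with the value it should hold.
HARDENED_SYSCTLS="net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.forwarding=0
net.ipv4.icmp_echo_ignore_broadcasts=1"

# Print iptables commands that accept only the ICMP types a host needs:
# echo-reply, destination-unreachable (carries fragmentation-needed, which
# path-MTU discovery relies on), time-exceeded, and rate-limited echo-request.
# Every other type (router advertisement, timestamp request, ...) is dropped.
icmp_rules() {
    for t in echo-reply destination-unreachable time-exceeded; do
        echo "iptables -A INPUT -p icmp --icmp-type $t -j ACCEPT"
    done
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT"
    echo "iptables -A INPUT -p icmp -j DROP"
}

# Read "key = value" lines (the format of `sysctl -a`) on stdin and compare
# them with HARDENED_SYSCTLS. Prints one line per mismatch; returns 1 if any.
audit_sysctls() {
    input=$(cat)
    rc=0
    for want in $HARDENED_SYSCTLS; do
        key=${want%%=*}
        val=${want#*=}
        have=$(printf '%s\n' "$input" | awk -v k="$key" -F' *= *' '$1 == k { print $2 }')
        if [ "$have" != "$val" ]; then
            echo "$key: have ${have:-unset}, want $val"
            rc=1
        fi
    done
    return $rc
}

# `sh icmp_policy.sh show` prints the rules and audits the live kernel.
if [ "$1" = "show" ]; then
    icmp_rules
    sysctl -a 2>/dev/null | audit_sysctls && echo "sysctl hardening: OK"
fi
```

Run the printed rules only after reviewing them against the rest of the ruleset; the audit reports each key whose live value differs from the hardened one, including keys that are absent.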
     
  2. jamesyeeoc

    jamesyeeoc Guest

    0
     
    Well, yes, their default install is pretty sparse as to what it blocks....

    Their limited interface has been a topic of discussion before.

    Personally, I maintain my own IPTABLES files, that way I *know* what is being blocked, and since I edit the file directly, there are no limitations in what I can put into the file....
     
  3. are_eye_see_kay

    are_eye_see_kay Guest

    0
     
    Is the firewall module running ipchains or iptables? I know RTFM, but I was in here anyway...
     
  4. Mu-host.com

    Mu-host.com Guest

    0
     
    iptables as far as I know, at least on Linux, dunno about what it uses for FreeBSD though.
     
  5. are_eye_see_kay

    are_eye_see_kay Guest

    0
     
    I figured it was iptables, but I'm trying to set up remote syslog for it, because I'm a bit of a control freak, and I can't find any of the config files I need to get to to get the syslog working
     
  6. jamesyeeoc

    jamesyeeoc Guest

    0
     
    Plesk firewall does not store its config in files, it stores it in the database as blobs...
     
  7. are_eye_see_kay

    are_eye_see_kay Guest

    0
     
    So then I guess the best idea would be to unload the firewall module, and install and manage my own. That way Plesk can blame more problems on the user. Why have the thing at all? It's barely configurable, and you can't monitor it. If I didn't host my own servers, I'd be really scared. The module is a good idea, it's just not ready for real use yet.
     
  8. jamesyeeoc

    jamesyeeoc Guest

    0
     
    That's why I decided to dump it after only about 10 minutes of looking at it..... :)
     
  9. Mu-host.com

    Mu-host.com Guest

    0
     
    Precisely my idea. I uninstalled it about a year ago, and ever since, my firewall actually works. :) It's a sweet idea, but they've added some pretty freaky default configuration options as well as not allowing any type of custom additions to the firewall. What happens is that the firewall module saves down an actual config file, but this file is modified each time you change the firewall configuration, so it's useless to try to add an include or something to it. That's what really threw me off, so I stopped using it.
     
  10. are_eye_see_kay

    are_eye_see_kay Guest

    0
     
    This is the first time I've even considered it, so I was just looking through it, and I really can't believe this is what they put out as a "value added" feature. They would have been better off writing yet another API that doesn't work, to tie iptables/ipchains, or anything else, into the interface. That way when we upgraded the firewall they could shed all responsibility for the way it works, and we would all feel at home. The reason I was looking at this is that I've way outgrown my current firewall, and I was looking for a server to server solution rather than a border firewall. My firewall does a great job, but it's getting a little tough to grow the network around it. I was looking at the "how to secure your plesk server" thread the other day (I check it for updates on a pretty regular basis), and I saw a recommended firewall in there, but I haven't looked at it yet. I'm guessing now might be the time...
     