Resolved Restricting Administrative Access | What file on Apache if need to change IP?

Chrisa

Greetings,

If you needed to SSH into Linux and change the IP address set in "Restricting Administrative Access", what file would be the target?

I understand this is accessible from Plesk I/F but, for instance, if you had to change your home router and the IP changed, you would be locked out of Plesk admin.

I checked the config files listed here but could not find anything:
https://kb.plesk.com/en/111283#plesk

Thanks

Edit: Whoops! I accidentally locked Plesk admin. I attempted to add my IP address as a network and now I have no access from several IPs from two different networks? I'm confused. Even if I got my logic backward and locked myself out, I should have been able to get in on an IP from a totally different network?

Is this recoverable from the Ubuntu command line?

Any thoughts would be appreciated, I'd hate to reimage that VPS.
Thanks

Edit: Add Details
Plesk v12.5.30
Ubuntu 14.04.4 LTS
 
Hi Igor

Thanks for your response. I followed the article but I'm still locked out of admin. Here's what I did:

I created a file called rest.xml which contains:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<admin-access-restrictions>
<restriction-item ip-subnet-mask="255.255.255.255" ip-address="X.X.X.X" type="allow"/>
</admin-access-restrictions>

(where X.X.X.X is my IP address)

Code:
# /usr/local/psa/bin/admin --set-admin-access-restrictions rest.xml
# MYSQL_PWD=`cat /etc/psa/.psa.shadow` mysql -u admin psa -e'update misc set val="allow" where param="access_policy"'
# MYSQL_PWD=`cat /etc/psa/.psa.shadow` mysql -u admin psa -e'select * from misc where param="access_policy"'

I received the same response as in the article:
Code:
+---------------+-------+
| param         | val   |
+---------------+-------+
| access_policy | allow |
+---------------+-------+

But still:
"Error: Access for administrator from address 'X.X.X.X' is restricted in accordance with IP Access restriction policy currently applied."

Now the article is for Plesk 10/11.5; I am on the latest 12.5.30, if that makes a difference (sorry, I should have indicated this at the start).


What I don't understand is if I did get my logic backwards and locked myself out instead of everyone else, why am I not able to gain access with other IP addresses? Does this feature work in 12.5.30?

Thanks
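
An added example, not part of the original post or the Plesk article: a pre-flight check for a restriction file in the format shown above, confirming that every entry parses and listing the entries that cover the address you will connect from. The sample file, its addresses and the function names are constructed for illustration, and the check does not model how Plesk combines entries with access_policy.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the format shown in the post; the addresses are
# documentation ranges (RFC 5737), not values from the thread.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<admin-access-restrictions>
<restriction-item ip-subnet-mask="255.255.255.255" ip-address="203.0.113.7" type="allow"/>
<restriction-item ip-subnet-mask="255.255.255.0" ip-address="198.51.100.0" type="allow"/>
</admin-access-restrictions>"""


def load_items(xml_text):
    """Return [(network, type)]; raise ValueError naming a bad entry."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "admin-access-restrictions":
        raise ValueError("unexpected root element: %s" % root.tag)
    items = []
    for el in root.iter("restriction-item"):
        addr, mask = el.get("ip-address"), el.get("ip-subnet-mask")
        try:
            # strict=False tolerates host bits set in a network entry
            net = ipaddress.ip_network("%s/%s" % (addr, mask), strict=False)
        except ValueError:
            raise ValueError("bad address or mask: %s/%s" % (addr, mask))
        items.append((net, el.get("type")))
    return items


def entries_covering(xml_text, client_ip):
    """List (network, type) for every entry that contains client_ip."""
    ip = ipaddress.ip_address(client_ip)
    return [(str(net), kind) for net, kind in load_items(xml_text) if ip in net]


if __name__ == "__main__":
    # An empty list means no entry in the file covers this address.
    print(entries_covering(SAMPLE_XML, "198.51.100.42"))
```

A file that still contains a placeholder such as X.X.X.X fails in load_items before it is ever passed to the admin utility.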
 
Hi Chrisa,

Please note that if you use Fail2Ban and/or WAF, you might be blocked via iptables. Consider whitelisting your IP there as well, and check "iptables -L" on the command line.
 
Hi UFHH01,

Thanks for your response. I checked the IP tables and did not see my IP listed.
I am using Fail2Ban but not WAF/ModSecurity.

Are you suggesting that when I added my IP to the "Restrict Administrative Access" that it wrote to Fail2Ban? Also, I should add that I previously had my IP in Trusted IP Addresses of Fail2Ban, so shouldn't that be enough to rule out Fail2Ban?

This must have happened before, I can't be the 1st person in 12.5.30 to lock myself out;)

And the unanswered question is: If I did lock out my IP address then why do IP addresses from different networks also receive the same message?

Note: Just to clarify this message comes directly from the Plesk web admin edition I/F, I'm not being blocked by apache or anything else. If I enter the wrong password Plesk knows this and the message changes, enter the correct password and it changes to the access restriction error.

Thanks

Edit: I did a stare and compare of the "iptables -L".
In the locked out system, I see 11 entries at the start that are f2b- (Fail2Ban entries I presume).
On the unlocked system, I do see my IP under INPUT.

So I guess I just need to figure out how to re-add those entries to the iptables and I should be good?
 
Hi Chrisa,

well... you seem "to play around" with some configurations/modifications/settings, which may lead to failures/issues/problems when testing it, which could be banned in one of your active jails - that's why I mentioned it.

And the unanswered question is: If I did lock out my IP address then why do IP addresses from different networks also receive the same message?
Well, they are not TESTING it, I suppose, so they don't hit the defined number of allowed attempts, until they may get banned. In test - situation, you might test a site/app not only once or twice, but as well 10-20 times in a short time, which will never happen with one of your visitors/customers.
 
Hi UFHH01,

I must not be explaining myself very well. Let me try and clarify.

If I did lock out my IP address then why do IP addresses from different networks also receive the same message?
1. I entered my IP in Plesk 'Restrict Administrative Access' (now I'm locked out plesk admin).
2. I changed my IP address so that I am no longer me, I'm on a different network altogether. I tried to connect to plesk/admin and I'm also locked out on this new IP address? (this part puzzles me)

Your comment:
Well, they are not TESTING it, I suppose, so they don't hit the defined number of allowed attempts, until they may get banned. In test - situation, you might test a site/app not only once or twice, but as well 10-20 times in a short time, which will never happen with one of your visitors/customers.

doesn't seem to apply to the above scenario so I'm really not sure what you are trying to say?


Now as far as:
you seem "to play around"
Actually, what I am trying to do is secure the website environment according to Plesk guidelines.
Plesk security best practices, https://kb.plesk.com/en/114620. (this is step #2)

Is it possible you are pre-judging me? Or maybe I should be asking these questions in another forum?

It's true I am learning Plesk, but I am not in any way new to technology or new to learning.

I honestly do not think that this 'problem' needs to be this complicated. Like I said, I can't be the 1st person to lock themselves out of Plesk admin.
I would have thought it would have been a simple matter to direct me to the appropriate Plesk documentation necessary to complete the task (note: I thoroughly checked the 12.5.30 admin guide and searched online before even posting).

If anyone can help my question still stands,....
 
Hi Chrisa,

Sorry that you seem to misunderstand me; I had and have never intended to insult in any form, or to judge anyone at all. If you interpret my answers in a completely wrong way, it might be better if someone else takes the time to respond to you. ;)
 
Hi UFHH01,
You did not offend me. In fact your iptables idea was the tip I needed to get back in.;)

After learning a bit about iptables. (This was quick and showed me what I needed to know) -> https://www.digitalocean.com/commun...-up-a-firewall-using-iptables-on-ubuntu-14-04
I flushed my iptable and came back in through a new IP (via hotspotshield) - that was enough to get back into admin.

So thank you for helping to provide a solution.

(When I tried to clarify the 'play around' comment, it was to show that I had only changed one thing, according to the documentation, not 'play around' with many settings randomly, which is a troubleshooter's nightmare.)

thanks again
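
For the iptables check discussed in this thread, an added example (not code from any poster): it searches an `iptables -S` rule listing for REJECT/DROP rules in `f2b-` chains whose source covers a given address. The sample listing, chain names and addresses are constructed, and the function name is hypothetical.

```python
import ipaddress
import re

# Constructed `iptables -S` output for illustration; chain names and
# addresses are made up (RFC 5737 documentation ranges).
SAMPLE_RULES = """\
-P INPUT ACCEPT
-N f2b-plesk-panel
-N f2b-ssh
-A INPUT -p tcp -m multiport --dports 8443,8880 -j f2b-plesk-panel
-A INPUT -p tcp -m multiport --dports 22 -j f2b-ssh
-A f2b-plesk-panel -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-plesk-panel -j RETURN
-A f2b-ssh -s 198.51.100.0/24 -j DROP
-A f2b-ssh -j RETURN
"""

# `-S` prints sources numerically; `iptables -L` without `-n` prints
# reverse-DNS names where they resolve, so an IP search can miss a rule.
RULE = re.compile(r"^-A (\S+) .*?-s (\S+) .*?-j (REJECT|DROP)\b")


def blocking_rules(rules_text, client_ip, chain_prefix="f2b-"):
    """Return (chain, source, target) for each REJECT/DROP rule in a
    chain with the given prefix whose source network contains client_ip."""
    ip = ipaddress.ip_address(client_ip)
    hits = []
    for line in rules_text.splitlines():
        m = RULE.match(line)
        if not m or "! -s" in line:  # skip negated source matches
            continue
        chain, source, target = m.groups()
        net = ipaddress.ip_network(source, strict=False)
        if chain.startswith(chain_prefix) and ip in net:
            hits.append((chain, source, target))
    return hits


if __name__ == "__main__":
    # On a live server, pass in the real listing instead (needs root):
    #   subprocess.check_output(["iptables", "-S"], text=True)
    for hit in blocking_rules(SAMPLE_RULES, "203.0.113.7"):
        print(hit)
```

Once the chain is known, `fail2ban-client set <jail> unbanip <ip>` removes that single ban and leaves the rest of the rule set in place, whereas a flush removes every rule.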
 