• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Restricting Administrative Access | What file on Apache if need to change IP?

Chrisa

Basic Pleskian
Greetings,

If you needed to ssh into linux and change the IP address set in "Restricting Administrative Access" what file would be the target?

I understand this is accessible from Plesk I/F but, for instance, if you had to change your home router and the IP changed, you would be locked out of Plesk admin.

I checked the config files listed here but could not find anything:
https://kb.plesk.com/en/111283#plesk

Thanks

Edit: Whoops! I accidentally locked Plesk admin. I attempted to add my IP address as a network and now I have no access from several IPs from two different networks? I'm confused. Even if I got my logic backward and locked myself out, I should have been able to get in on an IP from a totally different network?

Is this recoverable from ubuntu command line ?

Any thoughts would be appreciated, I'd hate to reimage that VPS.
Thanks

Edit: Add Details
Plesk v12.5.30
Ubuntu 14.04.4 LTS
 
Last edited:
Hi Igor

Thanks for your response. I followed the article but I'm still locked out of admin. Here's what I did:

I created a file called rest.xml which contains:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<admin-access-restrictions>
<restriction-item ip-subnet-mask="255.255.255.255" ip-address="X.X.X.X" type="allow"/>
</admin-access-restrictions>

(where X.X.X.X is my IP address)

Code:
# /usr/local/psa/bin/admin --set-admin-access-restrictions rest.xml
# MYSQL_PWD=`cat /etc/psa/.psa.shadow` mysql -u admin psa -e'update misc set val="allow" where param="access_policy"'
# MYSQL_PWD=`cat /etc/psa/.psa.shadow` mysql -u admin psa -e'select * from misc where param="access_policy"'

I received the same response as in the article:
Code:
+---------------+-------+
| param         | val   |
+---------------+-------+
| access_policy | allow |
+---------------+-------+

But still:
"Error: Access for administrator from address 'X.X.X.X' is restricted in accordance with IP Access restriction policy currently applied."

Now the article is for Plesk 10/11.5, I am on the latests 12.5.30 if that makes a difference (sorry I should have indicated this at the start).


What I don't understand is if I did get my logic backwards and locked myself out instead of everyone else, why am I not able to gain access with other IP addresses? Does this feature work in 12.5.30?

Thanks
 
Last edited:
Hi Chrisa,

please note, that if you use Fail2Ban or/and WAF, you might be blocked over iptables. Consider to whitelist your IP there as well and check "iptables -L" over the command line.
 
Hi UFHH01,

Thanks for your response. I checked the IP tables and did not see my IP listed.
I am using Fail2Ban but not WAF/ModSecurity.

Are you suggesting that when I added my IP to the "Restrict Administrative Access" that it wrote to Fail2Ban? Also, I should add that I previously had my IP in Trusted IP Addresses of Fail2Ban, so shouldn't that be enough to rule out Fail2Ban?

This must have happened before, I can't be the 1st person in 12.5.30 to lock myself out;)

And the unanswered question is: If I did lock out my IP address then why do IP addresses from different networks also receive the same message?

Note: Just to clarify this message comes directly from the Plesk web admin edition I/F, I'm not being blocked by apache or anything else. If I enter the wrong password Plesk knows this and the message changes, enter the correct password and it changes to the access restriction error.

Thanks

Edit: I did a stare and compare of the "iptables -L".
In the locked out system, I see 11 entries at the start that are f2b- (Fail2Ban entries I presume).
On the unlocked system, I do see my IP under INPUT.

So I guess I just need to figure out how to readd those entries to the iptables and I should be good?
 
Last edited:
Hi Chrisa,

well... you seem "to play around" with some configurations/modifications/settings, which may lead to failures/issues/problems when testing it, which could be banned in one of your active jails - that's why I mentioned it.

And the unanswered question is: If I did lock out my IP address then why do IP addresses from different networks also receive the same message?
Well, they are not TESTING it, I suppose, so they don't hit the defined number of allowed attempts, until they may get banned. In test - situation, you might test a site/app not only once or twice, but as well 10-20 times in a short time, which will never happen with one of your visitors/customers.
 
Hi UFHH01,

I must not be explaining myself very well. Let me try and clarify.

If I did lock out my IP address then why do IP addresses from different networks also receive the same message?
1. I entered my IP in Plesk 'Restrict Administrative Access' (now I'm locked out plesk admin).
2. I changed my IP address so that I am no longer me, I'm on a different network altogether. I tried to connect to plesk/admin and I'm also locked out on this new IP address? (this part puzzles me)

Your comment:
Well, they are not TESTING it, I suppose, so they don't hit the defined number of allowed attempts, until they may get banned. In test - situation, you might test a site/app not only once or twice, but as well 10-20 times in a short time, which will never happen with one of your visitors/customers.

doesn't seem to apply to the above scenario so I'm really not sure what you are trying to say?


Now as far as:
you seem "to play around"
Actually what I am trying to do is secure the website environment according to plesk guidlines.
Plesk security best practices, https://kb.plesk.com/en/114620. (this is step #2)

Is it possible you are pre-judging me? Or maybe I should be asking these questions in another forum?

It's true I am learning plesk but I am not in anyway new to technology or new to learning.

I honestly do not think that this 'problem' need to be this complicated. Like I said, I can't be the 1st person to lock themselves out of plesk admin.
I would have thought it would have been a simply matter to direct me to the appropriate plesk documentation necessary to complete the task (note: I thoroughly checked the 12.5.30 admin guide and searched online before even posting).

If anyone can help my question still stands,....
 
Hi Chrisa,

sorry that you seem to misunderstand me, I had and have never intended to insult in any form, or to judge about anyone at all. If you interpret my answers in a completly wrong way, it might be better, if someone else takes the time to respond to you. ;)
 
Last edited by a moderator:
Hi UFHH01,
You did not offend me. In fact your iptables idea was the tip I needed to get back in.;)

After learning a bit about iptables. (This was quick and showed me what I needed to know) -> https://www.digitalocean.com/commun...-up-a-firewall-using-iptables-on-ubuntu-14-04
I flushed my iptable and came back in through a new IP (via hotspotshield) - that was enough to get back into admin.

So thank you for helping to provide a solution.

(When I tried to clarify the 'play around' comment it was to show that I had only changed one thing, according to the documentation, not 'play around' with many settings randomly, which is a trouble shooters nightmare.)

thanks again
 
Back
Top