Resolved SECURITY - attack surface : ports 7080 and 7081

[trialotto]

Username:

TITLE

SECURITY - attack surface : ports 7080 and 7081

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Product version: Plesk Obsidian 18.0.49.2
OS version: Ubuntu 18.04 x86_64
Build date: 2023/01/10 23:00
Revision: c825df0ebc392580c3443ca51b28c6cb88be266d

PROBLEM DESCRIPTION

PROBLEM 1 : ports 7080 and 7081 open and vulnerable for external attack

PROBLEM 2 : modsecurity overload

PROBLEM 3 : WordPress XMLRPC attacks via ports 7081 (not often on 7080) over HTTP/1.0

PROBLEM 4 : default Nginx config does not include a "deny all;" directive for xmlrpc.php calls

NOTE 1 : when having Nginx as reverse proxy, the usage of the "internal" directive closes connections, but does NOT prevent that connections are established

NOTE 2 : when running 3 servers, the average of blocked IPs was 5000 to 6000 unique IP addresses per 24 hours!!!!

STEPS TO REPRODUCE

1 - install WordPress and Modsecurity
2 - inspect the modsec_audit.log and count abusive IPs : grep -i 7081 /var/log/modsec_audit.log | wc -l

ACTUAL RESULT

A lot of blocked IPs, attempting to brute force WordPress installations one way or another.

EXPECTED RESULT

SOLUTION 1 : change Nginx default config to contain

location ~* /xmlrpc.php {
deny all;
#access_log configuration is optional;
}

at the vhost level ....... and please consider solution 2, since this directive is blocking all attempts (read: depending on which port Nginx is listening and which port is used to attack) and hence makes blocking aggressive and/or makes it more challenging to log all offending IPs and create a blocklist (read: to be used by Nginx).

SOLUTION 2 : add a throttle mechanism in the location directive, for instance of the kind

limit_req_zone $binary_remote_addr zone=one:15m rate=5r/s;

and please note that this is important, since this would offer a solution to the really fast brute force hack attempts and also would enable to create a blocklist (read: to be used by Nginx).

SOLUTION 3 : use Fail2Ban WITH INCREMENTAL BAN TIME ........ see my other bug report about the Web UI of Fail2Ban

ANY ADDITIONAL INFORMATION

IMPORTANT : the scripts are not really advanced, but please note that

- when blocking access to xmlrpc.php via Nginx : other brute force methods are immediately following
- when blocking those other methods : brute force actions become more severe and faster

IMPORTANT : using Fail2Ban (or even the Plesk firewall) as the only option to combat these types of brute forcing is not at all desirable! The vast amount of offending IPs would create big problems ...... and can cause system resource overusage of such a kind that one can break all defense mechanisms.

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug

 

[Peter Debik]

I've tested it and on my production machines with standard Plesk installations I was unable to connect to either port 7080 or 7081 from outside the server while at the same time it was possible to connect to 80 or 443. So it is not possible drive an attack through these ports from the outside. Naturally, doing the same from localhost can work, but that is a necessity to allow Apache to communicate with Nginx.

This is not a bug as neither 7080, nor 7081 can be addressed externally.

 

[mow]

I've tested it and on my production machines with standard Plesk installations I was unable to connect to either port 7080 or 7081 from outside the server while at the same time it was possible to connect to 80 or 443. So it is not possible drive an attack through these ports from the outside. Naturally, doing the same from localhost can work, but that is a necessity to allow Apache to communicate with Nginx.

This is not a bug as neither 7080, nor 7081 can be addressed externally.

Do you have the Plesk firewall active? It is not enabled by default.
And apache2 itself binds to any IP as visible with netstat, while in /etc/apache2/plesk.conf.d/ip_default or vhosts the domains are bound to the IPs, which is completely unnecessary for domains cached by nginx. If no domain is served by apache directly, it would suffice to bind to localhost only.

 

[trialotto]

I've tested it and on my production machines with standard Plesk installations I was unable to connect to either port 7080 or 7081 from outside the server while at the same time it was possible to connect to 80 or 443. So it is not possible drive an attack through these ports from the outside. Naturally, doing the same from localhost can work, but that is a necessity to allow Apache to communicate with Nginx.

This is not a bug as neither 7080, nor 7081 can be addressed externally.

@Peter Debik

This is not the correct way or method to reproduce the issue.

External "access" is passed on by Nginx by means of the "internal" directive, hence resulting in your conclusion : no connection possible.

However, that is a "false positive" conclusion.

Please follow the STR (Steps to Reproduce) and you will see a considerable number of attacks on ports 7081 (and some on 7080) logged in modsec_audit.log.

If you would have followed the STR, then there is hard evidence in the form of 5K to 6K per 24 hours (on average) of attacks on port 7081 (and 7080).

Kind regards....


PS The command

grep -in 7081 /var/log/modsec_audit.log

results in

2:[11/Apr/2023:00:02:59.030623 +0200] ZDSHk6@57XH06NHOUvL-ggAAAAE 172.104.133.177 35908 62.138.8.191 7081
42:[11/Apr/2023:00:19:15.887031 +0200] ZDSLYyKp7FcEwdaFodSdGQAAAAA 192.46.210.234 38244 62.138.8.191 7081
82:[11/Apr/2023:01:05:46.869550 +0200] ZDSWSl1ZYr@6Z24kcLuWxgAAAAQ 172.96.191.5 44956 62.138.8.191 7081
122:[11/Apr/2023:01:31:15.931503 +0200] ZDScQ-P@tELMxvGs4mB8FwAAAAI 192.46.210.234 48506 62.138.8.191 7081
162:[11/Apr/2023:01:50:16.813232 +0200] ZDSguK@57XH06NHOUvL-nwAAAAE 192.119.74.131 51112 62.138.8.191 7081
190:[11/Apr/2023:04:09:42.655849 +0200] ZDTBZoYhmwwtW@K30ELbqAAAAAw 185.104.44.103 43690 62.138.8.191 7081
231:[11/Apr/2023:05:30:18.185683 +0200] ZDTUSvP@tELMxvGs4mB8QwAAAAI 188.127.225.2 55560 62.138.8.191 7081
272:[11/Apr/2023:06:37:38.178265 +0200] ZDTkEt5DVosvEThTJC9aPAAAAAM 192.119.74.136 37028 62.138.8.191 7081
300:[11/Apr/2023:07:15:46.831545 +0200] ZDTtApPSAe2zmo9V7HhCHAAAAAc 94.237.64.132 42982 62.138.8.191 7081
340:[11/Apr/2023:07:40:49.143169 +0200] ZDTy4d5DVosvEThTJC9aQgAAAAM 160.16.237.173 46478 62.138.8.191 7081
371:[11/Apr/2023:08:36:32.324824 +0200] ZDT-8IYhmwwtW@K30ELbxwAAAAw 167.99.232.86 54232 62.138.8.191 7081
411:[11/Apr/2023:08:48:33.376268 +0200] ZDUCwSKp7FcEwdaFodSdbQAAAAA 18.211.33.91 55940 62.138.8.191 7081
451:[11/Apr/2023:10:21:01.723749 +0200] ZDUYbd5DVosvEThTJC9aWgAAAAM 103.74.121.5 40824 62.138.8.191 7081
492:[11/Apr/2023:10:44:21.867014 +0200] ZDUd5ZPSAe2zmo9V7HhCPAAAAAc 92.204.146.118 44178 62.138.8.191 7081
532:[11/Apr/2023:10:46:11.869592 +0200] ZDUeU7Vtjjq0N6FnaQagZQAAAAY 92.118.39.109 44434 62.138.8.191 7081
561:[11/Apr/2023:11:05:57.267579 +0200] ZDUi9d5DVosvEThTJC9aYwAAAAM 64.62.197.229 47162 62.138.8.191 7081
590:[11/Apr/2023:11:38:51.656491 +0200] ZDUqqyKp7FcEwdaFodSdigAAAAA 185.25.117.82 51816 62.138.8.191 7081
631:[11/Apr/2023:12:48:20.640600 +0200] ZDU69F1ZYr@6Z24kcLuXLQAAAAQ 149.210.223.122 33358 62.138.8.191 7081
671:[11/Apr/2023:12:53:07.390366 +0200] ZDU8E95DVosvEThTJC9abQAAAAM 95.214.25.59 34012 62.138.8.191 7081
704:[11/Apr/2023:12:53:08.264119 +0200] ZDU8FPP@tELMxvGs4mB8egAAAAI 95.214.25.59 34016 62.138.8.191 7081
734:[11/Apr/2023:12:53:08.851372 +0200] ZDU8FIYhmwwtW@K30ELb7QAAAAw 95.214.25.59 34020 62.138.8.191 7081
767:[11/Apr/2023:13:13:53.335612 +0200] ZDVA8SKp7FcEwdaFodSdmAAAAAA 192.119.74.131 37044 62.138.8.191 7081
799:[11/Apr/2023:13:43:42.691719 +0200] ZDVH7iKp7FcEwdaFodSdmwAAAAA 188.127.225.2 41192 62.138.8.191 7081

EVEN after having 3299 blocked bad IPs in a separate Nginx file that denies full access for individual bad IPs.

 

[trialotto]

Do you have the Plesk firewall active? It is not enabled by default.
And apache2 itself binds to any IP as visible with netstat, while in /etc/apache2/plesk.conf.d/ip_default or vhosts the domains are bound to the IPs, which is completely unnecessary for domains cached by nginx. If no domain is served by apache directly, it would suffice to bind to localhost only.

@mow

If I am not mistaken and not reading your post wrongly, then you have a valid point : the Apache config can be simplified and more secure when Nginx is used as a full proxy with sufficient security related config.

However, that is the theory that is not really coinciding with practical reality.

The problem or challenge here is that

1 - the Apache2 config is automatically generated and, for practical reasons, the current template is more desirable (for many reasons)

2 - the Nginx config is automatically generated ...... and that Nginx config captures most (but not all) of the request to the (web) server


In essence, Nginx config is more superior to Apache config, but Nginx config is also more prone to mistakes.

From that perspective, it is good to have a "full" Apache config (including server IPs), when assuming that Nginx has been configured properly.

In my humble opinion, Plesk Team should emphasize on strengthening the Nginx config.


Kind regards.....

 

[trialotto]

I've tested it and on my production machines with standard Plesk installations I was unable to connect to either port 7080 or 7081 from outside the server while at the same time it was possible to connect to 80 or 443. So it is not possible drive an attack through these ports from the outside. Naturally, doing the same from localhost can work, but that is a necessity to allow Apache to communicate with Nginx.

This is not a bug as neither 7080, nor 7081 can be addressed externally.

@Peter Debik

I think that @mow has made some valid points and, at the same time, has urged me to compare the Apache config with Nginx config.


I was already aware of the fact that the

location ~* xmlrpc.php { deny all; }

directive is a bit flawed, given the facts that

1 - it only applies to ssl requests and/or http2 requests and/or port 443 requests : all other requests are not intercepted by Nginx (!)

2 - it gives space to "attacks" to specific renamings of the xlmrpc file : this does not seem to be an issue if the renamed file is not present, but the attempt to attack is still present and will cause a workload for Nginx (read: not desirable)

and so on.

I also am aware of the fact that Nginx should not listen to specific ports, unless they are specified.

And there is the validity of the points made by @mow : the bad requests to port 7081, as logged in modsec_audit.log, seem to be targeted at Apache.

At least, that is the reasonable assumption here.


This assumption should be tested properly and one way to test is to first follow the STR, in order to get a list of bad IPs and hence (only) part of the proof.


However, following the STR will not provide conclusive proof, that is a possibility.

In fact, I am using a Fail2Ban jail that gathers bad IPs and puts them in a Nginx config file that deny those bad IPs AND a hosts.deny file.

In theory, if the bad requests are targeting the Apache level, then the (blocking) Nginx config file would not be sufficient to stop bad requests.

Conclusive proof can hence only be found by removing the hosts.deny file from the Fail2Ban jail actions.


If that conclusive proof provides evidence that the bad requests bypass Nginx and target Apache, then Apache config is not up to standard.


In short, a lot of things to do in order to solve this bug.

This bug actually requiring a solution for both Apache (read: should not accept the requests on ports 7081 and 7080) and Nginx (read: should be used as a proper proxy and intercept bad requests from those bad IPs on specific ports).


I hope that the above helps and clarifies the matter at hand!


Kind regards.....

 

[Peter Debik]

I am a bit lost of what is claimed as a bug.

I followed your STR on several production servers, but cannot reproduce any significant counts. It's more like 0.3/day since spring 2022. But I believe you that there is something you see.

And apache2 itself binds to any IP as visible with netstat, while in /etc/apache2/plesk.conf.d/ip_default or vhosts the domains are bound to the IPs, which is completely unnecessary for domains cached by nginx. If no domain is served by apache directly, it would suffice to bind to localhost only.

Is your argument that
<VirtualHost public-ip 127.0.0.1:7081>
<VirtualHost public-ip 127.0.0.1:7080>
should instead be
<VirtualHost 127.0.0.1:7081>
<VirtualHost 127.0.0.1:7080>

Why and why should the current configuration be considered a bug? What difference in general it makes if an attack is driven against port 80 or port 7080? Let's assume that your port 7080 can be addressed directly. Why is that more problematic than sending the same attack against port 80?

Do you have the Plesk firewall active?

Yes.

 

[trialotto]

@Peter Debik

I am assuming that you are partially responding to me and partially to @mow .

The statement

I followed your STR on several production servers, but cannot reproduce any significant counts. It's more like 0.3/day since spring 2022.

is a bit biased - and that is an understatement : you should not test on a normal production server that is hardened in many ways.

The whole point of proper testing is to take an "out-of-the-box" Plesk instance with a bare minimum of customization in terms of configuration.

For instance, Plesk + ModSec (on Apache) + Fail2Ban (no bans) would result in more than 6K (on average) of attacks BEFORE this thread was posted.
In comparison, Plesk + ModSec (on Apache) + Fail2Ban (limited ban period) would result in 3K (or less) of attacks BEFORE this thread was posted.

After this thread was posted and/or after applying some basic (and very simple) countermeasures, the number of attacks will decrease dramatically.

In some of my test servers, the simplest of countermeasures were resulting in less than 50 attacks per day.

In essence, that is the natural dynamics of (attempts to) attack : it changes continuously.

All of the above is also rather dependent on various other factors determining the outcome and conclusions of testing.

For instance, using OWASP ruleset in ModSec does not give the same result as the (better) Atomicorp based ruleset.

OWASP might be more strict in many situations, but it also fails to recognize specific types of attack attempts that are intercepted by Atomicorp rulesets.

So, that is another potential explanation here, besides the (obvious) explanation that you use (hardened) production servers.

Sure, I am aware of the fact that I make assumptions about your production servers, but I can think of these as "safe assumptions".


The statement / question

Is your argument that
<VirtualHost public-ip 127.0.0.1:7081>
<VirtualHost public-ip 127.0.0.1:7080>
should instead be
<VirtualHost 127.0.0.1:7081>
<VirtualHost 127.0.0.1:7080>

is not really applicable to Ubuntu, since for both Plesk versions 18.0.49.x and 18.0.51.x the Apache template states

<VirtualHost public-ip:7081 > or <VirtualHost public-ip:7080 >

so I am not sure where the Apache config <VirtualHost public-ip 127.0.0.1:708x > comes from .......is that default on other OSes?

Nevertheless, it should not really matter, it is just a question for the sake of convenience.


The statement

Why and why should the current configuration be considered a bug? What difference in general it makes if an attack is driven against port 80 or port 7080? Let's assume that your port 7080 can be addressed directly. Why is that more problematic than sending the same attack against port 80?

is correct, from the perspective of "attacks", but not from the perspective of "attack surface".

The essence of an attack is an attack - no matter which port - and you are right about that.

However, the essence of the alleged bug here is that

1 - ports 7081 (and 7080) can be addressed directly, hence INCREASING the attack surface

2 - Plesk's Nginx based "security measure" in the form of the "internal" directive can be bypassed, hence being a BUG (read: I can only safely assume that it is the intention of Plesk Team to harden security with the Nginx native internal directive and not the intention to allow bypasses of that internal directive)

and please note that point 1 is ONLY the result of point 2.


In short and in summary, the matter at hand is related to a proper causality, consisting of a cause (Nginx security related directives can be bypassed) and a (not intended) consequence (Apache can addressed on ports 7081/7080, since Nginx does not intercept these requests).

The causality should be present and viewed in (only) the context where Apache is proxied by Nginx.

A bug? Yes and no ....... a bug is a bit of a harsh word : on the one hand, it is expected behavior of the current Nginx config and on the other hand, it is safe to assume that it is not desirable behavior as a consequence of Nginx config.

It simply is a matter that needs attention (and quick, since Fail2Ban is not appropriate countermeasure for these type of attacks : too slow and inefficient).


I hope that the above puts the whole matter into the right perspective.

Kind regards....

 

[Peter Debik]

Can we then sum it up in one or two sentences? For example:
"When Nginx and Apache are used, Apache should only listen to ports 7080 and 7081 on localhost. When Nginx is not used, Apache should only listen to ports 80 and 443."

 

[trialotto]

Can we then sum it up in one or two sentences? For example:
"When Nginx and Apache are used, Apache should only listen to ports 7080 and 7081 on localhost. When Nginx is not used, Apache should only listen to ports 80 and 443."

I can safely say that the above is (and always was) the correct summary of the "objective".

The exploits have been always present (and that has been mentioned in the past) and the objective has been partially reached by the Nginx "internal" directive.

Listening on localhost would be probably mean a 99,99% realization of the objective.

However, problem here is that Nginx can be bypassed, so it should (part of OR another) objective that Nginx cannot easily be bypassed.

Otherwise, Apache can still be reached directly and, even though Apache will not do much with the requests, it can overload Apache easily.

Just some food for thought ......

Kind regards....

 

[Peter Debik]

Interestingly in the past there have been requests to create a feature by which Nginx can be bypassed, e.g. Add the option to bind Vhost to custom Apache ports so that accessing example.com:8081 the request will bypass nginx

Anyway, I have added this new feature request When Nginx and Apache are used, Apache should only listen to ports 7080 and 7081 on localhost.

 

[trialotto]

Interestingly in the past there have been requests to create a feature by which Nginx can be bypassed, e.g. Add the option to bind Vhost to custom Apache ports so that accessing example.com:8081 the request will bypass nginx

Anyway, I have added this new feature request When Nginx and Apache are used, Apache should only listen to ports 7080 and 7081 on localhost.

@Peter Debik

Bypassing Nginx is sometimes desirable for specific applications and even necessary for certain old-skool applications.

Nevertheless, a "necessity" is less and less prominent and a "desirability" is often an answer to the wrong question : one can always add some custom Nginx config to have Nginx listen on any port and then pass it forward to a custom port on Apache - "bypasses" are therefore not really desirable or necessary.

I must admit that in 2020 (the year of the post on Plesk uservoice that you refer to) it was a bit more difficult to ascertain that any custom Nginx config would actually lead to a proper forwarding of requests, as a result of the somewhat odd default Plesk Nginx config in those days.

Times have changed for the better, I suppose.

In essence, "bypassing" Nginx when using Nginx as a proxy is a bit odd and contradictive : one should either not use Nginx as a proxy or let Apache listen to a specific port on the public IP.

Stated differently, I am not sure why that old post was posted on Plesk Uservoice.

Kind regards....

 

[mow]

Is your argument that
<VirtualHost public-ip 127.0.0.1:7081>
<VirtualHost public-ip 127.0.0.1:7080>
should instead be
<VirtualHost 127.0.0.1:7081>
<VirtualHost 127.0.0.1:7080>

Why and why should the current configuration be considered a bug? What difference in general it makes if an attack is driven against port 80 or port 7080? Let's assume that your port 7080 can be addressed directly. Why is that more problematic than sending the same attack against port 80?

1. We proxy through nginx for a reason. Apache in general is slower than nginx, so attacking apache directly puts more load on the server.
2. Best practice is that attack surface should be minimized. Services that don't need to listen on a public IP shouldn't. Apache might have different vulnerabilities than nginx, while nginx would catch most malformed requests before they reach apache.
3. Also, as @trialotto wrote, attack mitigations in the nginx config won't be effective if apache is contacted directly.

Yes.

Then the firewall would block accesses to 7080 and 7081. But the firewall is just a kludge, those ports shouldn't be publicly accessible in the first place.

 

[Anthony]

@trialotto thank you for the feedback. I've passed this topic on to our security team for review.

 

[Anthony]

Hi @trialotto, thank you for the feedback.

Our security team reviewed the issues, and we confirmed them. We planned the improvements in this area.

Below is the detailed feedback:

PROBLEM 1 : ports 7080 and 7081 open and vulnerable for external attack
It is actually. It is two additional endpoints to attack resources hosted on Plesk.

PROBLEM 2 : modsecurity overload
It is actually. ModSecurity is forced to work with to additional ports. For example, if a malicious user does a brute-force attack using these ports load load on ModSecurity will rise 3 times.

PROBLEM 3 : WordPress XMLRPC attacks via ports 7081 (not often on 7080) over HTTP/1.0
Plesk has a great "WordPress Security Measures" feature that has, among other things "Block access to xmlrpc.php" option. It options makes changes both in "httpd.conf" and "nginx.conf", so in "xmlrpc.php" case Apache is available on 7080,7081 but the endpoint is forbidden.

PROBLEM 4 : default Nginx config does not include a "deny all;" direct
It is actually but I am not sure that it needs. See the previous comment.

 

[trialotto]

@Anthony

With respect to the statement

Plesk has a great "WordPress Security Measures" feature that has, among other things "Block access to xmlrpc.php" option. It options makes changes both in "httpd.conf" and "nginx.conf", so in "xmlrpc.php" case Apache is available on 7080,7081 but the endpoint is forbidden.

it has to be emphasized that this is not true : the changes to the nginx config files are of such a nature that common and slightly altered requests are still being handled by Nginx, as opposed to blocking handling of requests (as intended by the implemented nginx config changes).

Stated differently, the nginx config has to be rewritten to a more strict config that actually blocks specific requests to xmlrpc.php

At this moment, both requests to xmlrpc.php as requests to renamed xmlrpc files (examples : xmlrpc1.php, xmlrpc.php1, xmlrpc.php? and so on) are not blocked and these requests are being passed on by Nginx.

In essence, the presence of the (secure) "internal" directive is the only thing that should prevent that these request reach Apache.

However, these requests factually do reach Apache, as follows from the fact that ModSec is dealing with and logging the malicious requests.

In short, there is a loophole in the current config of both Apache and/or Nginx ....... and that is not limited to xmlrpc related requests alone.

With respect to the the statement

It is actually but I am not sure that it needs. See the previous comment.

it can only be responded that the "deny all;" config for all requests to (internal) ports 7080 and 7081 factually is required.

There is the matter of performance : in the absence of that "deny all;" config, all requests would be dealt with by Nginx and only stopped by the "internal" directive, hence causing a very unnecessary workload on Nginx.

There is also the matter of security, as has become painfully clear in the previous section : ModSec (on Apache level) is actually dealing with requests that are being sent to the (internal) ports 7080 and 7081 and that are actually not intercepted by Nginx.

In short, it should be normal practice to block external access to (internal) ports.

That is the whole concept of internal ports : they should not be externally accessible.........


Kind regards...

 

[Maksim]

Hi @trialotto,

I want to clarify next moment,

it has to be emphasized that this is not true : the changes to the nginx config files are of such a nature that common and slightly altered requests are still being handled by Nginx, as opposed to blocking handling of requests (as intended by the implemented nginx config changes).

When you talk about altered requests you mean only rename method or do you see another bypass method that does possibly bypass the restriction on "xmlrpc.php"?

 

[trialotto]

Hi @trialotto,

I want to clarify next moment,



When you talk about altered requests you mean only rename method or do you see another bypass method that does possibly bypass the restriction on "xmlrpc.php"?

@Maksim

To be honest, the answer to your question is not straightforward, since log output and hence available information is limited to modsec_audit.log entries.

Stated differently, with ModSec being on the Apache level, any hit on xmlrpc.php or "altered" xmlrpc.php can be the result of (a) a direct request to Apache and (b) a forward by Nginx to Apache.

The direct request to Apache - situation (a) - does not seem to occur often, but I have seen that a couple of times.

As far as I can reasonably assume, this "low number" is related to the safety measures offered by the WPT (read: one can block xlmrpc.php access on the level of Apache), but that is not a certainty : I have added WP code to remove meta data (indicating the xmlrpc related data) and to block xlmrpc access, in order to get an idea of how good Nginx is blocking xmlrpc related requests - this WP code is intended to keep analysis unbiaised (as far as possible).

In my humble opinion, this should be investigated further and in more detail.

The forward by Nginx to Apache - situation (b) - is present and can be found a lot of times in the logs.

In essence, Nginx directives can be bypassed in a multitude of ways :

1 - make requests to ports that Nginx does not listen too : Nginx will then try to make the best match, which match can cause undesirable results...

SOLUTION : make Nginx explicitly listen to all internal ports, with a deny all directive ........ but this is less straightforward to implement as it sounds.

NOTE : normally, Nginx does not handle requests to ports that it does not listen too, but Ngnix config can be messed up to some extent that Nginx rules are not exhibiting that normal behavior of "not listening"

NOTE : I strongly believe that method 1 is not applying to the current Nginx config that is provided by default with Plesk

2 - make "altered" requests to specific locations or files : Nginx will try to make the best match, but that match is just as good as the regular expression used to match the Nginx config with the request

SOLUTION : make Nginx config as "tight as possible", it should be very strict

NOTE : I strongly believe that the entries in modsec_audit.log are primarily related to the regular expression used for xmlrpc purposes.

NOTE : evidence of aformentioned belief can be deemed to be present when looking at the entries in the logs - requests to ports are redirected to the Nginx "internal" directive, at least in most cases .....and this implies that the request is matched by Nginx and forwarded to "internal", without any interference

3 - make "specific" requests to specific locations or files : the nature of this method is not yet clear to me, but it seems to be the case that certain scripted requests are automated and so fast that Nginx forwards them once or twice to "internal", with the request using one connection to brute force at the level of Apache

SOLUTION : not known yet, since Fail2Ban fails miserably ........ and ModSec blocks these brute force attempts with considerable effort

NOTE : implementing a solution for method 2, preferably in combination with a solution for method 1, should suffice and stop these advanced hack attempts


In short, answering your questions is very difficult, since some steps are needed to get to the root cause of the problem ...... and only these necessary steps can allow an unbiased analysis.

In addition, answering your question becomes even more difficult when taking into consideration the fact that the nature and method of attack is changing (and even becoming more aggressive and advanced!) when making Nginx config really strict - I have tested this and it surprised me.


I suggest that we have a look at the part

location ~* xmlrpc.php { deny all; }

location block and directives.


As a final remark and request, could you be so kind as to send me a private message?

Kind regards.....

 

[Peter Debik]

Thank you again for all the details.

Since Plesk 18.0.56, published October 10th, 2023, we've limited Apache to only listen to the loopback IP address (also called localhost) when Apache runs with nginx as a reverse proxy.

This feature is turned on by default on new Plesk installations. To enable it on existing installations, run the following CLI command: plesk bin apache --listen-on-localhost true. For information on the feature, see the KB article.

 

[danami]

This feature is turned on by default on new Plesk installations. To enable it on existing installations, run the following CLI command: plesk bin apache --listen-on-localhost true. For information on the feature, see the KB article.

@Peter Debik There is no way that this should be enabled by default on new installs. This breaks all Apache modsecurity attack triggers and any Apache log statistics programs as the client address only reports 127.0.0.1 as the client address after enabling it.