• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Resolved SECURITY - attack surface : ports 7080 and 7081

danami said:
@Peter Debik There is no way that this should be enabled by default on new installs. This breaks all Apache modsecurity attack triggers and any Apache log statistics programs as the client address only reports 127.0.0.1 as the client address after enabling it.
Click to expand...
Must be a misconfiguration of mod_remoteip.
At the end of /etc/apache2/plesk.conf.d/server.conf, there needs to be 127.0.0.1 added to the line RemoteIPInternalProxy.
@Peter Debik is that enough to forward to dev or should I open a bug?
 
@Peter Debik Unfortunately in my testing it looks like there is another big issue with this change. After enabling "plesk bin apache --listen-on-localhost true" the PHP $_SERVER["SERVER_ADDR"] reports as "127.0.0.1" instead of the real server IP address. This means that any PHP applications that previously used the $_SERVER["SERVER_ADDR"] will be broken (like WHMCS license checks for example).
 
@danami I cannot derive an internal bug report from the post as it requires a more detailed description with steps to reproduce and an example. If you want it processed fast, please use a support ticket for it, else please report it here: Issue Report | Plesk Forum
 
danami said:
@Peter Debik There is no way that this should be enabled by default on new installs. This breaks all Apache modsecurity attack triggers and any Apache log statistics programs as the client address only reports 127.0.0.1 as the client address after enabling it.
Click to expand...
Forcing apache to only listen to localhost seems like a sensible default to me.
 
Ok I realise now that the recommended fix also has undesirable consequences such as breaking awstats.

It also makes me wonder about the accuracy of the awstats and other metrics when using a reverse proxy.
 
You must log in or register to reply here.

Similar threads

Jürgen_T
Question Massive Brute-Force Attacks on Plesk Panel – Looking for Additional Protection Measures
Replies
15
Views
1K
Franky H
F
andreios
Issue Fail2ban WordPress login detection doesn't work and fail2ban couldn't be configured trough Plesk
Replies
2
Views
939
andreios
andreios
A
Question Fail2Ban capture and ban IP, connection still being made
Replies
8
Views
2K
Bitpalast
Bitpalast
J
Issue Default plesk-wordpress fail2ban doesn't work
Replies
6
Views
1K
Peter Debik
P
S
Apache does not apply .htaccess directives for certain files after migration through Plesk Migrator
Replies
2
Views
2K
NewGate
N
Back
Top