Facebook
Twitter
- Server operating system version
- Ubuntu 22.04 LTS
- Plesk version and microupdate number
- Plesk Obsidian 18.0.60, last updated on April 7, 2024 01:33 PM
Hi!
I run several pretty generic Plesk installations on Strato VMs.
Everything is uptodate, but I found some weird security settings in my machines.
I run some HTML websites, plenty of Wordpress with minimal plugins, and one Moodle instance.
I'm not a great sysadmin, if anyone has explanations, I'd appreciate it.
1.
fail2ban had been switched off. Why might this have happened?
ModSecurity had been switched off. Why?
2.
Diagnose & repair tells me one issue in the file system:
The permissions on the /etc/domainkeys directory are incorrect
They are
drwxr-xr-x 9 root root 4096 Mär 13 21:34 domainkeys
Within this, for an example domain settings are
-r--r----- 1 root popuser 1704 Dez 24 21:35 default
(Elsewhere they are 640, not 440)
Repair could fix this.
3.
Some of my servers have, under security/firewall
MySQL server: Allow incoming from all
Sounds suspicious to me; there is no reason I can think of why this should be allowed.
How does it come about? When trying to set it to deny, applying the firewall config fails.
'['/usr/local/psa/var/modules/firewall/firewall-active.sh']' timed out after 14.999970197677612 seconds
Emergency rollback to configuration without rules was performed. Firewall is now disabled. Fix your rules and try again.
4.
Looking at fail2ban.log, I see stuff like
2024-04-10 07:29:14,160 fail2ban.actions [2504]: NOTICE [plesk-modsecurity] Unban 92.222.212.88
I assume unban happens after a grace period after a ban? Ten minutes earlier:
2024-04-10 07:19:14,944 fail2ban.filter [2504]: INFO [plesk-modsecurity] Found 92.222.212.88 - 2024-04-10 07:19:14
----
Thanks for any help!
Amba
I run several pretty generic Plesk installations on Strato VMs.
Everything is uptodate, but I found some weird security settings in my machines.
I run some HTML websites, plenty of Wordpress with minimal plugins, and one Moodle instance.
I'm not a great sysadmin, if anyone has explanations, I'd appreciate it.
1.
fail2ban had been switched off. Why might this have happened?
ModSecurity had been switched off. Why?
2.
Diagnose & repair tells me one issue in the file system:
The permissions on the /etc/domainkeys directory are incorrect
They are
drwxr-xr-x 9 root root 4096 Mär 13 21:34 domainkeys
Within this, for an example domain settings are
-r--r----- 1 root popuser 1704 Dez 24 21:35 default
(Elsewhere they are 640, not 440)
Repair could fix this.
3.
Some of my servers have, under security/firewall
MySQL server: Allow incoming from all
Sounds suspicious to me; there is no reason I can think of why this should be allowed.
How does it come about? When trying to set it to deny, applying the firewall config fails.
'['/usr/local/psa/var/modules/firewall/firewall-active.sh']' timed out after 14.999970197677612 seconds
Emergency rollback to configuration without rules was performed. Firewall is now disabled. Fix your rules and try again.
4.
Looking at fail2ban.log, I see stuff like
2024-04-10 07:29:14,160 fail2ban.actions [2504]: NOTICE [plesk-modsecurity] Unban 92.222.212.88
I assume unban happens after a grace period after a ban? Ten minutes earlier:
2024-04-10 07:19:14,944 fail2ban.filter [2504]: INFO [plesk-modsecurity] Found 92.222.212.88 - 2024-04-10 07:19:14
----
Thanks for any help!
Amba
