Resolved Way to block or remove Plesk's screenshot bot from logs

[tomzag]

There should be a way to remove, block or filter out log entries made by Plesk screenshot bot, which now triggers each time a domain is opened in new active view, so latest log entries are then "spammed" by screenshot bot, making it clumsy to get to the actual most recent traffic in logs.

If there is a way to do this, please let me know. Apologies if this has been asked and/or answered already.

 

[Bitpalast]

It should only show up once in a while in logs. Could you please provide an example how spammy your logs look?

 

[tomzag]

You are correct, I am sorry, multiple refreshes and reloads of domain page caused multiple screenshot bot runs - we had some bad behaviour chasing recently so we spent some hectic times in logs. Sorry for wasting your time.

On a side note, does the fix that I saw mentioned later, the one stating a change in panel.ini, removes screenshot bots' entries completely? Thank you!

 

[Kaspar]

On a side note, does the fix that I saw mentioned later, the one stating a change in panel.ini, removes screenshot bots' entries completely? Thank you!

Yes, changing the settings in the panel.ini file as described in the support article here will disable the sreenshots completely.

 

[Dave W]

Have a server being spammed by this bot.

34.249.90.25 - - [21/May/2024:00:52:39 +0100] "GET /wp-content/uploads/2020/09/sport_1.jpg HTTP/1.0" 200 415 "https://wwwxxxxxxxxx.xx/" "Plesk screenshot bot https://support.plesk.com/hc/en-us/articles/10301006946066"
34.249.90.25 - - [21/May/2024:00:52:39 +0100] "GET /wp-content/uploads/2020/09/fami_1.jpg HTTP/1.0" 200 414 "https://wwwxxxxxxxxx.xx/" "Plesk screenshot bot https://support.plesk.com/hc/en-us/articles/10301006946066"
34.249.90.25 - - [21/May/2024:00:52:39 +0100] "GET /wp-content/uploads/2020/09/contact_me.svg HTTP/1.0" 200 421 "https://wwwxxxxxxxxx.xx/" "Plesk screenshot bot https://support.plesk.com/hc/en-us/articles/10301006946066"
34.249.90.25 - - [21/May/2024:00:52:39 +0100] "GET /wp-content/uploads/2020/09/photo_1.svg HTTP/1.0" 200 1217 "https://wwwxxxxxxxxx.xx/" "Plesk screenshot bot https://support.plesk.com/hc/en-us/articles/10301006946066"
34.249.90.25 - - [21/May/2024:00:52:39 +0100] "GET /wp-content/uploads/2020/09/map_1.svg HTTP/1.0" 200 1217 "https://wwwxxxxxxxxx.xx/" "Plesk screenshot bot https://support.plesk.com/hc/en-us/articles/10301006946066"
34.249.90.25 - - [21/May/2024:00:52:39 +0100] "GET /wp-content/uploads/2020/10/file028669-361x240.svg HTTP/1.0" 200 1217 "https://wwwxxxxxxxxx.xx/" "Plesk screenshot bot https://support.plesk.com/hc/en-us/articles/10301006946066"
34.249.90.25 - - [21/May/2024:00:52:39 +0100] "GET /wp-content/uploads/2020/10/file028635-361x240.svg HTTP/1.0" 200 1217 "https://wwwxxxxxxxxx.xx/" "Plesk screenshot bot https://support.plesk.com/hc/en-us/articles/10301006946066"
34.249.90.25 - - [21/May/2024:00:52:39 +0100] "GET /wp-content/uploads/2020/10/file007812-361x535.svg HTTP/1.0" 200 1051 "https://wwwxxxxxxxxx.xx/" "Plesk screenshot bot https://support.plesk.com/hc/en-us/articles/10301006946066"
34.249.90.25 - - [21/May/2024:00:52:39 +0100] "GET /wp-content/uploads/2020/10/Anette.svg HTTP/1.0" 200 932 "https://wwwxxxxxxxxx.xx/" "Plesk screenshot bot https://support.plesk.com/hc/en-us/articles/10301006946066"

Can we confirm this IP is Plesk?

rDNS shows ec2-34-249-90-25.eu-west-1.compute.amazonaws.com.

D.

 

[Bitpalast]

Recently I've seen the same behavior on some domains.

 

[Kaspar@Plesk]

@Dave W and @Bitpalast did anything change in the behavior of the screenshot service/bot for you?

I don't see any monkey business going on in the log excerpt. The screenshot service requests all files related to the homepage in order to render an image.

@Dave W Rather then blocking the IP, would it not be more effective to disable the screenshot service in the panel.ini configuration?

 

[Bitpalast]

At least it seems that the bot is reading a large number of files that are not related to a website's homepage. It could also be that this is not the real Plesk service, but someone else that spoofs the bot.

 

[Kaspar@Plesk]

Interesting. You happen to still know the IP address that made those requests @Bitpalast?

 

[Bitpalast]

No, sorry. I saw it a few days ago in one customer account that was causing a high cpu load, but I don't remember which one that was.

 

[Kaspar@Plesk]

Can we confirm this IP is Plesk?

rDNS shows ec2-34-249-90-25.eu-west-1.compute.amazonaws.com.

Sorry for the late reply to your actual question. The screenshot service works with a cluster of dynamic workers and IPs are changing constantly. So it's hard to say for sure if this IP address legitimately was used, but since it's belongs to AWS it probably was.

However let me know if you notice some unusual crawling behavior (for example on pages other then the home/index page) in your logs.

 

[Dave W]

Hey Kaspar,

Yeah you can see from the logs above it was crawling the whole site.

D.

 

[Kaspar@Plesk]

[...] Yeah you can see from the logs above it was crawling the whole site.

The log excerpt shows that 7 svg and 2 jpg files have been requested by the Plesk bot. That can't be the whole site? If those files are part of the website's index page then those are queried by the Plesk bot too in order to fully render the thumbnail image. To me the log excerpt does not look unusual.

 

[Dave W]

Those URLs were not part of the main index page. It crawled the whole site, so i just firewalled the IP. life is quieter now.

 

[Kaspar@Plesk]

Those URLs were not part of the main index page. It crawled the whole site, so i just firewalled the IP.

Got it. Thanks for let me know. I'll relay this internally.

life is quieter now.

Nice!