
Resolved Plesk firewall blocks ssh port

TheLuckyGuy

New Pleskian
Hello there,

I turned on the internal firewall. After that I couldn't connect to it via ssh.

Disabling it via the panel I can use ssh again.

Does anyone have an idea what my mistake might be?

Thanks!
 
Hi TheLuckyGuy,

Does anyone have an idea what my mistake might be?
Unfortunately, you don't provide any information at all about what sort of "firewall rules" you use, which makes it really hard to guess where the root cause of the misconfiguration might be. :( That leaves us with standard answers such as:

Did you consider having a look at the Plesk documentation?

Did you know that Plesk stores the scripts ( *.sh ) that your Plesk firewall depends on at "/usr/local/psa/var/modules/firewall", where you can read which settings will be used when you "turn it on"?
 
Do the Plesk rules open port 22?
If the Plesk rules open port 22, then there is a good chance your ssh is listening on another port.

A lot of people assign another port to ssh from a security perspective. It's only security by obscurity and a pretty lame security feature if you think about it, but it helps. Hackers must run through all the ports in order to find the correct one, and 99.9% of them don't even bother to do that. It's a lot easier to hack a server through an insecure Joomla than to scan 65536 ports, only to find that plain logins are forbidden or you get blocked by fail2ban.

regards
Jan
 
Here is the firewall draft that is generated via the firewall app in Plesk.

Code:
#!/bin/bash
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

set -e

echo 0 > /proc/sys/net/ipv4/ip_forward
([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
(rmmod ipchains) >/dev/null 2>&1 || true

apply_rule()
{
    iptables_bin="$1"
    shift

    iptables_version=`/sbin/iptables --version | awk -F '.' '{print $2$3}'`

    # Use the native --wait option since v1.4.20
    if [ $iptables_version -gt 420 ]; then
        $iptables_bin -w $@ 2>/dev/null
        return $?
    fi

    # Emulate --wait for elderly versions
    for i in `seq 10`; do
        $iptables_bin $@ 2>&1 | grep -q xtable || return 0
        sleep 1
    done

    return 1
}

/sbin/iptables-save  -t filter | grep -- "-A INPUT" |  grep -v "fail2ban-\|f2b-" | sed -e "s#^-A#apply_rule /sbin/iptables -D#g" | xargs -0 echo -e "`declare -f apply_rule`\n" | /bin/bash

apply_rule /sbin/iptables -F FORWARD
apply_rule /sbin/iptables -F OUTPUT
apply_rule /sbin/iptables -Z FORWARD
apply_rule /sbin/iptables -Z OUTPUT

apply_rule /sbin/iptables -P INPUT DROP
apply_rule /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/iptables -A INPUT -m state --state INVALID -j DROP
apply_rule /sbin/iptables -P OUTPUT DROP
apply_rule /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/iptables -A OUTPUT -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
apply_rule /sbin/iptables -P FORWARD DROP
apply_rule /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/iptables -A FORWARD -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/iptables -A FORWARD -m state --state INVALID -j DROP

apply_rule /sbin/iptables -A INPUT -i lo  -j ACCEPT
apply_rule /sbin/iptables -A OUTPUT -o lo -j ACCEPT
apply_rule /sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT

apply_rule /sbin/iptables -t mangle -F
apply_rule /sbin/iptables -t mangle -Z
apply_rule /sbin/iptables -t mangle -P PREROUTING ACCEPT
apply_rule /sbin/iptables -t mangle -P OUTPUT ACCEPT
apply_rule /sbin/iptables -t mangle -P INPUT ACCEPT
apply_rule /sbin/iptables -t mangle -P FORWARD ACCEPT
apply_rule /sbin/iptables -t mangle -P POSTROUTING ACCEPT

/sbin/ip6tables-save  -t filter | grep -- "-A INPUT" |  grep -v "fail2ban-\|f2b-" | sed -e "s#^-A#apply_rule /sbin/ip6tables -D#g" | xargs -0 echo -e "`declare -f apply_rule`\n" | /bin/bash

apply_rule /sbin/ip6tables -F FORWARD
apply_rule /sbin/ip6tables -F OUTPUT
apply_rule /sbin/ip6tables -Z FORWARD
apply_rule /sbin/ip6tables -Z OUTPUT

apply_rule /sbin/ip6tables -P INPUT DROP
apply_rule /sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/ip6tables -A INPUT -m state --state INVALID -j DROP
apply_rule /sbin/ip6tables -P OUTPUT DROP
apply_rule /sbin/ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/ip6tables -A OUTPUT -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/ip6tables -A OUTPUT -m state --state INVALID -j DROP
apply_rule /sbin/ip6tables -P FORWARD DROP
apply_rule /sbin/ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/ip6tables -A FORWARD -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/ip6tables -A FORWARD -m state --state INVALID -j DROP

apply_rule /sbin/ip6tables -A INPUT -i lo  -j ACCEPT
apply_rule /sbin/ip6tables -A OUTPUT -o lo -j ACCEPT
apply_rule /sbin/ip6tables -A FORWARD -i lo -o lo -j ACCEPT

apply_rule /sbin/ip6tables -t mangle -F
apply_rule /sbin/ip6tables -t mangle -Z
apply_rule /sbin/ip6tables -t mangle -P PREROUTING ACCEPT
apply_rule /sbin/ip6tables -t mangle -P OUTPUT ACCEPT
apply_rule /sbin/ip6tables -t mangle -P INPUT ACCEPT
apply_rule /sbin/ip6tables -t mangle -P FORWARD ACCEPT
apply_rule /sbin/ip6tables -t mangle -P POSTROUTING ACCEPT


apply_rule /sbin/iptables -t nat -F
apply_rule /sbin/iptables -t nat -Z
apply_rule /sbin/iptables -t nat -P PREROUTING ACCEPT
apply_rule /sbin/iptables -t nat -P OUTPUT ACCEPT
apply_rule /sbin/iptables -t nat -P POSTROUTING ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 12443 -j DROP
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 12443 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 11443 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 11444 -j DROP
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 11443 -j DROP
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 11444 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 8447 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 8447 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 8880 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 8443 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 8880 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 22 -s XXXXMYIPADRESSXXX -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 22 -s ::ffff:XXMY IP ADRESSsXXXXXXX -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 22 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 587 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 587 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 25 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 465 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 110 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 995 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 143 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 993 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 106 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 106 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 3306 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 5432 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 5432 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 9008 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 9080 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 9008 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 9080 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p udp --dport 137 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p udp --dport 138 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 139 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 445 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p udp --dport 137 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p udp --dport 138 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 139 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 445 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p udp --dport 1194 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p udp --dport 53 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 53 -j ACCEPT

apply_rule /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 134/0 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 135/0 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 136/0 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 137/0 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 128/0 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 129/0 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -j DROP
apply_rule /sbin/ip6tables -A INPUT -j DROP

apply_rule /sbin/iptables -A OUTPUT -j ACCEPT
apply_rule /sbin/ip6tables -A OUTPUT -j ACCEPT

apply_rule /sbin/iptables -A FORWARD -j DROP
apply_rule /sbin/ip6tables -A FORWARD -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward
#
# End of script
#
 
Hi TheLuckyGuy,

Let's concentrate on the current settings:
Code:
apply_rule /sbin/iptables -A INPUT -p tcp --dport 22 -s XXXXMYIPADRESSXXX -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 22 -s ::ffff:XXMY IP ADRESSsXXXXXXX -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 22 -j DROP

... which makes the next statement a bit confusing:
I manually use port 2222 with ssh. Do I have to tell plesk which port I use?
... because your current settings are configured for port "22" and not port "2222".

Second, could you please confirm that "XXXXMYIPADRESSXXX" and "::ffff:XXMY IP ADRESSsXXXXXXX" are the configured IPv4 and IPv6 addresses you are trying to CONNECT FROM, and not the server IPs?

Third, please be aware that if you configure:
Code:
apply_rule /sbin/iptables -A INPUT -j DROP
apply_rule /sbin/ip6tables -A INPUT -j DROP

AND

apply_rule /sbin/iptables -A FORWARD -j DROP
apply_rule /sbin/ip6tables -A FORWARD -j DROP
... you have to be aware that ALL traffic which is not explicitly configured in your previous rules will be DROPPED.


Fourth, if you use port "2222", WHERE did you configure the SSH changes?
 
I changed the port manually with vi in ssh.

The firewall is automatically generated via the Plesk firewall plugin. I thought that Plesk knows automatically that I changed the ssh port.

I don't understand that last part with all traffic; the text is automatically generated with the Plesk plugin. Should I remove these lines?

Big question: since I can't edit ports in the firewall plugin inside the Plesk panel, where can I tell Plesk that I changed the ssh port?
 
Hi TheLuckyGuy,

If you would like to open an ADDITIONAL port ( in your example port "2222" ), either for all IPs, or only for a specific outgoing server IP, and/or only for a specific external IP, you would configure this port inside an ( additional ) CUSTOM RULE.

The firewall is automatically generated via the Plesk firewall plugin. I thought that Plesk knows automatically that I changed the ssh port.
These standard Plesk firewall rules are hardcoded inside encrypted Plesk PHP files, located at "/usr/local/psa/admin/plib/modules/firewall" ( depending on your operating system ), and can't be changed.

I don't understand that last part with all traffic; the text is automatically generated with the Plesk plugin. Should I remove these lines?
No, you shouldn't remove these lines; I just want to point to the fact that you have to add additional rules if you want port "2222" to be usable by external IPs.

Big question: since I can't edit ports in the firewall plugin inside the Plesk panel, where can I tell Plesk that I changed the ssh port?
As already stated, you can't "tell Plesk" that you changed the standard ssh port. You would achieve your goal by adding a custom rule, and you could set "DENY" for the standard ssh port while in the "modifying" mode, after you have added the custom rule.
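A pre-flight check for the lockout described in this thread, added here as an example (it is not Plesk's code and not from any of the posts): it reads the Port sshd listens on and walks the generated INPUT rules with iptables first-match semantics to predict whether a new SSH connection from a given client address would be accepted or dropped. The sshd_config excerpt, the rule lines and the client addresses are constructed samples.

```shell
#!/bin/sh
# Pre-flight lockout check to run BEFORE enabling the Plesk firewall: predict
# the verdict the generated INPUT rules give a fresh SSH connection.

# Constructed samples standing in for /etc/ssh/sshd_config and the generated
# script under /usr/local/psa/var/modules/firewall (not real server data).
SSHD_CONFIG_SAMPLE='# constructed sshd_config excerpt
Port 2222
PermitRootLogin no'

RULES_SAMPLE='apply_rule /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/iptables -A INPUT -i lo -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 22 -s 203.0.113.10 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -j DROP'

# sshd_port CONFIG_TEXT: print the configured Port, 22 when none is set.
sshd_port() {
    p=$(printf '%s\n' "$1" | awk '$1 == "Port" { print $2; exit }')
    printf '%s\n' "${p:-22}"
}

# ssh_verdict RULES_TEXT PORT CLIENT_IP: print the target (ACCEPT/DROP) of the
# first INPUT rule a new TCP connection to PORT from CLIENT_IP hits, or NONE
# when no rule matches (the chain policy, DROP in the generated script, applies).
ssh_verdict() {
    printf '%s\n' "$1" | awk -v port="$2" -v src="$3" '
        # state-keyed and loopback rules never match a fresh SYN from a remote client
        /-A INPUT/ && !/--state/ && !/-i lo/ {
            dport = ""; proto = ""; rsrc = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-p")      proto = $(i + 1)
                if ($i == "-s")      rsrc = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (rsrc != "" && rsrc != src) next        # restricted to another source
            if (proto != "" && proto != "tcp") next    # udp/icmp rule
            if (dport != "" && dport != port) next     # other port
            print target; found = 1; exit             # first match wins
        }
        END { if (!found) print "NONE" }'
}

port=$(sshd_port "$SSHD_CONFIG_SAMPLE")
echo "sshd port $port from 198.51.100.7: $(ssh_verdict "$RULES_SAMPLE" "$port" 198.51.100.7)"
```

With the sample data the result is DROP: the only port-22 ACCEPT does not cover port 2222, so the final catch-all "-A INPUT -j DROP" wins, which is exactly the lockout the thread describes until a custom rule for 2222 is added.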
 