
Plesk Firewall Module, Rules storage?

carliebentley

I'm interested in hand modifying the Plesk Firewall Module rules, to deny any inbound or outbound UDP traffic other than DNS on the server.

I'm running Plesk 8 on a RHEL3 server.

I need to know where the Firewall module stores its rule set.

I think by denying all UDP access on ports other than DNS or those required for Plesk licensing information, I'll be able to prevent some of this Worm/PHP/UDP attacking that I've been suffering from for the last two weeks.

Thanks.
 
ohh man.. if you found out how to do it, please list it here.
 
No luck yet.

I still haven't figured out how yet.

I'm suspecting it might be related to the MySQL server used by Plesk itself.

I haven't torn into that DB yet, I don't want to break it.
 
You should take a look at APF (Advanced Policy Firewall). This firewall is easy to install and is highly configurable. Then add BFD (Brute Force Detection). Every 8 minutes it scans your logs and if it detects a certain number of negative events it will add the offending IP address to the hosts.deny file. Some of the events it monitors for are failed SSH logins, failed ftp login attempts, etc.

And did I mention that it's free?

http://www.rfxnetworks.com/proj.php
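
The log-scan-and-threshold behaviour described for BFD in the post above, sketched as an added example; it is not BFD's code and not part of the original posts. The log lines, the threshold of 3, the simplified FTP line format and the function names are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = """\
Mar  3 04:10:01 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 04:10:03 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar  3 04:10:06 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 40141 ssh2
Mar  3 04:10:09 web1 sshd[2217]: Failed password for invalid user a from 198.51.100.20 port 9 ssh2 from 203.0.113.7 port 40150 ssh2
Mar  3 04:11:15 web1 sshd[2301]: Accepted password for alice from 198.51.100.20 port 51000 ssh2
Mar  3 04:12:40 web1 sshd[2320]: Failed password for alice from 198.51.100.20 port 51010 ssh2
Mar  3 04:13:02 web1 ftpd[2400]: FAIL LOGIN: Client "192.0.2.55"
Mar  3 04:13:05 web1 ftpd[2401]: FAIL LOGIN: Client "192.0.2.55"
Mar  3 04:13:09 web1 ftpd[2402]: FAIL LOGIN: Client "192.0.2.55"
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# The user name in an sshd line is chosen by the client, so the address is
# taken from the END of the line (greedy .* plus $), never from the middle.
FAILURE_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for .* from " + IPV4 + r" port \d+ ssh2$"),
    re.compile(r'FAIL LOGIN: Client "' + IPV4 + r'"$'),  # simplified FTP format (assumed)
]

def count_failures(log_text):
    """Return a Counter of failed-login events per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        for pattern in FAILURE_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            try:
                counts[str(ipaddress.ip_address(match.group(1)))] += 1
            except ValueError:
                pass  # looks like an address but is not one, e.g. 999.1.1.1
            break
    return counts

def deny_lines(log_text, threshold=3, allowlist=()):
    """Build hosts.deny entries for addresses at or above the threshold."""
    trusted = set(allowlist)  # addresses that must never be locked out
    return [f"ALL: {ip}" for ip, hits in sorted(count_failures(log_text).items())
            if hits >= threshold and ip not in trusted]

if __name__ == "__main__":
    print("\n".join(deny_lines(SAMPLE_LOG)))
```

The fourth sample line carries address-like text inside the user name field; because the pattern is anchored to the end of the line, the failure is counted against the real source rather than the address embedded in the name.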
 
I appreciate the suggestion.

However, I already have the Plesk Firewall module installed and configured with a massive ruleset.

I'm sure APF is a breeze to install and configure; however, it's all command line and does not integrate into the Plesk Control Panel, as far as I know, and that is going to make it something I'm not interested in.

The Plesk Firewall Module seems to be reliable, if a little inflexible, and if I were going to get "more serious" I would put an edge device between my server and the net.

Free is very nice, however it still doesn't integrate with the Plesk Control Panel.
 
Actually, I did find the Firewall Module rule sets and they are in the psa MySQL Database.

BUT, it's not going to be something that can be easily hand hacked. It will take quite a bit of skill to figure out exactly what's going on in that table.

Hmmm. I would suggest a complete back up of that particular DB before doing anything.
 
Well, I'm not trying to hack the firewall module. Don't want the guys in SWsoft to get angry. I'm trying to understand how the rules are set in the DB in order to check the possibility to create an automatic block module to block IPs with suspicious activity using the firewall module rules. Sort of an upgrade to the current firewall module.
 
Originally posted by jwagdy
Well, I'm not trying to hack the firewall module. Don't want the guys in SWsoft to get angry. I'm trying to understand how the rules are set in the DB in order to check the possibility to create an automatic block module to block IPs with suspicious activity using the firewall module rules. Sort of an upgrade to the current firewall module.

Yah, that was my original idea as well, but from looking at the information in the DB, it is very "cryptic", and doesn't lend itself to easily changing it.

I'm afraid I've bumped my limit on knowing how to write something for this module. It's a very confusing piece of code; however, it does use PHP pages to handle the changes, and the pages are easily locatable: "locate firewall" will show you all the pages PSA uses to edit the settings.

There's apparently a ton of vars set to allow editing various sections of the Firewall Module. I would have to install on a "test" server and try messing with it.
 