Plesk 12.x / Linux :: Firewall Module Modified Iptables - FTP Not Working Now
Feb 13, 2015
I temporarily enabled and activated the Plesk firewall module (which I wish I hadn't done in the first place) and for some reason it seems to have overwritten the default iptables configuration that was set, leaving my FTP unable to be logged into. I tried to disable the firewall module and reboot the server. It didn't work.
I also noticed that it somehow seems to have changed my hostname to my previous server hostname as well.
Is there any way to completely revert back to original iptables settings before enabling the Firewall module?
In Plesk I have set the SSH rule to allow from source, deny others, and added my IP. However, if I connect my PC to my work VPN, I can still log in via SSH, even when I am on a different IP than the allowed IP.
After the Plesk Firewall was enabled the FTP Stopped working in passive Mode.
I searched the net and found the following:
Code:
/etc/sysconfig/iptables-config and change the line with IPTABLES_MODULES to: IPTABLES_MODULES="ip_conntrack_ftp"
It started working.
I changed the default FTP port in proftpd.conf
Code:
port 2392
and in /etc/services
Code:
ftp 2392/tcp
ftp 2392/udp fsp fspd
I allowed the new port in Plesk Firewall in Incoming connection and disabled port 21
Now I am not able to connect to the FTP; I get the following error. Have I missed anything?
Code:
Response: 257 "/" is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (85,25,51,34,216,46).
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing
When I deny all other traffic for the "System policy for incoming traffic" to secure the server by only allowing the explicit ports I've requested to open, my server stops operating correctly.
When I set the "System policy for incoming traffic" to deny, it appears to disrupt various functions such as web traffic over ports 80/443, FTP, and SSH; they either work extremely slowly or don't work at all.
I brought this up with my Plesk license provider and they stated that the Plesk firewall doesn't add any tracking for ephemeral ports, therefore if you set the policy to drop for incoming/outgoing, it's not going to allow proper TCP communication since the return socket can't be opened. Also that the firewall is an explicit-deny system rather than an explicit-allow based system.
Am I doing something wrong? All I want to do is to block all ports other than the ones I've set to allow. Is this how it is supposed to work?
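Added example (not from the thread, and not Plesk or proftpd code): a small Python model of why the passive data connection in the two posts above stops working once the control port moves off 21, and why a drop-by-default policy only works together with connection tracking. The `ports=` option is the real module parameter of ip_conntrack_ftp/nf_conntrack_ftp; the `open_ranges` argument stands for a passive port range you explicitly allow (e.g. proftpd's PassivePorts directive plus a matching firewall rule) and is this example's assumption.

```python
import re

# Constructed sample modelled on the client log quoted in the thread.
PASV_REPLY = "227 Entering Passive Mode (85,25,51,34,216,46)."


def parse_pasv(reply):
    """Return (ip, port) from a 227 PASV reply: (h1,h2,h3,h4,p1,p2), port = p1*256 + p2."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_connection_allowed(data_port, control_port, helper_ports, open_ranges):
    """Model of the INPUT decision for the client's passive data connection.

    helper_ports: control ports the FTP conntrack helper watches (kernel default
                  is {21}; loading the module with ports=21,2392 adds a custom port).
    open_ranges:  (lo, hi) tuples explicitly ACCEPTed for NEW connections.
    Returns (allowed, reason).
    """
    # Helper saw the PASV reply on the control channel -> data conn is RELATED
    # and matches the usual ESTABLISHED,RELATED ACCEPT rule.
    if control_port in helper_ports:
        return True, "RELATED via conntrack helper on control port %d" % control_port
    # No helper: the data connection arrives as NEW and needs an explicit rule.
    for lo, hi in open_ranges:
        if lo <= data_port <= hi:
            return True, "NEW to port %d, inside explicit range %d-%d" % (data_port, lo, hi)
    return False, "NEW to unlisted port %d dropped (client sees a timeout)" % data_port


if __name__ == "__main__":
    ip, port = parse_pasv(PASV_REPLY)
    print("server offers data connection to %s:%d" % (ip, port))
    # Control port moved to 2392, helper still only watching 21: the thread's failure.
    print(data_connection_allowed(port, 2392, {21}, []))
    # Fix A: tell the helper about the new control port.
    print(data_connection_allowed(port, 2392, {21, 2392}, []))
    # Fix B: pin PassivePorts to a range and open exactly that range.
    print(data_connection_allowed(port, 2392, {21}, [(50000, 60000)]))
```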
I'm in the process of installing PPA on infrastructure running Parallels Cloud Server. Each container has 2 interfaces, one public facing and a private interface for inter-server communication.
No problems installing PPA 11.5 (specifying IPs on the command line) or adding service nodes; however, the firewall rules the documentation speaks of are nowhere to be seen, i.e.:
Important: After the installation, PPA creates the special firewall chain PPA-SN-Rules-INPUT used for communication with service nodes. Do not change it, otherwise, you will not be able to add service nodes to PPA.
Has this been dropped from PPA 11.5? (I recall seeing the firewall settings in 11.1.) There is also no sign of the ppa.firewall tool that is also mentioned.
The only rule I see inserted is for Postgres on the management node, and 2 for pleskd on all of the nodes (open to the world!).
I've bought a basic unmanaged VPS, purely to learn things from it. The best way to learn imo is to hammer the hell out of things, break it, then try to fix it. Anyway, I think I'm part way there, pretty sure I've broken something.
When I start the consoleSSH I get this at the top:
Will the APF firewall work without the "ip_tables" module? I contacted my server management company and told them my previous tech said enabling ip_tables module on any VPS on our system would cause a kernel panic. Their response was to install APF on the VPS in question and not enable ip_tables, saying it should still block IPs and ports that aren't supposed to be open. Is this true? Or am I getting the runaround?
Our server setup is like this: WordPress, vtiger CRM and ecommerce applications running on Plesk 12, with Apache as the backend server and nginx as a proxy to serve static content. Now the plan is to optimize webpages with the Google PageSpeed module. As per Google's documentation, the module installation on an nginx server needs to be built from source. Is it recommended to install the ngx_pagespeed module by building nginx from source on a Plesk server?
Subject: Cron <aioftp@main> /usr/bin/php -q /var/www/vhosts/domain.com/subdomains/somedir/httpdocs/dir/cron.php
Failed loading /usr/lib64/php/modules/ioncube_loader_lin_5.4.so: /usr/lib64/php/modules/ioncube_loader_lin_5.4.so: cannot open shared object file: No such file or directory
PHP Warning: Module 'soap' already loaded in Unknown on line 0
PHP Warning: PHP Startup: XCache: Unable to initialize module
Module compiled with module API=20090626
PHP compiled with module API=20100525
These options need to match
in Unknown on line 0
After successfully upgrading PHP, and unsuccessfully with ionCube, I get:
Failed loading /usr/lib/php/modules/ioncube_loader_lin_5.4.so: /usr/lib/php/modules/ioncube_loader_lin_5.4.so: cannot open shared object file: No such file or directory
PHP Warning: Module 'ionCube Loader' already loaded in Unknown on line 0
The ionCube PHP Loader is disabled because of startup problems.
PHP Warning: Module 'ionCube Loader' already loaded in Unknown on line 0
The ionCube PHP Loader is disabled because of startup problems.
PHP 5.4.32 (cli) (built: Aug 21 2014 07:33:35)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
with the ionCube PHP Loader v4.6.1, Copyright (c) 2002-2014, by ionCube Ltd., and
I have a brand new Plesk 12 Installation with just a first Subscription/Domain for my test. Enabling fail2ban jails brings me the following error for the jails plesk-proftpd and ssh. All others went on.
error 'f2bmng failed: ERROR No file(s) found for glob /var/log/secure'.
I see that /var/log/secure is missing, although I have already used SSH and FTP to log in once. Should I touch the /var/log/secure file, or adjust the jail configs to the proper log file location? Which is the way to go?
Is it just me, or is anyone else experiencing the VZ master node not being properly configured for those front-end firewall programs?
I recently purchased a couple of Linux VPSs (OpenVZ) from different vendors and both seem not to have iptables properly configured. One of them finally got resolved, but it took about a week for them to figure out what was wrong with it.
I'm currently still stuck with the second VPS not protected.
I have not checked which iptables modules APF or CSF require, but VPS vendors/resellers should expect their clients to be using those and properly configure their VZ master prior to deployment.
I'm beginning to wonder whether people who purchase VPS slices are using any decent firewall front-end or not.
It always seems that ip_conntrack is missing. When it exists, everything works.
I have a list of bad IPs and would like to add it to iptables, but I don't want to enter them one by one or by command line. I would like to insert them into a list file of iptables by editing a file or something like that. Where and how can I proceed to do this?
After turning on the iptables firewall I can't receive emails anymore on a dedicated CentOS 5.3 server with Postfix and Dovecot.
With the iptables firewall turned off everything works fine.
Following is the /etc/sysconfig/iptables:
Code:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
# -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
# ************ tried doing this first ************
I've got problems with my APF firewall. Here are the errors I get:
Code:
[root@ks123456 ~]# apf -r
apf(6493): {glob} flushing & zeroing chain policies
apf(6493): {glob} firewall offline
apf(6530): {glob} activating firewall
Opening /proc/modules: No such file or directory
apf(6570): {glob} unable to load iptables module (ip_tables), aborting.
apf(6530): {glob} firewall initalized
apf(6530): {glob} fast load snapshot saved
The /var/log/apf_log file is full of these errors.
I've been told that it was a compatibility issue with the server's kernel. So I upgraded the kernel to the latest version, but the problem still remains and I get the same errors...
I have two similar VPS plans with identical software setups. I installed APF Firewall on VPS A, modified the conf.apf file to change the interfaces to venet0 and set monokern to 1 and then opened all the ingress ports required. Started the firewall with 'service apf start' and everything went fine, and everything is working fine with no errors.
I did the same on VPS B but when I start apf I get the following error that reoccurs during the startup sequence:
iptables: No chain/target/match by that name
While the firewall does seem to be running (by checking iptables -L) I am unable to download files on the VPS, via wget or yum ...
I am getting several "iptables: Invalid arguments" messages. I traced this to these iptables calls from within /etc/apf/firewall. Each of these iptables calls gives "iptables: Invalid arguments":
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ALL NONE -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ALL FIN,URG,PSH -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ALL ALL -j IN_SANITY
/sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ALL FIN -j IN_SANITY
Any thoughts? According to my ISP, I have these iptables modules:
Code:
iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc
CSF doesn't ban the IP, and if it is done manually I get the following error.
Code:
csf -d 195.88.65.47
Adding 195.88.65.47 to csf.deny and iptables DROP...
iptables: Index of insertion too big
DROP all opt -- in !lo out * 195.88.65.47 -> 0.0.0.0/0
Error: iptables command [/sbin/iptables -v -I INPUT 2 -i ! lo -s 195.88.65.47 -j DROP] failed, at line 864
Also iptables is not running on the server. If the status is checked it says it's stopped.
I have many sites on my server; I don't want to get any downtime.
Please let us know how we can fix this issue as soon as possible.
I have tried reinstalling CSF but the issue still remains the same.
After I start iptables with "service iptables start", no message comes up. When I use "service iptables status", it says: iptables: Firewall is not running.
60.216.238.212 still has 301 connections, any idea?
Basically, I use ddos-deflate to block DDoS attacks. I already set the max connections to 25. But it seems not to be working; all the connections over 25 have not been blocked. Did I miss something? I mean after I issue