Atomic Secure Linux

Post subject: Re: Beginning of Plesk vulnerability
Posted: Fri Jul 13, 2012 4:46 am
Long Time Forum Regular
Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
I previously enabled the WAF for Plesk by setting PSA_WAF_ENABLE="yes", but it seems that setting no longer does anything although it's still present in the default /etc/asl/config file? I was kind of surprised to find that our Plesk installations were no longer protected by the WAF.

Mod_security is active for ports 80 and 443 by default, even when WAF_ENABLED="off", like it is by default, right?

I also noticed that when adding an entry to the T-WAF there is a preset for Plesk, but it only handles traffic to Plesk via port 8443 (https), but not via port 8880 (http). It would be good to add that preset as well or the bad guys can just use that unprotected entrance.

_________________
Lemonbit Internet Dedicated Server Management


Post subject: Re: Beginning of Plesk vulnerability
Posted: Fri Jul 13, 2012 5:07 am
Long Time Forum Regular
Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
Hm, I'm not sure I understand T-WAF completely and I also can't find a wiki page about T-WAF.

I noticed different default entries in the T-WAF settings window on different servers. On one ASL EL5 server I found this:

Type IP / Domain URL Destination SSL Port
embedded * * * * 80
embedded * * * * 443

On another ASL EL5 server I found this:

Type IP / Domain URL Destination SSL Port
embedded * * * * *

Can you explain the difference? And why would I find different defaults on different servers with the same OS and same ASL version? And what does 'embedded' mean exactly here?

_________________
Lemonbit Internet Dedicated Server Management


Post subject: Re: Beginning of Plesk vulnerability
Posted: Fri Jul 13, 2012 5:08 am
Long Time Forum Regular
Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
I just added T-WAF on a Plesk server for the local webserver on port 80 to see what would happen. Afterwards I tried to remove the entry again via the ASL GUI, but the button with the cross doesn't do anything. Should I file a bug report for this?

I then removed the entry from /etc/asl/waf-config and ran 'asl -s -f', but it looks like more is needed to get rid of the entry, because looking at the output of 'service iptables status' it's still active. How do I clean up this entry manually?

Does adding a Plesk server's local webserver on port 80 to the T-WAF make Apache more secure? Apache uses the Tortix WAF (mod_security) by default, right?

_________________
Lemonbit Internet Dedicated Server Management


Post subject: Re: Beginning of Plesk vulnerability
Posted: Fri Jul 13, 2012 7:01 am
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846
The T-WAF wiki entry is at http://www.atomicorp.com/wiki/index.php/ASL_WAF

Thanks for the "service iptables status" pointer. That's showing me prerouting rules and I have no redirects there.

The redirect rules are added from /var/asl/data/fw_waf_policy which is loaded via asl-firewall

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


Post subject: Re: Beginning of Plesk vulnerability
Posted: Fri Jul 13, 2012 7:20 am
Long Time Forum Regular
Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
faris wrote:


Thanks, I couldn't find that by searching for T-WAF or WAF on the wiki. Apparently I even broke access to Apache by configuring T-WAF for port 80, since it was already using the WAF in embedded mode. Might be good if the GUI would warn about this.

faris wrote:
The redirect rules are added from /var/asl/data/fw_waf_policy which is loaded via asl-firewall


Thanks, I removed the entry for port 80 from that file and restarted asl-firewall, but that didn't seem to change anything. I also restarted tortixd, but that also didn't change the firewall. In the end I just ran the iptables commands myself.

I also found /var/asl/etc/httpd/conf.d/asl_waf.conf.new which was not a syntactically correct Apache configuration file, but it seems this file is not actually used. Where are the T-WAF proxy configurations stored these days?

_________________
Lemonbit Internet Dedicated Server Management


Post subject: Re: Beginning of Plesk vulnerability
Posted: Fri Jul 13, 2012 8:15 am
Forum Regular
Joined: Sat Mar 28, 2009 6:58 pm
Posts: 802
Location: Germany
man...this vulnerability really is a pain...
on the net you get a gui to fetch the admin pw from plesk. unbelievable how far this got already?!

SOURCE:
http://krebsonsecurity.com/2012/07/ples ... es-hacked/


Post subject: Re: Beginning of Plesk vulnerability
Posted: Fri Jul 13, 2012 9:03 am
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7429
Location: earth
it'd be easier to manage if you open cases through the portal about this.


Post subject: Re: Beginning of Plesk vulnerability
Posted: Fri Jul 13, 2012 9:07 am
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846
I just wish we knew for sure if this was something new or ....

I've firewalled 8880 and 8443 on all our systems as a temporary measure.

Luckily we don't have that many clients who use the panel itself.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


Post subject: Re: Beginning of Plesk vulnerability
Posted: Fri Jul 13, 2012 9:21 am
Forum Regular
Joined: Sat Mar 28, 2009 6:58 pm
Posts: 802
Location: Germany
yes. who knows if it's the old one or something new.

i have closed port 8443 and 8880 has always been closed by me.
is it possible to access plesk via 8447 somehow?

changed all passwords...what a nightmare pita work. :)

t-waf will be setup.


Post subject: Re: Beginning of Plesk vulnerability
Posted: Fri Jul 13, 2012 9:39 am
Long Time Forum Regular
Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
BruceLee wrote:
is it possible to access plesk via 8447 somehow?


AFAIK, no. 8447 is the port used by the autoinstaller.

_________________
Lemonbit Internet Dedicated Server Management


Post subject: Re: Beginning of Plesk vulnerability
Posted: Fri Jul 13, 2012 9:46 am
Forum Regular
Joined: Sat Mar 28, 2009 6:58 pm
Posts: 802
Location: Germany
thanks.


Post subject: Re: Beginning of Plesk vulnerability
Posted: Fri Jul 13, 2012 11:27 am
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846
scott wrote:
it'd be easier to manage if you open cases through the portal about this.


Sorry scott. I thought this was unsupported otherwise I would have done so.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


Post subject: Re: Beginning of Plesk vulnerability
Posted: Fri Jul 13, 2012 12:04 pm
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846
Saw this in the plesk log. This IP is up to no good for sure. Notice the change in browser id. IP is from Indonesia.

Code:
::ffff:202.169.229.135 domain.tld:8443 - [13/Jul/2012:12:19:57 +0100] "GET / HTTP/1.1" 200 1310 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/15.0.1084.56 Safari/546.5"
::ffff:202.169.229.135 domain.tld:8443 - [13/Jul/2012:12:20:20 +0100] "POST /enterprise/control/agent.php HTTP/1.1" 200 185 "-" "Mozilla/5.0


Hopefully unrelated of course. It was the POST to agent.php (not Agent.php which was the original source of the known vulnerability) that rang alarm bells.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
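An added detection example (not code from the thread, from Atomicorp or from Plesk): a small Python parser for the access-log layout quoted in the post above that flags POSTs to the agent.php endpoint and source addresses whose User-Agent changes between requests. The log lines and IP addresses are constructed (documentation ranges, not the address quoted in the thread), and the watched-path list and the "more than one User-Agent" threshold are assumptions.

```python
import re
from collections import defaultdict

# Plesk access-log layout as quoted in the thread:
#   client vhost:port - [timestamp] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumed watch-list: the RPC endpoint the thread singles out, compared in
# lower case so that agent.php and Agent.php are both caught.
WATCHED_PATHS = {"/enterprise/control/agent.php"}

def parse_line(line):
    """Return a dict of fields, or None if the line is not in the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Drop the IPv4-mapped IPv6 prefix so the same client is tracked under one key.
    if rec["ip"].startswith("::ffff:"):
        rec["ip"] = rec["ip"][len("::ffff:"):]
    return rec

def analyse(lines):
    """Flag (1) POSTs to watched paths and (2) clients whose User-Agent changes."""
    agents = defaultdict(set)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not parse rather than guess
        agents[rec["ip"]].add(rec["ua"])
        if rec["method"] == "POST" and rec["path"].lower() in WATCHED_PATHS:
            findings.append(("watched_post", rec["ip"], rec["ts"], rec["path"]))
    for ip, uas in agents.items():
        if len(uas) > 1:  # assumed threshold: any change of User-Agent per client
            findings.append(("ua_change", ip, len(uas)))
    return findings

# Constructed sample log (documentation IPs 203.0.113.0/24 and 198.51.100.0/24).
SAMPLE_LOG = [
    '::ffff:203.0.113.7 domain.tld:8443 - [13/Jul/2012:12:19:57 +0100] "GET / HTTP/1.1" 200 1310 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/15.0.1084.56 Safari/536.5"',
    '::ffff:203.0.113.7 domain.tld:8443 - [13/Jul/2012:12:20:20 +0100] "POST /enterprise/control/agent.php HTTP/1.1" 200 185 "-" "Mozilla/5.0"',
    '::ffff:198.51.100.4 domain.tld:8443 - [13/Jul/2012:12:21:03 +0100] "GET /login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    print(*analyse(SAMPLE_LOG), sep="\n")
```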


Post subject: Re: Beginning of Plesk vulnerability
Posted: Fri Jul 13, 2012 3:46 pm
Long Time Forum Regular
Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
I can no longer access Plesk after enabling T-WAF for Plesk. Tried it on two servers, but had to disable T-WAF again. Anyone else seeing this?

_________________
Lemonbit Internet Dedicated Server Management


Post subject: Re: Beginning of Plesk vulnerability
Posted: Sat Jul 14, 2012 4:15 pm
Forum User
Joined: Sat Jul 14, 2012 4:03 pm
Posts: 14
Location: NorthAmerica
breun wrote:
I can no longer access Plesk after enabling T-WAF for Plesk. Tried it on two servers, but had to disable T-WAF again. Anyone else seeing this?


Yes just registered to get more info on this as well. Appears only on 11.0 as other server is 10.4 and it works ok without any problems. On the 11.0 account you get a time out and it is rectified by dropping t-waf rule for Plesk and restarting asl firewall, and iptables -F -----Reload url and you get your gui login screen back.

