Installation Instructions

Learn how to install the product.

Getting Started

Learn how to configure the product.

Troubleshooting

Having problems? Learn how to diagnose and debug issues.

Knowledgebase

Self help questions and answers for product support, including pre-sales questions.


How to test SpamAssassin

To test the spam filter, send a GTUBE test email using the command below (replacing emailonserver@example.com with a real email account on the server). If the anti-spam filter is working correctly you will see the message listed in the maillog and in the Warden log under Warden -> Logs -> Message Log.

While testing, note that the GTUBE test string adds +1000 to the spam score. So even if the mailbox is in the whitelist the mail will still be detected as spam, because a whitelist entry only subtracts 100 points.

Disable Greylisting: If greylisting is enabled then you must disable it on the recipient domain before running these tests:

/usr/local/psa/bin/grey_listing --update-domain example.com -status off

Centos/RHEL/CloudLinux/AlmaLinux:

echo "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X" | mail -S smtp=localhost -r sender@test.com -s "Spam test example" emailonserver@example.com

Debian/Ubuntu:

apt-get install s-nail
echo "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X" | s-nail -S smtp=localhost -r sender@test.com -s "Spam test example" emailonserver@example.com

How to test ClamAV

To test the virus filter, download the EICAR test file and send it as an attachment using the command below (replacing emailonserver@example.com with a real email account on the server). If the anti-virus filter is working correctly you will see the message get blocked and listed in the maillog and in Warden -> Logs -> Message Log.

Disable Greylisting: If greylisting is enabled then you must disable it on the recipient domain before running these tests:

/usr/local/psa/bin/grey_listing --update-domain example.com -status off

Centos/RHEL/CloudLinux/AlmaLinux:

wget http://www.eicar.org/download/eicar.com.txt
echo "TEST MESSAGE w/ ATTACHMENT" | mail -S smtp=localhost -r sender@test.com -s "A/V test example" -a eicar.com.txt emailonserver@example.com

Debian/Ubuntu:

apt-get install s-nail
wget http://www.eicar.org/download/eicar.com.txt
echo "TEST MESSAGE w/ ATTACHMENT" | s-nail -S smtp=localhost -r sender@test.com -s "A/V test example" -a eicar.com.txt emailonserver@example.com
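To confirm that the test messages were actually caught rather than just delivered, the following added example (not part of the Warden documentation) parses the Amavis decision lines from the mail log and reports the verdict and score recorded for the test recipient. The log lines it uses are constructed samples in the amavisd-new log format; the LOGFILE argument, the function names and the sample file path are choices made for this example.

```shell
#!/bin/sh
# Added example, not part of the Warden documentation: after sending the GTUBE
# and EICAR test messages, confirm from the mail log that Amavis actually
# blocked them. The log lines in write_sample_log are constructed samples in the
# usual amavisd-new format; on a real server pass /var/log/maillog (RHEL family)
# or /var/log/mail.log (Debian/Ubuntu) as the LOGFILE argument instead.

# write_sample_log FILE - writes the constructed sample mail log to FILE
write_sample_log() {
    cat > "$1" <<'EOF'
Mar 18 21:40:01 mail amavis[5105]: (05105-01) Passed CLEAN {RelayedInbound}, [127.0.0.1]:53312 [127.0.0.1] <sender@test.com> -> <emailonserver@example.com>, Message-ID: <a1@mail>, mail_id: Xk2Qz9, Hits: -0.1, size: 512, queued_as: 3C1D2A01, 312 ms
Mar 18 21:41:07 mail amavis[5105]: (05105-02) Blocked SPAM {DiscardedInbound,Quarantined}, [127.0.0.1]:53340 [127.0.0.1] <sender@test.com> -> <emailonserver@example.com>, quarantine: spam-9f3dQw.gz, Message-ID: <a2@mail>, mail_id: 9f3dQw, Hits: 1000.5, size: 640, 455 ms
Mar 18 21:42:15 mail amavis[5105]: (05105-03) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound,Quarantined}, [127.0.0.1]:53388 [127.0.0.1] <sender@test.com> -> <emailonserver@example.com>, quarantine: virus-7b1cRt.gz, Message-ID: <a3@mail>, mail_id: 7b1cRt, Hits: -, size: 1102, 290 ms
Mar 18 21:43:00 mail postfix/smtpd[2210]: connect from localhost[127.0.0.1]
EOF
}

# amavis_verdicts LOGFILE RECIPIENT - prints one "VERDICT CATEGORY hits=SCORE"
# line per Amavis decision recorded for RECIPIENT, e.g. "Blocked SPAM hits=1000.5"
amavis_verdicts() {
    grep -F 'amavis[' "$1" | grep -F -- "-> <$2>" |
        sed -E -n 's/^.*\) (Passed|Blocked) ([A-Z-]+).*Hits: ([^,]*),.*$/\1 \2 hits=\3/p'
}

# spam_test_caught LOGFILE RECIPIENT - succeeds if the GTUBE message was
# blocked as SPAM, and prints the score Amavis assigned to it
spam_test_caught() {
    amavis_verdicts "$1" "$2" | grep '^Blocked SPAM ' | sed 's/.*hits=//' | grep .
}

# virus_test_caught LOGFILE RECIPIENT - succeeds if the EICAR attachment was
# blocked as INFECTED
virus_test_caught() {
    amavis_verdicts "$1" "$2" | grep -q '^Blocked INFECTED '
}

# Stand-alone run against the constructed sample
SAMPLE="${TMPDIR:-/tmp}/amavis_sample.$$"
write_sample_log "$SAMPLE"
printf 'Decisions for emailonserver@example.com:\n'
amavis_verdicts "$SAMPLE" emailonserver@example.com
if score=$(spam_test_caught "$SAMPLE" emailonserver@example.com); then
    printf 'GTUBE test blocked as spam (score %s)\n' "$score"
else
    printf 'GTUBE test NOT blocked - check that SpamAssassin is running\n'
fi
if virus_test_caught "$SAMPLE" emailonserver@example.com; then
    printf 'EICAR test blocked as infected\n'
else
    printf 'EICAR test NOT blocked - check that clamd is running\n'
fi
rm -f "$SAMPLE"
```

A Passed CLEAN line for the test recipient, or no line at all, means the message never reached Amavis or the filter did not fire; the score on the Blocked SPAM line should be well above 1000 for a GTUBE message, matching the +1000 described above.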

Amavis will tag the subject line of any email that it can't scan with the tag UNCHECKED.

ClamAV Problems

First check that the ClamAV daemon is running properly. See: How can I check the status of ClamAV and fix any problems?

Password Protected Archives

Amavis will prepend the UNCHECKED tag to the Subject (for local recipients only) if the mail could not be decoded or checked entirely, e.g. due to password-protected archives.

To Disable the UNCHECKED Header (Not recommended)

To disable this on Centos/RHEL edit the file /etc/amavisd/warden.conf, or on Debian/Ubuntu edit the file /etc/amavis/conf.d/99-warden, and add the following line (before the last line, 1;):

$undecipherable_subject_tag = undef;

After making the changes restart Amavis:

// Centos/RHEL/CloudLinux/AlmaLinux
systemctl restart amavisd
// Debian/Ubuntu
systemctl restart amavis

Bad Header Destiny

The default setting under Warden -> Settings -> Content Filter -> Content Filter Settings -> Bad header destiny is reject. The server-wide policy option under Warden -> Settings -> Content Filter -> Policy Settings -> Receive bad header emails is set to Yes, which allows bad header emails to pass to the mailbox. This means that Amavis will store a copy of the bad header emails for review but will still allow the emails to pass to the user's mailbox. Amavis deletes the quarantined copies of the messages automatically after 30 days.

If you would like to reject mail with bad headers, change the server-wide policy option under Warden -> Settings -> Content Filter -> Policy Settings -> Receive bad header emails to No. Bad header emails will then no longer be passed through to the user's mailbox.

To disable all bad header tests

To disable all bad header tests on Centos/RHEL/CloudLinux/AlmaLinux edit the file /etc/amavisd/warden.conf, or on Debian/Ubuntu edit the file /etc/amavis/conf.d/99-warden, and search for the @bypass_header_checks_maps option.

Change from:

@bypass_header_checks_maps = (\%bypass_header_checks, \@bypass_header_checks_acl, \$bypass_header_checks_re);

Change to:

@bypass_header_checks_maps = [1];

After making these changes restart Amavis:

// Centos/RHEL/CloudLinux/AlmaLinux
systemctl restart amavisd
// Debian/Ubuntu
systemctl restart amavis

To disable all bad header tests for a specific policy bank (outgoing email only)

Go to Warden -> Settings -> Policy Banks and set Disable bad header filter to Yes for the policy bank you want to disable it on.

To disable specific bad header tests

The $allowed_header_tests option defines which checks are performed during the bad-header tests. The available tests are:

other - catch-all for everything else (normally not used)
mime - bad MIME (sub)headers or bad MIME structure
8bit - invalid non-encoded 8-bit characters in header
control - invalid control characters in header (CR or NUL)
empty - folded header field made up entirely of whitespace
long - header line longer than the RFC 2822 limit of 998 characters
syntax - header field syntax error
missing - missing required header field
multiple - duplicate or multiple occurrence of a header field

To disable certain tests on Centos/RHEL/CloudLinux/AlmaLinux edit the file /etc/amavisd/warden.conf, or on Debian/Ubuntu edit the file /etc/amavis/conf.d/99-warden, and search for the $allowed_header_tests option. Setting a test to 0 disables that test:

$allowed_header_tests{'multiple'} = 0;
$allowed_header_tests{'missing'} = 0;

After making these changes restart Amavis:

// Centos/RHEL/CloudLinux/AlmaLinux
systemctl restart amavisd
// Debian/Ubuntu
systemctl restart amavis

In order for PHP to log which scripts are sending mail from the server you must first set mail.add_x_header = On in all the php.ini files that are being used by the server.

1. Enable mail.add_x_header in all of your php.ini files:

// turn on for the OS default PHP version if you have the base PHP packages installed
sed -i -e "s/^mail.add_x_header = Off/mail.add_x_header = On/" /etc/php.ini
// turn on for all of the Plesk PHP versions
sed -i -e "s/^mail.add_x_header = Off/mail.add_x_header = On/" /opt/plesk/php/*/etc/php.ini
// restart any PHP-FPM instances
systemctl restart plesk-php73-fpm
systemctl restart plesk-php74-fpm
systemctl restart plesk-php80-fpm

2. Go to Warden -> Settings -> Filter Settings and change the Log template option from short to verbose.

3. You should now see the X-PHP-Originating-Script header logged when clicking on the plus icon next to a message-log entry for a message that was sent using PHP. It logs the UID of the user that ran the script and the script name.

Looking up the User from the X-PHP-Originating-Script Header

The X-PHP-Originating-Script header consists of the UID of the user and the script name:

X-PHP-Originating-Script: 10000:class.phpmailer.php

4. To find the vhost directory from a UID (replace UID with the user ID that was logged):

grep UID /etc/passwd

5. To find the full path to a script (replace the path with the vhost directory from the UID and the php script name with the name of the script that was logged):

find /var/www/vhosts/example.com/httpdocs -type f -name "class.phpmailer.php"

Viewing the X-PHP-Originating-Script Header from the Queue

When viewing a message in the Warden queue, the PHP tab will look up the local user information based on the X-PHP-Originating-Script header (if it exists) and search the vhost files for any matching script files with the same name.
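The two manual lookups above (UID to vhost directory, then script name to path) can be scripted. The following added example, which is not Warden's own code, parses the X-PHP-Originating-Script value, rejects values that are not in the UID:script form, resolves the UID through a passwd-format file and searches that user's home directory for the script. The passwd file and vhost tree are constructed in a temporary directory so it runs offline; the function names and the sample user are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Warden's own code: resolve an X-PHP-Originating-Script
# header value to the Plesk system user and to the script on disk. The passwd
# file and vhost tree used below are constructed under a temporary directory so
# the script runs offline; on a real server pass /etc/passwd as PASSWD and the
# functions will search the user's home directory under /var/www/vhosts.

# parse_originating_script HEADER_LINE - prints "UID SCRIPT"; fails (status 1)
# unless the value has the "UID:script" form that PHP writes
parse_originating_script() {
    value=$(printf '%s\n' "$1" | sed -n 's/^X-PHP-Originating-Script:[[:space:]]*//p')
    uid=${value%%:*}
    script=${value#*:}
    case "$uid" in
        ''|*[!0-9]*) return 1 ;;        # UID must be purely numeric
    esac
    [ -n "$script" ] && [ "$script" != "$value" ] || return 1   # a ':' must be present
    printf '%s %s\n' "$uid" "$script"
}

# home_for_uid PASSWD UID - prints "USER HOME" for the first passwd entry with that UID
home_for_uid() {
    awk -F: -v uid="$2" '$3 == uid { print $1, $6; exit }' "$1"
}

# resolve_header PASSWD HEADER_LINE - prints "USER PATH" for every file in the
# user's home (the vhost directory on Plesk) whose name matches the logged script
resolve_header() {
    parsed=$(parse_originating_script "$2") || return 1
    uid=${parsed%% *}
    script=${parsed#* }
    entry=$(home_for_uid "$1" "$uid")
    [ -n "$entry" ] || return 1                     # unknown UID
    user=${entry%% *}
    home=${entry#* }
    find "$home" -type f -name "$script" 2>/dev/null |
        while read -r path; do printf '%s %s\n' "$user" "$path"; done
}

# make_sample ROOT - builds a constructed passwd file and vhost tree under ROOT
make_sample() {
    mkdir -p "$1/vhosts/example.com/httpdocs/wp-content/plugins/contact/includes"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$1/passwd"
    printf 'example_user:x:10000:1002::%s/vhosts/example.com:/bin/false\n' "$1" >> "$1/passwd"
    : > "$1/vhosts/example.com/httpdocs/wp-content/plugins/contact/includes/class.phpmailer.php"
}

# Stand-alone run against the constructed sample
ROOT="${TMPDIR:-/tmp}/phpmail_sample.$$"
make_sample "$ROOT"
resolve_header "$ROOT/passwd" 'X-PHP-Originating-Script: 10000:class.phpmailer.php'
rm -rf "$ROOT"
```

Searching the whole home directory rather than only httpdocs matters in practice, because a sending script can live in a subdomain or a private directory of the same subscription; several hits for one script name are all worth inspecting.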

To get your free MaxMind license key:

1. Sign up for the free license key here: https://www.maxmind.com/en/geolite2/signup
2. Generate a license key here (when asked "Will this key be used for geoipupdate?" choose: No).
3. Navigate to your Extension -> Settings -> Panel Application -> Geolocation Settings and enter the license key under MaxMind license key. (It might take 30 minutes before MaxMind will recognize a newly created key.)
4. Press the Update button to save your settings.

Lots of people seem to be confused by the "autolearn=no" statement in the default X-Spam-Status header. There are usually questions regarding whether or not "no" means SpamAssassin is not autolearning at all. What it actually means is that the specific message which includes the "autolearn=no" part was not autolearned, not that autolearning is disabled or somehow broken.

The three values that can be displayed are "no" (autolearning did not occur), "ham" (the message was learned as ham), and "spam" (the message was learned as spam).

If a message has already been learned by SpamAssassin, then that message will not be learned again. Therefore, if you run a message through SpamAssassin to see why it was classified as spam or ham, and it has already been learned, you will always get the result "autolearn=no". (To see this more clearly, use the "-D" flag, and you will see debug output explaining that the message has already been learned.)

Furthermore, the score used to trigger autolearning is somewhat different than the one reported in the final score; therefore a score displayed in the headers that ostensibly should trigger autolearning will not do so. Again, use the "-D" flag to SpamAssassin, and you will see the score that is used to determine whether or not autolearning will be triggered.

Finally, SpamAssassin requires at least 3 points from the header and 3 points from the body, to auto-learn as spam. If either section contributes fewer points, the message will not be auto-learned.

Possible Autolearn States

ham: the message was learned as ham (non-spam)
spam: the message was learned as spam
no: the specific message didn't achieve the proper threshold values and requirements to be learned
disabled: the configuration specifies bayes_auto_learn 0 or use_bayes 0 and so no autolearning is attempted
failed: autolearning was attempted, but couldn't complete. This happens if SpamAssassin can't gain a lock on the Bayes database files, etc.
unavailable: autolearning was not completed for any reason not covered above. It could be that the message was already learned.

Reasons why Autolearn isn't Working

1. In order for autolearn to work you need at least 200 trained messages in both the ham and the spam category.
2. If using Redis Bayes storage your Bayes Token TTL might be too low, so the spam entries expire before they reach the 200 trained messages threshold. Try raising the Bayes Token TTL to 180d.

In Amavis banned attachments are controlled by the $banned_filename_re option in the Amavis config file.

Centos/RHEL/CloudLinux/AlmaLinux

Edit the file /etc/amavisd/amavisd.conf and search for the $banned_filename_re option. You can comment out existing entries or add new file extensions:

$banned_filename_re = new_RE(

### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
  qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary
# qr'^\.(exe|lha|cab|dll)$',              # banned file(1) types

### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
# [ qr'^\.(gz|bz2)$'             => 0 ],  # allow any in gzip or bzip2
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives

  qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary
# qr'^\.zip$',                            # block zip type

### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within these archives

  qr'^application/x-msdownload$'i,        # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

# qr'^message/partial$'i,         # rfc2046 MIME type
# qr'^message/external-body$'i,   # rfc2046 MIME type

# qr'^(application/x-msmetafile|image/x-wmf)$'i,  # Windows Metafile MIME type
# qr'^\.wmf$',                            # Windows Metafile file(1) type

  # block certain double extensions in filenames
  qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,

# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict
# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose

  qr'.\.(exe|vbs|pif|scr|cpl)$'i,                # banned extension - basic
# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i,    # banned extension - basic+cmd
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
#        inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|
#        msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|
#        wmf|wsc|wsf|wsh)$'ix,                   # banned extensions - long
# qr'.\.(asd|asf|asx|url|vcs|wmd|wmz)$'i,        # consider also

# qr'.\.(ani|cur|ico)$'i,   # banned cursors and icons filename
# qr'^\.ani$',              # banned animated cursor file(1) type

# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
);

Debian/Ubuntu

Edit the file /etc/amavis/conf.d/20-debian_defaults and search for the $banned_filename_re option. You can comment out existing entries or add new file extensions:

$banned_filename_re = new_RE(
#  qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components

  # block certain double extensions anywhere in the base name
  qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

  qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict

  qr'^application/x-msdownload$'i,                  # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

#  qr'^application/x-msmetafile$'i,                  # Windows Metafile MIME type
#  qr'^\.wmf$',                                      # Windows Metafile file(1) type

#  qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types

#  [ qr'^\.(Z|gz|bz2)$'            => 0 ],  # allow any in Unix-compressed
#  [ qr'^\.(rpm|cpio|tar)$'        => 0 ],  # allow any in Unix-type archives
#  [ qr'^\.(zip|rar|arc|arj|zoo)$' => 0 ],  # allow any within such archives
#  [ qr'^application/x-zip-compressed$'i => 0], # allow any within such archives

  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
#  qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
#         inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
#         ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
#         wmf|wsc|wsf|wsh)$'ix,                  # banned ext - long
#  qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,       # banned extension - WinZip vulnerab.

  qr'^\.(exe-ms)$',                       # banned file(1) types
#  qr'^\.(exe|lha|tnef|cab|dll)$',                   # banned file(1) types
);

Restart Amavis:

// Centos / RHEL / CloudLinux
systemctl restart amavisd
// Debian / Ubuntu
systemctl restart amavis

About Greylisting

Important: Greylisting is recommended for advanced users only. Make sure to read through this article thoroughly so that you don't accidentally get extended delays in legitimate email after enabling greylisting.

Greylisting is a method of defending against spam. Greylisting tells the mail server to temporarily reject any email from a sender it does not recognize. If the mail is legitimate, the originating server will try again after a delay, and once sufficient time has elapsed the email will be accepted. Warden uses Plesk's built-in greylisting tool. Server-wide and domain-level greylisting management is supported by Warden. Personal-level (mailbox-level) greylisting management is not supported and should not be enabled.

Server-wide greylisting can be enabled/disabled in Warden -> Settings -> Greylisting Settings -> Greylisting. Unchecking and disabling the server-wide setting will disable all greylisting and hide the greylisting tab in Warden for all domains. Domain-level greylisting can be enabled/disabled under Warden -> Policies -> click the edit icon next to the domain on the grid -> Greylisting -> Disable greylisting option (yes or no).

Greylisting defers emails from senders that use multiple IP addresses, so it is important to whitelist those providers, otherwise you will get extended delays in email. See the "Sender mail servers that use multiple IP addresses" section below for how to whitelist those mail servers.

Greylisting is applied to any non-authenticated email (both incoming and outgoing). There will be longer delays in email delivery after first enabling greylisting, as it might take a few days for entries to be populated in the greylisting database.

Enabling Greylisting

To enable greylisting server-wide go to Warden -> Settings -> Greylisting Settings and check the Greylisting option. Note that unchecking and disabling the server-wide setting will disable all greylisting and hide the greylisting tab in Warden for all domains. After greylisting is enabled server-wide you have the option of disabling greylisting per domain under Warden -> Policies -> click the edit icon next to the domain on the grid -> Greylisting -> Disable greylisting (yes or no).

Viewing Greylisted Emails

Emails that are greylisted are listed under Warden -> Logs -> Reject Log. Greylisted entries have a 451 4.7.1 status with the message "Service unavailable - try again later" (Postfix is telling the other mail server to try again later). You can use the message select list on the reject page to filter by "Service unavailable - try again later" to view all greylisted entries. Normally greylisted emails will have at least 3 rejected entries before delivery is accepted.

The Client rDNS column in the reject log is important, as that is what you will use to whitelist a mail server from greylisting. If you see many entries for the same message coming from different IP addresses then you might need to create a wildcard whitelist for that provider. See "Sender mail servers that use multiple IP addresses" below for more information.

Sender mail servers that use multiple IP addresses

After enabling greylisting it is important to review your Warden -> Logs -> Reject Log over the next week in order to whitelist those mail service providers that send using multiple IP addresses, otherwise you will get extended delays in email. It could take 1 or 2 days for delivery with greylisting enabled unless you whitelist those mail servers. You can whitelist the mail servers using a wildcard that matches the Client rDNS (PTR record) of the connecting mail server.

Example: You might see the same email in the reject log coming from different mail servers of one provider:

a15-177.smtp-out.amazonses.com
a14-30.smtp-out.amazonses.com
a15-229.smtp-out.amazonses.com
e252-50.smtp-out.amazonses.com

To whitelist emails from Amazon matching all of those mail servers you can use a wildcard entry (remember that you are whitelisting the client rDNS record of the email server, not an email address):

plesk bin grey_listing --update-server -domains-whitelist add:"*.amazonses.com"

Known providers that send out using multiple IP addresses:

// Adobe
plesk bin grey_listing --update-server -domains-whitelist add:"*.adobe.com"
// Amazon
plesk bin grey_listing --update-server -domains-whitelist add:"*.amazonses.com"
// Ebay
plesk bin grey_listing --update-server -domains-whitelist add:"*.ebay.com"
// Google
plesk bin grey_listing --update-server -domains-whitelist add:"*.google.com"
// Github
plesk bin grey_listing --update-server -domains-whitelist add:"*.github.com"
// Linkedin
plesk bin grey_listing --update-server -domains-whitelist add:"*.linkedin.com"
// Paypal
plesk bin grey_listing --update-server -domains-whitelist add:"*.paypal.com"
// Shopify
plesk bin grey_listing --update-server -domains-whitelist add:"*.shopify.com"
// Telus
plesk bin grey_listing --update-server -domains-whitelist add:"*.telus.com"

Configuring Greylisting

Parameters like expire-interval, grey-interval, penalty-interval, and others can be configured under Warden -> Settings -> Greylisting Settings or using the Plesk CLI utility "grey_listing". Note: The personal command line option --update-mailname is not supported as it is tied to Plesk's legacy spam filter.

To view the current greylisting settings:

plesk bin grey_listing --info-server

To enable greylisting for a specific domain:

plesk bin grey_listing --update-domain example.com -status on

To disable greylisting for a specific domain:

plesk bin grey_listing --update-domain example.com -status off

Whitelisting

To whitelist a mail server from greylisting (remember that you are whitelisting the client rDNS record of the email server, not an email address):

plesk bin grey_listing --update-server -domains-whitelist add:"mail.example.com"

To remove a whitelisted mail server from greylisting:

plesk bin grey_listing --update-server -domains-whitelist del:"mail.example.com"

Blacklisting

By default greylisting blocks any client rDNS that matches the following patterns (the default patterns match dynamic hosts that should not be sending any email). Mail servers that are blacklisted are listed under Warden -> Logs -> Reject Log. Blacklisted entries have a 451 4.7.1 status with the message "Command rejected".

*[0-9][0-9]-[0-9][0-9]-[0-9][0-9]*
*[0-9][0-9].[0-9][0-9].[0-9][0-9]*
*[0-9][0-9][0-9]-[0-9][0-9][0-9]-[0-9][0-9][0-9]*
*[0-9][0-9][0-9].[0-9][0-9][0-9].[0-9][0-9][0-9]*
dsl|broadband|hsd
dynamic|static|ppp|dyn-ip|dial-up

To add blacklist patterns:

plesk bin grey_listing --update-server -domains-blacklist add:"mail.badserver.com"

To remove blacklist patterns:

plesk bin grey_listing --update-server -domains-blacklist del:"mail.badserver.com"

Adjusting the Default Blacklist Patterns

Some of the default blacklist patterns will likely block email from legitimate providers, so it is recommended that you remove them:

// matches mta-70-12-15.sparkpostmail.com
plesk bin grey_listing --update-server -domains-blacklist del:"*[0-9][0-9]-[0-9][0-9]-[0-9][0-9]*"
// matches outbound-147-160-155-33.pinterestmail.com
plesk bin grey_listing --update-server -domains-blacklist del:"*[0-9][0-9][0-9]-[0-9][0-9][0-9]-[0-9][0-9][0-9]*"
// matches mail25.static.mailgun.info, so remove the "static" pattern and then re-add the rest
plesk bin grey_listing --update-server -domains-blacklist del:"dynamic|static|ppp|dyn-ip|dial-up"
plesk bin grey_listing --update-server -domains-blacklist add:"dynamic|ppp|dyn-ip|dial-up"

Disabling Greylisting For Newly Created Domains

Some users may want to have greylisting enabled server-wide but disabled by default for newly created domains. This can be done using a Plesk event handler. In Plesk go to Tools & Settings -> Event Manager -> Add Event Handler:

Event: Default domain (the first domain added to a subscription) created
Priority: lowest (0)
User: root
Command: /usr/local/psa/bin/grey_listing --update-domain <NEW_DOMAIN_NAME> -status off
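The reject-log review described under "Sender mail servers that use multiple IP addresses" can also be done from the Postfix log. The following added example (not part of the Warden documentation) extracts greylisting deferrals from constructed Postfix-style reject lines, reports which providers retried from more than one IP address (the wildcard whitelist candidates) and checks a client rDNS name against wildcard patterns, including the default blacklist pattern that the article recommends removing. It assumes the wildcards behave like shell glob patterns, which is an assumption about Plesk rather than something the article states, and it uses documentation IP ranges and function names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the Warden documentation: mine greylisting rejects
# for providers that retry from several IP addresses (the ones the article says
# to whitelist with a wildcard) and check a client rDNS name against
# whitelist/blacklist patterns. The log lines in write_sample_log are
# constructed Postfix-style reject lines using documentation IP ranges; on a real
# server pass the Postfix mail log as LOGFILE. Pattern matching uses shell glob
# rules, which is an assumption about how Plesk evaluates its wildcards.

# write_sample_log FILE - writes the constructed sample reject log to FILE
write_sample_log() {
    cat > "$1" <<'EOF'
Mar 18 21:10:02 mail postfix/smtpd[2201]: NOQUEUE: reject: RCPT from a15-177.smtp-out.amazonses.com[192.0.2.177]: 451 4.7.1 <user@example.com>: Recipient address rejected: Service unavailable - try again later; from=<0100018e@amazonses.com> to=<user@example.com> proto=ESMTP helo=<a15-177.smtp-out.amazonses.com>
Mar 18 21:15:41 mail postfix/smtpd[2201]: NOQUEUE: reject: RCPT from a14-30.smtp-out.amazonses.com[192.0.2.30]: 451 4.7.1 <user@example.com>: Recipient address rejected: Service unavailable - try again later; from=<0100018e@amazonses.com> to=<user@example.com> proto=ESMTP helo=<a14-30.smtp-out.amazonses.com>
Mar 18 21:21:09 mail postfix/smtpd[2203]: NOQUEUE: reject: RCPT from a15-229.smtp-out.amazonses.com[192.0.2.229]: 451 4.7.1 <user@example.com>: Recipient address rejected: Service unavailable - try again later; from=<0100018e@amazonses.com> to=<user@example.com> proto=ESMTP helo=<a15-229.smtp-out.amazonses.com>
Mar 18 21:26:33 mail postfix/smtpd[2203]: NOQUEUE: reject: RCPT from a15-177.smtp-out.amazonses.com[192.0.2.177]: 451 4.7.1 <user@example.com>: Recipient address rejected: Service unavailable - try again later; from=<0100018e@amazonses.com> to=<user@example.com> proto=ESMTP helo=<a15-177.smtp-out.amazonses.com>
Mar 18 21:30:12 mail postfix/smtpd[2205]: NOQUEUE: reject: RCPT from mail-lf1-f45.google.com[198.51.100.45]: 451 4.7.1 <user@example.com>: Recipient address rejected: Service unavailable - try again later; from=<someone@gmail.com> to=<user@example.com> proto=ESMTP helo=<mail-lf1-f45.google.com>
Mar 18 21:35:50 mail postfix/smtpd[2205]: NOQUEUE: reject: RCPT from mail-lj1-f171.google.com[198.51.100.171]: 451 4.7.1 <user@example.com>: Recipient address rejected: Service unavailable - try again later; from=<someone@gmail.com> to=<user@example.com> proto=ESMTP helo=<mail-lj1-f171.google.com>
Mar 18 21:40:07 mail postfix/smtpd[2207]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.7]: 451 4.7.1 <user@example.com>: Recipient address rejected: Service unavailable - try again later; from=<bob@example.net> to=<user@example.com> proto=ESMTP helo=<mail.example.net>
Mar 18 21:44:19 mail postfix/smtpd[2207]: NOQUEUE: reject: RCPT from dyn-ip-203-0-113-9.example.org[203.0.113.9]: 451 4.7.1 Command rejected; from=<x@example.org> to=<user@example.com> proto=ESMTP helo=<dyn-ip-203-0-113-9.example.org>
EOF
}

# greylist_rejects LOGFILE - prints "CLIENT_RDNS CLIENT_IP SENDER" for every
# greylisting deferral (the "Service unavailable - try again later" rejects)
greylist_rejects() {
    grep -F 'Service unavailable - try again later' "$1" |
        sed -E -n 's/^.*RCPT from ([^[]+)\[([0-9.]+)\]:.*from=<([^>]*)>.*$/\1 \2 \3/p'
}

# suggest_wildcards LOGFILE - prints "*.PROVIDER COUNT" for every provider
# (last two labels of the client rDNS) that was deferred from COUNT > 1
# distinct IP addresses; these are the wildcard whitelist candidates
suggest_wildcards() {
    greylist_rejects "$1" | awk '
        {
            n = split($1, lab, ".")
            base = (n >= 2) ? lab[n-1] "." lab[n] : $1
            key = base SUBSEP $2                 # one entry per provider+IP
            if (!(key in seen)) { seen[key] = 1; ips[base]++ }
        }
        END { for (b in ips) if (ips[b] > 1) print "*." b, ips[b] }' | sort
}

# rdns_matches HOST PATTERN... - succeeds if HOST matches any glob PATTERN
rdns_matches() {
    host=$1
    shift
    for pat in "$@"; do
        case "$host" in
            $pat) return 0 ;;
        esac
    done
    return 1
}

# Stand-alone run against the constructed sample
SAMPLE="${TMPDIR:-/tmp}/greylist_sample.$$"
write_sample_log "$SAMPLE"
printf 'Providers deferred from more than one IP (whitelist candidates):\n'
suggest_wildcards "$SAMPLE"
rm -f "$SAMPLE"
```

Grouping on the last two labels of the rDNS is deliberately coarse: it turns a15-177.smtp-out.amazonses.com and e252-50.smtp-out.amazonses.com into the single candidate *.amazonses.com that the article recommends, and a provider that appears once with one IP is left alone because normal greylisting will clear it on retry. The same matcher shows why the default *[0-9][0-9]-[0-9][0-9]-[0-9][0-9]* blacklist pattern catches mta-70-12-15.sparkpostmail.com.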


ConfigServer Security & Firewall (csf) currently supports only the iptables interface, so when upgrading to Debian 11, Ubuntu 20.04 LTS, or Ubuntu 22.04 LTS, which use nftables by default, you must switch back to the iptables interface. Most newer OS releases ship iptables-nft, which provides a bridge to the nftables kernel API and infrastructure, so using iptables isn't an issue.

Make sure that the iptables packages are installed:

# apt-get install iptables

There are two variants of the iptables command:

nf_tables: Often referred to as iptables-nft.
legacy: Often referred to as iptables-legacy.

The newer iptables-nft command provides a bridge to the nftables kernel API and infrastructure and is recommended if it is supported by your OS. You can find out which variant is in use by looking at the iptables version. For iptables-nft, the variant is shown in parentheses after the version number, as nf_tables:

# iptables -V
iptables v1.8.4 (nf_tables)

1. To view your alternatives for running iptables, run the command update-alternatives --config iptables:

# update-alternatives --config iptables
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).

  Selection    Path                        Priority   Status
------------------------------------------------------------
* 0            /usr/sbin/iptables-nft       20        auto mode
  1            /usr/sbin/iptables-legacy    10        manual mode
  2            /usr/sbin/iptables-nft       20        manual mode

Press <enter> to keep the current choice[*], or type selection number:

2. Run the following commands to re-link any symbolic links:

ln -s /etc/alternatives/iptables /sbin/iptables 2>/dev/null
ln -s /etc/alternatives/iptables-save /sbin/iptables-save 2>/dev/null
ln -s /etc/alternatives/iptables-restore /sbin/iptables-restore 2>/dev/null
ln -s /etc/alternatives/ip6tables /sbin/ip6tables 2>/dev/null
ln -s /etc/alternatives/ip6tables-save /sbin/ip6tables-save 2>/dev/null
ln -s /etc/alternatives/ip6tables-restore /sbin/ip6tables-restore 2>/dev/null

3. Go to Juggernaut Firewall -> Settings -> Binary Settings and press the Default button at the bottom of the page to apply the correct iptables binary locations. Now everything should be switched over to iptables and CSF should function correctly.

Yes, we support blocking attacks like these very easily. See below for more information:

How can I enable a custom login failure trigger for an application?
https://www.danami.com/clients/knowledgebase/174/How-can-I-enable-a-custom-login-failure-trigger-for-an-application.html

Login Failure Custom Triggers
https://docs.danami.com/juggernaut/user-guide/login-failure-custom-triggers


You can disable and enable the firewall from the command line using the following commands:

To disable the firewall:
csf -x

To re-enable the firewall:
csf -e

To get the list of all command line options:
csf --help

AbuseIPDB is the gold standard for abuse reporting and is used by some of the largest hosting companies worldwide.

To enable AbuseIPDB support within the extension:

1. Sign up for a free API key here. The free API key is good for up to 1000 checks per day.
2. Generate an API key here.
3. Enter your API key at Settings -> Network Tools Settings -> Reputation Settings -> AbuseIPDB API key.
4. Check the "Block Reporting" checkbox to have the login failure daemon report failed trigger blocks back to AbuseIPDB automatically (Juggernaut Firewall extension only).
5. Press the Update button to save your settings.

Check an IP Address

To check an IP address, click on the IP address and then select "Reputation".

Report an IP Address

To report an IP address, select "Report" from the operation select list, then select the abuse categories you want to report it under.

Remove a Reported IP Address

To remove a reported IP address, select "Clear" from the operation select list (you are limited to 10 clear operations per day). See here for how to remove a reported IP address from the AbuseIPDB website.

Block Reporting

If "Block Reporting" is enabled the login failure daemon will report failed triggers back to AbuseIPDB automatically (Juggernaut Firewall extension only).

AbuseIPDB Blocklist

1. Navigate to Juggernaut Firewall -> Settings -> Login Failure Daemon -> IP Block Lists.
2. Click the edit icon next to the AbuseIPDB block list.
3. Replace YOUR_API_KEY with your API key in the source URL.
4. Check the Enabled checkbox and press the Submit button to save the entry.
5. Press the Restart button on the grid so that the login failure daemon restarts and downloads the new blocklist.

// Default Source URL
https://api.abuseipdb.com/api/v2/blacklist?plaintext&limit=65000&confidenceMinimum=100&key=YOUR_API_KEY
// Replace YOUR_API_KEY with the API key that you generated
https://api.abuseipdb.com/api/v2/blacklist?plaintext&limit=65000&confidenceMinimum=100&key=db413d60408bd4cba20840285402385sdjfasjdpu09374934gsdfg99de1f

You can watch the login failure daemon download the block list under Logs -> LFD log:

2022-01-19 01:28:53 PM 5105 IPSET: switching set new_6_ABUSEIPDB to bl_6_ABUSEIPDB
2022-01-19 01:28:53 PM 5105 IPSET: loading set new_6_ABUSEIPDB with 99 entries
2022-01-19 01:28:52 PM 5105 IPSET: switching set new_ABUSEIPDB to bl_ABUSEIPDB
2022-01-19 01:28:52 PM 5105 IPSET: loading set new_ABUSEIPDB with 46914 entries

Block list entries are stored in the /var/lib/csf/ directory. Note: CSF optimizes downloaded blocklists, so if another blocklist already contains the same IP address it will not be included. To view the number of entries for a blocklist on the command line:

# wc -l /var/lib/csf/csf.block.ABUSEIPDB
74140 /var/lib/csf/csf.block.ABUSEIPDB

AbuseIPDB Free vs Paid Plans

The free plan blocklist is limited to a maximum of 10,000 IP addresses. Paid users can include more IP addresses by raising the limit option and lowering the confidenceMinimum option in the source URL. Admins should first raise the Juggernaut Firewall -> Settings -> General Settings -> Ipset maxelem option above their limit (e.g. 100,000) so that they don't get ipset errors loading a blocklist of that size.

// Paid source URL example with limit set to 100,000 IP addresses and a confidenceMinimum set to 75
https://api.abuseipdb.com/api/v2/blacklist?plaintext&limit=100000&confidenceMinimum=75&key=db413d60408bd4cba20840285402385sdjfasjdpu09374934gsdfg99de1f

AbuseIPDB has a nice graph of how many IP addresses will be included at different confidence minimums here.

From the Extension Interface

Admins can remove a reported IP address by clicking on the IP address from any of the grid pages, then clicking on the Reputation tab and selecting the Clear operation.

From the AbuseIPDB Website

Registered users have the option to remove their own reports via the Reports section of the AbuseIPDB user control panel. Additionally there is a takedown request feature on each reported IP address's page, usable by all registered users.

Controlling What Gets Logged to the ModSecurity Log

The following directives control what gets written to the ModSecurity audit log:

SecAuditEngine - Configures the audit logging engine. Possible values are:
On - log all transactions.
Off - do not log transactions.
RelevantOnly - only log transactions that have triggered a warning or an error, or that have a response status code considered relevant (see SecAuditLogRelevantStatus).

SecAuditLogRelevantStatus - Configures which response status codes are considered relevant for audit logging when SecAuditEngine is RelevantOnly. The parameter is a regular expression matched against the status code.

SecAuditLogParts - Configures which sections (parts) of a transaction to log. The default is ABCFHZ. Available audit log parts:
A - audit log header (mandatory)
B - request headers
C - request body (present only if the request body exists and ModSecurity is configured to intercept it)
D - RESERVED for intermediary response headers, not implemented yet.
E - intermediary response body (present only if ModSecurity is configured to intercept response bodies, and if the audit log engine is configured to record it). The intermediary response body is the same as the actual response body unless ModSecurity intercepts it, in which case the actual response body contains the error message (either the Apache default error message or the ErrorDocument page).
F - final response headers (excluding the Date and Server headers, which Apache always adds late in content delivery).
G - RESERVED for the actual response body, not implemented yet.
H - audit log trailer
I - a replacement for part C. It logs the same data as C in all cases except when multipart/form-data encoding is used; in that case it logs a fake application/x-www-form-urlencoded body that contains the parameters but not the files. Use it if you don't want (often large) uploaded files stored in your audit logs.
J - RESERVED. When implemented, this part will contain information about the files uploaded using multipart/form-data encoding.
Z - final boundary, signifies the end of the entry (mandatory)

Example

To log only transactions with 4XX and 5XX status codes, go to Tools & Settings -> Web Application Firewall (ModSecurity) -> Settings and enter the directives below in the Custom directives textarea:

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4)"
SecAuditLogParts ABIFHZ
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/modsecurity/audit

Note that with RelevantOnly, transactions that trigger a rule warning or error are still logged whatever their status code; the regex only adds status-based entries on top of those.

Data Retention Period

Administrators can set the number of days to keep SecAuditLog records by going to Juggernaut Firewall -> Settings -> Database Maintenance -> Maintenance Settings -> Delete modsecurity logs after.
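As an added example that is not part of the original article or of ModSecurity itself: a small Python parser for one ModSecurity 2.x audit log entry of the kind the directives above produce (in Concurrent mode each transaction is written to its own file under SecAuditLogStorageDir). It splits the entry into its lettered parts, pulls the status code from part F and the matching rule ids from part H, and applies a SecAuditLogRelevantStatus-style regex so you can see which entries the "^(?:5|4)" setting would keep and why part I, not C, holds the request body. The entry text, boundary, unique id, addresses and rule id 1000001 are constructed for the example.

```python
import re

# Constructed sample of a single audit log entry written with SecAuditLogParts ABIFHZ.
# Boundary, unique id, IP addresses and the rule id 1000001 are made up for this example.
SAMPLE_ENTRY = """\
--5a3b2c1d-A--
[18/Mar/2024:21:50:00 --0600] ZfjxYqB7nXyW8QAAAABBBB 203.0.113.10 54321 198.51.100.5 443
--5a3b2c1d-B--
POST /login.php HTTP/1.1
Host: www.example.com
User-Agent: curl/8.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

--5a3b2c1d-I--
user=admin&pass=%27+OR+1%3D1--

--5a3b2c1d-F--
HTTP/1.1 403 Forbidden
Content-Length: 199
Content-Type: text/html; charset=iso-8859-1

--5a3b2c1d-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i)or 1=1" at ARGS:pass. [file "/etc/httpd/conf/modsecurity.d/local.conf"] [line "12"] [id "1000001"] [msg "Constructed example rule: SQLi probe in login form"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1710820200000000 1234 (- - -)
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

--5a3b2c1d-Z--
"""

# Part boundary: "--<hex boundary>-<part letter>--" on a line of its own.
BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")


def parse_audit_entry(text):
    """Split one audit log entry into a dict mapping part letter -> part body."""
    parts, current, buf = {}, None, []
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            if current is not None:
                parts[current] = "\n".join(buf).strip("\n")
            current, buf = m.group(2), []
        elif current is not None:
            buf.append(line)
    if current is not None:          # close the last part (normally Z, which is empty)
        parts[current] = "\n".join(buf).strip("\n")
    return parts


def response_status(parts):
    """Return the HTTP status code from the status line in part F, or None if absent."""
    lines = parts.get("F", "").splitlines()
    if not lines:
        return None
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0])
    return int(m.group(1)) if m else None


def rule_ids(parts):
    """Return every rule id named in the Message: lines of part H."""
    return re.findall(r'\[id "(\d+)"\]', parts.get("H", ""))


def is_relevant_status(parts, relevant_status_regex):
    """Mirror SecAuditLogRelevantStatus: the regex is applied to the status code as a string."""
    status = response_status(parts)
    return status is not None and re.search(relevant_status_regex, str(status)) is not None


def summarize(parts):
    """Pull out the fields an analyst triages first: who, what, result, which rules."""
    m = re.match(r"^\[(.+?)\] (\S+) (\S+) (\d+) (\S+) (\d+)$", parts.get("A", "").strip())
    request_line = parts["B"].splitlines()[0] if parts.get("B") else None
    return {
        "timestamp": m.group(1) if m else None,
        "unique_id": m.group(2) if m else None,
        "client_ip": m.group(3) if m else None,
        "request": request_line,
        "status": response_status(parts),
        "rule_ids": rule_ids(parts),
    }
```

Run it over any file from the storage directory to see the same split; the "^(?:5|4)" regex keeps the 403 above but "^5" would drop it, while an entry that carried a Message: line in part H would be written regardless.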

Cloudflare Limitations

As Cloudflare is a reverse proxy, any attacking IP addresses (as far as iptables is concerned) come from the Cloudflare IPs. To counter this, an Apache module (mod_cloudflare) is available that obtains the attacker's true IP from a custom HTTP header (similar functionality is available for other HTTP daemons). However, despite now knowing the true attacking IP address, iptables cannot be used to block that IP as the traffic is still coming from the Cloudflare servers. You can read more about these limitations in section 27. CloudFlare of the CSF firewall readme.txt.

Restoring Original Visitor IP Addresses

Apache

Install the mod_cloudflare module. This makes sure that the visitor's real IP address is reported correctly in the web server logs.

Centos/RHEL/CloudLinux

Plesk maintains its own mod_cloudflare packages so it is a simple process to install:

// install the mod_cloudflare package
yum install mod_cloudflare
// restart apache
systemctl restart httpd

Debian/Ubuntu

Plesk does not have mod_cloudflare packages so we have to enable the mod_remoteip module in the Apache HTTP server:

a2enmod remoteip

Add a /etc/apache2/conf-available/remoteip.conf file with this content:

RemoteIPHeader CF-Connecting-IP
# IPV4
RemoteIPTrustedProxy 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/13 104.24.0.0/14 108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13 173.245.48.0/20 188.114.96.0/20 190.93.240.0/20 197.234.240.0/22 198.41.128.0/17
# IPV6
RemoteIPTrustedProxy 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32

The RemoteIPTrustedProxy list is what prevents spoofing: mod_remoteip only honours CF-Connecting-IP when the connecting peer is inside one of these ranges, so a client that reaches Apache directly cannot forge its address by adding the header. Cloudflare publishes the current ranges at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; update the file when they change.

Enable the remoteip.conf configuration file:

a2enconf remoteip

Reload or restart Apache:

systemctl reload apache2

Add the Cloudflare Network Ranges To Ignore Permanently

Navigate to Juggernaut Firewall -> Ignore Permanently. Click the Advanced button and add the Cloudflare IPv4 and IPv6 network ranges to ignore permanently so the login failure daemon will never block them. Click the Update button to save your settings. Click the Restart button to restart the firewall and login failure daemon.

Enable Cloudflare Support

Navigate to Juggernaut Firewall -> Settings -> Other -> Cloudflare Settings. Check the Cloudflare firewall checkbox to enable Cloudflare support. Click the Update button to save your settings. Click the Restart button to restart the firewall and login failure daemon.

Add Your Cloudflare API Keys

Navigate to Juggernaut Firewall -> Settings -> Other -> Cloudflare Settings -> Cloudflare Users. Click the Add button on the grid to add any Cloudflare user API keys (CSF uses the older API keys, not API tokens). Click the Submit button to save your settings. Click the Restart button on the grid to restart the firewall and login failure daemon.

Add the Cloudflare Actions Widget To The Dashboard

Navigate to Juggernaut Firewall -> Dashboard. Click the Add Widget button on the top right of the dashboard. Click the Add Widget button below the Cloudflare Actions widget.
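An added example, not from the article and not code from Juggernaut Firewall, CSF or mod_remoteip: it reproduces in Python the decision mod_remoteip makes with the remoteip.conf above, and the reason the article gives for not blocking at iptables. The CF-Connecting-IP header is believed only when the TCP peer is one of the Cloudflare ranges; when it is, the address that needs blocking has to go to Cloudflare rather than to iptables, because the packets still arrive from Cloudflare. The network list is copied from the config above; the peer and header addresses used in the checks are constructed.

```python
import ipaddress

# Cloudflare ranges as listed in remoteip.conf above. This is a snapshot; Cloudflare publishes
# the live lists at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in """
103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/13 104.24.0.0/14
108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13
173.245.48.0/20 188.114.96.0/20 190.93.240.0/20 197.234.240.0/22 198.41.128.0/17
2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32
2a06:98c0::/29 2c0f:f248::/32
""".split()]


def is_trusted_proxy(peer_ip, trusted=CLOUDFLARE_RANGES):
    """True if the TCP peer address falls inside one of the RemoteIPTrustedProxy ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in trusted)


def effective_client_ip(peer_ip, headers, header_name="CF-Connecting-IP",
                        trusted=CLOUDFLARE_RANGES):
    """Model the mod_remoteip decision for a single-address header such as CF-Connecting-IP:
    substitute the header value for the peer address only when the peer is a trusted proxy
    and the value is a well-formed IP address. Anything else keeps the peer address, which
    is what defeats a direct client that adds the header itself."""
    if not is_trusted_proxy(peer_ip, trusted):
        return peer_ip                                   # header from an untrusted peer is ignored
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get(header_name.lower())
    if value is None:
        return peer_ip                                   # trusted proxy but no header: keep peer
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return peer_ip                                   # garbage in the header: keep peer
    return value.strip()


def blocking_layer(peer_ip, trusted=CLOUDFLARE_RANGES):
    """Where a block for this connection's real client has to be applied. Traffic that
    arrives via Cloudflare cannot be stopped by an iptables rule on the client's IP, since
    the packets come from Cloudflare's addresses; it has to be blocked at Cloudflare."""
    return "cloudflare" if is_trusted_proxy(peer_ip, trusted) else "iptables"


# Constructed connections: one proxied by Cloudflare, one hitting the origin directly.
PROXIED = ("104.16.1.1", {"CF-Connecting-IP": "203.0.113.10"})
DIRECT_SPOOF = ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.10"})
```

With an empty RemoteIPTrustedProxy list every peer is untrusted and the header is never used, which is the safe failure mode; the dangerous misconfiguration is trusting the header without the range list, which the function above cannot express because it always consults `trusted`.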

To get your free MaxMind license key, sign up for a free GeoLite2 account at https://www.maxmind.com/en/geolite2/signup and generate a license key (when asked "Will this key be used for geoipupdate?" choose: No). Navigate to your Extension -> Settings -> Panel Application -> Geolocation Settings and enter the license key under MaxMind license key. (It might take up to 30 minutes before MaxMind recognizes a newly created key.) Press the Update button to save your settings.

To Run a Malware Scan

Navigate to Sentinel Anti-malware -> Scan. Select the specific domains you want to scan or choose All domains to scan all of them. Click the Scan button to start the scan. After the scan completes, the scan report is listed under the Reports tab.

To View a Scan Report

Navigate to Sentinel Anti-malware -> Reports. Click on a Scan ID entry in the grid for the report you want to view. Any detected malware is listed under the Malware Hits section.

To Perform an Action on the Malware Hits

Click on the Actions tab for the scan report. Choose an operation to perform from the select list (Quarantine, Restore, Clean, Email). Press the Run button to perform the selected action.

Sentinel Anti-malware can automatically quarantine viruses and malware the moment they are detected. Important: We recommend that you first run a full scan of all domains without the automatic quarantine enabled so that you can work out any false positives. Navigate to Sentinel Anti-malware -> Settings -> Quarantine Settings. Check the Quarantine hits checkbox. Click the Update button to save your settings. Click the Restart button to restart the real-time monitoring.

You can change the interface language under Settings -> Application Settings -> Locale.

We are looking for volunteers to fix any errors in the machine translations of our Plesk extensions for the following languages:
Español (Spain)
Français (France)
Português (Brazil)
Magyar (Hungary)
Русский (Russia)
Türkçe (Turkey)
Svenska (Sweden)
中文 (China)
中文 (Taiwan/Hong Kong)
日本語 (Japan)

Volunteers will get a free license for every Plesk extension that they help translate. The translator must be a native speaker of the language they are translating. The license remains free as long as they want to remain the translator for that language. Open a support ticket through our client area if you are interested.

If you have a virus or malware that is not detected by ClamAV, please submit it at: https://www.clamav.net/reports/malware The ClamAV Detection Content Team will review your submission and update the virus database. If approved, ClamAV will publish a new signature so that your virus or malware is detected. This way everyone benefits from your report! Note: We highly recommend that users enable the third party signatures for both Warden Anti-spam and Virus Protection and Sentinel Anti-malware to improve the ClamAV detection rate. See the knowledgebase articles on enabling third party signatures for Warden Anti-spam and Virus Protection and for Sentinel Anti-malware.

Testing Sentinel Anti-malware Detection

Download the EICAR test file into the httpdocs directory of one of your domains. Change the ownership from root:root to the owner of the domain (by default Sentinel ignores files owned by root). Run a scan on the domain with the sample malware. See: https://www.danami.com/clients/knowledgebase/168/How-do-I-run-a-malware-scan-using-Sentinel-Anti-malware.html

Testing Sentinel Anti-malware Automatic Quarantine

Make sure that automatic quarantine is enabled. See: https://www.danami.com/clients/knowledgebase/165/How-can-I-enable-automatic-qurantine-using-Sentinal-Anti-malware.html Download the EICAR test file into the httpdocs directory of one of your domains. Change the ownership from root:root to the owner of the domain (by default Sentinel ignores files owned by root). If real-time monitoring is enabled, the file should be moved to the quarantine area automatically. If real-time monitoring is disabled, you can manually run a scan on the domain with the sample malware. See: https://www.danami.com/clients/knowledgebase/168/How-do-I-run-a-malware-scan-using-Sentinel-Anti-malware.html

To Download the EICAR Test Malware Sample

// change to a domain hosted on your server
cd /var/www/vhosts/example.com/httpdocs/
// download the test malware
wget http://www.eicar.org/download/eicar.com.txt
// change the ownership to the domain owner user
chown example:psacln eicar.com.txt

The EICAR file is harmless by design, but delete it (or leave it quarantined) once the test is finished so it does not keep showing up in scan reports.

Centos/RHEL/CloudLinux/AlmaLinux

Configuration files:
// Linux malware detect (Anti-malware Settings)
/usr/local/maldetect/conf.maldet
// clamd scan daemon (Anti-virus Settings)
/etc/clamd.d/scan.conf
// clamav signature update (Anti-virus Signature Settings)
/etc/freshclam.conf

Restarting Services:
// Linux malware detect restart
systemctl restart maldet
// Linux malware detect log file
tail -f /usr/local/maldetect/logs/event_log
// clamav restart
systemctl restart clamd@scan
// clamav log file
tail -f /var/log/clamd.scan
// freshclam restart (Centos/RHEL/CloudLinux 8 only)
systemctl restart clamav-freshclam
// freshclam log file
tail -f /var/log/freshclam.log

Debian/Ubuntu

Configuration files:
// Linux malware detect (Anti-malware Settings)
/usr/local/maldetect/conf.maldet
// clamd scan daemon (Anti-virus Settings)
/etc/clamav/clamd.conf
// clamav signature update (Anti-virus Signature Settings)
/etc/clamav/freshclam.conf

Restarting Services:
// Linux malware detect restart
systemctl restart maldet
// Linux malware detect log file
tail -f /usr/local/maldetect/logs/event_log
// clamav restart
systemctl restart clamav-daemon
// clamav log file
tail -f /var/log/clamav/clamav.log
// freshclam restart
systemctl restart clamav-freshclam
// freshclam log file
tail -f /var/log/clamav/freshclam.log

To View the File Contents

Navigate to Sentinel Anti-malware -> Quarantine. Click on a File entry in the grid for the file that you want to view. From the popup you can view or edit the source code, or download it to your computer.
