Setting ‘admin’ IP address restrictions via command line in Plesk

If you manage Plesk servers, you should be making use of their ‘admin’ IP address restriction feature to lock down where ‘admin’ can log in from. It’s a real pain in the ass to do this via the web interface, and even more of a pain if you need to update your list regularly on a large number of servers. Fortunately, you can do it via SQL queries run from the command line, which makes it easy to push the changes out to a bunch of servers using automated processes. Here are the commands you’ll send:

/usr/bin/mysql -u admin --password=`cat /etc/psa/.psa.shadow` -e \
 "UPDATE misc SET val = 'deny' WHERE param = 'access_policy'" psa

/usr/bin/mysql -u admin --password=`cat /etc/psa/.psa.shadow` -e \
 "INSERT INTO misc (param,val) VALUES ('access_policy','deny')" psa

/usr/bin/mysql -u admin --password=`cat /etc/psa/.psa.shadow` -e \
 "TRUNCATE cp_access" psa

/usr/bin/mysql -u admin --password=`cat /etc/psa/.psa.shadow` -e \
 "INSERT INTO cp_access (type, netaddr, netmask) VALUES
  ('deny', '127.0.0.1', '255.255.255.255'), 
  ('deny', '10.0.0.0', '255.255.255.0'), 
  ('deny', '2001:0DB8::','32'), 
  ('deny', '2001:0DB8::1','128')" psa

The first command sets the list to act as a "deny unless listed" list, versus the default of denying only the listed addresses (which you’d use to block a specific person, i.e. pointless). The second command adds the entry in case it was not already present (which would have caused the update to fail). The third command empties the current IP list. The fourth command, with its continuation lines, adds the new addresses. The netmask should be in normal dotted-decimal notation for IPv4 addresses but should be the CIDR prefix length for IPv6.
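Since the netmask column wants two different formats, here is an added example (not part of the original post) that builds the final INSERT from plain CIDR entries, converting IPv4 prefixes to dotted decimal and leaving IPv6 prefixes as lengths. The function names are hypothetical; it rejects malformed entries and an empty list, so a bad input file never replaces a working list after the TRUNCATE.

```sh
#!/bin/sh
# Added example: build the cp_access INSERT from CIDR entries.
# Function names are hypothetical; table/column names are from the post.

# IPv4 prefix length (0-32) -> dotted-decimal netmask.
prefix_to_netmask() (
    m=$(( 4294967295 - ((1 << (32 - $1)) - 1) ))
    printf '%d.%d.%d.%d' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
        $(( (m >> 8) & 255 )) $(( m & 255 ))
)

# One CIDR entry -> one VALUES tuple; exits non-zero on malformed input.
cidr_to_tuple() (
    case $1 in */*) ;; *) exit 1 ;; esac
    addr=${1%/*}; prefix=${1##*/}
    case $prefix in ''|*[!0-9]*|0?*|????*) exit 1 ;; esac
    case $addr in
    *:*)  # IPv6: character check only (keeps quotes out of the SQL)
        case $addr in *[!0-9A-Fa-f:]*) exit 1 ;; esac
        [ "$prefix" -le 128 ] || exit 1
        mask=$prefix ;;
    *)    # IPv4: four octets 0-255, netmask becomes dotted decimal
        case $addr in *[!0-9.]*) exit 1 ;; esac
        [ "$prefix" -le 32 ] || exit 1
        mask=$(prefix_to_netmask "$prefix")
        IFS=.; set -- $addr
        [ $# -eq 4 ] || exit 1
        for o in "$@"; do
            case $o in ''|0?*|????*) exit 1 ;; esac
            [ "$o" -le 255 ] || exit 1
        done ;;
    esac
    printf "('deny', '%s', '%s')" "$addr" "$mask"
)

# Full INSERT statement; fails on an empty list or any bad entry.
build_insert() (
    [ $# -gt 0 ] || { echo "refusing empty list" >&2; exit 1; }
    values=
    for entry in "$@"; do
        t=$(cidr_to_tuple "$entry") || { echo "bad entry: $entry" >&2; exit 1; }
        values=${values:+$values, }$t
    done
    printf 'INSERT INTO cp_access (type, netaddr, netmask) VALUES %s;\n' "$values"
)

# The addresses used in the post, written as CIDR entries.
build_insert 127.0.0.1/32 10.0.0.0/24 2001:0DB8::/32 2001:0DB8::1/128
```

Build the statement first and only run the TRUNCATE and the mysql commands above if build_insert succeeded.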
