Plesk DNS and Cisco PIX 501e
Greetings, my name is cha0tic. I run a small web hosting service on a dedicated server leased from GoDaddy, and I need help! ------ SKIP DOWN TO GET TO QUESTION ------
Let me give you some background first. A few months ago we leased a dedicated server from GoDaddy and managed it via Plesk. It worked great, no problems, easy sailing; we added clients, domains, etc., and everything was a snap.
Then... it happened...
Phone rings, it's one of my clients: their website was not coming up, so I figured they had messed up their files as they have done before in the past. So I stumbled over to my laptop, fired it up, and attempted to log in via Plesk. No response.
Hm, strange, I thought to myself.
So I fired up RDC and attempted to connect. Connected just fine, a bit slow, but connected.
The Plesk service had been stopped.
IIS had been stopped; basically nothing was running.
So while I was still unsure of what was going on, I started to get a general idea.
Attempted to start some of the services, and they started; everything started back up.
Went to check some of the websites, and lo and behold, massive defacement.
Great.
Checked other domains that were hosted; almost all of them had been defaced. REALLY great!
So after checking some of the logs, which showed me absolutely nothing, I decided to reprovision the server and start over. Did the updates, went through a bunch of steps to secure it, spent a few days doing so.
Everything worked great,
which brought me to my next step of securing it: a firewall.
After mucking around forums trying to find a decent FREE software firewall (I'm broke, not making a profit from the hosting yet; close, but no profit yet), I decided to bite the bullet and invest in a Cisco PIX 501e NAT firewall.
Talked to GoDaddy, and it was installed.
------ SKIP TO HERE TO GET TO THE POINT ------
Recap on above:
1. Server got hacked.
2. Reprovisioned the server, secured it, updated it, etc.
3. Had a Cisco PIX 501e NAT firewall added.
Once the firewall was added, my server was unreachable.
I contacted GoDaddy, and it turns out it was a small error on their part, and it was fixed.
I could RDC into the server, no problem; worked great.
However Plesk, domains, DNS, nothing else worked.
After reading some forums, it turns out Plesk needed to be configured in a specific way for it to work: http://download1.swsoft.com/Plesk/Pl...l/ch02s02.html
I configured it as described in the link above; still did not work.
So I checked on the Plesk forums and came across this:
http://forum.plesk.com/showthread.ph...&highlight=NAT
which I did, and still it did not work.
I'm at my wits' end, and hoping someone here will have an idea on what I can do to get it working.
Below is the info I currently have for Plesk, the firewall and the server.
server:
Windows 2003 Server Standard.
firewall:
Cisco PIX 501e NAT Firewall
Plesk:
Plesk 7.5.6
------------------------------------------
FIREWALL INFO:
Result of firewall command: "show run"
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name obscured
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any any eq ftp-data
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq ssh
access-list outside_access_in permit tcp any any eq 42
access-list outside_access_in permit udp any any eq nameserver
access-list outside_access_in permit tcp any any eq domain
access-list outside_access_in permit udp any any eq domain
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq pop3
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any any eq 465
access-list outside_access_in permit tcp any any eq 587
access-list outside_access_in permit tcp any any eq 995
access-list outside_access_in permit tcp any any eq 993
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in permit tcp any any eq 8443
access-list outside_access_in permit tcp any any eq 9999
access-list outside_access_in deny tcp any any eq telnet
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in deny tcp any any eq imap4
access-list outside_access_in deny tcp any any eq 1433
access-list outside_access_in deny tcp any any eq 3306
access-list outside_access_in deny tcp any any eq 9080
access-list outside_access_in deny tcp any any eq 9090
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any source-quench
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 60.0.0.55 255.255.255.0
ip address inside 10.0.0.254 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.1 255.255.255.255 inside
pdm location 10.0.0.2 255.255.255.255 inside
pdm location 10.0.0.3 255.255.255.255 inside
pdm location 60.0.0.1 255.255.255.255 outside
pdm location 60.0.0.2 255.255.255.255 outside
pdm location 60.0.0.3 255.255.255.255 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
static (outside,inside) 10.0.0.1 60.0.0.1 netmask 255.255.255.255 0 0
static (inside,outside) 60.0.0.1 10.0.0.1 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.2 60.0.0.2 netmask 255.255.255.255 0 0
static (inside,outside) 60.0.0.2 10.0.0.2 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.3 60.0.0.3 netmask 255.255.255.255 0 0
static (inside,outside) 60.0.0.3 10.0.0.3 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 60.0.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
management-access outside
console timeout 0
terminal width 80
------------------------------------------
Copy of Plesk DNS config for one of our domains
10.0.0.1 / 24 PTR domain1.com.
domain1.com. A 10.0.0.1
domain1.com. MX (10) mail.domain1.com.
domain1.com. NS ns.domain1.com.
ftp.domain1.com. CNAME domain1.com.
mail.domain1.com. A 10.0.0.1
mssql.domain1.com. A 10.0.0.1
ns.domain1.com. A 10.0.0.1
sitebuilder.domain1.com. A 10.0.0.1
webmail.domain1.com. A 10.0.0.1
www.domain1.com. CNAME domain1.com.
--- IPs/DOMAINS WERE REPLACED WITH FAKES FOR SECURITY PURPOSES
---------------------------
I'm sorry for the long post. ANY help would be greatly appreciated, even links to a site that could help me further.
I had considered asking the hosting provider for help, but I believe they would charge me a ton!
Thanks again.
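Added example, not part of the original post or of Plesk's or Cisco's code: a Python script that cross-checks the posted Plesk zone against the posted PIX `static` translations. Two things are visible on this page and worth checking first. The zone lists 10.0.0.1 in every A record and in the PTR, but the `static (inside,outside) 60.0.0.1 10.0.0.1` line means the Internet can only reach that host as 60.0.0.1, so records handed to outside resolvers have to carry the mapped public address. Separately, `http 0.0.0.0 0.0.0.0 outside`, `ssh 0.0.0.0 0.0.0.0 outside` and `snmp-server community public` in the `show run` open the firewall's own management plane (PDM, SSH, SNMP read) to any outside address. The sample input below is constructed from the post's own placeholder addresses; the parsers assume Plesk's `name TYPE value` listing format and the PIX 6.3 `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ...` syntax, and the `static (outside,inside)` lines are deliberately ignored because only the inside-to-outside direction defines the public address.

```python
"""Cross-check a Plesk DNS zone listing against PIX static NAT and audit
management-plane exposure.  Added example; the config lines below are
constructed from the placeholders in the post (60.0.0.x public, 10.0.0.x
private), not a real network."""
import ipaddress
import re

# Constructed sample: the relevant lines of the posted "show run".
PIX_SHOW_RUN = """\
static (outside,inside) 10.0.0.1 60.0.0.1 netmask 255.255.255.255 0 0
static (inside,outside) 60.0.0.1 10.0.0.1 netmask 255.255.255.255 0 0
static (inside,outside) 60.0.0.2 10.0.0.2 netmask 255.255.255.255 0 0
static (inside,outside) 60.0.0.3 10.0.0.3 netmask 255.255.255.255 0 0
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
snmp-server community public
"""

# Constructed sample: the posted Plesk zone for domain1.com, same format.
PLESK_ZONE = """\
10.0.0.1 / 24 PTR domain1.com.
domain1.com. A 10.0.0.1
domain1.com. MX (10) mail.domain1.com.
domain1.com. NS ns.domain1.com.
ftp.domain1.com. CNAME domain1.com.
mail.domain1.com. A 10.0.0.1
mssql.domain1.com. A 10.0.0.1
ns.domain1.com. A 10.0.0.1
sitebuilder.domain1.com. A 10.0.0.1
webmail.domain1.com. A 10.0.0.1
www.domain1.com. CNAME domain1.com.
"""

# PIX 6.3: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
# Plesk shows reverse records as "ip / prefixlen PTR target"; the prefix is dropped.
PTR_RE = re.compile(r"^(\S+) / (\d+) PTR (\S+)$")
RECORD_RE = re.compile(r"^(\S+) (A|AAAA|CNAME|MX|NS|TXT) (.+)$")


def parse_static_nat(config):
    """Return {real_private_ip: mapped_public_ip} from one-to-one inside->outside statics."""
    nat = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        real_if, mapped_if, mapped_ip, real_ip, mask = m.groups()
        if (real_if, mapped_if, mask) == ("inside", "outside", "255.255.255.255"):
            nat[real_ip] = mapped_ip
    return nat


def parse_zone(zone_text):
    """Parse Plesk's 'name TYPE value' listing into (owner, type, value) tuples."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        m = PTR_RE.match(line)
        if m:
            records.append((m.group(1), "PTR", m.group(3)))
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append(m.groups())
    return records


def is_private(value):
    """True for RFC 1918 / otherwise non-routable addresses; False for names."""
    try:
        return ipaddress.ip_address(value).is_private
    except ValueError:
        return False


def check_zone(records, nat):
    """Records that would hand a private address to outside resolvers.

    Each finding is (owner, type, private_ip, public_ip_or_None); None means the
    private host has no static mapping at all, which is a separate problem.
    """
    findings = []
    for owner, rtype, value in records:
        ip = owner if rtype == "PTR" else value
        if rtype in ("A", "PTR") and is_private(ip):
            findings.append((owner, rtype, ip, nat.get(ip)))
    return findings


def rewrite_zone(records, nat):
    """Zone lines with private addresses replaced by their NAT public address.

    Unmapped private addresses are left as-is so the gap stays visible.
    """
    out = []
    for owner, rtype, value in records:
        if rtype == "PTR":
            out.append(f"{nat.get(owner, owner)} PTR {value}")
        elif rtype == "A":
            out.append(f"{owner} A {nat.get(value, value)}")
        else:
            out.append(f"{owner} {rtype} {value}")
    return out


def audit_management_plane(config):
    """Flag http/ssh access from any outside host and default SNMP community strings."""
    findings = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:1] in (["http"], ["ssh"]) and parts[1:4] == ["0.0.0.0", "0.0.0.0", "outside"]:
            findings.append(f"{parts[0]} management reachable from any outside address: {line}")
        if parts[:2] == ["snmp-server", "community"] and parts[2:3] in (["public"], ["private"]):
            findings.append(f"default SNMP community string: {line}")
    return findings


if __name__ == "__main__":
    nat = parse_static_nat(PIX_SHOW_RUN)
    records = parse_zone(PLESK_ZONE)
    for owner, rtype, ip, public in check_zone(records, nat):
        print(f"{rtype:4} {owner:26} publishes private {ip} -> {public or 'NO STATIC MAPPING'}")
    print("\nZone as it should appear to the Internet:")
    print("\n".join(rewrite_zone(records, nat)))
    print("\nManagement-plane findings:")
    print("\n".join(audit_management_plane(PIX_SHOW_RUN)))
```

Running it lists seven records (six A plus the PTR) that publish 10.0.0.1 and prints the same zone with 60.0.0.1 substituted, followed by the three management-plane lines. Whether the real zone should carry the public address in every record or only in the externally served view depends on how the Plesk NAT setup in the linked documentation is applied, but any record that reaches an outside resolver with a 10.x address cannot work, regardless of the firewall rules.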