Setting up the Web Application Firewall in Plesk

Introduction to Web Application Firewall Configuration in Plesk

This comprehensive article guides you through the essential steps for configuring, managing, and monitoring the Web Application Firewall (WAF) within your Plesk hosting account. Understanding these procedures is crucial for safeguarding your website from various online threats and ensuring its smooth operation. We will cover how to activate or deactivate the firewall, set specific operational modes, and manage individual security rules to optimize your site's protection.

Prerequisites

• An active Plesk hosting account.
• Valid login credentials for accessing the Plesk administration panel.

Configuring the Web Application Firewall

To begin managing your web application firewall, follow these detailed steps:

1. Upon successfully logging into your Plesk administration panel, navigate to and select the "Web Application Firewall" option from the main interface. This section is where all WAF-related configurations are managed.
2. Once on the Web Application Firewall page, you will be presented with three distinct modes of operation for the firewall. Each mode offers a different level of protection and logging capabilities, allowing you to choose the best fit for your website's security needs:
   1. ON (Default Setting): In this active mode, every incoming request to your server is meticulously scrutinized against a predefined set of security rules. If a request is deemed legitimate and safe, it is allowed to proceed to your website. Conversely, if a request is identified as malicious by the applied filters, the event is immediately logged into an error file, and the request to your site is effectively blocked with an appropriate error code. This mode offers the highest level of protection.
   2. OFF (Stopped): When this mode is selected, the Web Application Firewall is completely deactivated. Consequently, no incoming requests to your website will be checked against any security rules, leaving your site exposed to potential vulnerabilities. This mode is generally not recommended for live production environments.
   3. Detection Only: Also known as "detection mode," this setting allows the firewall to analyze each request coming to the server against its set of rules. However, unlike the "ON" mode, even if a request is identified as malicious, it will still be allowed to reach your website. The primary function of this mode is to log all detected malicious activities in an error log without blocking them, providing valuable insights into potential threats without impacting site accessibility.

Monitoring Firewall Activity through the Error Log File

Monitoring the firewall's activity is a critical aspect of maintaining website security. The "Error Log File" provides a comprehensive record of all events processed by the Web Application Firewall.

3. To access these records, simply navigate to the "Error Log File" section. Here, you will find detailed error logs transmitted by the firewall, offering insights into blocked requests and detected malicious activities.

Real-Time Log Visualization

For more dynamic monitoring, the Plesk panel offers real-time log updates:

4. On the Error Log File page, you have the option to view selected logs in real-time. Activate this feature by checking the "Start real-time updates" option. Additionally, you can specify the particular services for which you wish to monitor real-time updates by selecting them from the dropdown box conveniently located in the top-right corner of the interface. This feature is invaluable for immediate threat detection and response.

Managing Individual Security Rules

Occasionally, certain security rules within the web firewall may inadvertently conflict with the legitimate functionality of your website. Plesk allows for the precise deactivation of such individual rules:

5. The web firewall provides flexibility by allowing the deactivation of specific individual rules. These rules are typically identified by unique IDs, which appear in the error log in a format similar to `[id "340003"]`. To ignore a rule that is causing conflicts, simply enter its corresponding ID into the "Security rule IDs" field. This ensures that the rule will no longer apply to incoming requests, resolving any potential conflicts without compromising overall security.

Deactivating Entire Rule Groups

For broader management, the firewall also supports disabling entire categories of rules:

6. Beyond individual rules, you can also disable entire sets of rules that are grouped based on specific attack vectors or applications. This includes rules designed to mitigate Brute Force attacks, detect Backdoor exploits, or those specifically tailored for well-known applications such as WordPress, Drupal, or Joomla. To deactivate a group, select it from the "Active" field and move it to the "Deactivated" field. This can be useful for fine-tuning security based on your website's specific environment and needs.

Applying Changes

To ensure your modifications take effect, a final step is required:

7. After making all desired adjustments to your Web Application Firewall settings, it is crucial to save your changes. To implement these modifications, press the "OK" button, typically located at the bottom of the configuration page. A confirmation message will then be displayed, indicating that your new firewall settings have been successfully applied.

Conclusion

Effectively managing your Web Application Firewall in Plesk is a vital practice for safeguarding your website against common web threats. By understanding and utilizing the various modes, monitoring capabilities, and rule management options, you can significantly enhance your site's security posture. Regular review of your firewall logs and judicious adjustment of rules will ensure continuous protection and optimal performance for your online presence.