The Plesk Firewall for Linux

Understanding the Plesk Firewall: An Overview

The Plesk firewall is an essential security component for your Plesk for Linux server. It enables you to enhance server security by carefully controlling and restricting network connections, both incoming to and outgoing from the server. This comprehensive guide will walk you through the process of adding and removing firewall rules and policies, implementing country-based blocking, and leveraging export/import functionalities to streamline firewall configuration replication across your server infrastructure.

Caution: It is critical to understand that both the Plesk firewall and firewalld are designed to manage the underlying iptables firewall. Operating both tools concurrently can lead to significant conflicts, potentially resulting in the unintended closure of ports vital for Plesk's operational stability. For optimal performance and security, we strongly advise using only one of these tools at any given time.

Managing Firewall Rules and Policies

The Plesk firewall configuration is fundamentally built upon a system of policies and rules, each serving a distinct purpose in controlling network traffic:

• Policies: These possess a broad scope, influencing all connections to or from the server based on their specific definition. For instance, the "System policy for incoming traffic" allows for the complete blockage of all inbound connections to the server, establishing a high-level security baseline.
• Rules: In contrast to policies, rules are more granular, governing incoming connections for individual Plesk services, such as SMTP or MySQL/MariaDB. They offer fine-tuned control over specific services.

An important hierarchical aspect to remember is that rules always override policies. This means if a global policy is set to deny all incoming traffic, but a specific rule permits incoming traffic from a particular IP address, that rule will take precedence. This powerful mechanism allows you to either strengthen or relax the security posture of your server with precision.

For example, implementing policies that forbid all connections to and from the server, with exceptions only for a select few allowed IP addresses or ports, will significantly bolster security. However, this rigorous approach might prevent certain applications from functioning correctly due to network restrictions. Conversely, configuring policies to allow all connections by default, and then utilizing rules to specifically block access to individual services or from particular IP addresses, offers greater flexibility but inherently reduces overall server security. It is essential to experiment and find the optimal balance between usability and robust security for your specific environment.

You have two primary methods for managing your server's firewall:

• Modifying existing policies and rules, which includes the default configurations provided by Plesk.
• Creating and subsequently removing custom rules tailored to your specific security requirements.

Modifying an Existing Policy or Rule

1. Access your Plesk panel by logging in to Plesk.
2. Navigate to Tools & Settings > Firewall (located under the “Security” section).
3. Ensure that “Firewall protection” is enabled by clicking the toggle button until it displays “Enabled”. If it is already enabled, you may proceed to the next step.
4. Click on the specific policy or rule you intend to modify to open its configuration settings.
5. Implement your desired changes. After making modifications, click Save, then Apply Changes, and finally Apply to confirm the update.

Once these steps are completed, the adjustments to your firewall configuration will immediately take effect, enhancing or modifying your server's security profile.

Creating a Custom Rule

1. Begin by logging in to Plesk.
2. Go to Tools & Settings > Firewall (found under “Security”).
3. Confirm that “Firewall protection” is active by clicking the toggle button to “Enabled”. If it’s already active, you can skip this step.
4. Click the button to initiate the creation of a new rule.
5. (Optional) Assign a descriptive name to your new rule for easier identification and management.
6. Proceed to configure the rule according to your security needs. For example, to block all incoming connections to the SSH service from a specific IP address like 198.51.100.1 (assuming the standard SSH port is in use), you would configure the rule as follows: set “Match direction” to “Incoming”, set “Action” to “Deny”, specify “Port” as “TCP 22”, and then input “198.51.100.1” into the “Sources” field.
7. Once your rule is meticulously configured, click Save, followed by Apply Changes, and then Apply to deploy the rule.

The newly configured firewall rule will become active immediately. When creating custom rules, exercise extreme caution to avoid inadvertently blocking connections to essential ports used by Plesk services, which could disrupt server operations.

Note: It is important to be aware that if you are utilizing Docker containers, their specific firewall rules will not be automatically integrated into the Plesk firewall ruleset. You may need to manage these independently.

Removing Custom Rules

1. Access your Plesk environment by logging in to Plesk.
2. Navigate to Tools & Settings > Firewall (under “Security”).
3. Ensure that “Firewall protection” is active by verifying the toggle button shows “Enabled”. If it’s already enabled, you can bypass this step.
4. Select one or more custom rules that you wish to remove. Please note that only custom rules are eligible for removal; default policies and rules cannot be deleted.
5. Click Remove, then confirm your action by clicking Yes, remove. Finally, click Apply Changes and then Apply to finalize the removal.

The firewall configuration will be updated, and the selected custom rules will no longer be active on your server.

Country-Based Blocking with Plesk Firewall

The Plesk firewall provides a robust feature that allows you to block network access to or from IP addresses originating from specific countries. This can be a powerful tool for mitigating unwanted traffic or enhancing geographical security.

Blocking Access from a Specific Country

1. Start by logging in to Plesk.
2. Proceed to Tools & Settings > Firewall (located within the “Security” section).
3. Verify that “Firewall protection” is enabled by ensuring the toggle button displays “Enabled”. If it is already enabled, you can skip this step.
4. Click the button to begin creating a new rule.
5. (Optional) Provide a meaningful name for your rule to describe its purpose.
6. Set the “Action” for this rule to “Deny”.
7. In the “Sources” field, input the two-letter ISO 3166 country code of the country you intend to block. For instance, to block all incoming connections from Afghanistan, you would enter “AF”.
8. (Optional) If you wish to block multiple countries, click “Add one more” and repeat the previous step for each additional country. The Plesk firewall supports blocking an unlimited number of countries.
9. Once all desired countries have been added to your rule, click Save.
10. Finally, click Apply Changes, and then Apply to activate the new country blocking configuration.

Upon the successful application of this firewall configuration, all incoming connections to your server originating from the specified blocked country or countries will be effectively denied, significantly enhancing your server's security posture.

By default, Plesk utilizes the free “IP to Country Lite” database provided by DB-IP for country-based IP resolution. However, you have the flexibility to switch to either a free or paid database from MaxMind, which often offers enhanced accuracy. Before making this switch, you will need to acquire a license from MaxMind and obtain your unique license key.

• For a free option, you can get a free GeoLite2 license.
• If you require more advanced features, you can purchase a GeoIP2 license.

Switching to the MaxMind GeoIP Database

1. Modify the panel.ini file by adding one of the following lines:

   [ext-firewall]
   geoipDataSource = maxmind-lite

   Use the above if you intend to utilize the free GeoLite2 database, or:

   [ext-firewall]
   geoipDataSource = maxmind

   Use this configuration for the paid GeoIP2 database.

2. Log in to your server via SSH. Execute the appropriate command based on your MaxMind database choice:

   LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind-lite --force

   for the free GeoLite2 database, or:

   LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind --force

   for the paid GeoIP2 database. Remember to replace <enter your license key here> with your actual MaxMind license key.

   Note: You might observe a Set cannot be destroyed warning upon command completion. This warning is generally harmless and can be safely disregarded.

3. Log in to Plesk.
4. Navigate to Tools & Settings > Firewall (under “Security”).
5. Click Apply Changes, and then click Apply to finalize the database switch.

Note: Should the Apply Changes button be unavailable, a temporary workaround is to create a new firewall rule. This action will typically re-enable the ability to apply changes. You can then remove this temporary rule after the changes have been applied.

After applying the firewall configuration, the MaxMind GeoIP2 database (or GeoLite2, depending on your choice) will be used for all country-based blocking, replacing the default DB-IP database.

To revert to the original free database from DB-IP, simply remove the geoipDataSource = maxmind-lite or geoipDataSource = maxmind line from your panel.ini file, and then reapply the firewall configuration within Plesk.

Importing and Exporting Firewall Configurations for Efficiency

For administrators managing multiple Plesk for Linux servers, the ability to duplicate firewall configurations across machines can be a significant time-saver. This is efficiently achieved by exporting a server’s firewall settings to a file and then importing that file onto other servers, ensuring consistent security policies with minimal effort. Both the graphical user interface (GUI) and the command-line interface (CLI) offer methods for this process.

Exporting the Firewall Configuration via the GUI

1. On the source server (the one with the desired firewall configuration), log in to Plesk.
2. Navigate to Tools & Settings > Firewall (under “Security”).
3. Ensure that “Firewall protection” is active by clicking the toggle button to “Enabled”, then click Apply. If it’s already enabled, you can skip this step.
4. Click the Export button.

The firewall configuration will be saved as a .json file, typically found in your web browser’s default downloads directory.

Importing the Firewall Configuration via the GUI

1. On the target server (where you want to apply the configuration), log in to Plesk.
2. Go to Tools & Settings > Firewall (under “Security”).
3. Confirm that “Firewall protection” is enabled by clicking the toggle button to “Enabled”, then click Apply. If it’s already active, this step is not needed.
4. Click Import, and then browse to locate the .json file that was previously exported from the source server.

The firewall configuration contained within the selected file will then be applied to the current server, replicating the security settings.

Exporting the Firewall Configuration via the CLI

1. Establish an SSH connection to the source server from which you intend to copy the firewall configuration.
2. Execute the following command to export the current firewall configuration:

   plesk ext firewall --export > rules.json

   You have the flexibility to name the output file as you prefer; “rules.json” is merely an illustrative example.

The server’s firewall configuration will be securely saved to the specified file, ready for transfer or import.

Importing the Firewall Configuration via the CLI

To import a firewall configuration using the command line, you will need two separate SSH sessions to your target server.

1. In your first SSH session, enable firewall protection by running the command below. If firewall protection is already active, you can skip this step.

   plesk ext firewall --enable

2. In your second SSH session, confirm the firewall protection. This step is also skippable if protection is already enabled.

   plesk ext firewall --confirm

3. Return to your first SSH session. Execute the following command to import and immediately apply the desired firewall configuration. Remember to replace <the file's URL or local path> with the actual path to your .json configuration file:

   plesk ext firewall --import -config <the file's URL or local path> && plesk ext firewall --apply

   For example, you could use a URL:

   plesk ext firewall --import -config https://example.com/rules.json && plesk ext firewall --apply

   Or a local file path:

   plesk ext firewall --import -config /tmp/rules.json && plesk ext firewall --apply

4. After applying the new firewall configuration, it is crucial to verify that you can still connect to the server via SSH. If connectivity is successful, proceed to your second SSH session and run the following command to definitively confirm the imported firewall configuration:

   plesk ext firewall --confirm

   Note: If the imported firewall configuration is not confirmed within 60 seconds of executing the plesk ext firewall --apply command, the changes will automatically be rolled back, reverting the server to its previous firewall settings. This built-in safeguard prevents accidental permanent lockouts.

Once confirmed, the firewall configuration from the specified file will be fully applied and active on the server, ensuring your security policies are consistently maintained.