Managing Firewall Rules and Policies
The Plesk firewall provides a robust framework for managing network access, primarily through its configuration of policies and rules. Understanding the distinction and interplay between these two components is key to effective server security.
- Policies: These are comprehensive directives that broadly impact all network connections, either inbound to or outbound from the server. For instance, implementing a "System policy for incoming traffic" allows you to globally restrict all incoming connections to your server, providing a strong baseline security posture.
- Rules: In contrast to policies, rules offer a more granular level of control. They are designed to manage incoming connections to specific Plesk services, such as SMTP for email or MySQL/MariaDB for databases.
A fundamental principle of the Plesk firewall is that rules take precedence over policies. This means if a global policy is configured to deny all incoming traffic, but a specific rule permits incoming connections from a particular IP address, the rule's allowance will override the policy's denial. This hierarchical structure offers flexibility, enabling you to either significantly strengthen or strategically relax your server's security posture as needed.
Consider the balance between security and functionality. Implementing policies that restrict all connections except for explicitly allowed IP addresses or ports will undoubtedly enhance security. However, this stringent approach might inadvertently prevent certain applications from functioning correctly due to network restrictions. Conversely, adopting a default policy that allows all connections and then using rules to block access to individual services or from individual IP addresses offers greater usability, though at the potential cost of reduced overall security. It is highly recommended to experiment and identify the optimal trade-off that aligns with your specific operational and security requirements.
You have two primary methods for managing the Plesk firewall:
- Modifying existing policies and rules, including those configured by default.
- Creating and subsequently removing custom rules tailored to specific needs.
Modifying an Existing Policy or Rule
To adjust an already established firewall policy or rule, follow these steps:
- Log in to your Plesk control panel.
- Navigate to Tools & Settings, then under the "Security" section, select Firewall.
- Ensure that "Firewall protection" is enabled. If the toggle button displays "Disabled," click it to activate firewall protection. You can skip this step if it's already enabled.
- Select the specific policy or rule that you wish to modify from the list.
- Implement your desired alterations, then click Save. Following this, click Apply Changes, and finally, confirm by clicking Apply.
Upon completion of these steps, the modifications to your firewall configuration will be actively enforced, enhancing or adjusting your server's security posture immediately.
Creating a Custom Rule
To establish a new, custom firewall rule tailored to specific network traffic requirements, follow these instructions:
- Log in to your Plesk control panel.
- Navigate to Tools & Settings, then under the "Security" section, click on Firewall.
- Confirm that "Firewall protection" is enabled. If it is not, click the toggle button to activate it.
- Click the button to initiate the creation of a new rule.
- (Optional) Assign a descriptive name to your new rule for easier identification and management.
- Proceed to configure the rule's parameters. For example, if your objective is to deny all incoming SSH connections from the specific IP address 198.51.100.1 (assuming SSH is running on its default port), you would set "Match direction" to "Incoming," "Action" to "Deny," "Port" to "TCP 22," and then enter "198.51.100.1" in the "Sources" field. This allows for precise control over network access.
- Once all parameters are configured as desired, click Save. Subsequently, click Apply Changes, and finally, click Apply to activate the rule.
The newly configured firewall rule will immediately take effect. When crafting custom rules, it is paramount to exercise caution to avoid inadvertently blocking essential ports vital for Plesk services, which could disrupt server operations.
Removing Custom Rules
Should you need to remove custom firewall rules that are no longer necessary, follow these steps:
- Log in to your Plesk control panel.
- Navigate to Tools & Settings, then under the "Security" section, select Firewall.
- Verify that "Firewall protection" is enabled. If it's not, click the toggle button to enable it.
- From the list of rules, select the custom rule(s) you wish to remove. Please note that only rules you have specifically created can be removed; default policies and rules are permanent.
- Click the Remove button. Confirm your action by clicking Yes, remove, then click Apply Changes, and finally, Apply.
The selected custom firewall rules will be removed from your server's configuration, and the change takes effect immediately.
Country Blocking
The Plesk firewall offers a powerful feature known as Country Blocking, allowing you to control network access based on geographic origin. This functionality enables you to block incoming or outgoing connections associated with IP addresses originating from or destined for specific countries, significantly enhancing your server's security against region-specific threats or unwanted traffic.
Blocking Access from a Specific Country
To configure your Plesk firewall to deny incoming connections originating from particular countries, follow these detailed steps:
- Log in to your Plesk control panel.
- Navigate to Tools & Settings, then under the "Security" section, select Firewall.
- Ensure that "Firewall protection" is active. If it is not, click the toggle to enable it.
- Click the button to add a new rule.
- (Optional) Provide a descriptive name for your rule, such as "Block Traffic from [Country Name]," to clearly identify its purpose.
- Set the "Action" for this rule to "Deny."
- In the "Sources" field, input the two-letter ISO 3166 country code for each country you wish to block. For instance, to block all incoming traffic from Afghanistan, you would enter "AF."
- (Optional) To block multiple countries, click "Add one more" and repeat the previous step for each additional country. There is no limit to the number of countries you can block using a single rule.
- Once all desired countries have been added to the rule, click Save.
- Finally, click Apply Changes, and then confirm by clicking Apply.
After the firewall configuration is successfully applied, all incoming network connections to your server from the specified blocked countries will be automatically denied. This enhances security by limiting potential threats originating from particular geographic regions.
By default, Plesk leverages the "IP to Country Lite" database provided by DB-IP for its geographical IP mapping. For users requiring more advanced or precise geolocation data, Plesk also supports integration with MaxMind's databases, including their free GeoLite2 and various paid GeoIP2 options. To utilize MaxMind's services, you will first need to obtain a license and acquire your unique license key directly from MaxMind.
- For a free option, you can obtain a free GeoLite2 license.
- For more comprehensive data and support, you may consider purchasing a GeoIP2 license.
Switching to a MaxMind GeoIP Database
To enhance your country blocking capabilities by utilizing a MaxMind GeoIP database (either the free GeoLite2 or a paid GeoIP2 version), follow these configuration steps:
- Access your server's panel.ini file and add one of the following lines, depending on your chosen MaxMind database:
  - To use the free GeoLite2 database:
    [ext-firewall]
    geoipDataSource = maxmind-lite
  - To use a paid GeoIP2 database:
    [ext-firewall]
    geoipDataSource = maxmind
- Log in to your server via SSH and execute the appropriate command, replacing <enter your license key here> with your actual MaxMind license key:
  - For the free GeoLite2 database:
    LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind-lite --force
  - For a paid GeoIP2 database:
    LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind --force
  Note: You might encounter a "Set cannot be destroyed" warning upon command completion. This warning is benign and can be safely disregarded.
- Log in to your Plesk control panel.
- Navigate to Tools & Settings, then under the "Security" section, select Firewall.
- Click Apply Changes, and then confirm by clicking Apply to propagate the new configuration.
Once these steps are completed and the firewall configuration is applied, Plesk will begin utilizing the specified MaxMind GeoIP database for all country blocking functionalities, replacing the default DB-IP database.
To revert to the default free DB-IP database, simply remove the geoipDataSource = maxmind-lite or geoipDataSource = maxmind line from your panel.ini file and then reapply your firewall configuration within Plesk.
Importing and Exporting Firewall Configuration
For administrators managing multiple Plesk for Linux servers, the ability to replicate firewall configurations across different instances is invaluable for consistency and efficiency. The Plesk firewall provides convenient mechanisms to export an existing configuration to a file and subsequently import it onto other servers. This process streamlines security setup and ensures uniform protection across your infrastructure. Configuration can be managed through both the intuitive graphical user interface (GUI) and the powerful command-line interface (CLI).
Exporting the Firewall Configuration via the GUI
To export your current Plesk firewall configuration through the graphical interface for backup or replication purposes, follow these steps:
- Log in to the Plesk control panel of the server whose firewall configuration you intend to export.
- Navigate to Tools & Settings, then under the "Security" section, select Firewall.
- Ensure that "Firewall protection" is enabled. If it is not, click the toggle button to activate it, and then click Apply. If firewall protection is already active, you can skip this step.
- Click the Export button.
The entire firewall configuration will be saved as a .json file, which you will typically find in your web browser's default downloads directory. This file can then be used to import the configuration onto other Plesk servers.
Importing the Firewall Configuration via the GUI
To import a previously exported firewall configuration file onto another Plesk for Linux server using the graphical interface, proceed as follows:
- Log in to the Plesk control panel of the target server where you wish to apply the firewall configuration.
- Navigate to Tools & Settings, then under "Security," select Firewall.
- Confirm that "Firewall protection" is enabled. If it is not, toggle it to "Enabled" and click Apply. This step can be skipped if protection is already active.
- Click the Import button. A file browser window will appear, prompting you to locate and select the .json file containing the desired firewall configuration that you previously exported from another server.
Once the file is selected, the firewall configuration contained within it will be automatically applied to the current server, streamlining the replication of your security settings.
Exporting the Firewall Configuration via the CLI
For those who prefer command-line operations, the Plesk firewall configuration can be efficiently exported via SSH:
- Establish an SSH connection to the Plesk for Linux server from which you wish to export the firewall configuration.
- Execute the following command in your terminal to export the current firewall configuration:
  plesk ext firewall --export > rules.json
  You have the flexibility to name the output file as per your preference; rules.json is provided as a common example. The contents of this file will reflect your server's complete firewall settings.
Upon successful execution, the entire firewall configuration will be saved into the specified .json file, ready for transfer or archival.
Importing the Firewall Configuration via the CLI
Importing a firewall configuration via the command-line interface requires careful execution, particularly regarding the use of two separate SSH sessions to ensure successful application and confirmation. Here’s how to proceed:
- Establish an SSH connection to the target server where the firewall configuration is to be imported. You will need to open two distinct SSH sessions to complete this process reliably.
- In your first SSH session: If firewall protection is not already active on the server, enable it by running the following command:
  plesk ext firewall --enable
  If protection is already enabled, you can safely skip this step.
- In your second SSH session: To confirm the firewall protection status, execute this command. This step is also skippable if protection is already enabled:
  plesk ext firewall --confirm
- Back in your first SSH session: Proceed to import and apply the firewall configuration using one of the following commands, depending on whether your configuration file is accessible via a URL or a local path:
  - For a file accessible via a URL (e.g., from a web server):
    plesk ext firewall --import -config https://example.com/rules.json && plesk ext firewall --apply
  - For a locally stored file (e.g., in the /tmp directory):
    plesk ext firewall --import -config /tmp/rules.json && plesk ext firewall --apply
- Immediately after applying the new configuration, it is crucial to verify that you can still connect to your server via SSH. If your connection remains stable, return to your second SSH session and run the following command to permanently confirm the imported firewall configuration:
  plesk ext firewall --confirm
  Important Note: It is critical to confirm the imported firewall configuration within 60 seconds of executing the plesk ext firewall --apply command. Failure to do so will result in an automatic rollback, reverting the server to its previous firewall settings to prevent accidental lockout.
Once confirmed, the imported firewall configuration from your specified file will be fully applied and active on the target server, ensuring consistent security policies across your Plesk environment.
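The CLI import procedure above can be driven from an admin workstation so that the confirmation is only ever sent through an SSH connection opened after the new rules were applied. The script below is an added example, not part of Plesk or of the original page. It assumes key-based root SSH to the target, that the rules file is already on the target (or reachable by URL), and a short settle delay before the first confirm attempt; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example (not Plesk's own tooling): two-session import driven remotely.
CONFIRM_WINDOW=${CONFIRM_WINDOW:-60}  # rollback timer stated on the page
SAFETY_MARGIN=${SAFETY_MARGIN:-10}    # stop retrying this long before it fires
SETTLE=${SETTLE:-5}                   # assumed time for --apply to load rules

# Every call opens a NEW connection (no multiplexing), so a rule set that
# breaks SSH makes the call fail instead of riding an existing session.
remote() {
    fw_host=$1; shift
    ssh -o BatchMode=yes -o ConnectTimeout=5 -o ControlPath=none "$fw_host" "$@"
}

# import_firewall HOST CONFIG   (CONFIG: path on the target, or a URL)
# Returns 0 only if the new rules were applied AND confirmed.
import_firewall() {
    fw_target=$1 fw_config=$2
    # The value is interpolated into a remote command line: allow-list it.
    case $fw_config in
        ''|*[!A-Za-z0-9._/:-]*) echo "unsafe config path" >&2; return 2 ;;
    esac
    # "Session 1": import, then apply. Backgrounded because the page does
    # not say whether --apply returns before the confirmation arrives.
    remote "$fw_target" \
        "plesk ext firewall --import -config $fw_config && plesk ext firewall --apply" &
    fw_apply_pid=$!
    fw_deadline=$(( $(date +%s) + CONFIRM_WINDOW - SAFETY_MARGIN ))
    sleep "$SETTLE"
    # "Session 2": confirm only through a connection made AFTER the apply.
    while [ "$(date +%s)" -lt "$fw_deadline" ]; do
        if remote "$fw_target" "plesk ext firewall --confirm"; then
            wait "$fw_apply_pid"   # non-zero if import/apply itself failed
            return $?
        fi
        sleep 2
    done
    echo "not confirmed in time; Plesk will roll back automatically" >&2
    return 1
}
```

If the imported rules block SSH from the workstation, every confirm attempt fails at connection time, nothing is confirmed, and the automatic rollback described above restores the previous configuration.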
