Important Note: The Plesk firewall and firewalld are both designed to manage the underlying iptables firewall. Operating both tools concurrently can lead to critical conflicts, potentially closing ports essential for Plesk's functionality. For optimal system stability and security, it is strongly recommended to use only one firewall management tool at any given time.
Managing Firewall Rules and Policies
The Plesk firewall configuration is fundamentally structured around two core components: policies and rules. Understanding their distinction is crucial for effective server security management.
- Policies: These are comprehensive in nature, dictating the overall behavior for network connections to and from the server. For instance, a "System policy for incoming traffic" can be configured to globally deny all inbound connections to your server.
- Rules: In contrast, rules are more granular, targeting specific incoming connections to individual Plesk services, such as mail (SMTP) or database (MySQL/MariaDB) services.
A key principle of the Plesk firewall is that rules always take precedence over policies. This means that even if a global policy is set to deny all incoming traffic, a specific rule allowing incoming connections from a particular IP address will override that policy. This hierarchical structure provides a flexible mechanism to either significantly tighten or selectively relax your server's security posture as needed.
Consider the balance between security and functionality. Implementing stringent policies that forbid all connections except for a select few allowed IP addresses or ports will undoubtedly enhance security. However, this rigorous approach might inadvertently prevent certain applications from functioning correctly due to network limitations. Conversely, a more lenient default policy that allows all connections, combined with specific rules to block access to individual services or from particular IP addresses, offers greater operational flexibility. While this might slightly reduce the overall security posture, it helps avoid common connection issues. We encourage you to experiment with different configurations to discover the optimal trade-off that best suits your specific usability requirements and security objectives.

Effectively managing your Plesk firewall can be accomplished through two primary methods:
- Modifying pre-existing policies and rules, including the default configurations provided by Plesk.
- Developing and deploying new custom rules, or removing those that are no longer required.
Modifying Existing Policies or Rules
Follow these steps to adjust an existing firewall policy or rule:
- Access your Plesk panel by logging in.
- Navigate to the Tools & Settings section, and then select Firewall (located under “Security”).
- Ensure that "Firewall protection" is activated. If the toggle button displays “Enabled”, you can proceed to the next step. Otherwise, click it to enable the firewall.
- Select the specific policy or rule you intend to modify from the list.
- Implement your desired alterations, then click Save, followed by Apply Changes, and finally Apply to confirm.
Upon completing these steps, the modifications to your firewall configuration will be successfully applied and become active.
Creating Custom Firewall Rules
To implement new, tailored firewall rules, follow these instructions:
- Begin by logging into your Plesk account.
- Navigate to Tools & Settings, then select Firewall (found under the “Security” heading).
- Verify that “Firewall protection” is enabled. If not, click the toggle button to activate it.
- Click the button to initiate the creation of a new rule.
- (Optional) Assign a descriptive name to your new rule for easier identification.
- Proceed to configure the rule according to your security requirements. For instance, to prevent all incoming connections to the SSH service from a specific IP address like 198.51.100.1 (assuming SSH operates on its default port), you would set “Match direction” to “Incoming”, choose “Deny” for the “Action”, specify “TCP 22” for the “Port”, and input “198.51.100.1” into the “Sources” field.
- After defining your rule, click Save, then Apply Changes, and finally Apply to confirm and activate.
Following these steps, your newly created firewall rule will be active. It is paramount to exercise caution when configuring custom rules to avoid inadvertently blocking critical ports essential for Plesk services, which could disrupt server operations.
Note on Docker: For users leveraging Docker containers, it's important to understand that Docker's inherent firewall rules operate independently and are not automatically integrated into the Plesk firewall ruleset.
Removing Custom Firewall Rules
To remove custom firewall rules that are no longer needed, follow these steps:
- Access your Plesk panel by logging in.
- Navigate to Tools & Settings, then select Firewall (under “Security”).
- Ensure “Firewall protection” is active. If the toggle indicates “Enabled”, you can proceed.
- Identify and select the custom rule(s) you wish to delete. Please note that only custom rules can be removed; default policies are not removable.
- To finalize the removal, click Remove, confirm by clicking Yes, remove, then click Apply Changes, and finally Apply.
Once these steps are completed, the selected custom firewall rules will be successfully removed from your configuration.
Implementing Country-Based Connection Blocking
The Plesk firewall offers a robust feature to enhance security by enabling you to block network access to or from specific countries. This can be particularly useful for mitigating threats originating from known problematic regions or for complying with geographic access restrictions.
Blocking Incoming Connections from Specific Countries
To configure your firewall to deny incoming connections from particular countries, follow these steps:
- Start by logging into your Plesk account.
- Navigate to Tools & Settings, then click on Firewall (under “Security”).
- Confirm that “Firewall protection” is enabled. If not, toggle it to the “Enabled” state.
- Click the button to add a new firewall rule.
- (Optional) Provide a meaningful name for your country-blocking rule.
- Set the “Action” for this rule to “Deny”.
- In the “Sources” field, input the two-letter ISO 3166 country code for the nation you wish to block. For instance, to block all incoming traffic originating from Afghanistan, you would enter “AF”.
- (Optional) To block multiple countries, click “Add one more” and repeat the previous step for each additional country. There is no limit to the number of countries you can add to a single rule.
- After listing all countries to be blocked, click Save.
- Finally, click Apply Changes, and then confirm by clicking Apply.
Upon the successful application of this firewall configuration, all subsequent incoming connections to your server from the specified blocked countries will be automatically denied, significantly enhancing your server's security perimeter.
By default, Plesk utilizes the complimentary “IP to Country Lite” database provided by DB-IP for geolocation purposes. However, for enhanced accuracy and functionality, you have the option to integrate a free or paid database from MaxMind. To proceed with this integration, you must first acquire a license from MaxMind and obtain your unique license key, which will be necessary for the setup process.
You can obtain your MaxMind license through the following links:
Switching to a MaxMind GeoIP Database
To switch from the default DB-IP database to a MaxMind GeoIP database, follow these detailed steps:
- Edit your panel.ini file to include the necessary configuration lines. Depending on your choice of database, add one of the following:
    [ext-firewall]
    geoipDataSource = maxmind-lite
Use the above lines to enable the free GeoLite2 database.
Alternatively, for the paid GeoIP2 database, add:
    [ext-firewall]
    geoipDataSource = maxmind
- Access your server via SSH and execute the appropriate command to configure the IP sets:
    LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind-lite --force
This command is for integrating the free GeoLite2 database from MaxMind.
For the paid GeoIP2 database, use:
    LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind --force
Note: You might encounter a "Set cannot be destroyed" warning upon execution. This warning is generally harmless and can be safely disregarded.
- Return to your Plesk panel by logging in.
- Navigate to Tools & Settings, and then select Firewall (under “Security”).
- To finalize the integration, click Apply Changes, followed by Apply.
Important: If you find that the Apply Changes button is not visible, a workaround is to create a temporary, new firewall rule. This action typically re-enables the "Apply Changes" functionality, after which you can proceed and later remove the temporary rule.
With these steps completed and the firewall configuration successfully applied, Plesk will now utilize your chosen MaxMind GeoIP database for all country-based filtering operations.
Should you wish to revert to the default free DB-IP database, simply remove the geoipDataSource = maxmind-lite or geoipDataSource = maxmind line from your panel.ini file. After saving the changes, remember to reapply your firewall configuration within the Plesk interface for the changes to take effect.
Importing and Exporting Firewall Configurations
For administrators managing multiple Plesk for Linux servers, replicating firewall configurations across instances can be a significant time-saver and ensures consistency in security policies. Plesk facilitates this process through intuitive import and export functionalities. This allows you to effortlessly transfer an existing firewall setup from one server to another, whether through the user-friendly graphical interface or via command-line operations.
Exporting Firewall Configurations via the Graphical User Interface (GUI)
To export your current firewall configuration using the Plesk GUI, follow these steps:
- On the source server (the server with the desired firewall configuration), log into your Plesk panel.
- Navigate to Tools & Settings, then click Firewall (located in the “Security” group).
- Verify that “Firewall protection” is enabled. If it is not, toggle it to “Enabled” and click Apply. If already enabled, this step can be skipped.
- Click the Export button.
Your server's firewall configuration will be downloaded as a .json file, typically found in your web browser's default downloads folder. This file can then be used to import the configuration to other servers.
Importing Firewall Configurations via the Graphical User Interface (GUI)
To import a previously exported firewall configuration using the Plesk GUI, follow these instructions:
- On the target server (where you wish to apply the configuration), log into your Plesk panel.
- Navigate to Tools & Settings, then click Firewall (under “Security”).
- Ensure “Firewall protection” is enabled. If not, toggle it to “Enabled” and click Apply. Skip if already enabled.
- Click the Import button. A file browser will appear, allowing you to locate and select the .json configuration file that was previously exported from your source server.
Once selected, the firewall configuration from the .json file will be uploaded and applied to the target server, mirroring the security settings of your source server.
Exporting Firewall Configurations via the Command Line Interface (CLI)
For administrators who prefer command-line operations, here’s how to export your firewall configuration:
- Establish an SSH connection to the Plesk server from which you intend to export the firewall configuration.
- Execute the following command in your terminal to export the current firewall configuration:
    plesk ext firewall --export > rules.json
You have the flexibility to assign any desired filename; "rules.json" is used here as a representative example.
The complete firewall configuration will be saved to the specified .json file on your server, ready for transfer or import to other systems.
Importing Firewall Configurations via the Command Line Interface (CLI)
Importing firewall configurations via the command line requires careful execution of a few steps, often involving two separate SSH sessions:
- To import a firewall configuration using the CLI, establish two separate SSH sessions to the target server where you wish to apply the configuration.
- In the first SSH session, enable firewall protection by executing the following command. If firewall protection is already active, this step can be bypassed:
    plesk ext firewall --enable
- In the second SSH session, confirm that firewall protection has been enabled (or is already active) using this command. Skip if already enabled:
    plesk ext firewall --confirm
- Returning to the first SSH session, import and apply the firewall configuration using one of the following commands, depending on whether your .json file is accessible via a URL or a local path:
    plesk ext firewall --import -config <the file's URL or local path> && plesk ext firewall --apply
Example using a URL:
    plesk ext firewall --import -config https://example.com/rules.json && plesk ext firewall --apply
Example using a local path:
    plesk ext firewall --import -config /tmp/rules.json && plesk ext firewall --apply
- After applying the new configuration, it is crucial to verify SSH connectivity to your server. If you can successfully reconnect, proceed to the second SSH session and run the following command to confirm the imported firewall configuration:
    plesk ext firewall --confirm
Critical Note: If the imported firewall configuration is not explicitly confirmed within 60 seconds of executing the plesk ext firewall --apply command, the system will automatically roll back all changes, restoring the server's previous firewall configuration. Timely confirmation is essential to prevent automatic reversion.
Upon successful confirmation, the firewall configuration from your specified .json file will be fully applied and active on the server.
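The import, reconnect and confirm sequence above can be scripted so that confirmation is only ever sent over a newly opened SSH connection. The following is an added example, not part of the Plesk documentation or tooling. It assumes key-based SSH from the administrator's workstation and a configuration file already copied to the target server; the function names, SETTLE_SECONDS and the ssh options are choices of this sketch.

```shell
#!/bin/sh
# Added example, run from the administrator's workstation. Only the plesk
# commands come from the page; function names, variables and ssh options
# are assumptions of this sketch.
SETTLE_SECONDS=${SETTLE_SECONDS:-5}   # pause between starting --apply and probing

# Session 1: an ordinary SSH session to the target server.
remote() {        # usage: remote HOST COMMAND
    ssh "$1" "$2"
}

# Session 2: force a brand-new connection. An established or multiplexed
# session can keep working while new connections are already being dropped.
remote_fresh() {  # usage: remote_fresh HOST COMMAND
    ssh -o ControlPath=none -o ConnectTimeout=10 -o BatchMode=yes "$1" "$2"
}

guarded_import() {  # usage: guarded_import HOST CONFIG_PATH_ON_HOST
    host=$1 config=$2
    # Accept only a plain absolute path on the target (assumed policy of this
    # example), which also keeps the value safe to quote in the remote command.
    case $config in
        ''|[!/]*|*[!A-Za-z0-9_./-]*)
            echo "refusing config '$config'" >&2; return 2 ;;
    esac
    # The 60-second rollback window starts when --apply runs.
    remote "$host" "plesk ext firewall --import -config '$config' && plesk ext firewall --apply" &
    apply_pid=$!
    sleep "$SETTLE_SECONDS"
    # Confirm only over a fresh connection: if the imported rules block SSH,
    # this fails, nothing is confirmed, and the previous rules are restored.
    if remote_fresh "$host" "plesk ext firewall --confirm"; then
        wait "$apply_pid" || { echo "import/apply reported an error" >&2; return 3; }
        echo "confirmed"
    else
        wait "$apply_pid"
        echo "not confirmed; expect automatic rollback" >&2
        return 1
    fi
}

if [ "$#" -eq 2 ]; then guarded_import "$@"; fi
```

Raise SETTLE_SECONDS if the import takes longer on your server, but keep it well under the 60-second confirmation window.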
