The Plesk Firewall for Linux: Comprehensive Guide to Enhanced Security

The Plesk firewall is an invaluable tool designed to significantly bolster the security of your Plesk for Linux server by precisely controlling and restricting network connections to and from the server. This comprehensive guide will walk you through the essential processes of adding, modifying, and removing firewall rules and policies. Furthermore, you will learn how to implement advanced security measures such as blocking incoming connections from specific countries and how to efficiently export and import firewall rules to replicate configurations across multiple servers with ease.

Important Caution: Both the Plesk firewall and firewalld serve as independent management tools for the underlying iptables firewall system. Operating both simultaneously can lead to critical conflicts, potentially resulting in the closure of ports essential for Plesk's proper functionality. To ensure system stability and avoid operational disruptions, we strongly advise using only one of these firewall management tools at any given time.

Managing Firewall Rules and Policies

The Plesk firewall configuration is fundamentally structured around two core components: policies and rules. Understanding their interplay is crucial for effective security management.

• Policies: These are broad directives that apply globally, affecting all connections either to or from the server, depending on the specific policy. For instance, the "System policy for incoming traffic" can be configured to completely block all incoming network connections to the server, providing a high level of default security.
• Rules: In contrast to policies, rules are much narrower in their scope, designed to govern incoming connections to individual Plesk services, such as SMTP (email) or MySQL/MariaDB (database) servers.

An important aspect of the Plesk firewall is that rules always override policies. This hierarchical mechanism allows for fine-grained control over network traffic. For example, if a global policy dictates denying all incoming traffic, but a specific rule permits incoming connections from a particular IP address, the rule will take precedence, allowing that specific connection. This mechanism offers flexibility to either tighten or relax the server's security posture as needed.

Consider the trade-off between security and usability: a configuration that sets policies to forbid all connections except for a select few allowed IP addresses or ports will undoubtedly enhance security. However, this stringent approach might inadvertently prevent some legitimate applications or services from functioning correctly due to network restrictions. Conversely, a more permissive default policy that allows all connections, combined with specific rules to block access to individual services or from problematic IP addresses, offers greater usability but might render your server less secure overall. It is recommended to experiment and identify the optimal balance between robust security and operational efficiency for your specific environment.

You have two primary methods for managing the firewall:

• Modifying existing policies and rules, including the default configurations provided by Plesk.
• Creating and removing custom rules tailored to your specific security requirements.

Modifying Existing Policies and Rules

To adjust an existing firewall policy or rule, follow these steps:

1. Log in to Plesk as the administrator.
2. Navigate to Tools & Settings, then under the "Security" section, click Firewall.
3. Ensure that "Firewall protection" is enabled. If it displays "Disabled", click the toggle button to switch it to "Enabled". If it's already enabled, proceed to the next step.
4. Click on the specific policy or rule that you wish to modify.
5. Make your desired changes, then click Save. After saving, click Apply Changes, and finally click Apply to commit the updates.

The updated firewall configuration will now be active on your server.

Creating Custom Firewall Rules

To implement a new custom firewall rule, follow these instructions:

1. Log in to Plesk as the administrator.
2. Go to Tools & Settings, and then under "Security", select Firewall.
3. Verify that "Firewall protection" is enabled. If not, click the toggle button to "Enabled" and then continue.
4. Click the button to add a new rule.
5. (Optional) Provide a descriptive name for your rule to easily identify its purpose later.
6. Configure the rule according to your requirements. For example, to block all incoming connections to the SSH service from a specific IP address (e.g., 198.51.100.1, assuming default SSH port 22 is used), set "Match direction" to "Incoming", "Action" to "Deny", "Port" to "TCP 22", and enter "198.51.100.1" in the "Sources" field.
7. Once the rule is configured, click Save, then Apply Changes, and finally Apply.

The new custom firewall rule will be immediately enforced. When creating custom rules, exercise extreme caution to avoid inadvertently blocking connections to ports vital for Plesk services.

Note: If you are utilizing Docker containers, it's important to understand that Docker's own firewall rules are managed independently and will not be automatically integrated into the Plesk firewall ruleset.

Removing Custom Firewall Rules

To delete custom firewall rules that are no longer needed, follow these steps:

1. Log in to Plesk as the administrator.
2. Navigate to Tools & Settings, and then under "Security", click Firewall.
3. Confirm that "Firewall protection" is set to "Enabled". If it's disabled, enable it before proceeding.
4. Select one or more custom rules from the list that you wish to remove. Please note that only custom rules can be deleted; default policies and rules cannot be removed.
5. Click the Remove button, confirm your action by clicking Yes, remove, then click Apply Changes, and finally Apply.

The selected custom firewall rules will be removed, and the updated firewall configuration will take effect.

Country Blocking with Plesk Firewall

The Plesk firewall provides a powerful feature allowing you to block network access to or from IP addresses associated with specific geographical countries. This can be particularly useful for mitigating threats from known problematic regions or for compliance reasons.

Blocking Access from Specific Countries

To configure your firewall to deny connections originating from a particular country, follow these steps:

1. Log in to Plesk as the administrator.
2. Go to Tools & Settings, and under "Security", click Firewall.
3. Ensure that "Firewall protection" is enabled. If not, click the toggle button to "Enabled".
4. Click the button to create a new rule.
5. (Optional) Assign a clear and descriptive name to your rule.
6. Set the "Action" for this rule to "Deny".
7. Under the "Sources" field, enter the two-letter ISO 3166 country code of the country you wish to block. For example, to block all incoming connections from Afghanistan, you would enter "AF".
8. (Optional) To block multiple countries, click "Add one more" and repeat the previous step for each additional country. You can block an unlimited number of countries.
9. Once all desired countries have been added, click Save.
10. Finally, click Apply Changes, and then Apply to activate the country blocking rule.

After the firewall configuration is applied, all incoming connections to your server originating from the specified blocked countries will be automatically denied.

Switching to MaxMind GeoIP Databases

By default, Plesk utilizes the free "IP to Country Lite" database from DB-IP for country blocking. For enhanced accuracy and more comprehensive data, you have the option to switch to either a free or paid database provided by MaxMind. Before making this switch, you will need to obtain a license (free or paid) from MaxMind and receive your unique license key.

• Get a free GeoLite2 license
• Buy a GeoIP2 license

To switch to a MaxMind database, follow these steps:

1. Add the following lines to your panel.ini file. Choose the appropriate setting based on your MaxMind license:

   [ext-firewall]
   geoipDataSource = maxmind-lite

   Use the above for the free GeoLite2 database, or:

   [ext-firewall]
   geoipDataSource = maxmind

   Use this for the paid GeoIP2 database.

2. Access your server via SSH and execute the following command, replacing <enter your license key here> with your actual MaxMind license key:

   LICENSE_KEY= plesk sbin modules/firewall/ipsets --configure --data-source maxmind-lite --force

   For the free GeoLite2 database, or:

   LICENSE_KEY= plesk sbin modules/firewall/ipsets --configure --data-source maxmind --force

   For the paid GeoIP2 database.

   Note: This command may sometimes conclude with a Set cannot be destroyed warning. This warning is typically benign and can be safely ignored.

3. Log in to Plesk as the administrator.
4. Go to Tools & Settings, and then under "Security", select Firewall.
5. Click Apply Changes, and then Apply to finalize the configuration change.

Note: If the Apply Changes button appears to be missing, you can create a temporary new firewall rule to trigger its availability. After applying the changes, you may remove this temporary rule.

Once the firewall configuration has been successfully applied, your Plesk server will begin utilizing the specified MaxMind GeoIP database for country blocking instead of the default DB-IP database.

To revert to the free DB-IP database, simply remove the geoipDataSource = maxmind-lite or geoipDataSource = maxmind line from your panel.ini file, and then reapply the firewall configuration through the Plesk interface.

Importing and Exporting Firewall Configuration

For administrators managing multiple Plesk for Linux servers, duplicating a firewall configuration from one server to another can be a significant time-saver. Plesk provides convenient methods to export your current firewall configuration to a file and then import it onto other servers. This capability streamlines the process of maintaining consistent security policies across your infrastructure. You can perform these import and export operations via both the Plesk graphical user interface (GUI) and the command-line interface (CLI).

Exporting Firewall Configuration via GUI

To export your firewall configuration using the Plesk GUI:

1. Log in to Plesk on the server from which you wish to copy the firewall configuration.
2. Navigate to Tools & Settings, and then under "Security", click Firewall.
3. Ensure "Firewall protection" is "Enabled". If it's disabled, toggle it to "Enabled" and then click Apply. If it's already enabled, you can skip this step.
4. Click the Export button.

The firewall configuration will be saved as a .json file, typically found in your browser's default downloads directory.

Importing Firewall Configuration via GUI

To import a previously exported firewall configuration using the Plesk GUI:

1. Log in to Plesk on the target server where you want to apply the imported configuration.
2. Go to Tools & Settings, and then under "Security", select Firewall.
3. Confirm that "Firewall protection" is "Enabled". If it's disabled, enable it and click Apply. If it's already enabled, proceed.
4. Click the Import button, and then browse to locate and select the .json file that contains the firewall configuration you wish to import.

The firewall configuration from the selected file will be applied to the server.

Exporting Firewall Configuration via CLI

To export your firewall configuration using the command-line interface (CLI):

1. Log in via SSH to the source server whose firewall configuration you intend to copy.
2. Execute the following command to export the firewall configuration:

   plesk ext firewall --export > rules.json

   You may choose any filename you prefer; "rules.json" is used here as an example.

The firewall configuration will be saved to the specified file in your current directory.

Importing Firewall Configuration via CLI

To import and apply a firewall configuration via the command-line interface (CLI), you will need to utilize two separate SSH sessions simultaneously to complete the process securely:

1. In your first SSH session, run the following command to ensure firewall protection is enabled. If it is already enabled, you can skip this step:

   plesk ext firewall --enable

2. In your second SSH session, run the following command to confirm the firewall protection. This step is also skippable if firewall protection is already active:

   plesk ext firewall --confirm

3. Return to your first SSH session and execute the following command to import and apply the firewall configuration. Replace <the file's URL or local path> with the actual path or URL of your .json configuration file:

   plesk ext firewall --import -config <the file's URL or local path> && plesk ext firewall --apply

   For example, if your file is hosted online:

   plesk ext firewall --import -config https://example.com/rules.json && plesk ext firewall --apply

   Or if the file is located locally on the server:

   plesk ext firewall --import -config /tmp/rules.json && plesk ext firewall --apply

4. Crucially, verify that you can still successfully connect to the server via SSH after the new firewall configuration has been applied. If your connection is successful, proceed to your second SSH session and run the following command to definitively confirm the imported firewall configuration:

   plesk ext firewall --confirm

   Note: It is imperative to confirm the imported firewall configuration within 60 seconds of running the plesk ext firewall --apply command. Failure to do so will result in the automatic rollback of all changes, and the server's previous firewall configuration will be restored.

Upon successful confirmation, the firewall configuration from your specified file will be permanently applied to the server.