The Plesk Firewall is an essential tool designed to significantly enhance the security posture of your Plesk for Linux server. By enabling you to meticulously control and restrict network connections, both inbound and outbound, it provides a critical layer of defense against unauthorized access and malicious activities. This comprehensive guide will walk you through the process of effectively managing your Plesk firewall, covering everything from establishing and modifying firewall rules and policies, to implementing country-specific blocking, and even replicating configurations across multiple servers with ease through import and export functionalities.

Understanding and correctly configuring your server's firewall is paramount for maintaining a secure and stable environment. This guide offers practical steps and insights to help you leverage the full capabilities of the Plesk Firewall.

Caution: It is crucial to understand that both the Plesk firewall and firewalld are distinct tools for managing the underlying iptables firewall. Operating both tools concurrently can lead to critical conflicts and inadvertently close ports vital for Plesk's operational integrity. To avoid such issues, we strongly recommend utilizing only one firewall management tool at any given time.

Managing Firewall Rules and Policies

The Plesk firewall configuration is structured around two key components: policies and rules. These work in conjunction to provide flexible control over your server's network traffic.

  • Policies: These are broad directives that apply to all connections to or from the server. For instance, the “System policy for incoming traffic” can be configured to globally block all incoming connections, acting as a foundational security measure.
  • Rules: In contrast, rules are more granular, targeting specific incoming connections to individual Plesk services, such as SMTP (for email) or MySQL/MariaDB (for databases).

An important aspect of the Plesk firewall is that rules always override policies. This hierarchical structure allows for nuanced security configurations. For example, if a global policy denies all incoming traffic, a specific rule can still permit incoming connections from a designated IP address, taking precedence over the broader policy. This mechanism empowers administrators to either tighten or relax the server’s security precisely as needed.

Consider the following scenarios for optimal security balancing:

  • Enhanced Security: By default, configure policies to prohibit all connections to and from the server, then create specific rules to allow only essential IP addresses or ports. While this significantly boosts security, it may restrict certain application functionalities if not carefully configured.
  • Flexible Security: Alternatively, you can allow all connections by default and use rules to specifically block access to individual services or from particular IP addresses. This approach offers greater flexibility but might inherently make your server less secure.

It is advisable to experiment with these configurations to discover the optimal balance between server usability and robust security for your specific operational needs.

Plesk Firewall landing page

Modifying Existing Policies or Rules

To adjust an existing firewall policy or rule, follow these steps:

  1. Log in to Plesk.
  2. Navigate to Tools & Settings > Firewall (found under the “Security” section).
  3. Ensure "Firewall protection" is enabled. If it displays “Disabled”, click the toggle button to switch it to “Enabled”.
  4. Click on the specific policy or rule you wish to modify.
  5. Apply your desired changes, then click Save. Following this, click Apply Changes, and finally, click Apply to activate the new configuration.

Your adjustments to the firewall configuration will now be active on the server.

Creating a Custom Rule

To implement a new, custom firewall rule, proceed as follows:

  1. Log in to Plesk.
  2. Go to Tools & Settings > Firewall (under “Security”).
  3. Verify that "Firewall protection" is enabled. If not, toggle it to “Enabled”.
  4. Click the plus icon button to add a new rule.
  5. (Optional) Assign a descriptive name to your new rule for easier identification.
  6. Configure the rule according to your requirements. For example, to block all incoming SSH connections from a specific IP address (e.g., 198.51.100.1, assuming default SSH port 22), set “Match direction” to “Incoming”, “Action” to “Deny”, “Port” to “TCP 22”, and enter “198.51.100.1” in the “Sources” field.
  7. After configuring the rule, click Save, then Apply Changes, and finally Apply.

The newly created firewall rule will now be enforced. Exercise caution when defining custom rules to avoid inadvertently blocking essential ports used by Plesk services, which could disrupt server functionality.

Note: If you are leveraging Docker containers, it is important to be aware that Docker firewall rules operate independently and are not automatically integrated into the Plesk firewall ruleset.

Removing Custom Rules

Should you need to remove custom firewall rules, follow these instructions:

  1. Log in to Plesk.
  2. Navigate to Tools & Settings > Firewall (under “Security”).
  3. Ensure that "Firewall protection" is enabled. If it is not, activate it.
  4. Select one or more custom rules you wish to remove. Only rules that you have explicitly created can be deleted.
  5. Click Remove, confirm by clicking Yes, remove, then click Apply Changes, and finally Apply.

The selected custom rules will be permanently removed, and the firewall configuration updated accordingly.

Country Blocking

The Plesk firewall provides a powerful feature for enhancing security: the ability to block network access to or from specific countries. This can be particularly useful for mitigating threats originating from known problematic regions or for compliance reasons.

Blocking Access from a Specific Country

To deny incoming connections from a particular country, execute the following steps:

  1. Log in to Plesk.
  2. Go to Tools & Settings > Firewall (under “Security”).
  3. Confirm that "Firewall protection" is enabled. If not, enable it.
  4. Click the plus icon button to create a new rule.
  5. (Optional) Provide a meaningful name for your rule.
  6. Set the “Action” to “Deny”.
  7. In the “Sources” field, input the two-letter ISO 3166 country code for the country you wish to block (e.g., "AF" for Afghanistan).
  8. (Optional) To block multiple countries, click “Add one more” and repeat the previous step for each additional country.
  9. Once all desired countries are added, click Save.
  10. Finally, click Apply Changes, and then Apply to implement the new blocking rule.

Upon successful application of the firewall configuration, all incoming connections to your server originating from the specified country or countries will be effectively denied.

Configuring GeoIP Databases for Country Blocking

By default, Plesk leverages the free “IP to Country Lite” database from DB-IP for country blocking. For enhanced accuracy and more frequent updates, you have the option to switch to a free or paid database provided by MaxMind. This requires obtaining a license key from MaxMind beforehand.

To configure Plesk to use a MaxMind GeoIP database, follow these steps:

  1. Edit the panel.ini file by adding one of the following lines, depending on your chosen MaxMind database:
    • For the free GeoLite2 database: 
      [ext-firewall]
geoipDataSource = maxmind-lite
    • For the paid GeoIP2 database: 
      [ext-firewall]
geoipDataSource = maxmind
  2. Access your server via SSH and execute the appropriate command, replacing <enter your license key here> with your actual MaxMind license key:
    • For GeoLite2: 
      LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind-lite --force
    • For GeoIP2: 
      LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind --force

    Note: The command may conclude with a Set cannot be destroyed warning. This message can be safely disregarded.

  3. Log in to Plesk.
  4. Navigate to Tools & Settings > Firewall (under “Security”).
  5. Click Apply Changes, and then click Apply to finalize the configuration.

Note: If the Apply Changes button is not visible, you may need to create a temporary, new firewall rule to trigger its appearance. This rule can be removed after the changes are applied.

After the firewall configuration is applied, Plesk will begin utilizing the specified MaxMind GeoIP database for country blocking. To revert to the default DB-IP database, simply remove the geoipDataSource line from your panel.ini file and reapply the firewall configuration.

Importing and Exporting Firewall Configuration

For administrators managing multiple Plesk for Linux servers, replicating a consistent firewall configuration across all instances is a common and critical task. The Plesk firewall simplifies this process by allowing you to easily export an existing configuration to a file and then import it onto other servers. This capability is available through both the graphical user interface (GUI) and the command-line interface (CLI).

Exporting Firewall Configuration via the GUI

To export your firewall configuration using the Plesk GUI:

  1. Log in to Plesk on the source server (the server with the configuration you wish to copy).
  2. Navigate to Tools & Settings > Firewall (under “Security”).
  3. Ensure "Firewall protection" is enabled. If not, toggle it to “Enabled” and click Apply.
  4. Click the Export button.

The firewall configuration will be saved as a .json file, typically found in your browser’s default downloads directory.

Importing Firewall Configuration via the GUI

To import a firewall configuration using the Plesk GUI onto a target server:

  1. Log in to Plesk on the target server where you want to apply the copied configuration.
  2. Go to Tools & Settings > Firewall (under “Security”).
  3. Verify that "Firewall protection" is enabled. If disabled, activate it and click Apply.
  4. Click the Import button, and then browse to select the .json file you previously exported from the source server.

The firewall configuration contained within the selected file will now be applied to the target server, ensuring consistency across your deployments.

Exporting Firewall Configuration via the CLI

For command-line enthusiasts, exporting the firewall configuration is straightforward:

  1. Establish an SSH connection to the source server from which you intend to copy the firewall configuration.
  2. Execute the following command to export the configuration: 
    plesk ext firewall --export > rules.json

    You can choose any filename; "rules.json" is provided as an example. The command redirects the output to the specified file.

The firewall configuration will be saved to the designated file in the current directory.

Importing Firewall Configuration via the CLI

Importing a firewall configuration using the CLI involves a few more steps to ensure safety and proper application:

  1. Connect via SSH to the target server where you wish to import the configuration. Note that you will need two separate SSH sessions for this process.
  2. In your first SSH session, enable firewall protection if it is not already active: 
    plesk ext firewall --enable

    If already enabled, you can skip this step.

  3. In your second SSH session, confirm the firewall protection. This step can also be skipped if protection is already enabled: 
    plesk ext firewall --confirm
  4. Return to your first SSH session and run the command to import and apply the firewall configuration. Replace <the file's URL or local path> with the actual path to your .json file:

    For example, if hosted remotely:

    plesk ext firewall --import -config https://example.com/rules.json && plesk ext firewall --apply

    Or, if the file is stored locally (e.g., in /tmp/):

    plesk ext firewall --import -config /tmp/rules.json && plesk ext firewall --apply
  5. Immediately after applying the new configuration, verify that you can still connect to the server via SSH. If connectivity is successful, proceed to your second SSH session and run the following command to confirm the imported firewall configuration: 
    plesk ext firewall --confirm

    Note: It is critical to confirm the imported firewall configuration within 60 seconds of executing the plesk ext firewall --apply command. Failure to do so will result in an automatic rollback, reverting to the previous firewall settings for safety.

Upon successful confirmation, the firewall configuration from your specified file will be fully applied and active on the server, providing a consistent security posture across your infrastructure.

Was this answer helpful? 0 Users Found This Useful (0 Votes)

Most Popular Articles

How to Setup Email Accounts in cPanel

Setting Up Email Accounts in cPanelThis guide will walk you through the process of creating and...
Understand Workflow Triggers

Understanding Workflow Triggers for Metanow CRM Integrations Workflow triggers in Metanow CRM are...
ModSecurity® 3

ModSecurity® 3 - Metanow CRM ModSecurity® 3 Overview ModSecurity...
The Ultimate Guide to Voicemail: Everything You Need to Know

The Ultimate Guide to Voicemail: Everything You Need to Know Understanding Voicemail: A Brief...
Gain Insights into Every Association | Features

Gain Comprehensive Insights into Every Association | Metanow CRM Features Association Deep...