The Plesk firewall is a tool that improves the security of your Plesk for Linux server by letting you control and restrict network connections both to and from the server.

This comprehensive guide will walk you through the process of effectively managing your server's security. You will discover how to implement and remove firewall rules and policies, understand the functionality of blocking incoming connections from specific geographical regions, and learn to efficiently export and import firewall configurations. This last capability is particularly useful for replicating consistent security settings across multiple servers with ease.

Caution: The Plesk firewall and firewalld are two separate tools that both manage the underlying iptables firewall. Running both concurrently can cause conflicts and may close ports that Plesk needs in order to operate. To keep the system stable and secure, we strongly advise using only one firewall management tool at any given time.

Managing Firewall Rules and Policies

The Plesk firewall configuration is structured around two primary components: policies and rules. Understanding their interplay is key to effective server security management.

  • Policies: These are overarching directives with a broad scope, influencing all network connections to or from the server based on their definition. For instance, the "System policy for incoming traffic" can be configured to completely block all incoming connections to your server, providing a strong baseline of security.
  • Rules: In contrast, rules are more specific, targeting incoming connections to individual Plesk services, such as SMTP for email or MySQL/MariaDB for databases. They allow for granular control over specific traffic types.

It's important to note that rules are designed to override policies. This hierarchical structure offers flexibility: if a global policy dictates denying all incoming traffic, but a specific rule permits incoming traffic from a particular IP address, the rule will take precedence. This powerful mechanism allows you to either tighten your server's security measures or, conversely, relax them to accommodate specific operational needs.

For example, implementing policies that forbid all connections to and from the server, with exceptions for only a select few allowed IP addresses or specific ports, will undoubtedly result in significantly improved security. However, this stringent approach might inadvertently prevent certain applications from functioning correctly due to network restrictions. Conversely, configuring the firewall to allow all connections by default and then using specific rules to block access to individual services or from particular IP addresses will create a less secure environment, but it ensures that you are unlikely to encounter connectivity issues. We recommend experimenting with these configurations to discover the optimal balance between robust security and essential usability for your server environment.


There are two primary methods for managing the Plesk firewall:

  • Modifying existing policies and rules, including the default configurations.
  • Creating and removing custom rules tailored to your specific security needs.

Modifying an Existing Policy or Rule

  1. Log in to your Plesk account.
  2. Navigate to Tools & Settings, then under the "Security" section, select Firewall.
  3. Ensure that the "Firewall protection" toggle button displays "Enabled". If it is not enabled, click it to activate firewall protection. You can skip this step if it's already enabled.
  4. Click on the specific policy or rule you wish to modify from the displayed list.
  5. Implement your desired changes. After making modifications, click Save, then Apply Changes, and finally Apply to confirm.

Upon completing these steps, the adjustments to your firewall configuration will immediately take effect.

Creating a Custom Rule

  1. Log in to your Plesk account.
  2. Go to Tools & Settings, and then select Firewall under the "Security" category.
  3. Verify that the "Firewall protection" toggle button is set to "Enabled". If it is not, click it to enable the firewall.
  4. Click the plus icon button to add a new rule.
  5. (Optional) Provide a descriptive name for your new rule to easily identify its purpose.
  6. Proceed to configure the rule according to your requirements. For instance, to block all incoming connections to the SSH service from the IP address 198.51.100.1 (assuming SSH is running on its default port), you would set "Match direction" to "Incoming", "Action" to "Deny", "Port" to "TCP 22", and enter "198.51.100.1" in the "Sources" field.
  7. Once the rule is configured to your satisfaction, click Save, then Apply Changes, and finally Apply.

The newly created firewall rule will be active immediately. When establishing custom rules, exercise caution to avoid inadvertently blocking connections to ports that are essential for Plesk services.

Note: It is important to remember that if you are utilizing Docker containers, their firewall rules are managed independently and will not be automatically incorporated into the Plesk firewall rules.

Removing Custom Rules

  1. Log in to your Plesk account.
  2. Navigate to Tools & Settings, and then select Firewall under the "Security" section.
  3. Confirm that the "Firewall protection" toggle button is showing "Enabled". If it's not, enable it first.
  4. Select one or more of the custom rules you wish to remove. Please note that only custom rules can be deleted.
  5. Click the Remove button, confirm your action by clicking Yes, remove, then click Apply Changes, and finally Apply.

The selected custom rules will be removed, and the updated firewall configuration will be in effect.

Country Blocking

The Plesk firewall provides a robust feature that enables you to block network access to or from IP addresses originating from specific countries. This can be an effective strategy for mitigating threats or managing geographical access restrictions.

Blocking Access from a Specific Country

  1. Log in to your Plesk account.
  2. Navigate to Tools & Settings, then locate and click Firewall under the "Security" section.
  3. Ensure that the "Firewall protection" toggle button indicates "Enabled". If it's not active, click it to enable firewall protection.
  4. Click the plus icon button to create a new rule.
  5. (Optional) Assign a clear and descriptive name to your rule.
  6. Set the "Action" for this rule to "Deny".
  7. In the "Sources" field, input the two-letter ISO 3166 country code for each country you wish to block. For example, entering "AF" will block all incoming connections originating from Afghanistan.
  8. (Optional) If you need to block multiple countries, click "Add one more" and repeat the previous step. You have the flexibility to block as many countries as required.
  9. Once all desired countries have been added, click Save.
  10. Finally, click Apply Changes, and then confirm by clicking Apply.

After the firewall configuration has been successfully applied, all incoming connections directed to your server from the specified blocked country or countries will be automatically denied.

Configuring Geographic IP Databases (MaxMind)

By default, Plesk utilizes the free "IP to Country Lite" database provided by DB-IP for its country blocking feature. However, you have the option to switch to either a free or paid database from MaxMind, which can offer greater accuracy or more extensive features. To use a MaxMind database, you will first need to obtain a license and receive a corresponding license key from MaxMind.

Switching to a MaxMind Database (GeoLite2 or GeoIP2)

  1. To configure Plesk to use a MaxMind database, you need to add specific lines to your panel.ini file.
    • For the free GeoLite2 database, add the following lines:
      [ext-firewall]
      geoipDataSource = maxmind-lite
    • For the paid GeoIP2 database, use these lines instead:
      [ext-firewall]
      geoipDataSource = maxmind
  2. Access your server via SSH and execute one of the following commands, replacing <enter your license key here> with your actual MaxMind license key:
    • For GeoLite2:
      LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind-lite --force
    • For GeoIP2:
      LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind --force

    Note: You might encounter a "Set cannot be destroyed" warning upon command completion. This warning is generally harmless and can be safely disregarded.

  3. Log back into Plesk.
  4. Navigate to Tools & Settings, and then click Firewall under "Security".
  5. Finally, click Apply Changes, and then Apply to commit the database switch.

    Note: If the Apply Changes button is not visible, a temporary workaround is to create a new, minor firewall rule. This often makes it possible to apply changes, after which you can safely remove the temporary rule.

Once the firewall configuration is successfully applied, your Plesk server will begin utilizing the specified MaxMind GeoIP2 or GeoLite2 database for country blocking, instead of the default DB-IP database.

Reverting to the DB-IP Database

Should you wish to revert to the default free DB-IP database, simply remove the geoipDataSource = maxmind-lite or geoipDataSource = maxmind line from your panel.ini file. After saving the changes to panel.ini, reapply the firewall configuration through the Plesk interface as described in the steps above.

Importing and Exporting Firewall Configuration

For administrators managing multiple Plesk for Linux servers, the ability to replicate firewall configurations efficiently is invaluable. This section details how to export a server's firewall settings to a file and subsequently import it onto other servers, ensuring consistent security policies across your infrastructure. Both graphical interface (GUI) and command-line interface (CLI) methods are available for this process.

Exporting Firewall Configuration via the GUI

  1. Log in to Plesk on the server from which you wish to copy the firewall configuration.
  2. Navigate to Tools & Settings, and then select Firewall under the "Security" section.
  3. Ensure that the "Firewall protection" toggle button is set to "Enabled", and then click Apply. If firewall protection is already active, you may proceed to the next step.
  4. Click the Export button.

Your server's current firewall configuration will be saved as a .json file, typically found in your web browser's default downloads directory.

Importing Firewall Configuration via the GUI

  1. Log in to Plesk on the target server where you intend to apply the copied firewall configuration.
  2. Go to Tools & Settings, and then select Firewall under "Security".
  3. Confirm that the "Firewall protection" toggle button displays "Enabled", and then click Apply. Skip this step if the firewall is already enabled.
  4. Click the Import button. You will then be prompted to locate and select the .json file that you previously exported from the source server.

Once selected, the firewall configuration contained within the file will be applied to the target server.

Exporting Firewall Configuration via the CLI

  1. Establish an SSH connection to the source server whose firewall configuration you intend to export.
  2. Execute the following command to export the firewall configuration:
    plesk ext firewall --export > rules.json

    You have the flexibility to name the output file as you prefer; "rules.json" is provided merely as an illustrative example.

The firewall configuration will be saved to the designated file on your server.

Importing Firewall Configuration via the CLI

  1. Open two SSH sessions to the target server where you wish to import the firewall configuration. This procedure requires both sessions to be open at the same time.
  2. In your first SSH session, run the following command to enable firewall protection. If firewall protection is already active, this step can be skipped.
    plesk ext firewall --enable
  3. Concurrently, in your second SSH session, execute the following command to confirm that firewall protection is enabled. Again, skip if already active.
    plesk ext firewall --confirm
  4. Return to the first SSH session and run the command below to import and apply the firewall configuration. Replace <the file's URL or local path> with the actual URL or local file path of your .json configuration file.
    plesk ext firewall --import -config <the file's URL or local path> && plesk ext firewall --apply

    For instance, to import from a URL:

    plesk ext firewall --import -config https://example.com/rules.json && plesk ext firewall --apply

    Or, to import from a local path:

    plesk ext firewall --import -config /tmp/rules.json && plesk ext firewall --apply
  5. Crucially, after applying the new firewall configuration, immediately verify that you can still successfully connect to the server via SSH. If connectivity is confirmed, return to your second SSH session and execute the following command to permanently confirm the imported firewall configuration:
    plesk ext firewall --confirm

    Note: It is imperative to confirm the imported firewall configuration within 60 seconds of running the plesk ext firewall --apply command. Failure to do so will result in an automatic rollback of the changes, and the server's previous firewall configuration will be restored for safety.

Upon successful confirmation, the firewall configuration from your specified file will be fully applied and active on the server.
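
Because an imported file defines the target server's entire firewall policy, it is worth checking that the file is the one that was exported before running the import. The following is an added example, not part of the Plesk documentation or tooling: it records a SHA-256 digest at export time and refuses to import a file that is altered, truncated, or not valid JSON. The helper names and the ".sha256" sidecar file are assumptions made for this illustration; a file hosted at a URL should be downloaded to a local path first so that the checked file is the one imported.

```shell
#!/bin/sh
# Added example, not Plesk code. Helper names and the ".sha256" sidecar file
# are assumptions made for this illustration.

# Source server: run after `plesk ext firewall --export > rules.json`.
# Stores the SHA-256 digest of the export next to it.
record_digest() {
    sha256sum "$1" | awk '{print $1}' > "$1.sha256"
}

# Succeeds only if the file parses as JSON (python3 or jq must be installed;
# with neither available the check fails closed).
is_json() {
    if command -v python3 >/dev/null 2>&1; then
        python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$1" 2>/dev/null
    elif command -v jq >/dev/null 2>&1; then
        jq empty "$1" >/dev/null 2>&1
    else
        return 1
    fi
}

# Target server: returns 0 if the file is intact and well-formed,
# 1 on digest mismatch, 2 if it is not valid JSON, 3 if a file is missing.
verify_rules() {
    file=$1
    digest_file=$2
    [ -r "$file" ] && [ -r "$digest_file" ] || return 3
    expected=$(awk 'NR == 1 {print $1}' "$digest_file")
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ] || return 1
    is_json "$file" || return 2
}

# Import and apply only a verified file, using the commands from the steps
# above. The SSH check and `--confirm` within 60 seconds remain manual.
verified_import() {
    verify_rules "$1" "$1.sha256" || {
        echo "refusing to import $1: verification failed (code $?)" >&2
        return 1
    }
    plesk ext firewall --import -config "$1" && plesk ext firewall --apply
}
```

Transfer the ".sha256" file over a channel you trust separately from the rules file, then call verified_import /tmp/rules.json in the first SSH session in place of the import command in step 4.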
