Enhancing Server Security with the Plesk Firewall for Linux

The Plesk Firewall is an essential tool designed to bolster the security of your Plesk for Linux server by precisely controlling inbound and outbound network connections. This guide will walk you through the process of adding and removing firewall rules and policies, implementing country-specific connection blocking, and demonstrating how to export and import firewall rules to effortlessly replicate configurations across multiple servers.

Caution: Both the Plesk firewall and firewalld are powerful tools for managing the underlying iptables firewall. Utilizing both simultaneously can lead to conflicts and inadvertently close ports critical for Plesk’s operation. For optimal stability and security, we strongly recommend employing only one firewall management tool at a time.

Understanding and Managing Plesk Firewall Rules and Policies

By default, the Plesk firewall configuration is built upon a combination of policies and rules, each serving a distinct purpose in governing network traffic:

• Policies: These are broad directives that impact all network connections to or from the server. For instance, the "System policy for incoming traffic" can be configured to completely restrict all incoming connections to the server.
• Rules: These provide a more granular level of control, specifically managing incoming connections for individual Plesk services, such as SMTP or MySQL/MariaDB.

It is important to note that rules always take precedence over policies. For example, if a global policy dictates the denial of all incoming traffic, yet a specific rule permits incoming connections from a particular IP address, the rule will override the policy. This hierarchical mechanism offers considerable flexibility, allowing you to fine-tune your server's security posture.

For instance, establishing policies that prohibit all connections to and from the server, with exceptions for only a few explicitly allowed IP addresses or ports, significantly enhances security. However, this rigorous approach might prevent certain applications from functioning correctly due to network restrictions. Conversely, allowing all connections by default and then using specific rules to block access to individual services or from certain IP addresses offers greater usability but results in a less secure server. We encourage you to experiment to discover the optimal balance between server usability and robust security for your specific environment.

You have two primary methods for managing the Plesk firewall:

• Modifying existing policies and rules, including those provided by default.
• Creating and removing custom rules tailored to your specific security needs.

Modifying an Existing Policy or Rule

To adjust an existing firewall policy or rule, follow these steps:

1. Log in to Plesk as an administrator.
2. Navigate to Tools & Settings > Firewall (found under the “Security” section).
3. Ensure that “Firewall protection” is set to “Enabled”. If it is not, click the toggle button to activate it.
4. Click on the specific policy or rule you wish to modify from the list.
5. Implement your desired changes, then click Save. Afterward, click Apply Changes, and finally, click Apply to confirm.

Your modifications to the firewall configuration will now be active.

Creating a Custom Rule

To establish a new, custom firewall rule, proceed as follows:

1. Log in to Plesk.
2. Go to Tools & Settings > Firewall (under “Security”).
3. Verify that “Firewall protection” is “Enabled”. If not, enable it.
4. Click the button to add a new rule.
5. (Optional) Provide a descriptive name for your new rule to easily identify it later.
6. Configure the rule according to your requirements. For example, to block all incoming connections to the SSH service from a specific IP address (e.g., 198.51.100.1, assuming default SSH port 22), set “Match direction” to “Incoming”, “Action” to “Deny”, “Port” to “TCP 22”, and enter “198.51.100.1” in the “Sources” field.
7. Once the rule is configured, click Save, then Apply Changes, and finally Apply.

The new firewall rule will now be enforced. When creating custom rules, exercise caution to avoid inadvertently blocking connections to ports utilized by Plesk services, which could disrupt server functionality.

Note: If you are employing Docker containers, their specific firewall rules will not be automatically integrated into the Plesk firewall ruleset.

Removing Custom Rules

To delete custom firewall rules that are no longer needed:

1. Log in to Plesk.
2. Access Tools & Settings > Firewall (under “Security”).
3. Ensure “Firewall protection” is “Enabled”.
4. Select one or more custom rules you wish to remove. Only rules you have created can be deleted.
5. Click Remove, confirm by clicking Yes, remove, then click Apply Changes, and finally Apply.

The selected custom rules will be removed, and the firewall configuration will be updated.

Implementing Country Blocking with Plesk Firewall

The Plesk firewall offers a robust feature allowing you to block network access to or from IP addresses originating from specific countries. This can be a highly effective measure for mitigating threats from known malicious regions or for complying with geographic access restrictions.

Blocking Access from a Specific Country

To prevent connections from a particular country:

1. Log in to Plesk.
2. Go to Tools & Settings > Firewall (under “Security”).
3. Confirm that “Firewall protection” is “Enabled”.
4. Click the button to create a new rule.
5. (Optional) Assign a clear name to your rule.
6. Set the “Action” to “Deny”.
7. Under “Sources”, input the two-letter ISO 3166 country code of the country you intend to block. For instance, to block all incoming connections from Afghanistan, you would enter “AF”.
8. (Optional) To block additional countries, click “Add one more” and repeat the previous step. You can include as many countries as necessary.
9. Once all desired countries are added, click Save.
10. Finally, click Apply Changes, and then Apply to activate the new country blocking rules.

After the firewall configuration is applied, all incoming connections to your server originating from the specified country or countries will be denied.

By default, Plesk utilizes the free “IP to Country Lite” database from DB-IP for country detection. For enhanced accuracy and features, you may opt to use a free or paid database from MaxMind. Before making this switch, you will need to obtain either a free GeoLite2 license or purchase a GeoIP2 license from MaxMind and receive your unique license key:

• Get a free GeoLite2 license
• Buy a GeoIP2 license

Switching to a MaxMind GeoIP Database

To configure Plesk to use a MaxMind GeoIP database:

1. Edit the panel.ini file by adding the following lines. Use geoipDataSource = maxmind-lite for the free GeoLite2 database, or geoipDataSource = maxmind for the paid GeoIP2 database:

   [ext-firewall]
   geoipDataSource = maxmind-lite

   or for the paid version:

   [ext-firewall]
   geoipDataSource = maxmind

2. Access your server via SSH and execute the appropriate command, replacing <enter your license key here> with your actual MaxMind license key:

   LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind-lite --force

   or for the paid version:

   LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind --force

   Note: You might encounter a Set cannot be destroyed warning after running this command; this warning can be safely disregarded.

3. Log in to Plesk.
4. Navigate to Tools & Settings > Firewall (under “Security”).
5. Click Apply Changes, and then click Apply.

Note: If the Apply Changes button is not visible, you may need to create a temporary new firewall rule to trigger its appearance. This rule can be removed after the changes are applied.

Once the firewall configuration is applied, Plesk will begin using the selected MaxMind GeoIP database. To revert to the free DB-IP database, simply remove the geoipDataSource = maxmind-lite or geoipDataSource = maxmind line from your panel.ini file and then reapply the firewall configuration.

Importing and Exporting Plesk Firewall Configurations

For administrators managing multiple Plesk for Linux servers, the ability to duplicate firewall configurations across machines can significantly streamline security management. Plesk facilitates this by allowing you to export a server's firewall configuration to a file, which can then be easily imported onto other servers. This feature is accessible via both the graphical user interface (GUI) and the command-line interface (CLI).

Exporting the Firewall Configuration via the GUI

To export your firewall configuration using the Plesk GUI:

1. Log in to Plesk on the server whose firewall configuration you wish to copy.
2. Navigate to Tools & Settings > Firewall (under “Security”).
3. Ensure “Firewall protection” is “Enabled”. If it is not, toggle it to “Enabled” and click Apply.
4. Click the Export button.

The firewall configuration will be saved as a .json file, typically found in your web browser’s default downloads directory.

Importing the Firewall Configuration via the GUI

To import a previously exported firewall configuration using the Plesk GUI:

1. Log in to Plesk on the target server where you want to apply the configuration.
2. Go to Tools & Settings > Firewall (under “Security”).
3. Confirm that “Firewall protection” is “Enabled”. If not, enable it and click Apply.
4. Click the Import button, and then browse to select the .json file containing the firewall configuration you wish to import.

The firewall configuration from the selected file will be applied to the server.

Exporting the Firewall Configuration via the CLI

For command-line users, exporting the firewall configuration is straightforward:

1. Log in to the source server via SSH.
2. Execute the following command to export the firewall configuration:

   plesk ext firewall --export > rules.json

   You can choose any filename; "rules.json" is used here as an example.

The firewall configuration will be saved to the specified file.

Importing the Firewall Configuration via the CLI

Importing a firewall configuration via the CLI requires two separate SSH sessions to ensure a seamless application process:

1. In your first SSH session, enable firewall protection by running:

   plesk ext firewall --enable

   If firewall protection is already enabled, you can skip this step.
2. In your second SSH session, confirm firewall protection by running:

   plesk ext firewall --confirm

   Again, if firewall protection is already enabled, this step can be skipped.
3. Back in the first SSH session, import and apply the firewall configuration using the following command, replacing <the file's URL or local path> with the actual path or URL to your .json configuration file:

   plesk ext firewall --import -config https://example.com/rules.json && plesk ext firewall --apply

   For a local file, you might use:

   plesk ext firewall --import -config /tmp/rules.json && plesk ext firewall --apply

4. Immediately after applying the new configuration, verify that you can still connect to the server via SSH.
5. If connectivity is confirmed, return to your second SSH session and run the following command to finalize and confirm the imported firewall configuration:

   plesk ext firewall --confirm

Note: It is crucial to confirm the imported firewall configuration within 60 seconds of executing the plesk ext firewall --apply command. Failure to do so will result in the automatic rollback of changes, restoring the server to its previous firewall configuration.

The firewall configuration from your specified file will now be fully applied and active on the server.