Caution: Both the Plesk firewall and firewalld manage the iptables firewall on your system. Using both at the same time leads to conflicting rule sets and can close ports that Plesk and its services need, breaking the server. Use only one firewall management tool at a time.
Managing Firewall Rules and Policies
The Plesk firewall configuration is inherently structured around a combination of policies and rules, each serving a distinct purpose in governing network traffic.
- Policies: These are broad in scope, designed to affect all connections either to or from the server, depending on the specific policy. For instance, the “System policy for incoming traffic” can be configured to completely block all inbound connections to your server, providing a robust baseline security posture.
- Rules: In contrast, rules are more granular and specifically govern incoming connections to individual Plesk services, such as SMTP for email communication or MySQL/MariaDB for database operations.
A key aspect of the Plesk firewall is that rules take precedence over policies. If the policy for incoming traffic denies everything but a rule allows incoming connections from a particular IP address, the rule wins for the connections it matches. This lets you tighten or relax the server's overall posture with precision.
For example, you can set the policies to forbid all connections to and from the server and then add rules that allow only a few IP addresses or ports (default deny). This is the more secure arrangement, but applications that need connections you did not anticipate will fail until you add rules for them. Conversely, allowing all connections by policy and adding rules that deny access to individual services or from particular addresses (default allow) is more forgiving, but anything you forgot to deny stays reachable. Test carefully to find the balance between accessibility and the level of protection your environment needs.
You have two primary methods for managing the firewall:
- Modifying existing policies and rules, which includes the default configurations provided by Plesk.
- Creating and removing custom rules tailored to your specific security requirements.
Modifying an Existing Policy or Rule
- Log in to Plesk as an administrator.
- Navigate to Tools & Settings, then under the “Security” section, click on Firewall.
- Ensure that the “Firewall protection” toggle button displays “Enabled”. If it is currently disabled, click it to enable protection. If already enabled, you may proceed to the next step.
- Click on the specific policy or rule that you wish to adjust.
- Apply your desired modifications, then click Save. Following this, click Apply Changes, and finally click Apply to commit the configuration.
The updated firewall configuration will now be actively enforced on your server.
Creating a Custom Rule
- Log in to Plesk.
- Go to Tools & Settings, then under “Security”, select Firewall.
- Verify that the “Firewall protection” toggle button is set to “Enabled”. If it's not, activate it.
- Click the Add Custom Rule button to add a new rule.
- (Optional) Assign a descriptive name to your custom rule for easier identification and management.
- Configure the rule according to your needs. For instance, to block all incoming connections to the SSH service from the IP address 198.51.100.1 (assuming SSH listens on the default port 22), set “Match direction” to “Incoming”, “Action” to “Deny”, “Port” to “TCP 22”, and enter 198.51.100.1 in the “Sources” field.
- Once the rule is configured, click Save, then click Apply Changes, and finally Apply to activate the new rule.
The changes to your firewall configuration are now in effect. When creating custom rules, take care not to block ports used by Plesk services, and in particular do not deny the port and source address through which you yourself administer the server (SSH or the Plesk panel), as this can severely impact server functionality or lock you out.
Note: If you are leveraging Docker containers, it's important to understand that Docker's own firewall rules are managed independently and will not be automatically integrated into the Plesk firewall ruleset.
Removing Custom Rules
- Log in to Plesk.
- Navigate to Tools & Settings, then under “Security”, select Firewall.
- Confirm that the “Firewall protection” toggle button shows “Enabled”. Enable it if necessary.
- Select one or more custom rules that you wish to remove. Please note that only custom rules can be removed; default policies and rules are permanent.
- Click Remove, confirm your decision by clicking Yes, remove, then click Apply Changes, and finally Apply.
The selected custom rules have now been successfully removed, and the updated firewall configuration is in effect.
Country Blocking
The Plesk firewall provides a robust feature allowing you to block network access to or from specific IP addresses associated with particular countries. This can be an effective measure to mitigate geographically targeted threats or restrict access based on regional policies.
Blocking Access from a Specific Country
- Log in to Plesk.
- Go to Tools & Settings, then under “Security”, select Firewall.
- Ensure the “Firewall protection” toggle button is set to “Enabled”. Activate it if it is currently off.
- Click the Add Custom Rule button to create a new rule.
- (Optional) Provide a meaningful name for your rule, such as "Block Afghanistan Traffic".
- Set the “Action” for this rule to “Deny”.
- In the “Sources” field, input the two-letter ISO 3166 country code of the country you intend to block. For example, to deny all incoming connections originating from Afghanistan, you would enter "AF".
- (Optional) If you need to block additional countries, click “Add one more” and repeat the previous step. You have the flexibility to block as many countries as your security strategy requires.
- Once all desired countries have been added, click Save.
- Finally, click Apply Changes, and then click Apply to deploy the new firewall configuration.
Upon the successful application of this firewall configuration, all incoming connections to your server from the specified blocked country or countries will be effectively denied.
By default, Plesk leverages the free “IP to Country Lite” database provided by DB-IP for geographic IP resolution. However, for enhanced accuracy and more frequent updates, you have the option to switch to either a free or paid database from MaxMind. Before making this transition, you will need to acquire the appropriate license from MaxMind and obtain your unique license key.
Switching to a MaxMind GeoIP Database
- Add the following lines to your panel.ini file to select the MaxMind database. For the free GeoLite2 database:
[ext-firewall]
geoipDataSource = maxmind-lite
For the paid GeoIP2 database:
[ext-firewall]
geoipDataSource = maxmind
- Log in to the server via SSH and run the following command, replacing <enter your license key here> with your MaxMind license key. For the free GeoLite2 database:
LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind-lite --force
For the paid GeoIP2 database:
LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind --force
Note: The command may finish with a warning such as "Set cannot be destroyed". This warning is benign and can be ignored. Because the license key is passed on the command line, it is recorded in the shell history unless your shell is configured to skip such entries; clear it afterwards if that matters in your environment.
- Log in to Plesk.
- Navigate to Tools & Settings, then under “Security”, select Firewall.
- Click Apply Changes, and subsequently click Apply to synchronize the firewall configuration with the newly selected GeoIP database.
Note: If the Apply Changes button is not visible, a temporary workaround is to create a new firewall rule. This action often triggers the ability to apply changes. After the changes are applied, you can safely remove the temporary rule.
Once the firewall configuration is applied, Plesk will begin utilizing the specified MaxMind GeoIP database for country-based blocking, enhancing the accuracy of your geographic restrictions.
To revert to the default free database from DB-IP, simply remove the geoipDataSource = maxmind-lite or geoipDataSource = maxmind line from your panel.ini file, and then reapply your firewall configuration within Plesk.
Importing and Exporting Firewall Configuration
For administrators managing multiple Plesk for Linux servers, the ability to replicate firewall configurations across different instances is invaluable. The Plesk firewall facilitates this through its import and export features, allowing you to easily duplicate an existing firewall setup from one server to another. This process can be executed efficiently via both the graphical user interface (GUI) and the command-line interface (CLI).
Exporting Firewall Configuration via the GUI
- Log in to Plesk on the source server, which holds the firewall configuration you wish to copy.
- Navigate to Tools & Settings, then under “Security”, select Firewall.
- Ensure the “Firewall protection” toggle button indicates “Enabled”, and then click Apply. If firewall protection is already active, you can skip this step.
- Click the Export button.
Your server's current firewall configuration will be saved as a .json file, typically found in your web browser’s default downloads directory.
Importing Firewall Configuration via the GUI
- Log in to Plesk on the destination server, where you intend to apply the copied firewall configuration.
- Go to Tools & Settings, then under “Security”, select Firewall.
- Verify that the “Firewall protection” toggle button is set to “Enabled”, and click Apply. If it is already enabled, proceed to the next step.
- Click Import, then browse and select the
.jsonfile that you previously exported from your source server.
The firewall configuration contained within the selected file will now be applied to the destination server, streamlining the replication process.
Exporting Firewall Configuration via the CLI
- Establish an SSH connection to the source server from which you want to export the firewall configuration.
- Execute the following command to save the firewall configuration to a file:
plesk ext firewall --export > rules.json
You can name the output file as you like; rules.json is only an example.
The firewall configuration will be successfully saved to the file you specified.
Importing Firewall Configuration via the CLI
- Establish an SSH connection to the destination server where you wish to import the firewall configuration. For this procedure you need two separate SSH sessions open at the same time: the second session is used to confirm the configuration only after you have verified that the new rules did not lock you out.
- In the first SSH session, run the following command to enable firewall protection (skip this step if it is already enabled):
plesk ext firewall --enable
- In the second SSH session, run the following command to confirm firewall protection (also skippable if it is already enabled):
plesk ext firewall --confirm
- Back in the first SSH session, run the command below to import and apply the firewall configuration, replacing <the file's URL or local path> with the URL or local path of your exported .json file:
plesk ext firewall --import -config <the file's URL or local path> && plesk ext firewall --apply
For example, if your file is hosted online:
plesk ext firewall --import -config https://example.com/rules.json && plesk ext firewall --apply
Or, if the file is located locally on the server:
plesk ext firewall --import -config /tmp/rules.json && plesk ext firewall --apply
Treat the file as trusted configuration: whatever it contains becomes your firewall ruleset, so import only from a location you control, preferably a local path or an HTTPS URL.
- After applying the new configuration, verify that you can still open a new SSH connection to the server. If you can, switch to the second SSH session and run the following command to confirm the imported configuration:
plesk ext firewall --confirm
Note: If you do not confirm the imported firewall configuration within 60 seconds of running plesk ext firewall --apply, the changes are rolled back automatically and the server reverts to its previous firewall settings for safety.
Upon successful completion, the firewall configuration from your specified file will be fully applied and active on the server.
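The two-session procedure above, scripted from an administrator's workstation as an added example (this is not Plesk's own tooling and is not from the original page). Each ssh invocation opens a fresh connection, so the second one succeeding after --apply is exactly the "can I still connect?" check the steps ask you to perform by hand; only then is --confirm sent, and if the reconnect fails nothing is confirmed and Plesk's 60-second rollback restores the old rules. It assumes key-based SSH as a user that may run plesk, that rules.json already exists on the server at the given path, and that the plesk commands are the ones quoted on this page; SSH_CMD is a variable only so the flow can be dry-run with a stub.

```shell
#!/bin/sh
# Added example: apply a Plesk firewall configuration over SSH and confirm it
# only after a fresh connection proves the new rules still admit SSH.
# Assumptions: key-based SSH is set up, the target user may run "plesk",
# and the rules file already exists on the server.

# Fresh, non-interactive connection each time; the timeout keeps the whole
# check well inside Plesk's 60-second confirmation window.
SSH_CMD="${SSH_CMD:-ssh -o BatchMode=yes -o ConnectTimeout=15}"

# firewall_apply_confirm TARGET RULES_PATH
# Exit status: 0 applied and confirmed, 1 import/apply failed (or that
# connection was cut), 2 reconnect failed so the change was left to roll back.
firewall_apply_confirm() {
    target="$1"
    rules="$2"

    # Session 1: import and apply. If the new rules cut SSH this connection
    # dies and we get a non-zero status; either way we must not confirm.
    if ! $SSH_CMD "$target" \
        "plesk ext firewall --import -config '$rules' && plesk ext firewall --apply"; then
        echo "apply failed or connection lost; Plesk rolls the ruleset back within 60 s" >&2
        return 1
    fi

    # Session 2: a brand-new connection started after --apply. Success here is
    # the lock-out check; the confirm rides on the same connection.
    if $SSH_CMD "$target" "plesk ext firewall --confirm"; then
        echo "firewall configuration confirmed on $target"
        return 0
    fi

    echo "could not reconnect to $target after apply; NOT confirming, rollback will restore the previous rules" >&2
    return 2
}

# Run directly as: ./firewall_apply_confirm.sh root@server.example.com /tmp/rules.json
# Without arguments the script only defines the function.
if [ "$#" -eq 2 ]; then
    firewall_apply_confirm "$1" "$2"
fi
```

Run it from the workstation, never on the server itself: the point is that the second connection comes from outside, through the rules that were just applied. If you also expose the Plesk panel or SSH on a non-default port, extend the second step with a check of that port before the confirm command.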
