The Plesk firewall is an essential tool designed to enhance the security posture of your Plesk for Linux server by precisely controlling network connections to and from the server. This comprehensive guide will walk you through the process of adding and removing firewall rules and policies, implementing country-specific blocking, and efficiently replicating firewall configurations across multiple servers through import and export functionalities.
Caution: Both the Plesk firewall and firewalld are distinct tools for managing the underlying iptables firewall. Operating both tools concurrently can lead to critical conflicts, potentially resulting in the unintended closure of ports vital for Plesk operations. It is strongly recommended to use only one of these firewall management tools at any given time to ensure system stability and security.
Managing Firewall Rules and Policies
By default, the Plesk firewall configuration is structured around a combination of policies and rules, each serving a distinct purpose in controlling network traffic:
- Policies: These are broad directives that apply universally to all connections entering or leaving the server. For instance, the "System policy for incoming traffic" can be configured to completely restrict all incoming connections to your server.
- Rules: These provide more granular control, specifically targeting incoming connections to individual Plesk services, such as SMTP or MySQL/MariaDB.
An important aspect of the Plesk firewall is that rules always take precedence over policies. This means if a global policy is set to deny all incoming traffic, but a specific rule permits incoming traffic from a particular IP address, the rule will override the policy for that specific connection. This powerful mechanism allows administrators to fine-tune the server's security.
For example, a highly secure setup might involve setting policies to forbid all connections except for a select few allowed IP addresses or specific ports. While this significantly enhances security, it may inadvertently restrict certain applications from functioning correctly. Conversely, a more open approach might allow all connections by default, using rules to block access to individual services or from problematic IP addresses. This offers greater usability but might present a lower security posture. It is crucial to experiment and find the optimal balance between operational convenience and robust security for your specific environment.

Firewall management in Plesk can be accomplished in two primary ways:
- Modifying existing policies and rules, including the predefined default settings.
- Creating and removing custom rules to address specific security requirements.
Modifying an Existing Policy or Rule
- Log in to Plesk.
- Navigate to Tools & Settings, then select Firewall (found under the “Security” section).
- Ensure that the "Firewall protection" toggle button displays "Enabled". If it is currently disabled, click it to enable protection.
- Click on the specific policy or rule you wish to modify.
- Implement your desired changes, then click Save. After saving, click Apply Changes, and finally, click Apply to commit the configuration.
The updated firewall configuration will now be actively enforced on your server.
Creating a Custom Rule
- Log in to Plesk.
- Go to Tools & Settings, then select Firewall (under “Security”).
- Verify that the "Firewall protection" toggle button shows "Enabled". Enable it if necessary.
- Click the button to add a new rule.
- (Optional) Assign a descriptive name to your new rule for easier identification.
- Proceed to configure the rule according to your requirements. For example, to block all incoming connections to the SSH service from a specific IP address (e.g., 198.51.100.1, assuming default SSH port 22), you would set "Match direction" to "Incoming", "Action" to "Deny", "Port" to "TCP 22", and then input "198.51.100.1" into the "Sources" field.
- Once the rule is fully configured, click Save, then Apply Changes, and finally Apply to activate it.
The newly created custom rule will immediately take effect. Exercise caution when creating custom rules to avoid inadvertently blocking connections to essential ports used by Plesk services.
Note: If you are utilizing Docker containers, it's important to understand that Docker firewall rules operate independently and are not integrated into the Plesk firewall ruleset.
Removing Custom Rules
- Log in to Plesk.
- Navigate to Tools & Settings, then Firewall (under “Security”).
- Confirm that "Firewall protection" is "Enabled".
- Select one or more custom rules you wish to remove. Note that only custom rules can be deleted; default policies and rules cannot be removed.
- Click Remove, then confirm by clicking Yes, remove. Finally, click Apply Changes, and then Apply.
The selected custom rules will be immediately removed from the firewall configuration.
Country Blocking
The Plesk firewall provides a powerful feature allowing you to control network access based on geographic location. You can effectively block incoming or outgoing connections to and from IP addresses associated with specific countries, enhancing your server's security by mitigating threats from known high-risk regions.
Blocking Access from a Specific Country
- Log in to Plesk.
- Go to Tools & Settings, then Firewall (under “Security”).
- Ensure the "Firewall protection" toggle button displays "Enabled". Enable it if it's currently off.
- Click the button to create a new rule.
- (Optional) Provide a meaningful name for your rule.
- Set the "Action" for this rule to "Deny".
- In the "Sources" field, enter the two-letter ISO 3166 country code for the country you wish to block. For example, entering "AF" will block all incoming connections originating from Afghanistan.
- (Optional) To block additional countries, click "Add one more" and repeat the previous step. You have the flexibility to block as many countries as needed.
- Once all desired countries are added, click Save.
- Finally, click Apply Changes, and then Apply to implement the new country blocking configuration.
After the firewall configuration is applied, all incoming connections to your server from the specified country or countries will be effectively denied.
By default, Plesk utilizes the free "IP to Country Lite" database provided by DB-IP for geographic IP resolution. For enhanced accuracy and additional features, you have the option to switch to a free or paid database from MaxMind. Before making this switch, you will need to obtain a license from MaxMind and receive your unique license key.
Switching to a MaxMind GeoIP Database
- Add the following lines to your panel.ini file to specify your preferred MaxMind database:
    [ext-firewall]
    geoipDataSource = maxmind-lite
  Use the above for the free GeoLite2 database, or:
    [ext-firewall]
    geoipDataSource = maxmind
  Use this for the paid GeoIP2 database.
- Access your server via SSH and execute the following command, replacing <enter your license key here> with your actual MaxMind license key:
    LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind-lite --force
  for the free GeoLite2 database, or:
    LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind --force
  for the paid GeoIP2 database.
  Note: You might encounter a "Set cannot be destroyed" warning after running the command. This warning is typically harmless and can be safely disregarded.
- Log in to Plesk.
- Navigate to Tools & Settings, then Firewall (under “Security”).
- Click Apply Changes, and then click Apply.
Note: If the Apply Changes button is not visible, you may need to create a temporary new firewall rule to trigger its appearance. This rule can be removed once the changes are applied.
Once the firewall configuration is successfully applied, the specified MaxMind GeoIP database will be actively used for country blocking instead of the default DB-IP "IP to Country Lite" database.
To revert to the free DB-IP database, simply remove the geoipDataSource = maxmind-lite or geoipDataSource = maxmind line from your panel.ini file, and then reapply your firewall configuration.
Importing and Exporting Firewall Configuration
For administrators managing multiple Plesk for Linux servers, the ability to duplicate firewall configurations across machines can significantly streamline security management. This feature allows you to export an existing firewall configuration from one server to a file and then easily import it onto other servers, ensuring consistent security policies without manual re-configuration. Both graphical interface (GUI) and command-line interface (CLI) methods are available for this process.
Exporting the Firewall Configuration via the GUI
- Log in to Plesk on the server from which you intend to copy the firewall configuration.
- Go to Tools & Settings, then Firewall (under “Security”).
- Ensure the "Firewall protection" toggle button shows "Enabled", and then click Apply. If protection is already active, you can skip this step.
- Click the Export button.
The firewall configuration will be saved as a .json file, typically found in your web browser’s default downloads directory.
Importing the Firewall Configuration via the GUI
- Log in to Plesk on the target server where you wish to apply the exported firewall configuration.
- Navigate to Tools & Settings, then Firewall (under “Security”).
- Confirm that the "Firewall protection" toggle button shows "Enabled", and then click Apply. If protection is already enabled, this step can be skipped.
- Click the Import button, and then browse to locate the .json file that contains the firewall configuration you previously exported.
The firewall configuration from the selected file will be promptly applied to the server.
Exporting the Firewall Configuration via the CLI
- Establish an SSH connection to the source server whose firewall configuration you intend to export.
- Execute the following command to export the firewall configuration:
    plesk ext firewall --export > rules.json
  You may choose any desired filename; "rules.json" is used here as an illustrative example.
The firewall configuration will be saved to the specified file on your server.
Importing the Firewall Configuration via the CLI
- Connect to the target server via SSH. For this procedure, you will need to open two separate SSH sessions simultaneously.
- In the first SSH session, run the following command to enable firewall protection. If it is already enabled, this step can be skipped:
    plesk ext firewall --enable
- In the second SSH session, run the following command to confirm firewall protection. Again, skip this step if protection is already enabled:
    plesk ext firewall --confirm
- Back in the first SSH session, execute the following command to import and immediately apply the firewall configuration:
    plesk ext firewall --import -config <the file's URL or local path> && plesk ext firewall --apply
  For instance, you might use:
    plesk ext firewall --import -config https://example.com/rules.json && plesk ext firewall --apply
  or if the file is stored locally:
    plesk ext firewall --import -config /tmp/rules.json && plesk ext firewall --apply
- After applying the new firewall configuration, it is crucial to verify that you can still successfully connect to the server via SSH. If connectivity is confirmed, return to the second SSH session and run the following command to finalize and confirm the imported firewall configuration:
    plesk ext firewall --confirm
  Note: If you fail to confirm the imported firewall configuration within 60 seconds of executing the plesk ext firewall --apply command, the changes will be automatically rolled back, and the server's previous firewall configuration will be restored. This is a safety mechanism to prevent accidental server lockout.
Upon successful confirmation, the firewall configuration from the specified file will be fully applied and active on the server.
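Because the exported file is copied between servers or fetched from a URL, it is worth checking that the copy on the target is the file that left the source before importing it. The following is an added example, not part of the Plesk documentation: the function names are hypothetical, python3 and sha256sum are assumed to be installed, and the expected digest is assumed to have been recorded on the source server right after the export.

```bash
#!/usr/bin/env bash
# Added example: verify an exported Plesk firewall file before importing it.
# Function names are illustrative and not part of Plesk.

# Print the SHA-256 of a file. Run this on the source server after
# "plesk ext firewall --export > rules.json" and carry the value
# to the target over a separate channel.
rules_digest() {
    sha256sum -- "$1" | awk '{print $1}'
}

# Return 0 only if the file exists, is non-empty, parses as JSON and
# matches the digest recorded on the source server.
# Return codes: 1 = missing/empty, 2 = not JSON, 3 = digest mismatch.
verify_rules_file() {
    local file="$1" expected="$2" actual
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
    python3 -c 'import json,sys; json.load(open(sys.argv[1]))' "$file" 2>/dev/null \
        || { echo "not valid JSON: $file" >&2; return 2; }
    actual=$(rules_digest "$file")
    [ "$actual" = "$expected" ] \
        || { echo "digest mismatch: got $actual" >&2; return 3; }
}

# Import and apply only a verified local copy. Confirmation is left manual
# on purpose: it must come from the second SSH session after a connectivity
# check, within the 60-second rollback window.
guarded_import() {
    local file="$1" expected="$2"
    verify_rules_file "$file" "$expected" || return
    plesk ext firewall --import -config "$file" && plesk ext firewall --apply \
        && echo "Applied. Test SSH, then run: plesk ext firewall --confirm"
}
```

Download a remote rules file to a local path first and pass that path to guarded_import, so the bytes that were verified are the bytes that get imported.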
