The Plesk Firewall is an essential tool designed to significantly enhance the security of your Plesk for Linux server by enabling precise control over network connections. It allows you to restrict both incoming and outgoing traffic, thereby creating a more secure environment for your server operations.

This comprehensive guide will walk you through the process of effectively managing your server's security. You will learn how to implement and remove firewall rules and policies, understand how to block unwanted incoming connections from specific geographical regions, and discover methods for exporting and importing firewall rules. These capabilities enable you to easily replicate robust firewall configurations across multiple servers, ensuring consistent security.

Caution: It is critical to understand that both the Plesk Firewall and firewalld are designed to manage the underlying iptables firewall. Operating both tools concurrently can lead to severe conflicts, potentially resulting in the closure of ports vital for Plesk's functionality and overall server operation. For optimal and stable security management, we strongly advise using only one of these tools at any given time.

Managing Firewall Rules and Policies

The Plesk firewall configuration operates through a combination of policies and rules, each serving a distinct purpose in securing your server:

  • Policies: These are broad directives that encompass a wide scope, influencing all connections either to or from the server. For instance, the "System policy for incoming traffic" can be configured to completely prohibit all incoming network connections to your server, providing a high level of default security.
  • Rules: In contrast, rules are more granular and specifically target incoming connections for individual Plesk services, such as SMTP for email or MySQL/MariaDB for databases. They allow for fine-tuned control over specific traffic flows.

It is important to note that rules are designed to override policies. This means that if a global policy is set to deny all incoming traffic, but a specific rule permits incoming traffic from a particular IP address, the rule will take precedence, allowing that specific connection. This hierarchical mechanism offers powerful flexibility, enabling you to either strengthen or relax the security posture of your server as needed.

For example, implementing policies that forbid all connections to and from the server, with exceptions for only a select few allowed IP addresses or ports, will significantly enhance security. However, this rigorous approach might prevent certain applications from functioning correctly due to the tight network restrictions. Conversely, if you choose to allow all connections by default and use rules primarily to block access to individual services or from specific IP addresses, your server will be less secure, though it will ensure fewer connection issues. We recommend carefully experimenting with these settings to discover the optimal balance between server usability and robust security.

There are two primary methods for managing the Plesk firewall:

  • Modifying existing policies and rules, including the default configurations.
  • Creating and removing custom rules tailored to your specific security requirements.

Modifying an Existing Policy or Rule

  1. To begin, log in to your Plesk account.
  2. Navigate to Tools & Settings, then locate and click on Firewall under the "Security" section.
  3. Ensure that the "Firewall protection" toggle button displays as “Enabled”. If it is already enabled, you may proceed to the next step.
  4. Select the specific policy or rule you wish to modify by clicking on it.
  5. Apply your desired changes, then click Save. Subsequently, click Apply Changes, and finally, click Apply to confirm.

Upon completing these steps, the modifications to your firewall configuration will be actively in effect.

Creating a Custom Rule

  1. First, log in to Plesk.
  2. Access Tools & Settings, and then select Firewall from the “Security” options.
  3. Verify that the "Firewall protection" toggle button is set to “Enabled”. If it’s already active, you can skip this step.
  4. Click the Plus icon button to initiate the creation of a new rule.
  5. (Optional) Provide a descriptive name for your custom rule to easily identify its purpose.
  6. Proceed to configure the rule according to your needs. For instance, to prevent all incoming connections to the SSH service from the IP address 198.51.100.1 (assuming the standard SSH port is in use), you would set "Match direction" to “Incoming”, "Action" to “Deny”, "Port" to “TCP 22”, and then input “198.51.100.1” into the “Sources” field.
  7. Once your rule is fully configured, click Save, then click Apply Changes, and finally, click Apply.

Your new custom firewall rule is now active. When implementing custom rules, exercise caution to avoid inadvertently blocking connections to essential ports utilized by Plesk services, which could disrupt server functionality.

Note: If you are utilizing Docker containers, it is important to be aware that Docker’s internal firewall rules operate independently and will not be automatically integrated into the Plesk firewall rules.

Removing Custom Rules

  1. Begin by logging in to Plesk.
  2. Go to Tools & Settings, and then select Firewall under “Security”.
  3. Confirm that the "Firewall protection" toggle button is set to “Enabled”. If it's already active, you can skip this step.
  4. Identify and select one or more custom rules that you wish to remove. Please note that only custom rules can be deleted; default policies and rules are permanent.
  5. Click Remove, confirm by clicking Yes, remove, then click Apply Changes, and finally, click Apply.

The selected custom firewall rules will now be successfully removed, and the changes to your firewall configuration will be in effect.

Country Blocking

The Plesk Firewall offers a powerful feature for enhancing security: the ability to block network access to or from IP addresses associated with specific countries. This can be particularly useful for mitigating threats from known malicious regions or for complying with geographical access restrictions.

Blocking Access from a Specific Country

  1. First, log in to your Plesk account.
  2. Navigate to Tools & Settings, and then select Firewall under the “Security” category.
  3. Ensure that "Firewall protection" is toggled to “Enabled”. If it’s already active, you can bypass this step.
  4. Click the Plus icon button to create a new rule.
  5. (Optional) Assign a clear and descriptive name to your rule.
  6. Set the “Action” for this rule to “Deny”.
  7. In the “Sources” field, input the two-letter ISO 3166 country code for the country you wish to block. For example, to block all incoming connections originating from Afghanistan, you would enter “AF”.
  8. (Optional) If you need to block additional countries, click “Add one more” and repeat the previous step. You have the flexibility to block as many countries as your security policy requires.
  9. Once all desired countries have been added, click Save.
  10. Finally, click Apply Changes, and then click Apply to activate your new country blocking rules.

Once the firewall configuration has been successfully applied, all incoming connections directed towards your server from the specified blocked countries will be effectively denied, significantly enhancing your server's security posture against geographically targeted threats.

By default, Plesk utilizes the free “IP to Country Lite” database provided by DB-IP for geographical IP resolution. However, for enhanced accuracy and more comprehensive data, you have the option to integrate with either a free or paid database from MaxMind. Before you can switch to a MaxMind database, you will need to obtain a license (either free or paid) from MaxMind and receive your corresponding license key.

Switching to a MaxMind GeoIP Database

  1. To configure your Plesk instance to use a MaxMind database, you need to add the appropriate lines to your panel.ini file. Add the following:
    [ext-firewall]
    geoipDataSource = maxmind-lite

    to utilize the free GeoLite2 database, or:

    [ext-firewall]
    geoipDataSource = maxmind

    to leverage the comprehensive paid GeoIP2 database.

  2. After modifying the panel.ini file, log in to your server via SSH. Then, execute the relevant command to configure the IP sets:
    LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind-lite --force

    or

    LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind --force

    These commands will configure Plesk to use either the free or paid MaxMind database, respectively.

    Note: The command may end with a "Set cannot be destroyed" warning. This warning can typically be safely disregarded, as it does not affect the successful configuration.
  3. Next, log back into Plesk.
  4. Navigate to Tools & Settings, and then click on Firewall under “Security”.
  5. Click Apply Changes, and then click Apply to implement the new database configuration.
    Note: Should the Apply Changes button not be visible, you may need to create a temporary, new firewall rule to activate the ability to apply changes. This temporary rule can be removed once the changes are applied.

Once these steps are completed and the firewall configuration is applied, Plesk will begin using the specified MaxMind GeoIP database instead of the default DB-IP database.

To revert to the default free DB-IP database, simply remove the geoipDataSource = maxmind-lite or geoipDataSource = maxmind line from your panel.ini file, and then reapply the firewall configuration within Plesk.

Importing and Exporting Firewall Configuration

For administrators managing multiple Plesk for Linux servers, the ability to duplicate firewall configurations across different instances is invaluable for maintaining consistent security policies and saving time. The most efficient method for achieving this is by exporting a server's firewall configuration to a file, which can then be imported onto other Plesk for Linux servers. This process can be accomplished seamlessly through both the Plesk graphical user interface (GUI) and the command-line interface (CLI).

Exporting the Firewall Configuration via the GUI

  1. On the server from which you wish to copy the firewall configuration, log in to Plesk.
  2. Navigate to Tools & Settings, and then select Firewall under “Security”.
  3. Ensure that the "Firewall protection" toggle button indicates “Enabled”. If it is not, click it to enable protection, then click Apply. If it’s already enabled, you may skip this step.
  4. Click the Export button.

Your firewall configuration will be saved as a .json file, typically found in your web browser’s default downloads directory.

Importing the Firewall Configuration via the GUI

  1. On the target server where you want to apply the copied firewall configuration, log in to Plesk.
  2. Go to Tools & Settings, and then select Firewall under “Security”.
  3. Confirm that the "Firewall protection" toggle button is set to “Enabled”. If not, enable it and click Apply. If it is already enabled, you can skip this step.
  4. Click the Import button. A file browser will appear; locate and select the .json file that you previously exported from the source server.

Upon successful import, the firewall configuration contained within the selected file will be applied to the current server, ensuring identical security settings.

Exporting the Firewall Configuration via the CLI

  1. Connect to the source server (the one with the desired firewall configuration) via SSH.
  2. Execute the following command to export the firewall configuration:
    plesk ext firewall --export > rules.json

    You have the flexibility to name the output file anything you prefer; "rules.json" is provided as a common example.

The complete firewall configuration will be saved to the specified file on your server.

Importing the Firewall Configuration via the CLI

Importing firewall configurations via the command line requires careful execution and the use of two separate SSH sessions to ensure a smooth and safe transition.

  1. Establish two separate SSH connections to the target server where you intend to import the firewall configuration.
  2. In the first SSH session, run the following command to enable firewall protection. If firewall protection is already active, you can skip this step.
    plesk ext firewall --enable
  3. In the second SSH session, execute this command to confirm that firewall protection has been enabled. Again, if it was already active, this step can be skipped.
    plesk ext firewall --confirm
  4. Return to the first SSH session and run the command below to import and apply the new firewall configuration. Replace <the file's URL or local path> with the actual path or URL to your .json configuration file.
    plesk ext firewall --import -config <the file's URL or local path> && plesk ext firewall --apply

    For instance, you might use:

    plesk ext firewall --import -config https://example.com/rules.json && plesk ext firewall --apply

    or if the file is stored locally:

    plesk ext firewall --import -config /tmp/rules.json && plesk ext firewall --apply
  5. Crucially, after applying the new configuration, verify immediately that you can still connect to the server via SSH. If connectivity is successful, navigate back to the second SSH session and run the following command to permanently confirm the imported firewall configuration:
    plesk ext firewall --confirm
    Note: It is imperative to confirm the imported firewall configuration within 60 seconds of executing the plesk ext firewall --apply command. Failure to do so will result in an automatic rollback of the changes, and the server’s previous firewall configuration will be restored for safety.

Following these steps will ensure that the firewall configuration from your specified file is successfully applied and made permanent on the target server, maintaining consistent security across your infrastructure.
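
The check in step 5 can be scripted so that confirmation only happens after a fresh SSH login succeeds inside the 60-second window. The script below is an added example, not part of Plesk or the original guide. It assumes key-based SSH from an admin workstation, a placeholder host in TARGET, and a safety margin (MARGIN) chosen for illustration. A new connection is tested because an already-open session staying up does not prove that new connections are accepted.

```shell
#!/bin/sh
# Added example, not part of Plesk. Run on the admin workstation immediately
# after `plesk ext firewall --import ... && plesk ext firewall --apply`.

TARGET="${TARGET:-root@target.example.com}"  # placeholder host (assumption)
WINDOW="${WINDOW:-60}"   # rollback window stated in this guide, in seconds
MARGIN="${MARGIN:-10}"   # assumed safety margin before the rollback fires

# Open a NEW SSH connection; key-based login is assumed (BatchMode never prompts).
probe() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$TARGET" true
}

# Confirm from a session separate from the one that ran --apply.
confirm() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$TARGET" plesk ext firewall --confirm
}

# Returns 0 once a fresh login worked and --confirm succeeded.
# Returns 1 if that did not happen in time; the automatic rollback
# then restores the previous firewall configuration.
confirm_if_reachable() {
    deadline=$(( $(date +%s) + WINDOW - MARGIN ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if probe && confirm; then
            return 0
        fi
        sleep 2
    done
    echo "no confirmed SSH login before the deadline; not confirming" >&2
    return 1
}

# Only act when asked to, so the functions can be sourced for a dry run.
if [ "${1:-}" = "--run" ]; then
    confirm_if_reachable
fi
```

A non-zero exit means the configuration was never confirmed, so review the imported rules for anything that blocks SSH from your address before trying again.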
