Applicable to:
- Plesk for Linux
Question
How to manage local firewall rules using Plesk Firewall in Plesk for Linux?
Answer
Note: If Plesk Firewall is not installed, install it using the steps from this KB article.
Note: Before enabling Plesk Firewall, disable firewalld via SSH:
# systemctl stop firewalld && systemctl disable firewalld
Log into Plesk and go to Tools & Settings > Firewall > click Enable Firewall Rules Management > Enable. All predefined by Plesk rules that are required for Plesk functionality will be enabled.
Note: If a custom SSH port is used, after enabling Plesk Firewall it is required to add a rule for this custom SSH port to allow SSH connections. See the instructions below.
To add/remove/modify firewall rules, click Modify Plesk Firewall Rules.
Below is an example of adding a rule that will allow connections to custom SSH port 2222.
-
Click Add Custom Rule.
-
Fill in the fields and click OK:
- Name of the rule: Custom SSH port
- Match direction: Incoming
- Action: Allow
- Ports: TCP 2222
- Sources: Specify IP addresses from which SSH connections will be allowed. In this example, SSH connections to a custom port are allowed from 203.0.113.2.
-
Click Apply Changes.
Use the /usr/local/psa/bin/modules/firewall/settings utility to manage Plesk Firewall in a command-line interface.
For a complete list of available options, run this help command:
# /usr/local/psa/bin/modules/firewall/settings --help
Below is an example of enabling Plesk Firewall:
-
Connect to a Plesk server via SSH.
-
Run the following command to enable Firewall settings:
# /usr/local/psa/bin/modules/firewall/settings -e
-
Then run the below command and confirm the changes within 60 seconds:
# /usr/local/psa/bin/modules/firewall/settings --confirm
All predefined by Plesk rules that are required for Plesk functionality will be enabled.
Below is an example of adding a new rule with the name "My rule" which will deny incoming connections from 203.0.113.2 on ports 2222/tcp, 2222/udp:
-
Connect to a Plesk server via SSH.
-
Create a new rule and apply it by running the below command:
# /usr/local/psa/bin/modules/firewall/settings -s -name 'My rule' -direction input -action deny -ports '2222/tcp,2222/udp' -remote-addresses "203.0.113.2"
# /usr/local/psa/bin/modules/firewall/settings -a
-
Confirm the changes within 60 seconds:
# /usr/local/psa/bin/modules/firewall/settings -c
Before, the article mentioned opening 2 different SSH consoles. This is no longer needed since there is a bug currently addressing this issue. Bug ID #PPPM-12747. As per developers, I am removing these steps. Please read the bug for more details.
Comments
17 comments
Is it not possible to disable only 1 firewall rule?
I have a large amount of blocked spammers ip's but recently switched to a paid DNSBL and would like to just deactivate the 1 rule for testing.
Hi @Sales,
It's possible to delete the rule.
To go Tools&Settings > FIrewall > Modify Plesk Firewall Rules, select the required rule and click Delete:
Here is a short demonstration:
https://cl.ly/3109cb028117
Yes that is possible to delete but not disable. I was looking for a way to deactivate 1 rule temporarily for testing. Because it contains 300+ IP's I would have to add it back 1 ip at a time.
I made an extension that allows me to export the rules and then re import for testing.
Thanks.
Hi,
This is for just one IP address.
Is there any easy way to add file or hundred of IPs at one time there?
Thanks in advance.
Hello @Usta,
Such functionality is yet to be implemented in Plesk.
We have the following feature suggestion. Feel free to comment and vote for this feature. Most popular ones are likely to be implemented.
Meanwhile, the required result may be achieved using iptables directly, for example: https://serverfault.com/questions/161401/how-to-allow-a-range-of-ips-with-iptables
Can i also Import big IP ranges like this
iptables -A INPUT -s 2.0.0.0/24 -j DROP
iptables -A INPUT -s 2.0.1.0/24 -j DROP
iptables -A INPUT -s 2.0.2.0/24 -j DROP
iptables -A INPUT -s 2.0.3.0/24 -j DROP
iptables -A INPUT -s 2.0.4.0/24 -j DROP
iptables -A INPUT -s 2.0.5.0/24 -j DROP
iptables -A INPUT -s 2.0.6.0/24 -j DROP
over SSH when i have firewall on? I a looking for a solution to import Country IP range from countryipblocks.net
Hello Mehmet Yaldiz
If you'll manually add these IP ranges, this will work but when the Plesk firewall will be configured, these rules may be wiped.
Please, vote for the functionality to be able to block IP ranges via the Plesk firewall here.
This is not worked for me - Connection attempt failed with "ETIMEDOUT - Connection attempt timed out".
Hello Sushil
The only reason this happens is the traffic being blocked by some firewall. If that's not a firewall on the Plesk server, contact your ISP or server provider.
So, apparently, this thing still is not capable of managing multiple IP addresses... and the more I am trying to advance my infrastructure the more I am noticing how much i might really just need to move on to another panel... especially with the kind of support I have been getting lately, and I'm paying for this support! you have a bunch or 1-month old rookies out there calling themselves engineers.... absolutely horrible
For the folks asking how to add IPs en masse, you can fork and modify our helper script here to help you do this: https://github.com/websavers/Plesk-Firewall-CLI-Helper
We'll gladly accept pull requests for functionality like this. I believe the Plesk firewall command should accept a CSV of IPs to block or allow.
There is an easier way to do this, and thanyou Plesk for maintaining iptables in CentOS 8! It means I can use the same ipset system I have set up in CentOS 7.
Install ipsets. Create your set, for me it's easy because the ipset is for blocking the bad actors from all ports.
Unlike normal iptables chains, which are stored and traversed linearly, IP sets are stored in indexed data structures, making lookups very efficient, even when dealing with large sets
ipset create setname nethash maxelem 200000 (I ran out of room in my first ipset, so created another one this time with 500000 max elements)
so then you just add elements to your set. You can write a shell script to add large numbers of IP addresses at once, like,
#!/bin/bash
FILE=mylist
while read line; do
/path/to/ipset add setname $line
done < $FILE
Now you have a large number of IPs
Now just have a script that runs to insert the ipset into the plesk firewall iptables. If you are running fail2ban you have to run a checking script too, because any time you restart/reload the plesk firewall, it will destroy your ipset rule.
#!/bin/bash
/usr/sbin/iptables -I INPUT -m set --match-set setname src -j DROP
So for me, because I run fail2ban, there is always a jail active, when you run iptables -nL there is always a f2b line third from the top
Example:
Chain INPUT (policy DROP)
target prot opt source destination
f2b-recidive tcp -- 0.0.0.0/0 0.0.0.0/0
So I have a script running every 5 minutes making sure it doesn't look like that, because I want my rule above the f2b #1 rule (if you don't, then the firewall skips to the f2b part and bypasses your DROP line. Your DROP rule must be first, so iptables -nL looks like this: (in this example the fb2-recidive rule just happens to be the first rule exampled.
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 match-set setname src <--- this is what you want -- first rule
f2b-recidive tcp -- 0.0.0.0/0 0.0.0.0/0
......
So every 5 minutes the script runs to check to make sure f2b isn't in the 3rd line. If it is, then the script to run the iptables insert the ipset is run, or you could put the line in the same script. I just prefer them separate.The script also emails us, since we want to know when there has been an occurrence of this so we can double check the firewall.
You can do a lot of things with this IPSET setup to really cut down on hackers and spam. I have nailed down all the bad actions from dovecot and postfix and have scripts running every 15 minutes grepping the log files for the known issues, then for production reasons, after ips are extracted, they are run through some other filtering and then the resulting list of IP addresses is automatically added to the ipset every 15 minutes. I have found it's a really good solution to hackers and spammers. There's a lot you can do with it with some creative scripting.
Hope this helps someone.
actually the line here:
/path/to/ipset add setname $line
should read
/path/to/ipset add setname $line -exist
which tells ipset to add the IP address if it doesn't exist in the set. (no error reporting then, trying to add things that are alreay there)
Forgot to mention to, if you're using
ipset create mysetname nethash maxelem 200000
(or your number of elements)
IPsets will take CIDR notation, so you can have elemnts like
111.222.222.111
or
111.222.222.0/24
or
111.222.0.0/16 or whatever
it doesn't have to be single IP addresses
When I am using the Plesk Obsidian interface I can set up a new rule to block an IP Address, but there is no way of editing the rule, or removing it. The tick box next to the rule name is not active, although the green tick icon is so I can change that to a grey cross, so cannot tick it and then do remove - although it is possible to do this for the rules that were set up by default. When I go in to the rule I can just view the existing list of ip addresses, there is an OK button, but that's useless because I can't edit anything.
Any ideas what is wrong?
For everyone looking to script firewall settings (e.g. for initial server setup or modifying multiple servers at once), the need for a second SSH session is a nuisance that can be overcome like this:
SSH_CLIENT="127.0.0.1 65535 22" /usr/local/psa/bin/modules/firewall/settings --confirm
The values should differ from your actual session, so the IP and pid=65535 is used as a dummy.
To use this for initial enabling of the firewall you need a single iptables rule to not lock yourself out:
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
Thanks Lars Doe -- that's super helpful :)
Did this because i've changed my ssh ports and now im stucked. When i try to apply firewall rules i get this message:
Please sign in to leave a comment.