On October 19, 2021, we have enabled single-sign-on for our Plesk Support Center to provide a seamless login/account experience. This implies that you’ll be able to use a single account across any of our web-facing properties.
If you had already registered your account at Plesk 360 (formerly known as My Plesk) please use one for login. Otherwise please re-register it using the same email address as your existing Zendesk login (support account). It’s essential that you use the same email address on our support center to ensure that your tickets stay attached to the same account.

How to manage local firewall rules using Plesk Firewall in Plesk for Linux

Follow

Comments

19 comments

  • Avatar
    James Rhoton

    Is it not possible to disable only 1 firewall rule?

    I have a large amount of blocked spammers ip's but recently switched to a paid DNSBL and would like to just deactivate the 1 rule for testing.

    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    Hi @Sales,

    It's possible to delete the rule.

    To go Tools&Settings > FIrewall > Modify Plesk Firewall Rules, select the required rule and click Delete:

    Here is a short demonstration:

    https://cl.ly/3109cb028117

    0
    Comment actions Permalink
  • Avatar
    James Rhoton

    Yes that is possible to delete but not disable. I was looking for a way to deactivate 1 rule temporarily for testing. Because it contains 300+ IP's I would have to add it back 1 ip at a time.  

    I made an extension that allows me to export the rules and then re import for testing.

    Thanks.

    0
    Comment actions Permalink
  • Avatar
    Usta

    Hi,

     

    This is for just one IP address.

    Is there any easy way to add file or hundred of IPs at one time there?

     

    Thanks in advance.

    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    Hello @Usta,

    Such functionality is yet to be implemented in Plesk.

    We have the following feature suggestion. Feel free to comment and vote for this feature. Most popular ones are likely to be implemented.

    Meanwhile, the required result may be achieved using iptables directly, for example: https://serverfault.com/questions/161401/how-to-allow-a-range-of-ips-with-iptables

    0
    Comment actions Permalink
  • Avatar
    Mehmet Yaldiz

    Can i also Import big IP ranges like this

    iptables -A INPUT -s 2.0.0.0/24 -j DROP
    iptables -A INPUT -s 2.0.1.0/24 -j DROP
    iptables -A INPUT -s 2.0.2.0/24 -j DROP
    iptables -A INPUT -s 2.0.3.0/24 -j DROP
    iptables -A INPUT -s 2.0.4.0/24 -j DROP
    iptables -A INPUT -s 2.0.5.0/24 -j DROP
    iptables -A INPUT -s 2.0.6.0/24 -j DROP

    over SSH when i have firewall on? I a looking for a solution to import Country IP range from countryipblocks.net

    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    Hello Mehmet Yaldiz

    If you'll manually add these IP ranges, this will work but when the Plesk firewall will be configured, these rules may be wiped. 

    Please, vote for the functionality to be able to block IP ranges via the Plesk firewall here.

    0
    Comment actions Permalink
  • Avatar
    Sushil

    This is not worked for me - Connection attempt failed with "ETIMEDOUT - Connection attempt timed out".

    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    Hello Sushil

    The only reason this happens is the traffic being blocked by some firewall. If that's not a firewall on the Plesk server, contact your ISP or server provider.

    0
    Comment actions Permalink
  • Avatar
    My Domain Labs

    So, apparently, this thing still is not capable of managing multiple IP addresses... and the more I am trying to advance my infrastructure the more I am noticing how much i might really just need to move on to another panel... especially with the kind of support I have been getting lately, and I'm paying for this support! you have a bunch or 1-month old rookies out there calling themselves engineers.... absolutely horrible

    0
    Comment actions Permalink
  • Avatar
    Websavers Inc

    For the folks asking how to add IPs en masse, you can fork and modify our helper script here to help you do this: https://github.com/websavers/Plesk-Firewall-CLI-Helper

    We'll gladly accept pull requests for functionality like this. I believe the Plesk firewall command should accept a CSV of IPs to block or allow.

    0
    Comment actions Permalink
  • Avatar
    Eric Beck

    There is an easier way to do this, and thanyou Plesk for maintaining iptables in CentOS 8!  It means I can use the same ipset system I have set up in CentOS 7.

    Install ipsets.  Create your set, for me it's easy because the ipset is for blocking the bad actors from all ports.

    Unlike normal iptables chains, which are stored and traversed linearly, IP sets are stored in indexed data structures, making lookups very efficient, even when dealing with large sets

    ipset create setname nethash maxelem 200000 (I ran out of room in my first ipset, so created another one this time with 500000 max elements)

    so then you just add elements to your set.  You can write a shell script to add large numbers of IP addresses at once, like, 

    #!/bin/bash

    FILE=mylist

    while read line; do

      /path/to/ipset add setname $line

    done < $FILE

    Now you have a large number of IPs

    Now just have a script that runs to insert the ipset into the plesk firewall iptables.  If you are running fail2ban you have to run a checking script too, because any time you restart/reload the plesk firewall, it will destroy your ipset rule.

    #!/bin/bash

    /usr/sbin/iptables -I INPUT -m set --match-set setname src -j DROP

    So for me, because I run fail2ban, there is always a jail active, when you run iptables -nL there is always a f2b line third from the top

    Example:

    Chain INPUT (policy DROP)
    target prot opt source destination
    f2b-recidive tcp -- 0.0.0.0/0 0.0.0.0/0

    So I have a script running every 5 minutes making sure it doesn't look like that, because I want my rule above the f2b #1 rule (if you don't, then the firewall skips to the f2b part and bypasses your DROP line.  Your DROP rule must be first, so iptables -nL looks like this: (in this example the fb2-recidive rule just happens to be the first rule exampled.

    Chain INPUT (policy DROP)
    target prot opt source destination
    DROP all -- 0.0.0.0/0 0.0.0.0/0 match-set setname src  <--- this is what you want -- first rule
    f2b-recidive tcp -- 0.0.0.0/0 0.0.0.0/0

    ......

    So every 5 minutes the script runs to check to make sure f2b isn't in the 3rd line.  If it is, then the script to run the iptables insert the ipset is run, or you could put the line in the same script.  I just prefer them separate.The script also emails us, since we want to know when there has been an occurrence of this so we can double check the firewall.

    You can do a lot of things with this IPSET setup to really cut down on hackers and spam.  I have nailed down all the bad actions from dovecot and postfix and have scripts running every 15 minutes grepping the log files for the known issues, then for production reasons, after ips are extracted, they are run through some other filtering and then the resulting list of IP addresses is automatically added to the ipset every 15 minutes.  I have found it's a really good solution to hackers and spammers.   There's a lot you can do with it with some creative scripting.

    Hope this helps someone.

    0
    Comment actions Permalink
  • Avatar
    Eric Beck

    actually the line here:

    /path/to/ipset add setname $line

    should read

    /path/to/ipset add setname $line -exist

    which tells ipset to add the IP address if it doesn't exist in the set. (no error reporting then, trying to add things that are alreay there)

    Forgot to mention to, if you're using 

    ipset create mysetname nethash maxelem 200000

    (or your number of elements)

    IPsets will take CIDR notation, so you can have elemnts like

    111.222.222.111

    or 

    111.222.222.0/24

    or 

    111.222.0.0/16 or whatever

    it doesn't have to be single IP addresses

    0
    Comment actions Permalink
  • Avatar
    Andrew Paterson (Edited )

    When I am using the Plesk Obsidian interface I can set up a new rule to block an IP Address, but there is no way of editing the rule, or removing it. The tick box next to the rule name is not active, although the green tick icon is so I can change that to a grey cross, so cannot tick it and then do remove - although it is possible to do this for the rules that were set up by default.  When I go in to the rule I can just view the existing list of ip addresses, there is an OK button, but that's useless because I can't edit anything.

    Any ideas what is wrong?

    0
    Comment actions Permalink
  • Avatar
    Lars Doe (Edited )

    For everyone looking to script firewall settings (e.g. for initial server setup or modifying multiple servers at once), the need for a second SSH session is a nuisance that can be overcome like this:

    SSH_CLIENT="127.0.0.1 65535 22" /usr/local/psa/bin/modules/firewall/settings --confirm

    The values should differ from your actual session, so the IP and pid=65535 is used as a dummy.

     

    To use this for initial enabling of the firewall you need a single iptables rule to not lock yourself out:

    iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

     

    1
    Comment actions Permalink
  • Avatar
    Websavers Inc

    Thanks Lars Doe -- that's super helpful :)

    0
    Comment actions Permalink
  • Avatar
    Kyllaz

    Did this because i've changed my ssh ports and now im stucked. When i try to apply firewall rules i get this message:

    Warning: The current configuration has not been activated. The system has been reverted to the previous configuration. This has occured because there were connection problems between your browser and the server. Most probably, the reason is that you have arranged the configuration so that connections from your computer to the server are prohibited.
     
    How can i fix this?
     
    0
    Comment actions Permalink
  • Avatar
    meiner nichtdeiner (Edited )

    Use the standard SSH ports again. Plesk only checks these to protect you from locking yourself out.

    Then:

    /usr/local/psa/var/modules/firewall/firewall-emergency.sh

    1
    Comment actions Permalink
  • Avatar
    Kris Lowet

    Is Plesk Firewall compatible with UFW on Debian / Ubuntu?

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request