How to manage Plesk Firewall via CLI?

Comments

15 comments

  • Claudio Rifo

    Is there an official documentation page (Of this CLI tool)?

    The default rules (The ones included on install) always have the same IDs?

    Is there any way to see how the default rules are built (port/protocol)?

  • Alexandr Nikolaenko

    Hello Claudio,

    Let me answer your questions one by one.

    1. There is no official documentation of Plesk Firewall Management CLI as it was developed for internal usage. All documented CLI utilities are available at our Documentation Portal;
    2. ID's of Plesk default rules can be changed on activation/disabling Firewall management. "Priority" can be used as anchor if it is required, see point 3.
    3. Firewall rules are stored in "psa.module_firewall_rules" table. Default Plesk rules have values of "priority" in 0-20 range. At "object" the rule is written in service format, but nevertheless is understandable.

  • John Bertin

    When confirming the changes, I get the following message:

    "Applying and confirmation of firewall changes should be done via different ssh sessions."

  • Bato Tsydenov

    @John Bertin

    The message is self-explanatory: you should establish another SSH session to the server and confirm changes in the new SSH session.
    I have updated the article accordingly.

  • Francis

    Denied a port "from any" (apply/confirm) and the port is still able to open. Any suggestion why this could happen? Like the Firewall Rule would not be active...

  • Alexandr Redikultsev

    Hi @Francis,

    Have you applied the changes via the following commands:

    # /usr/local/psa/bin/modules/firewall/settings -a
    # /usr/local/psa/bin/modules/firewall/settings -c

  • Peter Kielbasiewicz (Edited)

    Great article. That is exactly what I was looking for.
    I find my postfix server being targeted by systems trying to access it with dictionary attacks.
    I have enabled fail2ban and DNSBL service but still some servers get through.

    So I added a rule to ban them completely and it is a real pain to do this from the GUI.
    I'd like to fully automate it but with the extra ssh this doesn't seem to be possible.

    Nonetheless the CLI is a great enhancement for my purpose.

    BTW: I did report a bug in October but it is still not solved.
    https://talk.plesk.com/threads/bug-in-plesk-firewall-script-opt-psa-var-modules-firewall-firewall-active-sh.349893/

  • Anzhelika Khapaknysh

    Hi @Peter Kielbasiewicz,

    Thanks for your feedback!

    Regarding the reported bug: PPPM-9487 is still in progress. Currently, I don't have any ETA regarding it.

  • Jose Manuel Pérez

    Great article. But I don't know if there is any method to add a country block.

    I had a group called countryblock with all China IPs, and added it to iptables with: iptables -I INPUT -m set --match-set countryblock src -j DROP

    But it disappears when I add a rule with the control panel. I need to add that rule from the CLI, but I don't know how.

  • Francisco Garcia

    Hi @Jose Manuel Pérez, if you add custom rules from the CLI, those will be overwritten and removed when you make and apply any change from Plesk > Tools&Settings > Firewall.

    As of now, it's better to have some kind of script with all the custom rules you want to apply and execute it after you make any change in the Plesk firewall (or after a server reboot; in that case cron can help with the @reboot trigger, more info here: https://talk.plesk.com/threads/scheduled-tasks-crontab-with-reboot.289451/ ).

    There's also an open uservoice request here: https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/4565504-block-the-ip-of-the-selected-country-in-firewall, where you can add your comments and vote for implementation!

  • Jose Manuel Pérez

    Hi @Francisco Garcia

    I tried to execute an sh script using cron reboot. The script is executed (I know because I have a tmpfs mount), but iptables is never updated.

    I tried adding a sleep to make sure that iptables is loaded, but no luck. I can see that once the sleep is over it creates the tmpfs mount, but no luck with my iptables restriction.

    Any idea?

    Thanks so much

  • Ivan Postnikov

    Hello @Jose,

    I can recommend the following:

    1. Make sure that all commands regarding firewall from the script work correctly one-by-one.

    2. Make sure that the script works fine when executed manually.

  • Francisco Garcia

    Hi @Jose Manuel Pérez, please also mind the service start order ;) Probably your script is executed before the iptables rules are added, so they're then overwritten.

    Maybe you can test it by adding a sleep of a few minutes before applying your custom rules to the firewall.

    systemctl status psa-firewall

    This is the "service" which is executed when Plesk has to apply the firewall rules, which for example also works on reboots :)
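
An added example (not from the thread and not a Plesk script) of the re-apply script Francisco describes: it polls psa-firewall until the service reports active instead of relying on a fixed sleep, then inserts the countryblock rule from the thread only if it is not already present. The ipset name, the script path in the crontab comment, and the IPTABLES/SYSTEMCTL override variables are assumptions of this example; the ipset itself is assumed to exist already.

```shell
#!/bin/sh
# Re-apply a custom ipset-based DROP rule after Plesk's psa-firewall service
# has finished loading its own rules. Added example, not a Plesk script.
set -eu

IPSET_NAME="${IPSET_NAME:-countryblock}"
# Command names are variables so the logic can be exercised without root
# (assumption for this example; on a real server leave them at their defaults).
IPTABLES="${IPTABLES:-iptables}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# Poll until psa-firewall reports active instead of guessing with a fixed sleep.
# Returns 0 once the service is active, 1 after $1 seconds without success.
wait_for_plesk_firewall() {
    timeout="${1:-300}"
    waited=0
    while ! "$SYSTEMCTL" is-active --quiet psa-firewall; do
        [ "$waited" -lt "$timeout" ] || return 1
        sleep 5
        waited=$((waited + 5))
    done
    return 0
}

# Insert the rule only if it is not already present (-C checks, -I inserts),
# so re-running the script after every Plesk change does not stack duplicates.
ensure_countryblock_rule() {
    if "$IPTABLES" -C INPUT -m set --match-set "$IPSET_NAME" src -j DROP 2>/dev/null; then
        echo "rule already present"
        return 0
    fi
    "$IPTABLES" -I INPUT -m set --match-set "$IPSET_NAME" src -j DROP
    echo "rule inserted"
}

# Only touch the firewall when invoked with "apply", e.g. from the crontab
# (path is an assumption):  @reboot /usr/local/sbin/reapply-countryblock.sh apply
if [ "${1:-}" = "apply" ]; then
    wait_for_plesk_firewall 300 || { echo "psa-firewall not active, giving up" >&2; exit 1; }
    ensure_countryblock_rule
fi
```

The same script can be run by hand after each change made in Tools & Settings > Firewall, since Plesk drops the custom rule on every apply.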

  • Igor Timofeev

    Hello,

    I rent a server from OVH with Plesk 17.8.11. OVH uses a monitoring system, RTM. To implement a restrictive firewall, especially on ICMP, and continue to benefit from OVH monitoring, it is necessary to authorize the IPs that you will find below ...

    Is it possible to add an ICMP rule to Plesk firewall via CLI? If yes, then what is the format of the command?

    Thank you in advance,

    Best regards,

    Igor Timofeev

  • Alexey Lapshin (Edited)

    Hello, @Igor

    The example below shows how to create an ICMP rule to allow the ping command to return:

    # firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
    # systemctl restart firewalld.service

    It is also possible to adjust the existing default "Ping service" rule:
    1. Determine the rule ID:

    # plesk db "select id from module_firewall_rules where configuration_id=2 and object like '%ping%'"
    +----+
    | id |
    +----+
    | 52 |
    +----+

    2. Perform required changes:

    # /usr/local/psa/bin/modules/firewall/settings --set-rule -id 52 -direction input -action allow -remote-addresses "203.0.113.2"

    3. Apply them:

    # /usr/local/psa/bin/modules/firewall/settings -a

    4. And confirm:

    # /usr/local/psa/bin/modules/firewall/settings -c
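
The four steps above as one script, added here as an example (not a Plesk-supplied tool): it parses the id out of the plesk db output, rewrites the rule and applies it, and deliberately leaves the confirm step to a second SSH session, as the message quoted earlier in this thread requires. The PLESK_FW variable and the "apply" argument are assumptions of this example.

```shell
#!/bin/sh
# Adjust the default "Ping service" rule of the Plesk Firewall from the CLI.
# Added example, not a Plesk-supplied script.
set -eu

# Path of the Plesk firewall CLI as used in this thread (overridable for testing).
PLESK_FW="${PLESK_FW:-/usr/local/psa/bin/modules/firewall/settings}"

# Step 1 helper: pull the numeric id out of what "plesk db" prints. Handles the
# bordered table shown above ("| 52 |") and the plain column layout the mysql
# client switches to when its output is piped. Reads stdin, prints the first id.
extract_rule_id() {
    sed -n 's/^[| ]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Step 1: id of the ping rule in configuration_id=2 (the query from the thread).
ping_rule_id() {
    plesk db "select id from module_firewall_rules where configuration_id=2 and object like '%ping%'" \
        | extract_rule_id
}

# Steps 2 and 3: rewrite the rule for the given id and apply the change.
# Step 4 (-c) is deliberately not run here: as quoted earlier in this thread,
# confirmation must be done from a different SSH session than the apply.
allow_icmp_from() {
    id="$1"
    addr="$2"
    "$PLESK_FW" --set-rule -id "$id" -direction input -action allow -remote-addresses "$addr"
    "$PLESK_FW" -a
    echo "applied; run '$PLESK_FW -c' from a second SSH session to confirm"
}

# Only touch the server when invoked as:  ./allow-ping.sh apply 203.0.113.2
if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    id="$(ping_rule_id)"
    [ -n "$id" ] || { echo "ping rule not found" >&2; exit 1; }
    allow_icmp_from "$id" "$2"
fi
```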
