Articles in this section

See more

How to manage local firewall rules using Plesk Firewall in Plesk for Linux

Avatar
Kuzma Ivanov
Updated
Follow
kb: how-to Plesk for Linux ABT: Group A Ideal

Applicable to:

  • Plesk for Linux

Question

How to manage local firewall rules using Plesk Firewall in Plesk for Linux?

Answer

Note: If Plesk Firewall is not installed, install it using the steps from this KB article.

Note: Before enabling Plesk Firewall, disable firewalld via SSH if it is installed:

# systemctl stop firewalld && systemctl disable firewalld

 

In Plesk, go to Tools & Settings > Firewall > enable Firewall protection > click Apply. All predefined by Plesk rules that are required for Plesk functionality will be enabled.

Note: If a custom SSH port is used, after enabling Plesk Firewall it is required to add a rule for this custom SSH port to allow SSH connections. See the instructions below.


1.png

To add a new firewall rule, click on the + button.


2.png

 

Adding a custom rule in Plesk Firewall

 

Below is an example of adding a rule that will allow connections to custom SSH port 2222.

  1. Click Add a firewall rule button.


    2.png

  2. Fill in the fields and click Save:

    • Name of the rule: Custom SSH port
    • Match direction: Incoming
    • Action: Allow
    • Ports: TCP 2222
    • Sources: Specify IP addresses from which SSH connections will be allowed. In this example, SSH connections to a custom port are allowed from 203.0.113.2.


    3.png

  3. Click Apply Changes.


    4.png


 

Managing firewall rules via a command-line interface

 

Use the /usr/local/psa/bin/modules/firewall/settings utility to manage Plesk Firewall in a command-line interface.

For a complete list of available options, run this help command:

# /usr/local/psa/bin/modules/firewall/settings --help

 

Below is an example of enabling Plesk Firewall:

  1. Connect to a Plesk server via SSH in 2 separate SSH windows.

  2. On the SSH windows A, enable the firewall:

    # /usr/local/psa/bin/modules/firewall/settings -e

  3. On the SSH window B, confirm the changes within 60 seconds:

    # /usr/local/psa/bin/modules/firewall/settings --confirm

    All predefined by Plesk rules that are required for Plesk functionality will be enabled.

 

Below is an example of adding a new rule with the name "My rule" which will deny incoming connections from 203.0.113.2 on ports 2222/tcp, 2222/udp:

  1. Connect to a Plesk server via SSH in 2 separate SSH windows.

  2. On the SSH window A, create a new rule and apply it:

    # /usr/local/psa/bin/modules/firewall/settings -s -name 'My rule' -direction input -action deny -ports '2222/tcp,2222/udp' -remote-addresses "203.0.113.2"

    # /usr/local/psa/bin/modules/firewall/settings -a

  3. Back to the SSH window B, confirm the changes within 60 seconds:

    # /usr/local/psa/bin/modules/firewall/settings -c

 

Comments

10 comments

Sort by Date Votes
  • Avatar
    Ehud Ziegelman

    Hi Kuzma Ivanov,

     

    May I ask, how come two different CLI sets, that do seem to both relate to the Plesk Fire-Wall show results that seem to be different, as below:

     

    systemctl status firewalld
    * firewalld.service
         Loaded: masked (Reason: Unit firewalld.service is masked.)
         Active: inactive (dead)

     

    systemctl status psa-firewall.service
    * psa-firewall.service - Plesk firewall module management
         Loaded: loaded (/lib/systemd/system/psa-firewall.service; enabled; vendor preset: enabled)
         Active: active (exited) since Sun 2023-04-23 18:48:45 IDT; 7h ago
       Main PID: 1017 (code=exited, status=0/SUCCESS)
            CPU: 4min 59.996s

    Notice: journal has been rotated since unit was started, output may be incomplete.
    0
    Comment actions Permalink
  • Avatar
    Bragi Austfjörð

    Adding custom port doesn't work at all. I have tried both method and still unable to open a new port.

    0
    Comment actions Permalink
  • Avatar
    Kuzma Ivanov

    Hello Bragi Austfjörð

    It might be that the port you opened is being filtered not by the local firewall, but an external one. It might be blocked by your hosting or Internet service provider. I'd recommend to contact them to get more information.

    0
    Comment actions Permalink
  • Avatar
    Danny Clowes

    Hello, Bragi Austfjörð

    The reason the custom port options are not working as you need to disable System policy for incoming traffic to Deny all other incoming traffic for your custom rules work. WHITELIST your IP address or will lose access to your Plesk control panel. 

     

    0
    Comment actions Permalink
  • Avatar
    Ehud Ziegelman (Edited )

    I would suggest, to at first, check what you have or don't have, on the server's seen iptables for the port. Possibly Plesk would provide you the CLI to check it.

    IPTABLES is where the server stores such blocking rules.

    Also comes to my mind, a possible need to run the CLI for Plesk repair:

    plesk repair all -y

    BTW, if you are using AWS, you have control of a higher level basic firewall enabling port blocking or restricting, under 'connection'.

    0
    Comment actions Permalink
  • Avatar
    Bragi Austfjörð

    I host my own servers @ home and I have used this port for a long time with CWP and many other hosting panels and the port works on other hosting panels but not for plesk, so no the port is not blocked.

    0
    Comment actions Permalink
  • Avatar
    Bragi Austfjörð

    I have tried this plesk repair all -y still the same. 

    0
    Comment actions Permalink
  • Avatar
    Ehud Ziegelman

    Hi Bragi Austfjörð,

    What I would have done instead of you, is I REMOVE the Plesk FW using the Plesk -> Tools -> Update tool, and then reinstate it. After reinstating it, click the 'enable' and start on a new fresh beginning. I find changes Plesk recently did the the Plesk FW as likely IMHO containing Bugs (product defects). This could be related.

    What I highly recommend is the following:

    1) Obtain a  service of PRIVATE IP, for BOTH your cellular and fixed home internet connection. 

    2) Set the server to use a static IP. This is possible on AWS.

    3) Write down the IPs for the above two, as well as the Server's private and public IP, and restrict on the Plesk FW almost all services (not including 'WWW server', 'DHCP client', 'Samba (file sharing in Windows networks)', 'Ping service', 'System policy for incoming traffic', 'System policy for outgoing traffic', and 'System policy for traffic forwarding' to be accessible ONLY FROM the above four IP Addresses (possibly the SSH port 22, needed also a hosting service range as in AWS light sails access which has a x.x.x.x/24 range used for this).

    4) Add the main port restriction also on the hosting level, which is a higher level from the Plesk server. On AWS LightSail they have 'networks' where you can do so.

    5) Add Google Authenticator Multi Factor Authentication (MFA) for both Plesk (using Google Authenticaiton Plesk extension), WordPress Domains (using miniorange plugin), and AWS builtin option.

    6) Scan the Plesk FireWall once in few days, to see it was not hacked to add permissions, possibly by the Plesk Installer hacked, and injection of IPs that way.

    7) Move on to set email DKIM (this is a server encryption for emails, and replace the Plesk generated key with your own), SPF (this is your declaration that email from your domain or sub domain mail.example should come only from your IPs and possibly AWS SES sending emails on your behalf) for the 4 fixed IPs you have set, and DMARC policy (this is your instruction set on a DNS record, telling other servers what to do if SPF or DKIM fail, and includes your email to receive reports) to call other servers to reject emails pretending to come from you, and found not to pass the SPF and DKIM tests.

    8) Install Fail2ban and set mail alerts.

    9) Possibly add nginx rules, to block various access according to rules and IPs.

     

    Best of luck!

    0
    Comment actions Permalink
  • Avatar
    Support Dutiko

    Hi.
    The firewall doesn't allow custom outgoing ICMP rules.
    wich is very bad for some network specific ICMPv6 reply !

    -1
    Comment actions Permalink
  • Avatar
    Michel vd Lingen (Edited )

    This new Plesk Firewall system is a pain to handle through SSH, during server setup. The old version was easy to handle through SSH.
    I am trying to find a workaround, but also the import function is not working. I am now trying the following command:  /usr/local/psa/bin/modules/firewall/settings --import plesk-firewall-normal.json

    But it simply doesn't do anything, just hangs.

    The only "solution" is to do the firewall setup by hand, so manually from the Plesk interface. This is not an improvement, but a downgrade. Especially when you have to setup multiple servers. We like things automated and for 95% is completely automated, however the Plesk Firewall is a pain to deal with nowadays...

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles