Applicable to:
- Plesk for Linux
Question
How to manage local firewall rules using Plesk Firewall in Plesk for Linux?
Answer
Note: If Plesk Firewall is not installed, install it using the steps from this KB article.
Note: Before enabling Plesk Firewall, disable firewalld via SSH if it is installed:
# systemctl stop firewalld && systemctl disable firewalld
In Plesk, go to Tools & Settings > Firewall > enable Firewall protection > click Apply. All rules predefined by Plesk that are required for Plesk functionality will be enabled.
Note: If a custom SSH port is used, add a rule for that port right after enabling Plesk Firewall so that SSH connections remain allowed. See the instructions below.
To add a new firewall rule, click on the + button.
Below is an example of adding a rule that will allow connections to custom SSH port 2222.
- Click the Add a firewall rule button.
- Fill in the fields and click Save:
  - Name of the rule: Custom SSH port
  - Match direction: Incoming
  - Action: Allow
  - Ports: TCP 2222
  - Sources: Specify the IP addresses from which SSH connections will be allowed. In this example, SSH connections to the custom port are allowed from 203.0.113.2.
- Click Apply Changes.
Use the /usr/local/psa/bin/modules/firewall/settings utility to manage Plesk Firewall from the command line.
For a complete list of available options, run this help command:
# /usr/local/psa/bin/modules/firewall/settings --help
Below is an example of enabling Plesk Firewall:
- Connect to the Plesk server via SSH in 2 separate SSH windows.
- In SSH window A, enable the firewall:
  # /usr/local/psa/bin/modules/firewall/settings -e
- In SSH window B, confirm the changes within 60 seconds:
  # /usr/local/psa/bin/modules/firewall/settings --confirm
All rules predefined by Plesk that are required for Plesk functionality will be enabled.
Below is an example of adding a new rule named "My rule" that denies incoming connections from 203.0.113.2 on ports 2222/tcp and 2222/udp:
- Connect to the Plesk server via SSH in 2 separate SSH windows.
- In SSH window A, create the new rule and apply it:
  # /usr/local/psa/bin/modules/firewall/settings -s -name 'My rule' -direction input -action deny -ports '2222/tcp,2222/udp' -remote-addresses "203.0.113.2"
  # /usr/local/psa/bin/modules/firewall/settings -a
- Back in SSH window B, confirm the changes within 60 seconds:
  # /usr/local/psa/bin/modules/firewall/settings -c
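The two procedures above (the UI rule for a custom SSH port and the CLI rule with `-s` ... `-a` ... `-c`) can be combined into one scripted session-A step. The following wrapper is an added example, not Plesk's own code or part of this article: it validates the port list and source address before calling the utility, prints the session-A / session-B sequence for the operator, and only executes when the utility actually exists on the host. The utility path, port 2222/tcp and source 203.0.113.2 are taken from the article; `-action allow` is assumed to be the CLI counterpart of the UI's Allow action (the article itself shows only `deny`), and the direction is restricted to `input`, the only value the article uses.

```shell
#!/bin/sh
# Added example (not Plesk code): wrapper around the Plesk Firewall CLI from
# the article. Assumed from the article: utility path, port 2222/tcp and
# source 203.0.113.2. "-action allow" is assumed to mirror the UI's Allow.
PLESK_FW=/usr/local/psa/bin/modules/firewall/settings

# validate_port_list '2222/tcp,2222/udp': every item must be <1-65535>/<tcp|udp>.
validate_port_list() {
    [ -n "$1" ] || return 1
    _saved_ifs=$IFS
    IFS=,
    set -f                 # no pathname expansion while splitting
    set -- $1
    set +f
    IFS=$_saved_ifs
    [ $# -ge 1 ] || return 1
    for _item; do
        case $_item in
            */tcp|*/udp) ;;
            *) return 1 ;;
        esac
        _port=${_item%/*}
        case $_port in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$_port" -ge 1 ] && [ "$_port" -le 65535 ] || return 1
    done
    return 0
}

# validate_ipv4 203.0.113.2: four dotted-decimal octets, each 0-255.
# (IPv4 only; this example does not handle ranges or IPv6.)
validate_ipv4() {
    _saved_ifs=$IFS
    IFS=.
    set -f
    set -- $1
    set +f
    IFS=$_saved_ifs
    [ $# -eq 4 ] || return 1
    for _octet; do
        case $_octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Check the parameters of the article's "-s" invocation:
#   name direction action ports sources
check_rule_args() {
    [ -n "$1" ] || return 1
    [ "$2" = input ] || return 1
    case $3 in allow|deny) ;; *) return 1 ;; esac
    validate_port_list "$4" || return 1
    validate_ipv4 "$5" || return 1
    return 0
}

# Render the session-A command for review or logging without running anything.
build_add_rule_cmd() {
    check_rule_args "$@" || return 1
    printf "%s -s -name '%s' -direction %s -action %s -ports '%s' -remote-addresses '%s'\n" \
        "$PLESK_FW" "$1" "$2" "$3" "$4" "$5"
}

# Session A: create the rule and apply it. Refuses to run where the utility
# is absent, so the script is harmless off a Plesk host.
add_and_apply_rule() {
    check_rule_args "$@" || return 1
    if [ ! -x "$PLESK_FW" ]; then
        echo "add_and_apply_rule: $PLESK_FW not found; nothing applied" >&2
        return 2
    fi
    "$PLESK_FW" -s -name "$1" -direction "$2" -action "$3" -ports "$4" -remote-addresses "$5" &&
    "$PLESK_FW" -a
}

# Stand-alone run: the article's first example (allow SSH on 2222/tcp from
# 203.0.113.2) expressed as a CLI call. Session B must confirm within 60 s.
if cmd=$(build_add_rule_cmd 'Custom SSH port' input allow '2222/tcp' 203.0.113.2); then
    echo "Session A: $cmd"
    echo "Session A: $PLESK_FW -a"
    echo "Session B (within 60 seconds, after verifying SSH on 2222 still answers): $PLESK_FW -c"
    add_and_apply_rule 'Custom SSH port' input allow '2222/tcp' 203.0.113.2 || true
fi
```

The confirmation from session B is the safety net the article relies on: run `-c` only after you have verified from that second session that the new port is reachable, and let the 60-second window lapse otherwise. The input checks exist because a malformed port list or address passed to `-s` is easier to catch before the apply step than after.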
Comments
11 comments
Hi Kuzma Ivanov,
May I ask, how come two different CLI sets, that do seem to both relate to the Plesk Fire-Wall show results that seem to be different, as below:
Adding a custom port doesn't work at all. I have tried both methods and am still unable to open a new port.
Hello Bragi Austfjörð
It might be that the port you opened is being filtered not by the local firewall, but by an external one. It might be blocked by your hosting or Internet service provider. I'd recommend contacting them to get more information.
Hello, Bragi Austfjörð
The reason the custom port options are not working is that you need to disable System policy for incoming traffic to Deny all other incoming traffic for your custom rules to work. WHITELIST your IP address or you will lose access to your Plesk control panel.
I would suggest, at first, checking what you have or don't have in the server's iptables for the port. Possibly Plesk would provide you the CLI to check it.
IPTABLES is where the server stores such blocking rules.
Another thing that comes to my mind is a possible need to run the Plesk repair CLI:
plesk repair all -y
BTW, if you are using AWS, you have control of a higher level basic firewall enabling port blocking or restricting, under 'connection'.
I host my own servers @ home and I have used this port for a long time with CWP and many other hosting panels and the port works on other hosting panels but not for plesk, so no the port is not blocked.
I have tried plesk repair all -y; still the same.
Hi Bragi Austfjörð,
What I would do in your place is REMOVE the Plesk FW using the Plesk -> Tools -> Update tool, and then reinstate it. After reinstating it, click 'enable' and start from a fresh beginning. I find the changes Plesk recently made to the Plesk FW likely, IMHO, to contain bugs (product defects). This could be related.
What I highly recommend is the following:
1) Obtain a service of PRIVATE IP, for BOTH your cellular and fixed home internet connection.
2) Set the server to use a static IP. This is possible on AWS.
3) Write down the IPs for the above two, as well as the server's private and public IP, and restrict almost all services on the Plesk FW (not including 'WWW server', 'DHCP client', 'Samba (file sharing in Windows networks)', 'Ping service', 'System policy for incoming traffic', 'System policy for outgoing traffic', and 'System policy for traffic forwarding') to be accessible ONLY FROM the above four IP addresses (possibly the SSH port 22 also needs a hosting service range, as in AWS Lightsail access, which uses an x.x.x.x/24 range for this).
4) Add the main port restriction also on the hosting level, which is a higher level from the Plesk server. On AWS LightSail they have 'networks' where you can do so.
5) Add Google Authenticator Multi Factor Authentication (MFA) for Plesk (using the Google Authentication Plesk extension), WordPress domains (using the miniOrange plugin), and the AWS built-in option.
6) Scan the Plesk Firewall once every few days to see that it was not hacked to add permissions, possibly through a hacked Plesk Installer and injection of IPs that way.
7) Move on to set email DKIM (this is a server encryption for emails, and replace the Plesk generated key with your own), SPF (this is your declaration that email from your domain or sub domain mail.example should come only from your IPs and possibly AWS SES sending emails on your behalf) for the 4 fixed IPs you have set, and DMARC policy (this is your instruction set on a DNS record, telling other servers what to do if SPF or DKIM fail, and includes your email to receive reports) to call other servers to reject emails pretending to come from you, and found not to pass the SPF and DKIM tests.
8) Install Fail2ban and set mail alerts.
9) Possibly add nginx rules, to block various access according to rules and IPs.
Best of luck!
Hi.
The firewall doesn't allow custom outgoing ICMP rules,
which is very bad for some network-specific ICMPv6 replies!
This new Plesk Firewall system is a pain to handle through SSH, during server setup. The old version was easy to handle through SSH.
I am trying to find a workaround, but also the import function is not working. I am now trying the following command: /usr/local/psa/bin/modules/firewall/settings --import plesk-firewall-normal.json
But it simply doesn't do anything, just hangs.
The only "solution" is to do the firewall setup by hand, so manually from the Plesk interface. This is not an improvement, but a downgrade. Especially when you have to set up multiple servers. We like things automated and for 95% it is completely automated, however the Plesk Firewall is a pain to deal with nowadays...
Hello Kuzma,
to your post:
It might be that the port you opened is being filtered not by the local firewall, but by an external one. It might be blocked by your hosting or Internet service provider. I'd recommend contacting them to get more information.
I have the same problem. And it's not filtered by something else external, because when I turn the firewall off, I can log in to SSH with my custom port. When I enable the firewall, then it's not possible. We urgently need a solution for this problem!! It has to be possible to log in to SSH with a custom SSH port when the firewall is enabled.