How to manage local firewall rules using Plesk Firewall in Plesk for Linux

Comments

7 comments

  • Ehud Ziegelman

    Hi Kuzma Ivanov,

    May I ask how it is that two different CLI commands, which both seem to relate to the Plesk firewall, show results that appear to differ, as below:


    systemctl status firewalld
    * firewalld.service
         Loaded: masked (Reason: Unit firewalld.service is masked.)
         Active: inactive (dead)

     

    systemctl status psa-firewall.service
    * psa-firewall.service - Plesk firewall module management
         Loaded: loaded (/lib/systemd/system/psa-firewall.service; enabled; vendor preset: enabled)
         Active: active (exited) since Sun 2023-04-23 18:48:45 IDT; 7h ago
       Main PID: 1017 (code=exited, status=0/SUCCESS)
            CPU: 4min 59.996s

    Notice: journal has been rotated since unit was started, output may be incomplete.
  • Bragi Austfjörð

    Adding a custom port doesn't work at all. I have tried both methods and am still unable to open a new port.

  • Kuzma Ivanov

    Hello Bragi Austfjörð,

    It might be that the port you opened is being filtered not by the local firewall, but by an external one. It might be blocked by your hosting or Internet service provider. I'd recommend contacting them to get more information.

  • Ehud Ziegelman (Edited)

    I would suggest first checking what you have or don't have in the server's iptables for the port. Possibly Plesk provides a CLI to check it.

    IPTABLES is where the server stores such blocking rules.

    It also comes to mind that you may need to run the Plesk repair CLI:

    plesk repair all -y

    BTW, if you are using AWS, you have control of a higher level basic firewall enabling port blocking or restricting, under 'connection'.

  • Bragi Austfjörð

    I host my own servers at home, and I have used this port for a long time with CWP and many other hosting panels. The port works on other hosting panels but not for Plesk, so no, the port is not blocked.

  • Bragi Austfjörð

    I have tried this (plesk repair all -y); still the same.

  • Ehud Ziegelman

    Hi Bragi Austfjörð,

    What I would have done in your place is REMOVE the Plesk FW using the Plesk -> Tools -> Update tool, and then reinstate it. After reinstating it, click 'enable' and start from a fresh beginning. I find the changes Plesk recently made to the Plesk FW likely, IMHO, to contain bugs (product defects). This could be related.

    What I highly recommend is the following:

    1) Obtain a PRIVATE IP service for BOTH your cellular and fixed home internet connections.

    2) Set the server to use a static IP. This is possible on AWS.

    3) Write down the IPs for the above two, as well as the server's private and public IP, and restrict almost all services on the Plesk FW (not including 'WWW server', 'DHCP client', 'Samba (file sharing in Windows networks)', 'Ping service', 'System policy for incoming traffic', 'System policy for outgoing traffic', and 'System policy for traffic forwarding') to be accessible ONLY FROM the above four IP addresses (possibly the SSH port 22 also needs a hosting service range, as with AWS Lightsail access, which uses an x.x.x.x/24 range for this).

    4) Add the main port restriction also at the hosting level, which is a higher level than the Plesk server. On AWS Lightsail they have 'networks' where you can do so.

    5) Add Google Authenticator Multi-Factor Authentication (MFA) for Plesk (using the Google Authenticator Plesk extension), WordPress domains (using the miniOrange plugin), and the AWS built-in option.

    6) Scan the Plesk Firewall once every few days to see that it was not hacked to add permissions, possibly through the Plesk installer being hacked and IPs injected that way.

    7) Move on to set up email DKIM (this is server encryption for emails; replace the Plesk-generated key with your own), SPF (this is your declaration that email from your domain or subdomain mail.example should come only from your IPs, and possibly from AWS SES sending emails on your behalf) for the 4 fixed IPs you have set, and a DMARC policy (this is your instruction set in a DNS record, telling other servers what to do if SPF or DKIM fail, and it includes your email address to receive reports) to tell other servers to reject emails pretending to come from you that are found not to pass the SPF and DKIM tests.

    8) Install Fail2ban and set mail alerts.

    9) Possibly add nginx rules to block various access according to rules and IPs.

    Best of luck!
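Two of the comments above point at the same defensive routine: check what the server's iptables actually say about a port (Ehud's first reply to Bragi), and re-check the firewall every few days to make sure nothing was added behind your back (step 6 in the last comment). The script below is an added example and not part of the thread or of Plesk itself; it works on text in the iptables-save format, so a constructed sample ruleset is embedded and the function names (port_verdict, ruleset_fingerprint, ruleset_changed) are hypothetical. On a real host you would pipe the output of iptables-save (run as root) into the same functions.

```shell
#!/bin/sh
# Added example, not from the thread: audit a saved iptables ruleset for a
# given port, and fingerprint it so later runs can detect rule changes.

# Constructed sample in iptables-save format. Chains, ports and addresses are
# made up for illustration; 203.0.113.0/24 is a documentation range.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 203.0.113.10/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25565 -j DROP
COMMIT'

# port_verdict RULESET PROTO PORT
# Prints the target (ACCEPT, DROP, ...) of the first INPUT rule that matches
# PROTO and --dport PORT, mirroring iptables first-match order. If no rule
# mentions the port, prints "policy <INPUT chain policy>", which is what
# actually applies to that traffic. Only single --dport values are parsed
# (no port ranges, no multiport --dports).
port_verdict() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        /^:INPUT / { policy = $2 }
        /^-A INPUT / {
            p = ""; dport = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p")      p = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (!found && p == proto && dport == port) { found = 1; verdict = target }
        }
        END { if (found) print verdict; else print "policy " policy }'
}

# ruleset_fingerprint RULESET
# Checksum of the ruleset with comment lines and the [packets:bytes] counters
# stripped, so traffic volume does not change the value but any rule edit does.
ruleset_fingerprint() {
    printf '%s\n' "$1" | sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' | cksum | cut -d ' ' -f 1
}

# ruleset_changed RULESET BASELINE_FINGERPRINT
# Exit status 0 (true) when the ruleset no longer matches the stored baseline.
ruleset_changed() {
    [ "$(ruleset_fingerprint "$1")" != "$2" ]
}

# Stand-alone demo on the constructed sample.
echo "tcp/80:    $(port_verdict "$SAMPLE_RULES" tcp 80)"
echo "tcp/25565: $(port_verdict "$SAMPLE_RULES" tcp 25565)"
echo "tcp/9000:  $(port_verdict "$SAMPLE_RULES" tcp 9000)"
BASELINE=$(ruleset_fingerprint "$SAMPLE_RULES")
if ruleset_changed "$SAMPLE_RULES" "$BASELINE"; then
    echo "ruleset changed since baseline"
else
    echo "ruleset matches baseline $BASELINE"
fi
```

For periodic checking, save the fingerprint taken right after you finish configuring the Plesk Firewall, run the comparison from cron over fresh iptables-save output (and ip6tables-save if IPv6 is enabled), and alert on a mismatch; a legitimate change made through the panel simply means re-baselining. The verdict function tells you why a port "doesn't work": an explicit DROP rule, an ACCEPT restricted by -s to a source you are not testing from, or no rule at all with a DROP chain policy all look the same from the client side.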
