(Plesk for Linux) The Plesk Firewall
Caution: Both the Plesk Firewall and firewalld are tools for managing the iptables firewall. Using both tools simultaneously can result in conflicts and in ports required for Plesk to operate being closed. We recommend only using one tool at a time.
By default, the Plesk firewall configuration consists of policies and rules. Policies are broad in scope and affect all connections to or from the server, depending on the policy itself. For example, you can use System policy for incoming traffic (listed in Tools & Settings > Firewall) to completely block all incoming connections to the server. Rules are narrower in scope and govern incoming connections to individual Plesk services, such as SMTP or MySQL.
Note that rules override policies. For example, if the global policy is to deny all incoming traffic, but a rule allows incoming traffic from a specific IP, the rule takes precedence. You can use this mechanism to easily tighten or relax the security of the server. For example, setting up the policies to forbid all connections to and from the server except for a few allowed IP addresses or ports will result in improved security, but some applications may not be able to work due to the network restrictions. Conversely, allowing all connections by default and using rules to block access to individual services or from individual IP addresses will make your server less secure, but will ensure that you do not run into connection issues. Experiment to find the optimal trade-off between usability and security.
You can manage the firewall in two ways:
- Changing the settings of the default policies and rules.
- Creating custom rules.
To change the settings of the default policies and rules, go to Tools & Settings > Firewall (in the Security group) and click Enable Firewall Rules Management. Confirm enabling rules management, wait for the changes to be applied, then click Modify Plesk Firewall Rules. Click the rule or policy you want to change. You can set a policy to allow or deny connections, and you can set a rule to allow or deny connections, or to allow them from specified addresses only and deny them from all others. Once you have made the changes you wanted, click Apply Changes to make the new ruleset live, or Discard Changes to roll them back.
To add a custom rule, enable firewall rules management as described above and click Add Custom rule. Custom rules are more flexible than the standard ones and can be configured to allow or deny incoming, outgoing, or forwarding connections to or from a specific port or IP address. After you have added one or more custom rules, click Apply Changes to add them to the ruleset, or Discard Changes to discard them. If at a later date you decide to remove one or more custom rules, select the corresponding checkboxes, click Delete, confirm the deletion, then click Apply Changes to remove the selected rules from the ruleset.
When creating custom rules, be careful not to block connections to ports used by Plesk services by mistake.
Note: If you are using Docker containers, Docker firewall rules will not be added to Plesk firewall rules.
Country Blocking
You can use the Plesk firewall to block access to or from IP addresses belonging to a particular country.
Blocking access from a specific country
- Log in to Plesk.
- Go to Tools & Settings > Firewall (under “Security”).
- Click the “Firewall protection” toggle button so that it shows “Enabled”. If firewall protection is already enabled, skip this step.
- Click the button to add a new rule.
- (Optional) Give your rule a name.
- Set “Action” to “Deny”.
- Under “Sources”, enter the two-letter ISO 3166 country code of the country you want to block (for example, to block all incoming connections from Afghanistan, enter AF).
- (Optional) Click “Add one more”, and repeat the previous step to block an additional country. You can block as many countries as you want.
- Click Save once you have added all countries you want to block.
- Click Apply Changes, and then click Apply.
Once the firewall configuration has been applied, all incoming connections to your server from the blocked country or countries will be denied.
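The following is an added example and not Plesk's own code: a small Python model of how the policies and rules described above combine (rules override policies, and a service rule can "allow from specified addresses only and deny from all others"), with rule sources that may be an IP address, a CIDR range or an ISO 3166 country code, as in the country-blocking procedure. The IP-to-country table is constructed for the example and stands in for the DB-IP or MaxMind database; the first-match ordering between rules and the list of service ports checked at the end are assumptions of this model, not documented Plesk behaviour. It also includes the check a practitioner would want before clicking Apply Changes: which service ports a neutral client would no longer be able to reach.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed IP-to-country table standing in for the DB-IP / MaxMind database.
# The ranges are documentation prefixes and the country assignments are made up.
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "AF"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
]

def country_of(ip):
    """Return the ISO 3166 code for ip from the constructed table, or None."""
    addr = ipaddress.ip_address(ip)
    for net, code in GEOIP_TABLE:
        if addr in net:
            return code
    return None

@dataclass
class Rule:
    name: str
    direction: str                 # "in", "out" or "forward"
    action: str                    # "allow", "deny" or "allow_from_sources"
    ports: set = field(default_factory=set)      # empty set = any port
    sources: list = field(default_factory=list)  # IPs, CIDRs or ISO 3166 codes; empty = any

    def source_matches(self, src):
        if not self.sources:
            return True
        addr = ipaddress.ip_address(src)
        code = country_of(src)
        for s in self.sources:
            if len(s) == 2 and s.isalpha():          # country code such as "AF"
                if s.upper() == code:
                    return True
            elif addr in ipaddress.ip_network(s, strict=False):  # single IP or CIDR
                return True
        return False

    def decide(self, direction, port, src):
        """Return 'allow'/'deny' if this rule decides the connection, else None."""
        if self.direction != direction or (self.ports and port not in self.ports):
            return None
        if self.action == "allow_from_sources":
            # "allow from specified addresses only and deny from all others"
            return "allow" if self.source_matches(src) else "deny"
        return self.action if self.source_matches(src) else None

class Firewall:
    def __init__(self, policies, rules):
        self.policies = policies   # e.g. {"in": "deny", "out": "allow", "forward": "deny"}
        self.rules = rules

    def decide(self, direction, port, src):
        # Rules override policies; first matching rule wins (the ordering is this
        # model's assumption), and the policy applies only when no rule matches.
        for rule in self.rules:
            verdict = rule.decide(direction, port, src)
            if verdict is not None:
                return verdict
        return self.policies[direction]

# Ports you expect a generic client to reach: an assumed, illustrative subset,
# not Plesk's full list of service ports.
SERVICE_PORTS = {25: "SMTP", 8443: "Plesk panel", 3306: "MySQL"}

def blocked_service_ports(fw, probe_src="192.0.2.10"):
    """Ports from SERVICE_PORTS that the ruleset denies for a neutral source IP."""
    return sorted(p for p in SERVICE_PORTS if fw.decide("in", p, probe_src) == "deny")

def demo_firewall():
    """A constructed ruleset: deny-by-default incoming policy plus a few rules."""
    policies = {"in": "deny", "out": "allow", "forward": "deny"}
    rules = [
        Rule("Block AF", "in", "deny", sources=["AF"]),
        Rule("Plesk panel", "in", "allow", ports={8443}),
        Rule("SSH from admin net only", "in", "allow_from_sources", ports={22},
             sources=["198.51.100.0/24"]),
        Rule("Web", "in", "allow", ports={80, 443}),
    ]
    return Firewall(policies, rules)

if __name__ == "__main__":
    fw = demo_firewall()
    for direction, port, src in [("in", 8443, "203.0.113.5"), ("in", 8443, "192.0.2.10"),
                                 ("in", 22, "192.0.2.10"), ("in", 22, "198.51.100.7"),
                                 ("in", 25, "192.0.2.10")]:
        print(direction, port, src, "->", fw.decide(direction, port, src))
    print("service ports a neutral client cannot reach:", blocked_service_ports(fw))
```

In the demo ruleset the country-block rule has no port restriction, so a client in the blocked country is denied even on port 8443, where another rule allows everyone else; and because no rule covers SMTP or MySQL, the deny-by-default incoming policy closes them, which is exactly the mistake the caution about Plesk service ports warns about.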
By default, Plesk uses the free “IP to Country Lite” database from DB-IP. You can instead use a free or paid database from MaxMind. Before you can do so, you need to obtain a free or paid license from MaxMind and receive your license key.
Switching to the paid GeoIP2 database
- Add the following lines to the panel.ini file:
  [ext-firewall]
  geoipDataSource = maxmind-lite
  to use the free GeoLite2 database, or
  [ext-firewall]
  geoipDataSource = maxmind
  to use the paid GeoIP2 database.
- Log in to the server via SSH, and then run the following command:
  LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind-lite --force
  or
  LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind --force
  to use the free or paid database from MaxMind, respectively.
  Note: The command may finish with a “Set cannot be destroyed” warning. The warning can be safely ignored.
- Go to Tools & Settings > Firewall (under “Security”).
- Click Apply Changes, and then click Apply.
Note: If the Apply Changes button is missing, create a new firewall rule to trigger the ability to apply changes. You can remove that rule afterwards.
Once the firewall configuration has been applied, the GeoIP2 database will be used instead of GeoLite2.
To switch back to the free database from DB-IP, remove the geoipDataSource = maxmind-lite or geoipDataSource = maxmind line from the panel.ini file, and then reapply the firewall configuration.
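An added example, not Plesk's own code, for the panel.ini edit in the switching steps above and for the revert just described: it writes or removes the geoipDataSource key in the [ext-firewall] section and refuses any value other than the two the page documents. The path of panel.ini is an assumption (on this page only the file name is given); the functions take the path as an argument so the demo runs against a scratch file.

```python
import configparser
import tempfile
from pathlib import Path

# Assumed location of panel.ini on Plesk for Linux; not stated on this page.
PANEL_INI = Path("/usr/local/psa/admin/conf/panel.ini")
SECTION = "ext-firewall"
KEY = "geoipDataSource"
VALID_SOURCES = ("maxmind-lite", "maxmind")   # the two values the page documents

def _load(path):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str   # keep the key's case: geoipDataSource, not geoipdatasource
    if path.exists():
        cp.read_string(path.read_text())
    return cp

def set_geoip_source(path, source):
    """Write '[ext-firewall] geoipDataSource = <source>'; returns the value written."""
    if source not in VALID_SOURCES:
        raise ValueError(f"unsupported {KEY} {source!r}; expected one of {VALID_SOURCES}")
    cp = _load(path)
    if not cp.has_section(SECTION):
        cp.add_section(SECTION)
    cp.set(SECTION, KEY, source)
    with path.open("w") as fh:
        cp.write(fh)
    return source

def clear_geoip_source(path):
    """Remove the key so Plesk falls back to the default DB-IP database.
    Returns True if a line was removed, False if there was nothing to remove."""
    cp = _load(path)
    removed = cp.has_section(SECTION) and cp.remove_option(SECTION, KEY)
    if removed:
        with path.open("w") as fh:
            cp.write(fh)
    return bool(removed)

def current_geoip_source(path):
    """The configured value, or None when the default DB-IP database is in use."""
    return _load(path).get(SECTION, KEY, fallback=None)

def scratch_ini():
    """A throwaway panel.ini path for trying the functions without touching the real file."""
    return Path(tempfile.mkdtemp()) / "panel.ini"

if __name__ == "__main__":
    ini = scratch_ini()            # use PANEL_INI on a real server
    set_geoip_source(ini, "maxmind-lite")
    print(ini.read_text())         # shows the [ext-firewall] section with the key
    print("now:", current_geoip_source(ini))
    clear_geoip_source(ini)
    print("after revert:", current_geoip_source(ini))
```

Two things worth knowing before pointing this at a real panel.ini: configparser rewrites the whole file and drops comments, so keep a copy of the original, and the edit only changes the configuration file; the ipsets command and Apply Changes steps above are still needed for the new database to take effect.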