(Plesk for Linux) Plesk Firewall
Summary: The Plesk firewall is a tool you can use to improve the security of your Plesk for Linux server by restricting network connections to and/or from the server.
In this topic, you will learn how to add and remove firewall rules and policies, how to block incoming connections from specific countries, and also how to export and import firewall rules to easily replicate firewall configuration between servers.
Warning: Both the Plesk firewall and firewalld are tools for managing the iptables firewall. Using both tools simultaneously can result in conflicts and in ports required for Plesk to operate being closed. We recommend only using one tool at a time.
Prerequisites
Before you can begin, the “Firewall” extension must be installed on the server. If it is not, install the extension from the Extensions Catalog.
Managing Firewall Rules and Policies
The default Plesk firewall configuration consists of policies and rules. Policies are broad in scope and affect all incoming and outgoing connections to and from the server. For example, you can use the system policy for incoming traffic (Tools & Settings > Firewall) to block all incoming connections to the server. Rules are narrower in scope and mainly govern incoming connections to individual Plesk services, such as SMTP or MySQL.
Note that rules override policies. For example, if the global policy is to deny all incoming traffic, but a rule allows incoming traffic from a particular IP address, the rule is followed. You can use this mechanism to easily tighten or loosen the security of your server. For example, setting a policy that forbids all incoming and outgoing connections to and from the server, except for certain IP addresses or ports, raises the security of the server, but some applications may stop working properly because of the network restrictions. Conversely, allowing all connections by default and using rules to block access to individual services or from individual IP addresses lowers the security of your server, but guarantees that you will not run into connectivity problems. Experiment to find the best balance between usability and security.
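To make the precedence just described concrete, the following added Python illustration (not Plesk's own code; Plesk enforces its decisions through iptables) evaluates an incoming connection against a policy and a set of rules using the semantics above: a rule covering the service port wins, and an "allow only from these addresses" rule denies everyone else. The rule set, the probe address and the assumption that the panel listens on port 8443 are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

ACTIONS = ("allow", "deny")

@dataclass(frozen=True)
class Rule:
    name: str
    port: int                      # destination port of the Plesk service the rule governs
    action: str                    # "allow" or "deny"
    sources: Tuple[str, ...] = ()  # empty: any source; otherwise only these networks are allowed

def evaluate_incoming(policy: str, rules, src_ip: str, dst_port: int) -> str:
    """Decide an incoming connection: a rule covering the destination port overrides
    the policy; when no rule covers the port, the policy decides."""
    if policy not in ACTIONS:
        raise ValueError(f"policy must be one of {ACTIONS}")
    ip = ip_address(src_ip)  # accepts IPv4 and IPv6 literals
    for rule in rules:
        if rule.port != dst_port:
            continue
        if rule.action == "deny" or not rule.sources:
            return rule.action
        # "allow only connections from the specified addresses, deny all others"
        return "allow" if any(ip in ip_network(n) for n in rule.sources) else "deny"
    return policy

# Constructed rule set: deny everything by default, then carve out service-level exceptions.
INCOMING_POLICY = "deny"
RULES = (
    Rule("Plesk panel", 8443, "allow"),              # assumption: the panel listens on 8443
    Rule("SMTP", 25, "allow", ("203.0.113.0/24",)),  # mail only from a trusted relay network
    Rule("HTTP", 80, "allow"),
    Rule("MySQL", 3306, "deny"),                     # denied even if the policy were "allow"
)

def blocked_ports(policy, rules, required_ports, probe_ip="198.51.100.1"):
    """Ports a client at probe_ip could not reach. Run this over the ports your Plesk
    services use before applying changes, since a deny policy with no matching rule
    (SSH on 22 in this rule set) silently locks that service out."""
    return [p for p in required_ports if evaluate_incoming(policy, rules, probe_ip, p) == "deny"]
```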
You can manage the firewall in the following ways:
- Change the settings of the default policies and rules.
- Create custom rules.
To change the settings of the default policies and rules, go to Tools & Settings > Firewall (in the Security group) and click Enable Firewall Rules Management. Confirm that you want to enable rules management, wait for the change to be applied, and then click Modify Plesk Firewall Rules. Click the rule or policy you want to change. You can set a policy to allow or deny connections, and you can set a rule to allow or deny connections, or to allow connections only from specified addresses and deny all others. Once you have made the desired changes, click Apply Changes to put the new rule set into effect, or Discard Changes to roll back.
To add a custom rule, enable firewall rules management as described above and click Add Custom Rule. Custom rules are more flexible than the standard rules: they can allow or deny incoming, outgoing, or forwarded connections to or from specified ports or IP addresses. After you have added one or more custom rules, click Apply Changes to add them to the rule set, or Discard Changes to not use the new rules. If you later decide to remove one or more custom rules, select the corresponding checkboxes, click Remove, confirm the removal, and then click Apply Changes to remove the selected rules from the rule set.
When creating custom rules, be careful not to block connections to the ports used by Plesk services.
Note: If you are using Docker containers, Docker firewall rules will not be added to the Plesk firewall rules.
Country Blocking
You can use the Plesk firewall to block access to or from IP addresses belonging to a particular country.
Blocking access from a specific country
- Log in to Plesk.
- Go to Tools & Settings > Firewall (under “Security”).
- Click the “Firewall protection” toggle button so that it shows “Enabled”. If firewall protection is already enabled, skip this step.
- Click the
button.
- (Optional) Give your rule a name.
- Set “Action” to “Deny”.
- Under “Sources”, enter the two-letter ISO 3166 country code of the country you want to block (for example, to block all incoming connections from Afghanistan, enter AF).
- (Optional) Click “Add one more”, and repeat the previous step to block an additional country. You can block as many countries as you want.
- Click Save once you have added all countries you want to block.
- Click Apply Changes, and then click Apply.
Once the firewall configuration has been applied, all incoming connections to your server from the blocked country or countries will be denied.
By default, Plesk uses the free “IP to Country Lite” database from DB-IP. You can instead use a free or paid database from MaxMind. Before you can do so, you need to obtain a free or paid license from MaxMind and receive your license key.
Switching to the paid GeoIP2 database
- Add the following lines to the panel.ini file:
[ext-firewall]
geoipDataSource = maxmind-lite
to use the free GeoLite2 database, or
[ext-firewall]
geoipDataSource = maxmind
to use the paid GeoIP2 database.
- Log in to the server via SSH, and then run the following command:
LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind-lite --force
or
LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind --force
to use the free or paid database from MaxMind, respectively.
Note: The command may finish with a “Set cannot be destroyed” warning. The warning can be safely ignored.
- Go to Tools & Settings > Firewall (under “Security”).
- Click Apply Changes, and then click Apply.
Note: If the Apply Changes button is missing, create a new firewall rule to trigger the ability to apply changes. You can remove that rule afterwards.
Once the firewall configuration has been applied, the GeoIP2 database will be used instead of GeoLite2.
To switch back to the free database from DB-IP, remove the geoipDataSource = maxmind-lite or geoipDataSource = maxmind line from the panel.ini file, and then reapply the firewall configuration.
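The panel.ini edits in the steps above, and the removal that switches back to DB-IP, can be scripted. This added Python example (not part of Plesk) changes only the geoipDataSource key in the [ext-firewall] section, preserves the other sections, and keeps the key's case, which configparser would otherwise lowercase; the sample file contents are constructed, and the ipsets command and the firewall reapply still have to be performed afterwards as described above.

```python
import configparser
import io

SECTION = "ext-firewall"
KEY = "geoipDataSource"
VALID_SOURCES = ("maxmind-lite", "maxmind")  # free GeoLite2 / paid GeoIP2; None = DB-IP default

def _parser():
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep "geoipDataSource" as written; the default lowercases keys
    return cp

def set_geoip_source(ini_text: str, source) -> str:
    """Return panel.ini text with geoipDataSource set to `source`, or with the key
    (and an emptied [ext-firewall] section) removed when `source` is None."""
    if source is not None and source not in VALID_SOURCES:
        raise ValueError(f"unknown data source {source!r}; expected one of {VALID_SOURCES}")
    cp = _parser()
    cp.read_string(ini_text)
    if source is None:
        if cp.has_section(SECTION):
            cp.remove_option(SECTION, KEY)
            if not cp.options(SECTION):
                cp.remove_section(SECTION)
    else:
        if not cp.has_section(SECTION):
            cp.add_section(SECTION)
        cp.set(SECTION, KEY, source)  # overwrites rather than duplicating the key
    out = io.StringIO()
    cp.write(out)  # note: configparser rewrites the file and drops comments
    return out.getvalue()

def current_geoip_source(ini_text: str):
    """Return the configured MaxMind source, or None when the DB-IP default applies."""
    cp = _parser()
    cp.read_string(ini_text)
    return cp.get(SECTION, KEY, fallback=None)

def update_panel_ini(path: str, source) -> None:
    """Apply set_geoip_source to a file; a missing panel.ini is treated as empty."""
    try:
        with open(path) as f:
            text = f.read()
    except FileNotFoundError:
        text = ""
    with open(path, "w") as f:
        f.write(set_geoip_source(text, source))

# Constructed sample content: an unrelated setting that must survive the edit.
SAMPLE_PANEL_INI = "[log]\nfilter.priority = 7\n"
```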
Importing and Exporting Firewall Configuration
You may want to duplicate one Plesk for Linux server’s firewall configuration on other Plesk for Linux servers. The easiest way to do so is to export the firewall configuration to a file, and then to import it on each of those Plesk for Linux servers. You can import and export the firewall configuration both via the graphical interface and the command line.
Exporting the firewall configuration via the GUI
- Log in to Plesk on the server whose firewall configuration you want to copy.
- Go to Tools & Settings > Firewall (under “Security”).
- Click Export.
The firewall configuration will be saved to a .json file. You can find it in your browser’s downloads directory.
Importing the firewall configuration via the GUI
- Log in to Plesk on a server you want to copy another server’s firewall configuration to.
- Go to Tools & Settings > Firewall (under “Security”).
- Click the “Firewall protection” toggle button so that it shows “Enabled”, and then click Apply. If firewall protection is already enabled, skip this step.
- Click Import, and then locate the .json file exported on the server whose firewall configuration you want to copy.
The firewall configuration from the file will be applied.
Exporting the firewall configuration via the CLI
- Log in via SSH to the server whose firewall configuration you want to copy.
- Run the following command to export the firewall configuration:
plesk ext firewall --export > rules.json
You can give the file any name you want; “rules.json” is just an example.
The firewall configuration will be saved to the specified file.
Importing the firewall configuration via the CLI
- Log in via SSH to a server you want to copy another server’s firewall configuration to. You need to open two separate SSH sessions to import the firewall configuration.
- In the first SSH session, run the following command to enable firewall protection. If firewall protection is already enabled, skip this step.
plesk ext firewall --enable
- In the second SSH session, run the following command to confirm firewall protection. If firewall protection is already enabled, skip this step.
plesk ext firewall --confirm
- In the first SSH session, run the following command to import and apply the firewall configuration:
plesk ext firewall --import -config <the file's URL or local path> && plesk ext firewall --apply
For example:
plesk ext firewall --import -config https://example.com/rules.json && plesk ext firewall --apply
or
plesk ext firewall --import -config /tmp/rules.json && plesk ext firewall --apply
- In the second SSH session, run the following command to confirm the imported firewall configuration:
plesk ext firewall --confirm
The firewall configuration from the file will be applied to the server.