Plesk Firewall (Plesk for Linux)
Summary: The Plesk firewall is a tool you can use to improve the security of your Plesk for Linux server by restricting network connections to and/or from the server.
In this topic, you will learn how to add and remove firewall rules and policies, how to block incoming connections from specific countries, and also how to export and import firewall rules to easily replicate firewall configuration between servers.
Warning: The Plesk firewall and firewalld are both tools for managing the iptables firewall. Using both at the same time causes conflicts and can close ports that Plesk needs in order to work. We recommend using only one of the two tools at a time.
Prerequisites
Before you can begin, the 「Firewall」 extension must be installed on the server. If it is not, install the extension from the Extensions Catalog.
Managing Firewall Rules and Policies
The default Plesk firewall configuration consists of policies and rules. Policies are broad in scope and affect all incoming and outgoing connections to and from the server. For example, you can use the system policy for incoming traffic (Tools & Settings > Firewall) to block all incoming connections to the server. Rules are narrower in scope and mainly govern incoming connections to individual Plesk services, such as SMTP or MySQL.
Note that rules override policies. For example, if the global policy denies all incoming traffic but a rule allows incoming traffic from a certain IP address, the rule takes precedence. You can use this mechanism to easily tighten or relax the server's security. For example, setting policies that deny all connections to and from the server except for certain IP addresses or ports makes the server more secure, but some applications may stop working because of the network restrictions. Conversely, allowing all connections by default and using rules to block access to individual services or from individual IP addresses makes your server less secure, but protects you from connectivity problems. Experiment to find the best balance between usability and security.
You can manage the firewall in the following ways:
- Change the settings of the default policies and rules.
- Create custom rules.
To change the settings of the default policies and rules, go to Tools & Settings > Firewall (in the Security group) and click Enable Firewall Rules Management. Confirm that you want to enable rules management, wait for the change to be applied, and then click Modify Plesk Firewall Rules. Click the rule or policy you want to change. A policy can be set to allow or deny connections; a rule can be set to allow or deny connections, or to allow connections only from the specified addresses and deny all others. Once you have made the desired changes, click Apply Changes to put the new rule set into effect, or Discard Changes to roll them back.
To add a custom rule, enable firewall rules management as described above and click Add Custom Rule. Custom rules are more flexible than the standard rules: they can allow or deny incoming, outgoing, or forwarded connections to or from specified ports or IP addresses. After you have added one or more custom rules, click Apply Changes to add them to the rule set, or Discard Changes to drop the new rules. If you later decide to remove one or more custom rules, select the corresponding checkboxes, click Remove, confirm the removal, and then click Apply Changes to remove the selected rules from the rule set.
When creating custom rules, take care not to block connections to the ports used by Plesk services.
Note: If you are using Docker containers, Docker firewall rules are not added to the Plesk firewall rules.
Country Blocking
You can use the Plesk firewall to block access to or from IP addresses belonging to a particular country.
Blocking access from a specific country
- Log in to Plesk.
- Go to Tools & Settings > Firewall (under “Security”).
- Click the 「Firewall protection」 toggle button so that it shows “Enabled”. If firewall protection is already enabled, skip this step.
- Click the button.
- (Optional) Give your rule a name.
- Set 「Action」 to 「Deny」.
- Under 「Sources」, enter the two-letter ISO 3166 country code of the country you want to block (for example, to block all incoming connections from Afghanistan, enter AF).
- (Optional) Click 「Add one more」, and repeat the previous step to block an additional country. You can block as many countries as you want.
- Click Save once you have added all countries you want to block.
- Click Apply Changes, and then click Apply.
Once the firewall configuration has been applied, all incoming connections to your server from the blocked country or countries will be denied.
By default, Plesk uses the free 「IP to Country Lite」 database from DB-IP. You can instead use a free or paid database from MaxMind. Before you can do so, you need to obtain a free or paid license from MaxMind and receive your license key.
Switching to the paid GeoIP2 database
- Add the following lines to the panel.ini file:

  [ext-firewall]
  geoipDataSource = maxmind-lite

  to use the free GeoLite2 database, or

  [ext-firewall]
  geoipDataSource = maxmind

  to use the paid GeoIP2 database.

- Log in to the server via SSH, and then run the following command:

  LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind-lite --force

  or

  LICENSE_KEY=<enter your license key here> plesk sbin modules/firewall/ipsets --configure --data-source maxmind --force

  to use the free or paid database from MaxMind, respectively.

  Note: The command may finish with a “Set cannot be destroyed” warning. The warning can be safely ignored.

- Go to Tools & Settings > Firewall (under “Security”).

- Click Apply Changes, and then click Apply.

  Note: If the Apply Changes button is missing, create a new firewall rule to trigger the ability to apply changes. You can remove that rule afterwards.

Once the firewall configuration has been applied, the GeoIP2 database will be used instead of GeoLite2.
To switch back to the free database from DB-IP, remove the geoipDataSource = maxmind-lite or geoipDataSource = maxmind line from the panel.ini file, and then reapply the firewall configuration.
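As an added example (not Plesk's own code or documentation), the following POSIX shell script automates the data-source switch described in this section: it puts the geoipDataSource line under [ext-firewall] in panel.ini without duplicating it, removes the line again when switching back to DB-IP, and then runs the ipsets command quoted above. It assumes that panel.ini lives at /usr/local/psa/admin/conf/panel.ini (override with PANEL_INI), that the MaxMind license key is supplied in LICENSE_KEY, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not Plesk's own code: switch the Plesk firewall's GeoIP data
# source by editing panel.ini idempotently, then rebuild the country ipsets
# with the command documented above.
# Assumptions: panel.ini is at /usr/local/psa/admin/conf/panel.ini (override
# with PANEL_INI) and the MaxMind license key is supplied in LICENSE_KEY.
set -eu

PANEL_INI="${PANEL_INI:-/usr/local/psa/admin/conf/panel.ini}"

# set_geoip_source FILE SOURCE
# Puts "geoipDataSource = SOURCE" under [ext-firewall] in FILE, replacing any
# existing geoipDataSource line. SOURCE "dbip" means the DB-IP default, for
# which the line is simply removed (as the text above describes).
set_geoip_source() {
    file="$1"; src="$2"
    case "$src" in
        dbip|maxmind-lite|maxmind) ;;
        *) echo "unknown data source: $src" >&2; return 2 ;;
    esac
    [ -f "$file" ] || : > "$file"
    tmp="$(mktemp)"
    # Drop any existing geoipDataSource line (grep -v exits 1 if nothing is left).
    grep -v '^[[:space:]]*geoipDataSource[[:space:]]*=' "$file" > "$tmp" || true
    if [ "$src" != dbip ]; then
        if grep -q '^\[ext-firewall\]' "$tmp"; then
            # Section exists: insert the key right after its header.
            awk -v s="$src" '{ print } /^\[ext-firewall\]/ { print "geoipDataSource = " s }' \
                "$tmp" > "$tmp.new"
            mv "$tmp.new" "$tmp"
        else
            printf '\n[ext-firewall]\ngeoipDataSource = %s\n' "$src" >> "$tmp"
        fi
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_geoip_source FILE: print the configured source, or "dbip" when unset.
get_geoip_source() {
    sed -n 's/^[[:space:]]*geoipDataSource[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | grep . || echo dbip
}

# refresh_ipsets SOURCE: rebuild the ipsets for a MaxMind source. Skipped
# where the plesk CLI is absent so the script can be exercised offline.
refresh_ipsets() {
    src="$1"
    if ! command -v plesk >/dev/null 2>&1; then
        echo "plesk CLI not found; skipping ipsets refresh" >&2
        return 0
    fi
    case "$src" in
        maxmind|maxmind-lite)
            : "${LICENSE_KEY:?LICENSE_KEY must be set for MaxMind sources}"
            LICENSE_KEY="$LICENSE_KEY" plesk sbin modules/firewall/ipsets \
                --configure --data-source "$src" --force ;;
        dbip)
            echo "DB-IP restored; reapply the firewall configuration in Tools & Settings > Firewall" >&2 ;;
    esac
}

# Usage: sh switch-geoip.sh maxmind-lite | maxmind | dbip
if [ $# -ge 1 ]; then
    set_geoip_source "$PANEL_INI" "$1"
    refresh_ipsets "$1"
fi
```

The edit is done through a temporary file and rewritten in place so that file ownership and permissions of panel.ini are preserved; after running it, apply the change in Tools & Settings > Firewall as the steps above describe.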
Importing and Exporting Firewall Configuration
You may want to duplicate one Plesk for Linux server’s firewall configuration on other Plesk for Linux servers. The easiest way to do so is to export the firewall configuration to a file, and then to import it on each of those Plesk for Linux servers. You can import and export the firewall configuration both via the graphical interface and the command line.
Exporting the firewall configuration via the GUI
- Log in to Plesk on the server whose firewall configuration you want to copy.
- Go to Tools & Settings > Firewall (under “Security”).
- Click Export.
The firewall configuration will be saved to a .json file. You can find it in your browser’s downloads directory.
Importing the firewall configuration via the GUI
- Log in to Plesk on a server you want to copy another server’s firewall configuration to.
- Go to Tools & Settings > Firewall (under “Security”).
- Click the 「Firewall protection」 toggle button so that it shows “Enabled”, and then click Apply. If firewall protection is already enabled, skip this step.
- Click Import, and then locate the .json file exported on the server whose firewall configuration you want to copy.
The firewall configuration from the file will be applied.
Exporting the firewall configuration via the CLI
- Log in via SSH to the server whose firewall configuration you want to copy.

- Run the following command to export the firewall configuration:

  plesk ext firewall --export > rules.json

  You can give the file any name you want; 「rules.json」 is just an example.

The firewall configuration will be saved to the specified file.
Importing the firewall configuration via the CLI
- Log in via SSH to a server you want to copy another server’s firewall configuration to. You need to open two separate SSH sessions to import the firewall configuration.

- In the first SSH session, run the following command to enable firewall protection. If firewall protection is already enabled, skip this step.

  plesk ext firewall --enable

- In the second SSH session, run the following command to confirm firewall protection. If firewall protection is already enabled, skip this step.

  plesk ext firewall --confirm

- In the first SSH session, run the following command to import and apply the firewall configuration:

  plesk ext firewall --import -config <the file's URL or local path> && plesk ext firewall --apply

  For example:

  plesk ext firewall --import -config https://example.com/rules.json && plesk ext firewall --apply

  or

  plesk ext firewall --import -config /tmp/rules.json && plesk ext firewall --apply

- In the second SSH session, run the following command to confirm the imported firewall configuration.

  plesk ext firewall --confirm

The firewall configuration from the file will be applied to the server.
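As an added example (not Plesk's own tooling), the following POSIX shell script chains the CLI export and import procedures above so that one server's firewall configuration can be pushed to several others from an administrator's workstation. It uses only the commands this page documents, refuses to import an empty or non-JSON export, and pairs each enable and apply with the confirmation from a second SSH session. It assumes root SSH and SCP access to every host, that plesk ext firewall --enable and --apply wait for the --confirm from the second session (which is why the page requires two sessions), and the function names and the CONFIRM_DELAY and FIREWALL_ENABLED variables are the example's own.

```shell
#!/bin/sh
# Added example, not Plesk's own tooling: replicate one Plesk for Linux
# server's firewall configuration to other servers, from an admin workstation,
# using only the CLI calls documented above.
# Assumptions: root SSH/SCP access to every host; "plesk ext firewall --enable"
# and "--apply" wait for a "plesk ext firewall --confirm" issued from a second
# session (the two-session procedure above), so each is paired with a second
# SSH connection; the function names are this example's own.
set -eu

EXPORT_FILE="${EXPORT_FILE:-rules.json}"
CONFIRM_DELAY="${CONFIRM_DELAY:-5}"   # seconds to let session 1 start waiting

# check_export FILE: refuse to ship an empty or non-JSON-looking export, so a
# failed "--export" is never imported on the targets.
check_export() {
    [ -s "$1" ] || { echo "export is empty: $1" >&2; return 1; }
    first="$(tr -d '[:space:]' < "$1" | cut -c1)"
    case "$first" in
        '{'|'[') return 0 ;;
        *) echo "export does not look like JSON: $1" >&2; return 1 ;;
    esac
}

# export_rules HOST FILE: pull HOST's firewall configuration into FILE.
export_rules() {
    ssh "root@$1" 'plesk ext firewall --export' > "$2"
    check_export "$2"
}

# confirmed HOST CMD: run CMD on HOST (session 1) and, after a short delay,
# send the matching "--confirm" from session 2; fail if CMD fails.
confirmed() {
    ssh "root@$1" "$2" &
    session1=$!
    sleep "$CONFIRM_DELAY"
    ssh "root@$1" 'plesk ext firewall --confirm'
    wait "$session1"
}

# import_rules HOST FILE: copy FILE to HOST, enable protection if needed, then
# import and apply. Set FIREWALL_ENABLED=1 to skip the enable step on hosts
# where protection is already on.
import_rules() {
    remote="/tmp/$(basename "$2")"
    scp "$2" "root@$1:$remote"
    if [ "${FIREWALL_ENABLED:-0}" != 1 ]; then
        confirmed "$1" 'plesk ext firewall --enable'
    fi
    confirmed "$1" "plesk ext firewall --import -config $remote && plesk ext firewall --apply"
}

# Usage: sh replicate-firewall.sh SOURCE_HOST TARGET_HOST [TARGET_HOST...]
if [ $# -ge 2 ]; then
    export_rules "$1" "$EXPORT_FILE"
    shift
    for target in "$@"; do
        import_rules "$target" "$EXPORT_FILE"
    done
fi
```

Because the confirmation is what protects you from locking yourself out with a bad rule set, the script never sends --confirm for a command that has not been started, and a failing import or apply aborts the loop before the next target is touched.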