
Firewall best practices

ergos

Guest
Hi all,
I am using the firewall module of Plesk. Yes, it is very simple, but I think it suits my needs.

Do you think this is a good configuration?

plesk admin interface: allow from my ips deny from others
www: allow incoming from all
ftp: allow incoming from my ips deny from others
ssh: allow incoming from my ips deny from others
smtp/pop3/mail/imap: allow incoming from all
mysql: allow incoming from localhost, ip of the server, deny from others
postgres/samba/tomcat/pleskvpn/dns: deny incoming from all
ping: allow from all
sys policy for incoming: deny all other incoming traffic
sys policy for outgoing: allow all other traffic

Thanks in advance
 
Depends on your setup and needs if that's a good setup.

If you're running a nameserver on your machine it might not be such a good idea to deny access to DNS.

Same goes for FTP for instance: if you're the only one that needs access to your FTP server, well sure, go ahead and limit access. But if you have clients that need to upload websites they won't be happy to find you've blocked them.

If MySQL is only used locally then you can also just set your firewall to deny all incoming connections.
 
Originally posted by breun
Depends on your setup and needs if that's a good setup.

If you're running a nameserver on your machine it might not be such a good idea to deny access to DNS.

Same goes for FTP for instance: if you're the only one that needs access to your FTP server, well sure, go ahead and limit access. But if you have clients that need to upload websites they won't be happy to find you've blocked them.

If MySQL is only used locally then you can also just set your firewall to deny all incoming connections.

Thanks for the answer. No, I am not running BIND, and also I am the only one for FTP and also MySQL is only local.

But, more in general, may I safely set the System policy for incoming traffic to deny all other incoming traffic?

Thanks in advance
 
The deny-all default policy is the best option as opposed to allow all, yes. But keep in mind that this can have consequences with FTP. If you are the only one using FTP and it works for you then you don't have to worry about it and all is well.

If it doesn't work then a simple option is to add a custom rule allowing all from your IP and place it right at the top. Alternatively, you can add a custom rule allowing a set of high ports in to FTP and then configure proftp to only use those high ports for passive FTP.

Just remember to give yourself some form of alternative access in case your IP gets forcibly changed with no notice. So adding a second trusted IP to ssh might be a good idea.

Faris.
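
The default-deny policy, the passive FTP port range and the second trusted IP discussed in this thread, as an added example (not part of any post above and not the rules the Plesk firewall module generates): a shell function that prints an equivalent `iptables-restore` ruleset. The trusted addresses, the passive range 49152-49252, the Plesk panel port 8443, the mail port list and the FORWARD policy are assumptions; the range has to match a `PassivePorts 49152 49252` line in the ProFTPD configuration.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for the policy in this thread.
# All values below are constructed placeholders (documentation address ranges).
TRUSTED_IPS="203.0.113.10 198.51.100.20"  # primary admin IP + a backup in case it changes
PASV_RANGE="49152:49252"                  # assumed; must match ProFTPD "PassivePorts 49152 49252"
ADMIN_PORTS="21,22,8443"                  # FTP control, SSH, Plesk panel (8443 assumed)
MAIL_PORTS="25,110,143,465,587,993,995"   # SMTP/POP3/IMAP and their TLS variants (assumed list)

emit_rules() {
  # Default deny for incoming, allow all outgoing, as in the original post.
  # FORWARD DROP is an assumption: the server does not route traffic.
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports $MAIL_PORTS -j ACCEPT
EOF
  # Admin services and the passive FTP data ports are reachable only from
  # the trusted addresses. Without the passive range, directory listings and
  # transfers hang under the DROP policy even though login on port 21 works.
  for ip in $TRUSTED_IPS; do
    echo "-A INPUT -s $ip -p tcp -m multiport --dports $ADMIN_PORTS,$PASV_RANGE -j ACCEPT"
  done
  # MySQL, PostgreSQL, Samba, Tomcat and DNS get no rule: local clients use
  # the loopback rule above, everything else falls through to the DROP policy.
  # IPv4 only; IPv6 needs its own ruleset loaded with ip6tables-restore.
  echo "COMMIT"
}

emit_rules
```

Pipe the output through `iptables-restore --test` before loading it, and keep an existing SSH session open while applying so a mistake in the trusted addresses does not lock you out.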
 