
Resolved Plesk firewall custom rule Allow incoming from all on all ports

Cameron

New Pleskian
Hi, I have a Dedicated Server where the first Firewall rule is called allowme. It is a custom rule which seems to allow access to any TCP or UDP port and any IP address. I didn't set this rule up, it was (I assume) added by my ISP when I purchased the server. Is this bad practice and should I delete this rule?

I don't want to allow anyone except me to be able to upload anything via FTP and I obviously don't want any website on the server to no longer be viewable. If I set the SSH and FTP rules to only allow access to my IP address this has no effect. Is that because the first rule overrules everything else?

Is there a best practice for setting all the various firewall rules?

Thanks
 
Thanks for this. Unfortunately since deleting this rule I can no longer connect to any of my websites with FTP, even if I add my IP address as the only one that can connect in the FTP firewall rule. I added my IP to the SSH rule and that is absolutely fine and I can connect as root no problem, but no FTP.

Any idea what has happened?
 
Yes, it's a timeout.

Status: Connecting to xxx.xx.xx.xxx:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Server does not support non-ASCII characters.
Status: Logged in
Status: Retrieving directory listing of "/httpdocs"...
Command: CWD /httpdocs
Response: 250 CWD command successful
Command: PWD
Response: 257 "/httpdocs" is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (xxx,xx,xx,xxx,161,116).
Command: MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
Status: Disconnected from server

I'm using FileZilla.
 
Response: 227 Entering Passive Mode (xxx,xx,xx,xxx,161,116).

The FTP passive mode uses an address range to communicate with the client.
To communicate with the server in passive mode, the client "asks" the server for a port (after being connected via port 21), on which it can connect to the server to do some data stuff. The client then tries to connect over the negotiated port. And there your log is going to show the problems. This address range must be opened in the firewall.
You can find the config file in /etc/proftpd.d/passive-ports.conf - the content should look like this:

Code:
<Global>
PassivePorts 49152 65535
</Global>
 
Thanks for the response. There is no file of that name in that directory. There is only 50-plesk.conf and ssl.conf in there. Do I need to create this file and specify the port range?
 
Yes, try to create the file 55-passive-ports.conf with the content from the post above in /etc/proftpd.d/
Also ensure that you can find the line
Code:
Include /etc/proftpd.d/*.conf
in your /etc/proftpd.conf

Don't forget to open the ports you used in the ports.conf in the firewall.

Then restart the FTP service.
Usually the FTP service runs in inetd mode, so: service xinetd restart
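As an added example (not code from this thread, Plesk or ProFTPD), a small Python checker that ties together the three things discussed above: the 227 reply in the FileZilla log, the PassivePorts directive in passive-ports.conf, the Include line in /etc/proftpd.conf, and the range opened in the firewall. All sample inputs are constructed; since the thread masks the server address, 192.0.2.10 is a placeholder.

```python
import re

# Constructed samples: the thread's log masks the address, so 192.0.2.10 is a placeholder.
SAMPLE_PASV = "Response: 227 Entering Passive Mode (192,0,2,10,161,116)."
SAMPLE_PASSIVE_CONF = "<Global>\nPassivePorts 49152 65535\n</Global>\n"
SAMPLE_PROFTPD_CONF = "ServerName \"ProFTPD\"\nInclude /etc/proftpd.d/*.conf\n"

PASV_RE = re.compile(r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
PORTS_RE = re.compile(r"^\s*PassivePorts\s+(\d+)\s+(\d+)\s*$", re.MULTILINE)
INCLUDE_RE = re.compile(r"^\s*Include\s+/etc/proftpd\.d/\*\.conf\s*$", re.MULTILINE)

def parse_pasv(line):
    """Decode a 227 reply: the last two numbers encode the data port as p1*256 + p2."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply")
    host = ".".join(m.group(i) for i in range(1, 5))
    return host, int(m.group(5)) * 256 + int(m.group(6))

def parse_passive_ports(conf_text):
    """Return (low, high) from a PassivePorts directive, or None if the directive is absent."""
    m = PORTS_RE.search(conf_text)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    if not 1024 <= lo <= hi <= 65535:
        raise ValueError(f"invalid PassivePorts range {lo} {hi}")
    return lo, hi

def include_enabled(proftpd_conf_text):
    """True if /etc/proftpd.conf pulls in /etc/proftpd.d/*.conf (a commented-out line does not count)."""
    return INCLUDE_RE.search(proftpd_conf_text) is not None

def diagnose(pasv_line, passive_conf, proftpd_conf, firewall_ranges):
    """Explain why a passive transfer hangs right after the 227 reply, or return 'ok'."""
    _, port = parse_pasv(pasv_line)
    if not include_enabled(proftpd_conf):
        return "proftpd.conf does not Include /etc/proftpd.d/*.conf, so passive-ports.conf is ignored"
    cfg = parse_passive_ports(passive_conf)
    if cfg is None:
        return "no PassivePorts directive: the server picks any ephemeral port, which the firewall cannot anticipate"
    lo, hi = cfg
    if not lo <= port <= hi:
        return f"data port {port} is outside PassivePorts {lo}-{hi}: the config is not loaded (restart the service)"
    if not any(a <= port <= b for a, b in firewall_ranges):
        return f"data port {port} is inside PassivePorts but not opened by firewall ranges {firewall_ranges}"
    return "ok"
```

Running `diagnose(SAMPLE_PASV, SAMPLE_PASSIVE_CONF, SAMPLE_PROFTPD_CONF, [(49152, 65535)])` reproduces the thread's situation: the log's port is 161*256+116 = 41332, outside the 49152-65535 range, which is what you see before the conf file exists or before the service has been restarted.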
 
Thank you, this is perfect. So I needed to create the conf file with the command line, then do the service restart, then in plesk I added a custom firewall rule with this port range, and specify that it can only connect from my IP address. This now works.

If I also set the firewall rule below this one to deny SSH connections except from my IP, is this about as secure as I can make it? Or could someone potentially fake my IP address and still get in?
 
If I also set the firewall rule below this one to deny SSH connections except from my IP, is this about as secure as I can make it? Or could someone potentially fake my IP address and still get in?
Everything is possible ;)
But security is not only about good firewall rules. The rules you are using are very strict and surely do a good job. But you should think about service security as well. What I mean is: take care how you configure a service, use long and secure passwords in combination with long usernames, i.e. don't use "admin", better use "this_is08my489long319and918not3to38guess10admin_user". Ensure that your software is always up to date, use IP address blacklisting like fail2ban; to improve your firewall you could proceed with SPI or DPI etc. etc. etc.

Don't get paranoid ;-)
 