
Firewall allow specific source, deny others not working

Jeroen1

New Pleskian
In Plesk I have set the SSH rule to "allow from source, deny others" and added my IP. However, if I connect my PC to my work VPN, I can still log in via SSH, even when I am on a different IP than the allowed IP.

Plesk setting: [screenshot attachment, Schermafbeelding 2015-03-28 om 18.50.22.png]
Config file in Ubuntu: [screenshot attachment, Schermafbeelding 2015-03-28 om 18.55.48.png]
 
@Jeroen1,

The current firewall settings for the VPN allow different IPs to connect to SSH, via the VPN connection.

In short, add a similar rule (to that of the SSH rule) to the firewall, in order to prevent someone else from getting access to SSH.

Note that you have to add your IP as "allow, deny others" to the VPN rule, already present in the Plesk Firewall extension.

By the way, it is easier to make use of the hierarchical features of the firewall: if you add a custom "allow" rule for your own IP as the first line in the Plesk Firewall extension (i.e. use the Plesk Panel, for the sake of convenience), you won't have to adjust all the separate firewall rules.

Note that, when using this first line (see above), you should not choose the "allow, deny others" option, since no other IP than your own IP would have access in that case.

Also note that, when using this first line (see above), you still have to create lines (with lower priority) to block IPs or IP ranges for specific applications, ports or protocols.

In general, you can use the hierarchical structure to efficiently control access to the server, i.e. more efficient than specifying rules for each application or port or protocol.

In your case, it will be easier to add your IP as "allow, deny others" to the VPN rule.

However, this will be at the cost of open access to other applications, ports or protocols (other than VPN), unless other firewall rules have already been defined for them.

Hope the above helps.

Kind regards.......
 
Hi Trialotto, thanks for your answer!

I have added the IP to the VPN. But now I am still able to connect on ssh via a different IP.

Regarding the hierarchical structure, I guess this means the hierarchy in the Ubuntu config file, right? Because in the Plesk GUI there doesn't seem to be any logical hierarchy.

[screenshot attachment, plesk_firewall.jpg]
 
@Jeroen1,

With respect to

Regarding the hierarchical structure, I guess this means the hierarchy in the Ubuntu config file, right? Because in the Plesk GUI there doesn't seem to be any logical hierarchy.

the following.

The Plesk GUI is just a graphical representation of iptables (i.e. the firewall) and a logical hierarchy can be introduced in the Plesk GUI by adding custom firewall rules.

These custom firewall rules will (naturally) be translated to appropriate (hierarchical) firewall rules within iptables, upon activation.

In short, hierarchy is, or can be, present in both the Plesk GUI and iptables.

How to add custom firewall rules? Just open Plesk Firewall extension and select "Modify Plesk Firewall rules".

It is a relatively easy process, but be careful (before you know it, you have made a mistake, sometimes leading to exclusion of access to the Plesk Panel).

With respect to

I have added the IP to the VPN. But now I am still able to connect on ssh via a different IP.

the following.

First of all, make sure you selected the "allow, deny others" option (and not the "allow" option) for the VPN connection. Verify that (and report back).

Second, you can read some information about VPN in the administrator´s guide, see http://download1.parallels.com/Ples...inistrator-guide/index.htm?fileName=62400.htm

It is quite normal that you log in, as long as you log in via the VPN.

If you want to restrict SSH access via the VPN, a (relatively) complicated set of (custom) firewall rules has to be introduced.

I suggest that you disable the VPN module for Plesk, since it does not add any significant security, if you have a proper firewall configuration.

I also suggest that you install the Fail2Ban module, in order to have some specific (bad) IPs automatically blocked for a specific duration (i.e. this reduces the exhaustive task of continuous configuration of the Plesk firewall). Note that Fail2Ban adjusts iptables, implying that it has the same effect as manual firewall configuration.

As a final and relevant note, you should deny access to all applications/services that you are not using.

For instance, if you are not using Samba, deny all access (with a firewall adjustment with the Plesk GUI).

Also as a relevant illustration: Plesk administrative interface access should, by preference, only be present for the administrator, i.e. allow your own IP, block all others!

Kind regards....
 
Hi,

First of all, make sure you selected the "allow, deny others" option (and not the "allow" option) for the VPN connection. Verify that (and report back).

Yes, that's the option I have selected.

I suggest that you disable the VPN module for Plesk, since it does not add any significant security, if you have a proper firewall configuration.
I have removed the VPN extension via the extension manager. However, the VPN rule is still visible/available in the firewall GUI.

I also suggest that you install the Fail2Ban module, in order to have some specific (bad) IPs automatically blocked for a specific duration (i.e. this reduces the exhaustive task of continuous configuration of the Plesk firewall). Note that Fail2Ban adjusts iptables, implying that it has the same effect as manual firewall configuration.
fail2ban is already running, including the ssh jail. Could that be causing the fact I can still login via ssh on a different IP?

As a final and relevant note, you should deny access to all applications/services that you are not using.

For instance, if you are not using Samba, deny all access (with a firewall adjustment with the Plesk GUI).

Also as a relevant illustration: Plesk administrative interface access should, by preference, only be present for the administrator, i.e. allow your own IP, block all others!

Ok, this is my complete setup now. I guess blocking mysql means 'localhost' can still connect, right? (my websites are still working now).

[screenshot attachment, plesk_firewall_full.jpg]
 
@Jeroen1,

I have removed the VPN extension via the extension manager. However, the VPN rule is still visible/available in the firewall GUI.

Just change the VPN (firewall) rule to "deny" (from options, select "Deny").

fail2ban is already running, including the ssh jail. Could that be causing the fact I can still login via ssh on a different IP?

Not very likely, but it can be the case, if you have whitelisted more than your own IP in Fail2Ban.

Ok, this is my complete setup now. I guess blocking mysql means 'localhost' can still connect, right? (my websites are still working now).

Note the following remarks and/or suggestions:

a) In order to prevent locking yourself out: create a custom firewall rule, name it "Admin" (or similar), select "incoming" and "allow" and only (!) add your own IP. Put this custom firewall rule at the top, make sure it is the first rule.

b) the firewall rule with name "non-secure admin" does not add much, it can be removed, if you want to.

c) disable access to the mail password change service, change the firewall rule to "deny"

d) disable access to "Parallels products installer", change the firewall rule to "allow, deny all others" and add your own IP (I am missing this and other rules in your firewall setup)

e) trust in Fail2Ban (with standard config) and add some notoriously bad IP addresses to the firewall (note: Fail2Ban is a temporary block, the firewall is permanent), by creating a custom firewall rule with name "Notorious" (or similar) and adding the bad IPs manually, with "incoming" and option "Deny" selected AND without any ports added (this implies that the bad/notorious IPs are blocked on all ports)

Furthermore, you should not worry about "localhost connections", this is beyond the scope and functionality of a firewall.

Kind regards...
 
Thanks, adding the admin rule and denying SSH is working. Cannot log in from a different IP, but can log in from my own IP.
 
@Jeroen1,

Thanks for the "like".

By the way, do not forget to whitelist your own IP in Fail2Ban. This is for certainty: Fail2Ban cannot block your IP then. Otherwise, some erroneous SSH login attempts would normally result in Fail2Ban blocking your IP, but the firewall rule with name "Admin" (i.e. the first line in the firewall) should guarantee some (SSH or other) access.

Kind regards.....
 
I will.

However, I have 1 extra problem. My ISP doesn't assign static IPs, so my IP is dynamic. Normally my router is 24/7 connected so the IP doesn't change.... much. But an IP change would lock me out.
 
I will.

However, I have 1 extra problem. My ISP doesn't assign static IPs, so my IP is dynamic. Normally my router is 24/7 connected so the IP doesn't change.... much. But an IP change would lock me out.

Ehm, are you talking about a router, or do you have a VPS with dynamic IP and/or a cloud based VPS/VM?

By the way, you can also start a private conversation, if you would like to. Just let me know.

Kind regards....
 
Ehm, are you talking about a router, or do you have a VPS with dynamic IP and/or a cloud based VPS/VM?

By the way, you can also start a private conversation, if you would like to. Just let me know.

Kind regards....
My IP which I use to log in to the Plesk VPS is dynamic. So if my IP changes, I will be locked out of Plesk by the 'admin' rule.
 
@Jeroen1,

I presume the "router" has a block range of assigned IP addresses.

If so, you can change the "Admin" firewall rule to allow a CIDR block range, for instance 195.23.0.0/8 (just to illustrate, do not take these values).

This option to add IP blocks allows you to have a firewall rule, even when your IP is dynamic (within certain boundaries).

Note that a normal "router", as supplied by your internet provider, often is more static (than dynamic).

Also note that you can use IP blocks with Fail2Ban (for black- and whitelisting), so the above also applies to Fail2Ban settings.

Kind regards.....
 
Yeah, I could add /24. I guess it would be a real coincidence if somebody from the same ISP in this specific range of 255 addresses would try to hack my system.
 
Jeroen1,

In general, you should use the (full) IP block that is used by the "router" to assign (dynamic) IPs to the various machines (PC/Desktop/Server etc.).

This also increases the risk and reduces the effectiveness of a firewall rule in Plesk.

You are probably able to "log in" to the "router" and change settings, in order to allow a fixed IP for the PC/Desktop/Server being used for logging in to Plesk. Consider that.

I am still not sure why you have a dynamic IP, it seems somewhat strange and unconventional in this case.

Kind regards...
 
I think you misunderstand me. I have an internet connection with a dynamic IP. In the firewall in the VPS I have to add an IP to allow login to Plesk, SSH etc. This is my current public IP. But if the lease of my internet connection expires, the public IP changes.

The VPS is not in my home network.

So:

Home network WAN is 63.xxx.xxx.022
VPS at hostingprovider 85.xxx.xxx.xxx

In the firewall in the VPS I allow 63.xxx.xxx.022 to login to plesk, ssh, etc. BUT... if 63.xxx.xxx.022 changes to 63.xxx.xxx.020 I cannot login to the VPS anymore.
 
Jeroen1,

There has not been any misunderstanding on my side.

I am pretty sure that you can turn off your modem and find out that, after turning it on again, the assigned IP has not changed.

However, there is no room for "guessing" and/or "being pretty sure", so do the following:

a) maintain the "Admin" firewall rule in such a fashion that it contains only your own IP (not an IP block of form x.x.x.x/x)

b) maintain a "SSH" firewall rule, with only your own IP

c) change the "Plesk administrative interface" rule to "allow all" OR "allow" an IP block range that you're confident about (i.e. containing all possible dynamic IPs)

and this way, you can always get access to the Plesk Panel and change the firewall, in order to allow for specific access, if the dynamic IP has changed.

Kind regards....

PS You are probably Dutch and I can be mistaken, but in general the assigned IP does not change that often with Dutch ISPs.
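As an added example (not code from this thread, from Plesk or from its firewall extension), the following POSIX shell script models the first-match ordering that the Plesk Firewall extension hands to iptables, using the layout recommended above: an "Admin" allow rule for your own IP at the top, a "Notorious" deny rule without ports, an "allow, deny others" pair for the administrative interface with a CIDR block so a dynamic home IP does not lock you out, and per-service deny rules below. The addresses 203.0.113.10, 203.0.113.0/24, 203.0.113.77, 198.51.100.7 and 198.51.100.50 are constructed documentation-range values, the two rule tables are constructed, and the functions ip2int, in_net, decide and emit_iptables are mine; emit_iptables only prints the iptables commands it would generate and never runs them.

```shell
#!/bin/sh
# Added example: first-match evaluation of a Plesk-style firewall rule list.
# All addresses and rules below are constructed for illustration.

# Rule table, one rule per line, highest priority first (like the Plesk list):
#   name|source (IP, CIDR or any)|tcp port (number or any)|ACCEPT or DROP
# "Admin" sits on top so the admin's own IP is never caught by a later deny.
# "Notorious" has no port, so those IPs are blocked on every port.
# A Plesk "allow, deny others" rule becomes an allow line followed by a deny line.
GOOD='Admin|203.0.113.10|any|ACCEPT
Notorious|198.51.100.7|any|DROP
SSH|any|22|DROP
Panel|203.0.113.0/24|8443|ACCEPT
Panel-others|any|8443|DROP
HTTP|any|80|ACCEPT
HTTPS|any|443|ACCEPT'

# The same idea with the Admin rule placed below the SSH deny: the admin's
# own SSH connection now hits the deny line first (the lock-out mistake).
BAD='SSH|any|22|DROP
Admin|203.0.113.10|any|ACCEPT
HTTP|any|80|ACCEPT'

# ip2int <dotted-quad>: print the address as a 32-bit integer.
ip2int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net <ip> <spec>: succeed when ip matches spec (any, a single IP or CIDR).
in_net() {
  case $2 in
    any) return 0 ;;
    */*) net=${2%/*}; bits=${2#*/} ;;
    *)   net=$2; bits=32 ;;
  esac
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# decide <table> <src-ip> <dport>: print "ACTION name" of the first matching
# rule, or "DROP policy" when no rule matches (the chain's default policy).
decide() {
  verdict=$(printf '%s\n' "$1" | while IFS='|' read -r name src port action; do
    if in_net "$2" "$src" && { [ "$port" = any ] || [ "$port" = "$3" ]; }; then
      echo "$action $name"
      break   # first match wins, exactly as iptables walks the INPUT chain
    fi
  done)
  echo "${verdict:-DROP policy}"
}

# emit_iptables <table>: print (do not run) the iptables commands the table
# corresponds to. Loopback is accepted first, so "localhost" is never filtered.
emit_iptables() {
  echo 'iptables -A INPUT -i lo -j ACCEPT'
  echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' "$1" | while IFS='|' read -r name src port action; do
    cmd='iptables -A INPUT'
    [ "$src" = any ] || cmd="$cmd -s $src"
    [ "$port" = any ] || cmd="$cmd -p tcp --dport $port"
    echo "$cmd -j $action   # $name"
  done
  echo 'iptables -P INPUT DROP'
}

emit_iptables "$GOOD"
echo
echo "admin SSH, good order:   $(decide "$GOOD" 203.0.113.10 22)"
echo "stranger SSH:            $(decide "$GOOD" 198.51.100.50 22)"
echo "dynamic IP to panel:     $(decide "$GOOD" 203.0.113.77 8443)"
echo "notorious IP to HTTP:    $(decide "$GOOD" 198.51.100.7 80)"
echo "admin SSH, bad order:    $(decide "$BAD" 203.0.113.10 22)"
```

Running it prints the generated iptables lines and the verdicts. With the GOOD table the admin's own SSH packet is accepted by the first rule, a stranger's SSH packet is dropped, and an address from the /24 block still reaches port 8443; with the BAD table the same admin SSH packet is dropped by the SSH rule before the Admin rule is ever consulted. The loopback accept placed ahead of every rule is also why blocking MySQL in the panel does not affect websites that connect to localhost.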
 
Yeah, I'm Dutch and my IP does not change often (only if the lease expires for a long time, for example during a holiday or at an update from the ISP), and that did happen this past week :)

So I'll apply your suggestions from above!

Thanks once more!
 