
Issue Firewall and closing opening ports

sitenet (New Pleskian)
Server operating system version: Ubuntu 20.04
Plesk version and microupdate number: 18.0.48
Hi, can we install CSF in Plesk? I saw this article, How to Install and Configure CSF, but it seems it's for CentOS. I am using Ubuntu 20.04.

Which command would let me install it? And would we get a CSF web interface in Plesk, like cPanel has for CSF?

CSF is better and I want to close unnecessary ports, so I think doing it from a web interface would be easy. How do I do that?
 
You only need to install the necessary Perl libraries there. The article uses yum, the package manager of CentOS, as an example. For Ubuntu, use its package manager, apt, and the corresponding names of these Perl libraries. wget and vim have the same package names.
The other commands in this article are independent of the Linux version.
CSF has no integration in the Plesk interface.
 
Is the inbuilt firewall in Plesk good enough to block attacks? The site will be behind Cloudflare.

Other than the ports listed here, Ports Used by Plesk, and my custom SSH port, all other ports should be blocked, right?

I have to do it like this:
[screenshot]

So as I understand it, I have to do it twice for each port I want to block, once for TCP and once for UDP, right?

Also in this, why is incoming traffic disabled?
[screenshot]
 
Is the inbuilt firewall in Plesk good enough to block attacks? Site will be behind cloudflare.
Plesk is using the firewall that comes with your operating system. Plesk is an easy interface to the otherwise complex firewall software. There is not much quality difference between different OS firewalls. All of them are software/kernel based and are doing their job right.

Other than the ports listed here Ports Used by Plesk and my custom SSH port, all other ports should be blocked right?
No, specifically the ephemeral port range should not be blocked. You need at least 80, 443, 8080, 8443, 8447, 21, 22 open, but also the ephemeral range, as software like FTP only establishes the connection through the service's port, but then transmits data through a random port in the upper ranges. You might also need 3306 open if you want to access your database server from the outside.

Basically, the default Plesk setting is already a good choice. If you don't use PostgreSQL, you could disable it. IPv6 neighbor discovery is also not needed. The ping service might not be needed. Samba might not be needed, and so on. The DHCP client might not be needed depending on your DNS management. But there is not so much risk when you leave these open.
 
Also in this, why incoming traffic is disabled?
All incoming traffic is blocked, except for rules listening on ports listed as "allowed". That way you don't have to list all ports separately to block them ;)

Other than the ports listed here Ports Used by Plesk and my custom SSH port, all other ports should be blocked right?
No need to list your custom SSH port. The default SSH firewall rule recognizes the port SSH is using. You only need to block ports for the services you don't use (or only use locally) that are listed as allowed by default (Samba, for example).

EDIT: I was wrong here. You DO need to open the alternative SSH port in the Plesk firewall with a separate rule.

Is the inbuilt firewall in Plesk good enough to block attacks? Site will be behind cloudflare.
The Plesk firewall is solid, but basic in functionality. It blocks or allows traffic on listed ports. That's all. A tool like fail2ban (which is also present in Plesk) monitors the logs of services and blocks clients that repeatedly fail authentication checks, which is more dynamic in attack mitigation.
 
Plesk is using the firewall that comes with your operating system. Plesk is an easy interface to the otherwise complex firewall software. There is not much quality difference between different OS firewalls. All of them are software/kernel based and are doing their job right.
Alright, but why is the system policy for incoming traffic set to deny by default? This will prevent people from getting into my site, right?

Also, I found the following ports opened on my server using the command 'sudo netstat -ntlp | grep LISTEN' (is this the correct command to find ALL opened ports?):
[attachment not preserved]

If I were to close any of the ports, would I need to go to Firewall -> Modify Plesk Firewall Rules and do this?
[attachment not preserved]
 
All incoming traffic is blocked, except for rules listening on ports listed as "allowed". That way you don't have to list all ports separately to block them ;)

Is this why I am unable to login to my server via console? Getting SSH connection lost.
No need to list your custom SSH port. The default SSH firewall rule recognizes the port SSH is using. You only need to list block ports for the services you don't use (or only use locally) that are listed as allowed by default. (Samba for example).

I would have a custom SSH port. 22 is default so better change it.

I found the following ports opened on my server using the command 'sudo netstat -ntlp | grep LISTEN' (is this the correct command to find ALL opened ports?):
[attachment not preserved]

If I were to close any of the ports, would I need to go to Firewall -> Modify Plesk Firewall Rules and do this?
[attachment not preserved]
 
Is this why I am unable to login to my server via console? Getting SSH connection lost.

I would have a custom SSH port. 22 is default so better change it.
I don't follow?

I found the following ports opened in my server using command 'sudo netstat -ntlp | grep LISTEN' (is this the correct command to find ALL opened ports?) ?
No. The netstat command can be used to see which service is listening on which port.

If I were to close any of the ports, would I need to go to Firewall -> Modify Plesk Firewall Rules and do this:
Yes.
 
I don't follow?
As incoming traffic was auto disabled by default, I was unable to login to my server via SSH. After enabling incoming traffic, I was able to log in.
No. The netstat command can be used to see which service is listening on which port.
Which command will let me see all open ports? I am using ubuntu 20.04

Btw, would I need to enable UFW firewall or the inbuilt Plesk Firewall is enough?
 
Which command will let me see all open ports? I am using ubuntu 20.04
I am not sure if there is a command that specifically will list all open ports. You can however use sudo iptables -S INPUT and sudo ip6tables -S INPUT to list all firewall rules for incoming traffic, which reflect the rules in the Plesk firewall. The Plesk firewall closes all ports, except for those services listed as Allowed in the Plesk interface (or listed as ACCEPT if you use the iptables commands).

As incoming traffic was auto disabled by default, I was unable to login to my server via SSH. After enabling incoming traffic, I was able to log in.
I stand corrected on this. I initially was under the impression that if you configured a different SSH port it wasn't necessary to specifically open that port with a firewall rule, as I (wrongly) thought that the firewall would recognize on which port SSH was running. This is incorrect. You actually do need to open the alternative SSH port in a firewall rule. (No need to open the firewall for all traffic, though.)

Btw, would I need to enable UFW firewall or the inbuilt Plesk Firewall is enough?
I am not familiar with UFW. In general it's not recommended to run two different firewalls, as things can get messy. As stated before, the Plesk firewall is solid, but basic in functionality. If you feel you need a more elaborate firewall with more options, then Juggernaut Security and Firewall might be something for you to look into.
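An added example, not code from this thread or from Plesk, that does by script what the two answers above describe by hand: it takes the output of sudo netstat -ntlp and sudo iptables -S INPUT and reports, for every listening socket, whether it is bound to loopback only, covered by an ACCEPT rule, or left to the chain's default policy. Both inputs embedded here are constructed samples: a Plesk-style allowlist with a DROP policy, and an sshd also listening on an alternative port 2222 that has no rule of its own.

```shell
# Added example (not from the thread): cross-check what the host is listening on
# (netstat -ntlp) against what the INPUT chain accepts (iptables -S INPUT).
# Real use: firewall_report "$(sudo netstat -ntlp)" "$(sudo iptables -S INPUT)"
# The two samples below are constructed; the rules mimic a Plesk-style allowlist.
NETSTAT_SAMPLE=$(cat <<'EOF'
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd: /usr/sbin
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1401/nginx: master
tcp6       0      0 :::443                  :::*                    LISTEN      1401/nginx: master
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      1533/sw-cp-server
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      905/mariadbd
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      812/sshd: /usr/sbin
EOF
)
IPTABLES_SAMPLE=$(cat <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8447 -j ACCEPT
EOF
)
# "port address" for every LISTEN line; column 4 of netstat is local address:port.
listening_sockets() {
    printf '%s\n' "$1" | awk '$6 == "LISTEN" { n = split($4, a, ":"); p = a[n];
        print p, substr($4, 1, length($4) - length(p) - 1) }'
}
# Default policy of the INPUT chain (DROP is "deny by default" in the Plesk UI).
input_policy() { printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "INPUT" { print $3 }'; }
# Destination ports of ACCEPT rules, including multiport --dports lists.
accepted_ports() {
    printf '%s\n' "$1" | awk '/-j ACCEPT/ { for (i = 1; i < NF; i++)
        if ($i == "--dport" || $i == "--dports") { n = split($(i+1), p, ",");
            for (k = 1; k <= n; k++) print p[k] } }' | sort -un
}
# One line per listening socket: local-only, allowed, or left to the chain policy.
firewall_report() {
    policy=$(input_policy "$2")
    allow=" $(accepted_ports "$2" | tr '\n' ' ')"
    listening_sockets "$1" | while read -r port addr; do
        case $addr in 127.*|::1) echo "$port local-only ($addr)"; continue ;; esac
        case $allow in
            *" $port "*) echo "$port allowed" ;;
            *) echo "$port no ACCEPT rule, $policy policy applies" ;;
        esac
    done
}
firewall_report "$NETSTAT_SAMPLE" "$IPTABLES_SAMPLE"
```

Run it a second time with the ip6tables -S INPUT output to cover the IPv6 chain; a port reported as left to a DROP policy that must be reachable from outside (the alternative SSH port, as this thread found) needs its own Allowed rule in the Plesk firewall.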
 
Gotcha, thanks.

So far I have left the default settings as it is. Let's see how it goes.
 