
Firewall best practices

ergos (Guest)
Hi all,
I am using the firewall module of Plesk, yes it is very simple but I think it suits my needs.

Do you think this is a good configuration:

plesk admin interface: allow from my ips deny from others
www: allow incoming from all
ftp: allow incoming from my ips deny from others
ssh: allow incoming from my ips deny from others
smtp/pop3/mail/imap: allow incoming from all
mysql: allow incoming from localhost, ip of the server, deny from others
postgres/samba/tomcat/pleskvpn/dns: deny incoming from all
ping: allow from all
sys policy for incoming: deny all other incoming traffic
sys policy for outgoing: allow all other traffic

Thanks in advance
 
Depends on your setup and needs if that's a good setup.

If you're running a nameserver on your machine it might not be such a good idea to deny access to DNS.

Same goes for FTP for instance: if you're the only one that needs access to your FTP server, well sure, go ahead and limit access. But if you have clients that need to upload websites they won't be happy to find you've blocked them.

If MySQL is only used local then you can also just set your firewall to deny all incoming connections.
 
Originally posted by breun
Depends on your setup and needs if that's a good setup.

If you're running a nameserver on your machine it might not be such a good idea to deny access to DNS.

Same goes for FTP for instance: if you're the only one that needs access to your FTP server, well sure, go ahead and limit access. But if you have clients that need to upload websites they won't be happy to find you've blocked them.

If MySQL is only used local then you can also just set your firewall to deny all incoming connections.

Thanks for the answer. No, I am not running BIND, I am the only one using FTP, and MySQL is only local.

But, more in general, may I safely set the System policy for incoming traffic to deny all other incoming traffic?

Thanks in advance
 
The deny-all default policy is the best option as opposed to allow all, yes. But keep in mind that this can have consequences with FTP. If you are the only one using FTP and it works for you then you don't have to worry about it and all is well.

If it doesn't work then a simple option is to add a custom rule allowing all from your IP and place it right at the top. Alternatively you can add a custom rule allowing a set of high ports in to FTP and then configure proftp to only use those high ports for passive ftp.

Just remember to give yourself some form of alternative access in case your IP gets forcibly changed with no notice. So adding a second trusted IP to ssh might be a good idea.

Faris.
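The policy discussed in this thread written out as an iptables ruleset, as an added example that is not from the thread or from Plesk's firewall module: deny-by-default inbound, trusted-IP exceptions for the panel, SSH and FTP, and a passive FTP port range that has to match ProFTPD's PassivePorts directive. The trusted IPs, the passive range and the panel port 8443 are assumptions; the script prints the commands instead of applying them so it can be reviewed first.

```shell
#!/bin/sh
# Constructed placeholders: two trusted admin IPs and a passive FTP range.
# The range must match "PassivePorts 49152 50000" in proftpd.conf, otherwise
# passive data connections are dropped by the default INPUT policy.
TRUSTED_IPS="${TRUSTED_IPS:-203.0.113.10 198.51.100.7}"
PASV_RANGE="${PASV_RANGE:-49152:50000}"
PANEL_PORT=8443   # assumed Plesk panel port

# Emit the rules rather than applying them; pipe into "sh" as root on a test host.
gen_rules() {
    echo "iptables -P INPUT DROP"            # sys policy incoming: deny all other traffic
    echo "iptables -P OUTPUT ACCEPT"         # sys policy outgoing: allow all
    echo "iptables -A INPUT -i lo -j ACCEPT" # keeps MySQL reachable from localhost only
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"  # ping from all
    # Services open to everyone: web and mail (SMTP, POP3, IMAP and their TLS ports).
    for p in 80 443 25 110 143 465 587 993 995; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # Services limited to trusted IPs: panel, SSH, FTP control and FTP passive data.
    # A second IP is listed so a forced IP change does not lock the admin out.
    for ip in $TRUSTED_IPS; do
        for p in "$PANEL_PORT" 22 21 "$PASV_RANGE"; do
            echo "iptables -A INPUT -p tcp -s $ip --dport $p -j ACCEPT"
        done
    done
    # No rule for DNS, PostgreSQL, Samba or Tomcat: the DROP policy covers them.
}

# Number of emitted rules, used to sanity-check the generated set.
count_rules() { gen_rules | grep -c . ; }

gen_rules
```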
 