• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Firewall hardening

CoyoteKG

Regular Pleskian
Hi,

I know it is pretty simple to use Plesk firewall, but I need advice for 3 rules.
This is webserver with few sites, and access to SSH, FTP, MySQL I allowed only from few IP addresses.
Mail ports should be open, and also WWW.
I wan't to close everything else, but I'm not sure can I safely do that with

Domain name server Allow incoming from all
IPv6 Neighbor Discovery Allow incoming from all
Ping service Allow incoming from all

Should I block it, I believe that Ping and Neighbor discovery can with no problem, but what about DNS? What is purpose of this rule?
For domains for these websites hosted on server, I using nameservers from provider where we bought domains.

This is status of current iptables
iptables.JPG
 
Hi Coyote,

if you are not running any DNS service on the server, then you can just block it indeed.
IPv6 can be blocked if you are not on a IPv6 enabled network. (Then you won't have any IPv6 neighbours ;-) )
I always block ping
 
Hi Dennis, thx for suggestions :)
However for hardening I'd look into a few other options as well:
fail2ban (aditional actions taken against violations *login fails, or custom rules*), mod_security (webserver security), mod_evasive (webserver security) and there are a load more :)
 
I already using fail2ban and mod_security, but did not know about mod_evasive. I will read more about this :)
 
Personally I'm running on a Ubuntu server and I'm using a geolocation based on IP to determine beforehand if the connection is allowed.
Afterwards the fail2ban will come into play (for SSH and FTP MySQL connections as an example)
If it pops up some interests, have a look here : Limit your SSH logins using GeoIP » Axllent.org
p.s. this does not work for CentOS and maybe other linux distributions (I'm not sure, I went to Ubuntu for this reason)
 
Back
Top