
Firewall settings

Farshad@

Guest
Hi everyone,

Can anyone tell me how to set up the Plesk firewall?

I have these settings:

Plesk administrative interface: Allow incoming from all
WWW server: Allow incoming from all
FTP server: Allow incoming from all
SSH (secure shell) server: Allow incoming from all
SMTP (mail sending) server: Allow incoming from all
POP3 (mail retrieval) server: Allow incoming from all
IMAP (mail retrieval) server: Allow incoming from all
Mail password change service: Allow incoming from all
MySQL server: Allow incoming from all
PostgreSQL server: Allow incoming from all
Tomcat administrative interface: Allow incoming from all
Samba (file sharing in Windows networks): Allow incoming from all
Plesk VPN: Allow incoming from all
Domain name server: Allow incoming from all
Ping service: Allow incoming from all
System policy for incoming traffic: Deny all other incoming traffic
System policy for outgoing traffic: Deny all other outgoing traffic
System policy for forwarding of traffic: Deny forwarding of all other traffic

Is this OK?

Thanks!
 
Try to restrict SSH access to an IP.
Also, if you don't use VPN, Samba, Tomcat Admin or anything else, disable it and drop connections on those ports.
 
OK, it's now:

Plesk administrative interface: Allow incoming from all
WWW server: Allow incoming from all
FTP server: Allow incoming from all
SSH (secure shell) server: Allow incoming from xx.xx.xx.xxx; Deny incoming from all others
SMTP (mail sending) server: Allow incoming from all
POP3 (mail retrieval) server: Allow incoming from all
IMAP (mail retrieval) server: Allow incoming from all
Mail password change service: Allow incoming from all
MySQL server: Allow incoming from all
PostgreSQL server: Allow incoming from all
Tomcat administrative interface: Deny incoming from all
Samba (file sharing in Windows networks): Deny incoming from all
Plesk VPN: Deny incoming from all
Domain name server: Allow incoming from all
Ping service: Allow incoming from all
System policy for incoming traffic: Allow all other incoming traffic
System policy for outgoing traffic: Allow all other outgoing traffic
System policy for forwarding of traffic: Deny forwarding of all other traffic


I can't change the System policy for incoming and outgoing traffic to Deny, because then no one can log in to the FTP. Is this a bug? I put the log file below:

connecting to xxx.xxx.xxx.xx:21
Connected to xxx.xxx.xxx.xx port 21
220 ProFTPD 1.2.10 Server (ProFTPD) [xxx.xxx.xxx.xx]
USER xxxxx
331 Password required for filarn.
PASS (hidden)
230 User xxxxx logged in.
PWD
257 "/" is current directory.
SYST
215 UNIX Type: L8
Host type (S): UNIX (standard)
PASV
227 Entering Passive Mode (xxx,xxx,xxx,xx,143,243).
connecting to xxx.xxx.xxx.xx:36851
- -
connecting to xxx.xxx.xxx.xx:36851
Connected to xxx.xxx.xxx.xx port 36851
LIST
150 Opening ASCII mode data connection for file list
Received 1071 bytes in 0.1 secs, (10.46 KBps), transfer succeeded
226-Transfer complete.
226 Quotas off

The log above is for "passive transfer mode", but if I choose "active transfer mode" then it will use just one port (21) and it's still impossible to make an FTP connection...
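
Added example, not part of the original thread: the PASV reply in the log above encodes the data port in its last two fields (143 * 256 + 243 = 36851), and this sketch parses such replies and evaluates that port against a rule list like the one posted. The port numbers in SERVICE_PORTS, the passive range (which would be pinned with ProFTPD's PassivePorts directive) and the address 192.0.2.10 are assumptions, not values from the thread.

```python
import re

# Constructed excerpt modelled on the session log above; 192.0.2.10 is a placeholder.
SAMPLE_LOG = """\
PASV
227 Entering Passive Mode (192,0,2,10,143,243).
LIST
150 Opening ASCII mode data connection for file list
"""

# Assumed standard ports for a few of the services allowed in the rule list.
SERVICE_PORTS = [(21, 21), (22, 22), (25, 25), (53, 53), (80, 80), (443, 443)]
# Assumed range, to be pinned with ProFTPD's PassivePorts directive.
PASSIVE_RANGE = (49152, 65534)

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", re.M)


def pasv_endpoints(log):
    """Return (ip, port) for each 227 reply; the port is p1 * 256 + p2."""
    endpoints = []
    for match in PASV_RE.finditer(log):
        h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            continue  # malformed reply: every field must fit in one byte
        endpoints.append((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
    return endpoints


def inbound_verdict(port, allowed, default_allow):
    """Model the rule list: explicit allow ranges first, then the system policy."""
    if any(low <= port <= high for low, high in allowed):
        return "allow"
    return "allow" if default_allow else "deny"


if __name__ == "__main__":
    for ip, port in pasv_endpoints(SAMPLE_LOG):
        print(f"data connection to {ip}:{port}")
        print("  policy deny :", inbound_verdict(port, SERVICE_PORTS, False))
        print("  policy allow:", inbound_verdict(port, SERVICE_PORTS, True))
    pinned = SERVICE_PORTS + [PASSIVE_RANGE]
    print("pinned range, policy deny:", inbound_verdict(50000, pinned, False))
```

With the passive range fixed on the FTP server and allowed inbound, the data connection no longer depends on the system policy for incoming traffic being set to allow.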
 
I would recommend you set MySQL and PostgreSQL to only allow connections from localhost (127.0.0.1, and the main server IP addresses).

That way no one will be able to relay it.

I do this on my server and it works great.
 
Hi,

Is that to deny connections from all the IPs on your server or one of these?

network (not usable)
gateway (not usable)
xx.xxx.xx.xx server IP (usable)(main IP, usable)
 