Issue Firewall stops working

jola

Basic Pleskian
Server operating system version
CentOS 7.9 ELS and AlmaLinux 9.5
Plesk version and microupdate number
Obsidian 18.0.66
Two of my Plesk based web-servers have recently had problems with the Plesk Firewall. For some strange reason the firewalls have stopped working. It is difficult to notice when this happens. Fortunately I have an ISP that sends me a warning email if I have an open Port 111 to the Portmapper service on any of my web-servers. I got this warning for one of my servers last week. After some digging I realized that the Firewall, which should block Port 111, for some reason was not working properly. I solved it by disabling and then re-enabling the Firewall directly in the Plesk control panel. Today I received a similar warning email about another of my web-servers. Now I knew how to solve it and quickly disabled and re-enabled my Firewall, and that quickly blocked my 111 Port again.

I do not like to not be able to trust that your Firewall is stable and keeps working.

Has anyone else had similar problems with their Plesk Firewall recently?

My Firewall has been rock-solid for many years until this now started to happen, and I'm wondering why it is suddenly starting to break. One of the servers was running on an old CentOS 7.9 ELS based server and one of the servers was recently installed on an AlmaLinux 9.5 based server. Both had the latest version of Plesk Obsidian installed.
 
The Plesk Firewall utilizes iptables and all the extension does is allow you to use a visual interface for managing it.

With that said, make sure you are not using any other firewall services that manipulate iptables such as firewalld.

Also, if the firewall is getting disabled but the web interface is showing that it's on, there's a chance you might be compromised and you might want to actually look over the server to make sure everything is fine (assuming you don't have any other firewall services that are manipulating iptables, that is).
 
Thanks for your feedback. I have a bunch of Plesk services active that do use the Firewall, like fail2ban and ModSecurity with the Atomic advanced ruleset. I do not think I have done anything outside of this to manipulate iptables. I have a few of my own Firewall rules to block out problematic IP ranges that have overloaded the servers before or have done repeated spam/hacking attempts. I can not see any signs of the servers being compromised. One of the servers runs a very high-volume web-site and is often highly loaded, and one is a brand new development server that has virtually no traffic and no known domain name yet. Both are running on KBE-based virtual servers. The fact that both servers got the same problem just a week in between worries me.

By the way, the web interface shows that the Firewall is active even though it is not working, but if I disable it and then re-enable it in the web interface it starts to work again.
 
Please make sure you do not have any other third party services such as firewalld (as I've mentioned before). Fail2Ban and ModSecurity are fine since they add sub info that's outside of the primary iptables, but anything that modifies iptables directly (such as firewalld) will cause problems, which is evident from the fact that the firewall status in Plesk still shows on but if you check the firewall status via SSH it might show it off (the Plesk firewall has an internal database to show if it's on or off, so if the firewall service is disabled outside of Plesk the Plesk interface itself will not reflect that). Thus why I said to make sure all is good, and if all is good then there might be someone lurking inside your servers and you would need a deeper dive. Always look through your logs too as it might give you a clue. It's also possible that someone set up a cron job to do something stupid, which hopefully logs should point you to that too.
 
Thanks, I will continue to monitor these servers closely. It is difficult to debug something when it is working again. I have tried to look in the logs in /var/log/sw-cp-server but I could not find anything that could explain this.

Do you have any recommendation on which logs I should look at to find what might cause the Firewall to stop working?
 
Please make sure you do not have any other third party services such as firewalld

I have not done anything with firewalld as far as I can remember. However, I seem to have this service running on my servers:

# systemctl list-units --type=service --state=active | grep firewalld
firewalld.service loaded active running firewalld - dynamic firewall daemon
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset: enabled)
Active: active (running) since Tue 2025-01-07 22:39:29 CET; 1 day 12h ago
Docs: man:firewalld(1)
Main PID: 900 (firewalld)
Tasks: 2 (limit: 349551)
Memory: 45.2M
CPU: 336ms
CGroup: /system.slice/firewalld.service
└─900 /usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid

Should firewalld not be running at all on my servers?
 
Should firewalld not be running at all on my servers?
I'm responding to myself here. Apparently it is not good to both have the firewalld service and the Plesk Firewall active at the same time, see for example (Plesk for Linux) The Plesk Firewall.

However, only one of my two servers that had problems with the firewall actually had the firewalld service active, the new AlmaLinux 9.5 server. I have now disabled firewalld also on this server with:

# systemctl stop firewalld
# systemctl disable firewalld

Note that the Plesk Firewall stopped working when I did this so I had to disable and re-enable it again in the web interface to get it up and running again.

Since only one of my problematic servers had the firewalld service running I doubt if it was only this that caused my problems, but it was good to find out that one of the servers did indeed have the firewalld active, so that potential problem is now at least gone.
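
The state discussed in this thread, where the panel reports the firewall as on while the kernel ruleset is not actually loaded, can be checked from the shell instead of waiting for the ISP's port 111 warning. The script below is an added example, not code from any poster or from Plesk; the function names, the constructed `f2b-ssh` sample and the heuristic (a loaded firewall leaves INPUT with a DROP policy or at least one DROP/REJECT rule) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: a loaded host firewall leaves
# INPUT with a DROP policy or at least one DROP/REJECT rule of its own.
# stdin: `iptables -S` output. Prints open | filtered | unknown.
input_chain_state() {
    awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && $(i + 1) ~ /^(DROP|REJECT)$/) deny++
        }
        END {
            if (policy == "") print "unknown"
            else print ((policy == "ACCEPT" && !deny) ? "open" : "filtered")
        }'
}

# stdin: `ss -ltun` output. Succeeds if port $1 listens on a non-loopback address.
listens_publicly() {
    awk -v port="$1" '
        NF < 2 { next }
        { la = $(NF - 1); n = split(la, a, ":")
          addr = substr(la, 1, length(la) - length(a[n]) - 1) }
        a[n] == port && addr !~ /^(127\.|\[::1\])/ { found = 1 }
        END { exit !found }'
}

# Constructed sample: filtering rules gone, only a fail2ban jump left in INPUT.
SAMPLE_FLUSHED='-P INPUT ACCEPT
-N f2b-ssh
-A INPUT -p tcp -m multiport --dports 22 -j f2b-ssh
-A f2b-ssh -j RETURN'

# Live check; return status 0 = ok, 1 = warning, 2 = port 111 exposed.
check_host() {
    rc=0
    if systemctl is-active --quiet firewalld; then
        echo "WARN: firewalld is running next to the Plesk Firewall"; rc=1
    fi
    if [ "$(iptables -S | input_chain_state)" != "filtered" ]; then
        echo "WARN: INPUT shows no DROP/REJECT (or could not be read)"; rc=1
        if ss -ltun | listens_publicly 111; then
            echo "CRIT: portmapper port 111 is listening and unfiltered"; rc=2
        fi
    fi
    return "$rc"
}
if [ "${1:-}" = "--live" ]; then check_host; fi
```

Run it as root with `--live`, for example from cron, and alert on any output. A surviving fail2ban jump in INPUT does not count as filtering here, which is why the constructed sample is reported as `open`.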
 