
Issue Help with best practices for plesk firewall security

stas styler

Basic Pleskian
Dear pleskers,
I've encountered several attacks on my server that made my server very slow and got all my clients down.
I've managed to respond quickly and solve it, but I guess there are people over here that secured their servers even better.

I use atomic advanced mod security + ddos deflate + Plesk firewall + restrictive fail2ban.
Do you guys know best practices for Plesk firewall? Any good rule set? Is there any way to add custom iptables rules with Plesk firewall on?
 
It is recommended to deactivate all ports that are not needed for conducting business. For example, if you are not using the single sign on service, deactivate the entry in the firewall. You can also add custom rules and chains to iptables by using the standard iptables commands on the Linux console.

It is best practice to block malicious traffic before it reaches your host, e.g. by using a hardware firewall in a router in front of your server.

Some people use Cloudflare to distribute their website globally, so that if your server is under attack, Cloudflare can still deliver the site from their mirrors. However, this only works for static content.
 
Thanks for your reply.

1. I thought of the same method of using iptables to block any kind of threat, but I read somewhere here that Plesk firewall script overrides the rules every time I apply rules through Plesk firewall. Is that true? If so, is there any way to make them work together?

2. I'm hosting about 300 websites as a hosting company; Cloudflare is working on the website field and not the server field. Every customer is either using my DNS server or Cloudflare's; it is really up to them. Unfortunately Cloudflare doesn't offer DNS services for servers...
 
1) Plesk does not overwrite your individual rules.

2) Cloudflare is a content distribution service. Thus an attack that is coming from a certain part of the world will be limited to the proxy Cloudflare host and not reach your server unless dynamic content is being attacked (the other mirrors will still deliver your site even if one network segment has issues).
 
If you have a lot of clients using WordPress and you are in a position to enforce a WordFence install, you could consider the script I wrote that adds rules to the firewall.

It's a learning system that adds IPs to a monthly set. There are 2 sets... An uneven month set and an even month set that are both enforced....
IPs are added as they are found by WordFence to the current month (even or uneven).
On the first day of the month the set of the month that still contained IPs assembled during the previous run will go to a spare set and the current month will be emptied.
That spare set will not be enforced, but used as a reminder.
The assembling of IPs will start again. IPs of the spare set will have a chance again of accessing sites, but if one of those IPs misbehaves (they are coming back after being blocked for at least a month) they will be added to a set that will get them permanently blocked.

None of what I wrote was copied although I can easily imagine it has been thought of before. I think it's much more elegant than fail2ban.

It's published in this forum. Another way of protecting your server is using another script of mine that blocks specific countries or the reverse: blocking the whole world and then letting through some specific countries.

For SSH there's a very effective ruleset that uses the "recent module" of iptables and it will protect you from any brute-force attack...

Search with iptables and my name in this forum and read.....


My firewall is just a manually maintained text file that's loaded with iptables-restore.

Every new Plesk install I examine what "they" want to open up and adapt if necessary.
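
The even/odd month rotation described in the post above, sketched as an added example (this is not the poster's script, which is not shown on this page). The set names and the spare-members file are assumptions, and the functions only print the `ipset`/`iptables` commands so the plan can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example: dry-run planner for the even/odd month ipset rotation.
# Set names wf_even, wf_odd, wf_spare and wf_perm are hypothetical.
# Functions only print commands; review, then pipe to sh as root.

# One-time setup. wf_spare gets no DROP rule: it is only a reminder list.
setup_plan() {
  for s in wf_even wf_odd wf_spare wf_perm; do
    printf 'ipset create %s hash:ip -exist\n' "$s"
  done
  for s in wf_even wf_odd wf_perm; do
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$s"
  done
}

# Set that collects offenders during month $1 (1-12, "08" accepted).
month_set() {
  if [ $(( ${1#0} % 2 )) -eq 0 ]; then echo wf_even; else echo wf_odd; fi
}

# Run on the 1st of month $1: the set with this month's parity still holds
# IPs from two months ago. Swap them into spare, then empty the month set.
rotation_plan() {
  printf 'ipset swap %s wf_spare\n' "$(month_set "$1")"
  printf 'ipset flush %s\n' "$(month_set "$1")"
}

# Reject anything that is not a dotted quad before it reaches a command line.
valid_ipv4() {
  case $1 in ''|*[!0-9.]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eqx '([0-9]{1,3}\.){3}[0-9]{1,3}'
}

# $1 = offending IP, $2 = month, $3 = file listing spare-set members.
# An IP found in the spare set has come back after its block: permanent set.
block_cmd() {
  valid_ipv4 "$1" || return 1
  if grep -qxF -- "$1" "$3"; then target=wf_perm; else target=$(month_set "$2"); fi
  printf 'ipset add %s %s -exist\n' "$target" "$1"
}

# Demo with constructed data (documentation-range addresses).
demo_spare=$(mktemp)
printf '198.51.100.7\n' > "$demo_spare"
rotation_plan "$(date +%m)"
block_cmd 198.51.100.7 "$(date +%m)" "$demo_spare"   # repeat offender
block_cmd 203.0.113.9 "$(date +%m)" "$demo_spare"    # first offence
rm -f "$demo_spare"
```

The IP check matters because the addresses come from a log source and end up on a root command line; anything that is not a plain dotted quad is dropped instead of being passed through.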
 