• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question How to block non-mail traffic to certain ip?

michaeljoseph01

New Pleskian
Server operating system version
Ubuntu 20.04.6
Plesk version and microupdate number
18.0.51
I have a single domain on a single cloud VPS server running web and mail service. I have 2 IP addresses on the same WAN adapter. The IP that I want all web traffic to flow through is proxied by cloudflare. The other IP is exposed because I'm running the mail server traffic through it. What would be the best way to block all traffic other than imap or smtp to that one mail server ip address?

Im using cloudflare, the local firewall, mod_security comodo, fail2ban and I just installed immunify360.

Also - I'm actually surprised at just how much malicious traffic I'm seeing considering that my site is a work in progress and has no traffic yet. I'm seeing tons of /.env, xmlrpc, and readme.html/txt requests along with wp-login snooping, including a lot of poking around by a block of IP's that resolve to a group called The Academy of Internet Research llc based out of Hawaii that claims on their website they do whitehat security audits. wtf?

I see that mod_security denies some of these with a 403 like any requests for .env but there's just so many of them in the logs, I see requests from Germany, Iran, China, Russia etc... For now I increased the findtime & bantime windows of the mod_security fail2ban jail, then increased the findtime of the recidive jail and upped the bantime of recidive to 2 weeks in an attempt to shut out the bad actors. Like I said I have no users that need to log in so i'm not too worried about false positives for any of these jails.

What parts of the security stack should I be focusing on?
What are peoples thoughts of the Comodo ruleset vs OWASP?

My thinking right now is that I should probably put more of my attention on cloudflare rules to stop as many bad requests as I can at their edge before the requests even come to my server.

Just a little bit overwhelmed, I'm just getting back into the webmaster game after doing something else for 6 years and don't remember having this much activity on a site that isn't really even linked to yet.
 
I would probably do it on the network level. A generic deny all rule, and then separate rules to open the certain mail ports that are needed. I'd check with the host and see if this is something the can accommodate.

OWASP is a more restrictive rule set in my opinion.
 
Back
Top