
Resolved Plesk firewall custom rule Allow incoming from all on all ports

Cameron

New Pleskian
Hi, I have a Dedicated Server where the first Firewall rule is called allowme. It is a custom rule which seems to allow access to any TCP or UDP port and any IP address. I didn't set this rule up, it was (I assume) added by my ISP when I purchased the server. Is this bad practice and should I delete this rule?

I don't want to allow anyone except me to be able to upload anything via FTP and I obviously don't want any website on the server to no longer be viewable. If I set the SSH and FTP rules to only allow access to my IP address this has no effect. Is that because the first rule overrules everything else?

Is there a best practice for setting all the various firewall rules?

Thanks
 
Thanks for this. Unfortunately, since deleting this rule I can no longer connect to any of my websites with FTP, even if I add my IP address as the only one that can connect in the FTP firewall rule. I added my IP to the SSH rule and that is absolutely fine and I can connect as root no problem, but no FTP.

Any idea what has happened?
 
Yes, it's a timeout.

Status: Connecting to xxx.xx.xx.xxx:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Server does not support non-ASCII characters.
Status: Logged in
Status: Retrieving directory listing of "/httpdocs"...
Command: CWD /httpdocs
Response: 250 CWD command successful
Command: PWD
Response: 257 "/httpdocs" is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (xxx,xx,xx,xxx,161,116).
Command: MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
Status: Disconnected from server

I'm using FileZilla.
 
Response: 227 Entering Passive Mode (xxx,xx,xx,xxx,161,116).

The FTP passive mode uses an address range to communicate with the client.
To communicate with the server in passive mode, the client "asks" the server for a port (after being connected via port 21), on which it can connect to the server to do some data stuff. The client then tries to connect over the negotiated port. And there your log is going to show the problems. This address range must be opened in the firewall.
You can find the config-file in /etc/proftpd.d/passive-ports.conf - the content should look like this:

Code:
<Global>
PassivePorts 49152 65535
</Global>
 
Thanks for the response. There is no file of that name in that directory. There is only 50-plesk.conf and ssl.conf in there. Do I need to create this file and specify the port range?
 
Yes, try to create the file 55-passive-ports.conf with the content from the post above in /etc/proftpd.d/
Also ensure that you can find the line
Code:
Include /etc/proftpd.d/*.conf
in your /etc/proftpd.conf

Don't forget to open the ports you used in the ports.conf in the firewall.

Then restart the FTP service.
Usually the FTP is in inetd mode, so: service xinetd restart
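The two posts above describe why the listing times out: the server names a data port in its 227 reply, and that port has to fall inside the PassivePorts range that the firewall rule also allows. The following is an added example, not code from this thread, from Plesk or from proftpd. It decodes a 227 reply the way the client does (RFC 959: port = p1*256 + p2), reads the PassivePorts directive from a passive-ports.conf, and checks the negotiated port against a firewall modelled as a list of allowed inbound port ranges. The PASV reply, the config text and the firewall ranges are constructed samples (the masked address from the log is replaced by a documentation IP); the "diagnose" function and its output keys are assumptions of this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample (not the thread's real server): the 227 reply from the
# FileZilla log, with the masked address replaced by a documentation IP.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,161,116)."

# Constructed sample: a passive-ports.conf with the range suggested in the thread.
SAMPLE_PASSIVE_PORTS_CONF = """\
<Global>
# Range proftpd hands out in 227 replies; the firewall must allow the same range
PassivePorts 49152 65535
</Global>
"""

# Constructed sample: inbound ranges the firewall allows, i.e. the FTP control
# port plus a custom rule for the passive range (source-IP restriction omitted).
SAMPLE_FIREWALL_ALLOWED = [(21, 21), (49152, 65535)]

# Matches "227 ... (h1,h2,h3,h4,p1,p2)" even when a log prefix precedes the code.
PASV_RE = re.compile(r"\b227\b[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode a 227 reply into (host, port); RFC 959 encodes the port as p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_passive_ports(conf: str) -> Optional[Tuple[int, int]]:
    """Return (low, high) from the first PassivePorts directive, or None when it
    is unset, in which case proftpd picks any free ephemeral port."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() == "passiveports":
            low, high = int(parts[1]), int(parts[2])
            if not 1 <= low <= high <= 65535:
                raise ValueError(f"invalid PassivePorts range: {line!r}")
            return low, high
    return None


def port_allowed(port: int, allowed: List[Tuple[int, int]]) -> bool:
    """True when the port lies inside at least one allowed inbound range."""
    return any(low <= port <= high for low, high in allowed)


def diagnose(reply: str, conf: str, allowed: List[Tuple[int, int]]) -> dict:
    """Explain whether the data connection named in a 227 reply can get through."""
    host, port = parse_pasv(reply)
    configured = parse_passive_ports(conf)
    in_range = configured is not None and configured[0] <= port <= configured[1]
    return {
        "host": host,
        "data_port": port,
        "configured_range": configured,
        "in_configured_range": in_range,
        "firewall_allows": port_allowed(port, allowed),
    }


if __name__ == "__main__":
    # The log's reply decodes to port 41332, outside 49152-65535: the firewall
    # rule does not cover it, so MLSD hangs exactly as in the FileZilla log.
    # A reply such as (203,0,113,10,192,1) decodes to 49153 and is allowed.
    for reply in (SAMPLE_PASV_REPLY,
                  "Response: 227 Entering Passive Mode (203,0,113,10,192,1)."):
        print(diagnose(reply, SAMPLE_PASSIVE_PORTS_CONF, SAMPLE_FIREWALL_ALLOWED))
```

The point the check makes visible: a firewall rule for 49152-65535 only helps once proftpd is actually told to use that range; without the PassivePorts directive the server keeps choosing ports like 41332 that the rule never covers. Paste the 227 line from your own client log into parse_pasv to see which port the server picked.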
 
Thank you, this is perfect. So I needed to create the conf file with the command line, then do the service restart, then in plesk I added a custom firewall rule with this port range, and specify that it can only connect from my IP address. This now works.

If I also set the firewall rule below this one to deny SSH connections except from my IP, is this about as secure as I can make it? Or could someone potentially fake my IP address and still get in?
 
If I also set the firewall rule below this one to deny SSH connections except from my IP, is this about as secure as I can make it? Or could someone potentially fake my IP address and still get in?
Everything is possible ;)
But security is not only about good firewall rules. The rules you are using are very strict and for sure do a good job. But you should think about service security as well. What I mean: take care how you configure a service, use long and secure passwords in combination with long usernames, i.e. don't use "admin", better use "this_is08my489long319and918not3to38guess10admin_user". Ensure that your software is always up to date, use IP address blacklisting like fail2ban, and to improve your firewall you could proceed with SPI or DPI etc. etc. etc.

Don't get paranoid ;-)
 