
Plesk Firewall Extension Rules Good Practice?

Peter Downes

Basic Pleskian
Hi

Whilst trying to configure the MySQL rule on my VPS Plesk Firewall I appear to have broken access via FTP (no encryption, port 21, passive). Those connections used to work.

The only way to enable access is to change 'System policy for incoming traffic' from 'Deny all other incoming traffic' to Allow incoming from all.

Is that a good idea? Should it make me nervous?

I wonder if there is a standard set of good practice rules I can copy....?
 
@Peter Downes

If you use passive port configuration for proftpd, just create a firewall rule that allows some traffic through the ports that you have chosen as passive ports for proftpd.

By default, the firewall does not open up all ports, so it would be as simple as allowing traffic through the passive ports.

That is all, hope the above explains a bit.

By the way, I would strongly recommend enabling the passive ports again, since that would reduce FTP related risks, like hack attacks, brute forcing and so on.

Regards....
 
OK I think I did it. I can now connect with a passive connection.

I added a new custom rule to the Plesk Firewall.
--
Allow incoming from all on port 50000-50500/tcp
--
And then I created a new passiveports.conf in /etc/proftpd.d/ with this setting:
# proftpd expects the two port numbers separated by a space, not a hyphen
PassivePorts 50000 50500

This thread helped.
https://talk.plesk.com/threads/microupdates-overwrite-passiveports.332608/

By the way, I would strongly recommend enabling the passive ports again, since that would reduce FTP related risks, like hack attacks, brute forcing and so on.
@trialotto Hopefully that is errr .... 'everything'?
 
@Peter Downes

Apologies, could have given you a link to a post I wrote myself.

By the way, what do you mean by the question "Hopefully that is errr .... 'everything'?"?

Regards......
 
@trialotto No apology required. You are a great help.
I thought the link may be useful for the next beginner like me.

By the way, what do you mean by the question "Hopefully that is errr .... 'everything'?"?

Sorry. I meant to ask 'Have I done everything to reduce FTP related risks now?'
I'm sure the answer is NO!
I just hope I have at least corrected my mistake.
 
@Peter Downes

Normally, I would suggest adding IP addresses to the created (custom) firewall rule, in order to allow only the customers or admins to upload via FTP.

That can seem somewhat rigid, but in most cases, only sysadmins use FTP (read: one should, as a form of "good practice", prevent customers from being able to upload anything to the server, since that could be a potential security risk. Any hack of accounts, or a customer wanting to do bad, can lead to an upload of malicious code).

In addition, you can do the following to increase security: go to "Tools & Settings > Security Policy (click) > Secure FTP > FTPS usage policy : Allow only secure FTPS connections (select)".

The latter action is actually required to FORCE that ALL ftp connections ACTUALLY use the passive ports: even though most modern ftp clients do select the secure TLS/SSL connections by default, older ftp clients do not necessarily do so (which implies that a hacker can make use of that).

You now can see why a set of allowed IP addresses in the (custom) firewall rule is more valuable, since any attempt to hack from another IP (other than allowed ones) will not succeed.

Note that you should also consider doing something similar with the regular FTP firewall rule: only allow access for certain IP addresses.

In general, one can make the FTP system as secure as possible by using "allow only from IP" methods on both the regular FTP firewall rule and the (custom) firewall rule (passive ports).

Again, the rigidity of such settings may not be desirable, but it keeps out danger.

Hope the above helps....

Regards
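The two fixes discussed in this thread (a firewall rule whose range matches the PassivePorts directive, and restricting both the port 21 rule and the passive-range rule to known source IPs) can be checked with a small script. The following is an added example, not code from the thread or from Plesk: it reads the PassivePorts directive from a proftpd drop-in directory (/etc/proftpd.d/ as in the thread), compares it with the range the Plesk Firewall rule opens, and prints source-restricted iptables lines for review rather than applying them. The config directory, the rule range and the admin addresses (203.0.113.0/24) are constructed inputs.

```shell
#!/bin/sh
# Added example, not code from the thread or from Plesk: audit helpers that keep the
# proftpd PassivePorts range and the Plesk Firewall custom rule in step, and emit
# source-restricted iptables rules for review. Assumptions: drop-in configs live in
# /etc/proftpd.d/ as in the thread, the rule range is given as "LOW-HIGH" exactly as
# the Plesk Firewall shows it, and the admin IPs (203.0.113.0/24) are constructed.
# Nothing below changes the firewall; the iptables lines are printed, not executed.

# Print the effective PassivePorts range as "LOW-HIGH", taking the last directive
# found (later drop-ins override earlier ones). Accepts both the proftpd form
# "PassivePorts 50000 50500" and the hyphenated form that appeared in the thread.
passive_range_from_conf() {
    awk 'tolower($1) == "passiveports" { sub(/-/, " "); if (NF >= 3) r = $2 "-" $3 }
         END { if (r != "") print r }' "$1"/*.conf 2>/dev/null
}

# Succeed only for a sane passive range: numeric, above the privileged ports,
# within 16 bits, and low < high.
valid_passive_range() {
    low="${1%-*}"; high="${1#*-}"
    case "$low$high" in ''|*[!0-9]*) return 1 ;; esac
    [ "$low" -ge 1024 ] && [ "$high" -le 65535 ] && [ "$low" -lt "$high" ]
}

# Compare the range the firewall rule opens with what proftpd actually uses.
# Returns 0 on a match, 1 (with a finding on stdout) otherwise.
audit_passive_rule() {
    conf_dir="$1"; rule_range="$2"
    conf_range=$(passive_range_from_conf "$conf_dir")
    if [ -z "$conf_range" ]; then
        echo "FINDING: no PassivePorts directive under $conf_dir; proftpd will pick high ports the firewall rule does not cover"
        return 1
    fi
    if [ "$conf_range" != "$rule_range" ]; then
        echo "FINDING: proftpd uses $conf_range but the firewall rule opens $rule_range"
        return 1
    fi
    echo "OK: firewall rule and PassivePorts agree on $conf_range"
}

# Print iptables commands that admit the FTP control port and the passive range
# only from the given source addresses. Refuses to generate open-to-all rules.
ftp_rules_for() {
    range="$1"; shift
    valid_passive_range "$range" || { echo "bad passive range: $range" >&2; return 1; }
    [ "$#" -gt 0 ] || { echo "refusing to emit rules without source IPs" >&2; return 1; }
    low="${range%-*}"; high="${range#*-}"
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp -s $src --dport 21 -j ACCEPT"
        echo "iptables -A INPUT -p tcp -s $src --dport $low:$high -j ACCEPT"
    done
}

# Stand-alone run against a constructed config directory: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    printf 'PassivePorts 50000 50500\n' > "$demo/passiveports.conf"
    audit_passive_rule "$demo" 50000-50500
    ftp_rules_for 50000-50500 203.0.113.10 203.0.113.0/24
    rm -rf "$demo"
fi
```

Point audit_passive_rule at the real /etc/proftpd.d/ and the range shown in the Plesk Firewall rule to catch the mismatch that broke passive FTP in the first post; ftp_rules_for deliberately fails rather than print an "allow from all" rule, which is the setting the thread advises against.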
 