
Plesk Firewall Extension Rules Good Practice?

Peter Downes

Basic Pleskian
Hi

Whilst trying to configure the MySQL rule on my VPS Plesk Firewall, I appear to have broken access via FTP (no encryption, port 21, passive). Those connections used to work.

The only way to enable access is to change 'System policy for incoming traffic' from 'Deny all other incoming traffic' to 'Allow incoming from all'.

Is that a good idea? Should it make me nervous?

I wonder if there is a standard set of good practice rules I can copy....?
 
@Peter Downes

If you use passive port configuration for proftpd, just create a firewall rule that allows some traffic through the ports that you have chosen as passive ports for proftpd.

By default, the firewall does not open up all ports, so it would be as simple as allowing traffic through the passive ports.

That is all, hope the above explains a bit.

By the way, I would strongly recommend enabling the passive ports again, since that would reduce FTP related risks, like hack attacks, brute forcing and so on.

Regards....
 
OK I think I did it. I can now connect with a passive connection.

I added a new custom rule to the Plesk Firewall.
--
Allow incoming from all on port 50000-50500/tcp
--
And then I created a new passiveports.conf in /etc/proftpd.d/ with these settings:
PassivePorts 50000-50500

This thread helped.
https://talk.plesk.com/threads/microupdates-overwrite-passiveports.332608/

By the way, I would strongly recommend enabling the passive ports again, since that would reduce FTP related risks, like hack attacks, brute forcing and so on.
@trialotto Hopefully that is errr .... 'everything'?
 
@Peter Downes

Apologies, I could have given you a link to a post I wrote myself.

By the way, what do you mean with the question "Hopefully that is errr .... 'everything'?"?

Regards......
 
@trialotto No apology required. You are a great help.
I thought the link may be useful for the next beginner like me.

By the way, what do you mean with the question "Hopefully that is errr .... 'everything'?"?

Sorry. I meant to ask 'Have I done everything to reduce FTP related risks now?'
I'm sure the answer is NO!
I just hope I have at least corrected my mistake.
 
@Peter Downes

Normally, I would suggest adding IP addresses to the created (custom) firewall rule, in order to allow only the customers or admins to upload via FTP.

That can seem somewhat rigid, but in most cases, only sysadmins use FTP (read: one should, as a form of "good practice", prevent customers from being able to upload anything to the server, since that could be a potential security risk. Any hack of accounts, or a customer wanting to do harm, can lead to an upload of malicious code).

In addition, you can do the following to increase security: go to "Tools & Settings > Security Policy (click) > Secure FTP > FTPS usage policy : Allow only secure FTPS connections (select)".

The latter action is actually required to FORCE ALL ftp connections to ACTUALLY use the passive ports: even though most modern ftp clients do select the secure TLS/SSL connections by default, older ftp clients do not necessarily do so (which implies that a hacker can make use of that).

You can now see why a set of allowed IP addresses in the (custom) firewall rule is more valuable, since any attempt to hack from another IP (other than the allowed ones) will not succeed.

Note that you should also consider doing something similar with the regular FTP firewall rule: only allow access for certain IP addresses.

In general, one can make the FTP system as secure as possible by using "allow only from IP" methods on both the regular FTP firewall rule and the (custom) firewall rule (passive ports).

Again, the rigidity of such settings may not be desirable, but it keeps out danger.

Hope the above helps....

Regards
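An added example (not from either poster) that ties the two halves of this thread together: it reads the PassivePorts range from a proftpd config file and checks the loaded iptables rules to report whether the passive range is missing, open to every source, or restricted by source IP as recommended above. The config and the iptables-save output are constructed samples; ProFTPD documents the directive as "PassivePorts <min> <max>", so the parser accepts both that form and the hyphenated form posted in the thread.

```shell
#!/bin/sh
# Cross-check the ProFTPD passive range against the firewall rules that are
# actually loaded, and classify the matching rule by its source restriction.

# Constructed sample of /etc/proftpd.d/passiveports.conf.
SAMPLE_PROFTPD_CONF='PassivePorts 50000-50500'

# Constructed sample of `iptables-save` output, shaped like Plesk Firewall rules.
# Only 203.0.113.10 (a documentation address) may reach the passive range.
SAMPLE_IPTABLES='-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 50000:50500 -j ACCEPT
-A INPUT -j DROP'

# Print "MIN MAX" parsed from a PassivePorts directive; a hyphen between the
# two numbers is treated like a space so both spellings are understood.
passive_range() {
    printf '%s\n' "$1" | awk '$1 == "PassivePorts" { gsub(/-/, " "); print $2, $3; exit }'
}

# Classify the INPUT ACCEPT rule covering tcp ports MIN..MAX:
#   missing      no ACCEPT rule covers the whole range (passive mode will fail)
#   open-to-all  a rule covers it but has no -s source restriction
#   restricted   a rule covers it and is limited to specific source IPs
passive_rule_status() {
    min=$1; max=$2; rules=$3
    printf '%s\n' "$rules" | awk -v min="$min" -v max="$max" '
        /-A INPUT/ && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") {
                n = split($(i + 1), r, ":")
                lo = r[1]; hi = (n > 1) ? r[2] : r[1]
                if (lo + 0 <= min + 0 && hi + 0 >= max + 0) {
                    print ($0 ~ / -s / ? "restricted" : "open-to-all")
                    found = 1; exit
                }
            }
        }
        END { if (!found) print "missing" }'
}

# On a live server, replace the samples with:
#   $(cat /etc/proftpd.d/passiveports.conf) and "$(iptables-save)"
set -- $(passive_range "$SAMPLE_PROFTPD_CONF")
echo "passive range $1-$2: $(passive_rule_status "$1" "$2" "$SAMPLE_IPTABLES")"
```

A result of "open-to-all" matches the rule posted earlier in the thread ("Allow incoming from all"); "restricted" is the state the last reply recommends.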
 