
Plesk Firewall Extension Rules Good Practice?

Peter Downes

Basic Pleskian
Hi

Whilst trying to configure the MySQL rule on my VPS Plesk Firewall I appear to have broken access via FTP (no encryption, port 21, passive mode). Those connections used to work.

The only way to re-enable access is to change 'System policy for incoming traffic' from 'Deny all other incoming traffic' to 'Allow incoming from all'.

Is that a good idea? Should it make me nervous?

I wonder if there is a standard set of good-practice rules I can copy....?
 
@Peter Downes

If you use passive port configuration for proftpd, just create a firewall rule that allows some traffic through the ports that you have chosen as passive ports for proftpd.

By default, the firewall does not open up all ports, so it would be as simple as allowing traffic through the passive ports.

That is all, hope the above explains a bit.

By the way, I would strongly recommend enabling the passive ports again, since that would reduce FTP-related risks, like hack attacks, brute forcing and so on.

Regards....
 
OK I think I did it. I can now connect with a passive connection.

I added a new custom rule to the Plesk Firewall.
--
Allow incoming from all on port 50000-50500/tcp
--
And then I created a new passiveports.conf in /etc/proftpd.d/ with this setting:
# PassivePorts takes the lowest and highest port as two separate arguments
PassivePorts 50000 50500

This thread helped.
https://talk.plesk.com/threads/microupdates-overwrite-passiveports.332608/

By the way, I would strongly recommend enabling the passive ports again, since that would reduce FTP-related risks, like hack attacks, brute forcing and so on.
@trialotto Hopefully that is errr .... 'everything'?
 
@Peter Downes

Apologies, could have given you a link to a post I wrote myself.

By the way, what do you mean with the question "Hopefully that is errr .... 'everything'?"?

Regards......
 
@trialotto No apology required. You are a great help.
I thought the link may be useful for the next beginner like me.

By the way, what do you mean with the question "Hopefully that is errr .... 'everything'?"?

Sorry. I meant to ask 'Have I done everything to reduce FTP related risks now?'
I'm sure the answer is NO!
I just hope I have at least corrected my mistake.
 
@Peter Downes

Normally, I would suggest adding IP addresses to the created (custom) firewall rule, in order to allow only the customers or admins to upload via FTP.

That can seem somewhat rigid, but in most cases only sysadmins use FTP (read: one should, as a form of "good practice", prevent customers from being able to upload anything to the server, since that could be a potential security risk. Any hacked account, or a customer wanting to do harm, can lead to an upload of malicious code).

In addition, you can do the following to increase security: go to "Tools & Settings > Security Policy (click) > Secure FTP > FTPS usage policy: Allow only secure FTPS connections (select)".

The latter action is actually required to FORCE ALL FTP connections to ACTUALLY use the passive ports: even though most modern FTP clients select secure TLS/SSL connections by default, older FTP clients do not necessarily do so (which implies that a hacker can make use of that).

You can now see why a set of allowed IP addresses in the (custom) firewall rule is more valuable, since any attempt to hack from another IP (other than the allowed ones) will not succeed.

Note that you should also consider doing something similar with the regular FTP firewall rule: only allow access for certain IP addresses.

In general, one can make the FTP system as secure as possible by using "allow only from IP" methods on both the regular FTP firewall rule and the (custom) firewall rule (passive ports).

Again, the rigidity of such settings may not be desirable, but it keeps out danger.

Hope the above helps....

Regards
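As an added example, not Plesk's, ProFTPD's or either poster's code, covering both the passive-port setup from the earlier post and the allow-only-from-IP advice above: a bash script that reads the PassivePorts range from a ProFTPD drop-in, checks that an iptables ruleset accepts exactly that range (a missing rule under a default-deny policy is what breaks passive transfers), and renders the source-restricted rules for port 21 and the data range. The file names, the admin addresses (taken from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) and the iptables-save lines are constructed samples; the Plesk Firewall extension writes its own rules, so the rendered output is the iptables shape of the rule described in the thread, not the extension's output.

```shell
#!/usr/bin/env bash
# Added example (not Plesk's, ProFTPD's or the posters' code): cross-check the
# ProFTPD PassivePorts range against what the firewall accepts, and render the
# iptables rules for "port 21 and the passive range only from known IPs".
# Inputs are constructed samples; on a real server they would be
# /etc/proftpd.d/passiveports.conf and the output of `iptables-save`.
set -u

# Print "MIN MAX" from the PassivePorts directive in a ProFTPD config file.
# Fails on a missing directive, a hyphenated "50000-50500" (ProFTPD expects
# two arguments), non-numeric values, or a range outside 1024-65535.
passive_range() {
    local conf="$1"
    set -- $(awk '$1 == "PassivePorts" { print $2, $3 }' "$conf")
    [ $# -eq 2 ] || { echo "PassivePorts: expected two arguments, got $#" >&2; return 1; }
    case "$1$2" in *[!0-9]*) echo "PassivePorts: non-numeric value" >&2; return 1 ;; esac
    { [ "$1" -ge 1024 ] && [ "$2" -le 65535 ] && [ "$1" -le "$2" ]; } \
        || { echo "PassivePorts: bad range $1-$2" >&2; return 1; }
    echo "$1 $2"
}

# Print "MIN MAX" for every INPUT rule in iptables-save output that ACCEPTs a
# tcp destination port range (--dport or multiport --dports).
firewall_accepted_ranges() {
    sed -n 's/^-A INPUT .*-p tcp .*--dports\{0,1\} \([0-9]*\):\([0-9]*\) .*-j ACCEPT$/\1 \2/p' "$1"
}

# Succeed only if the firewall accepts exactly the range ProFTPD hands out in
# PASV replies. Exact match is deliberate: a wider ACCEPT (e.g. 49152:65534)
# opens ports ProFTPD never uses, a narrower one breaks some transfers.
check_passive_consistency() {
    local want
    want=$(passive_range "$1") || return 1
    firewall_accepted_ranges "$2" | grep -qx "$want" \
        || { echo "firewall has no ACCEPT rule for passive range $want" >&2; return 1; }
}

# Render the iptables equivalent of the thread's advice: control port 21 and
# the passive data range accepted only from the listed source IPs, dropped for
# everyone else. The conntrack rule does not cover PASV data connections unless
# the ftp conntrack helper is loaded, which is why the range is opened explicitly.
render_ftp_rules() {
    local min="$1" max="$2" src
    shift 2
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for src in "$@"; do
        echo "-A INPUT -s $src -p tcp -m tcp --dport 21 -j ACCEPT"
        echo "-A INPUT -s $src -p tcp -m tcp --dport $min:$max -j ACCEPT"
    done
    echo "-A INPUT -p tcp -m tcp --dport 21 -j DROP"
    echo "-A INPUT -p tcp -m tcp --dport $min:$max -j DROP"
}

# Stand-alone demo on constructed files (run the script with --demo).
demo() {
    local tmp
    tmp=$(mktemp -d)
    printf 'PassivePorts 50000 50500\n' > "$tmp/passiveports.conf"
    printf 'PassivePorts 50000-50500\n' > "$tmp/hyphenated.conf"
    passive_range "$tmp/hyphenated.conf" || echo "(hyphenated form rejected, as ProFTPD would)"
    render_ftp_rules 50000 50500 203.0.113.10 198.51.100.7 | tee "$tmp/rules.v4"
    check_passive_consistency "$tmp/passiveports.conf" "$tmp/rules.v4" && echo "firewall and ProFTPD agree"
    rm -r "$tmp"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a live server, feed `check_passive_consistency` the real drop-in and a saved copy of `iptables-save` output; since the Plesk Firewall extension manages iptables itself, treat the rendered rules as a reference to compare its rules against rather than something to load alongside them.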
 