• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Refined question on how to force all traffic through Cloudflare

David Jimenez

David Jimenez

Basic Pleskian
I asked a previous question regarding turning on a firewall in Plesk, which I have since done; however, I get an error message when I try to apply the rule change to the firewall. So, I am hoping that someone here can give me some guidance on what I am doing wrong.

Background: since we started aggressively publishing information from our aerospace and defense team, we have been hit regularly by hackers from the Ukraine and China. To combat this, we added Cloudflare between the Internet and our web server (email server is a separate box). That worked very well with a few page rules and some captchas. The problem is that only inquiries using nameservers go through Cloudflare.

So, the Chinese are now wise to that and are hitting us by using our origin IP address directly. So, it was suggested by Cloudflare that we turn on the Plesk firewall and only accept traffic from the Cloudflare IP addresses.

My approach was to select the WWW Server option in the firewall and then change the settings from Allow Incoming from All to Allow from selected sources, deny from others. I then entered all the IP addresses used by Cloudflare and hit OK, then hit Apply Changes and then Activate.

Unfortunately, when I do that, I get the following warning: Warning: The current configuration has not been activated. The system has been reverted to the previous configuration. This has occured because there were connection problems between your browser and the server. Most probably, the reason is that you have arranged the configuration so that connections from your computer to the server are prohibited.

So, I clearly am doing something wrong. I have administrative privileges, so that can't be the issue. Thoughts?
 
Hi David Jimenez,

at your modification process, did you include as well YOUR current computer IP?
David Jimenez said:
Most probably, the reason is that you have arranged the configuration so that connections from your computer to the server are prohibited.
Click to expand...
If you deny traffic from your own current computer IP in the desired upcoming iptables, you will immidiately stop all traffic between your computer IP and the server and the current process of you modification could never be confirmed ( and as a result being saved! ), because you locked yourself out to comminucate with your server's IP.

But as stated before in your other thread ( I still wondern why you opened a NEW thread with the very same issue ), your modification will result in issues/errors/problems on your server. I still recommend to use Fail2Ban ( maybe with some additional filter - modifications but at least with the "recidive" - jail activated! ), in order to avoid these upcoming issues/errors/problems, reducing the traffic through Cloudflare - IPs only. ;)
 
Yes, my IP address is in the list. I just didn't include it in the post so as to protect my security. I understand you point, but it was my impression that using a simple firewall rule would work fine or should in theory. If you are saying that I cannot accomplish my goal with firewall, then I will move on to Fail2Ban. I did read about it and it sounded like overkill, but if that is the only (or best) solution, I will go that way. Thanks
 
Hi David Jimenez,

David Jimenez said:
Is there a way to force all traffic (domain name and IP address) through Cloudflare?
Click to expand...
I don't know any way to achieve your goal, without issues/errors and problems.


If you desire to do that on your very own risk, just connect as user "root" over SSH and insert the desired rules manually to your iptables, but be aware, that you will get disconnected as soon as you put in rules, which deny your current connection between your computer and your server. ;)
 
Just wanted to raise a point of warning. If you are on a Network Solutions VPS, as I am, you may have issues with running both Plesk Firewall and Fail2Ban. The numiptent is set at 128 and they will not increase this value. So, you run out of that resource very quickly. We had to ditch the firewall and Fail2Ban in order to setup iptables.
 
You must log in or register to reply here.

Similar threads

B
Issue High latency, unreliable performance & 522 errors on a Plesk server that ran fine for 6+ months
Replies
1
Views
178
Sebahat.hadzhi
Sebahat.hadzhi
P
Issue Certificate problem in Plesk
Replies
5
Views
345
Raul A.
R
M
Question Issues after migrating Prestashop to a new server - getting 302 sometimes
Replies
1
Views
8K
Sebahat.hadzhi
Sebahat.hadzhi
I
Question Configuring Plesk with a Reverse Proxy and Cloudflare
Replies
1
Views
3K
kriteodoro
K
Pascal_Netenvie
Issue Cloudflare and Firewall rules
Replies
3
Views
1K
Pascal_Netenvie
Pascal_Netenvie
Back
Top