How To Install CSF Firewall on Plesk Servers
By default, and just like cPanel servers, Plesk does not come packaged with a firewall. A firewall is essential to keep your Plesk server secure. CSF is a free firewall that can be installed on your Plesk server as an alternative to the Plesk Firewall. With a little configuration, CSF will work as well as paid alternatives like the Juggernaut Security and Firewall extension.
Since cPanel increased the cost of licenses, more and more people have turned to Plesk and other control panels like DirectAdmin to keep costs down. Paying for extensions in your Plesk server can soon mean that the monthly cost of your subscription increases by a lot.
Install CSF on a Plesk Server
To install CSF on your Plesk server, download the files, unzip them and run the installer:
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
CSF is not configured automatically when installed on a Plesk server, as it is on a cPanel server, so we need to make some configuration changes. Open the configuration file and make the following changes.
nano /etc/csf/csf.conf
Edit the basic settings and ports section to allow the ports required by Plesk.
TESTING = "0"
RESTRICT_SYSLOG = "3"
# Allow incoming TCP ports
TCP_IN = "20,21,25,53,80,106,110,111,143,443,465,587,865,873,993,995,8443,8880"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,80,110,443,43,873,8443"
# Allow incoming UDP ports
UDP_IN = "53,111,123,230,631,859,862,2109,5353"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123,2109"
In the same file, set the correct email SMTP ports and users. You can use Ctrl+W to search for these sections.
LF_DAEMON = "1"
SMTP_BLOCK = "1"
SMTP_ALLOWLOCAL = "1"
SMTP_PORTS = "25,587"
SMTP_ALLOWUSER = "qmaild,qmaill,qmailp,qmailq,qmailr,qmails"
SMTP_ALLOWGROUP = "qmail,nofiles,mail,mailman"
Set Notification Settings
In the same file, use Ctrl+W to search for these settings and set the correct email addresses.
LF_ALERT_TO = "serverlog@pleskserver.uk"
LF_ALERT_FROM = "csf@pleskserver.uk"
Whitelist Plesk Users and Processes
In the /etc/csf/csf.pignore file, add the following entries so that lfd process tracking ignores the users and processes Plesk requires. Just append them to the bottom of the file.
nano /etc/csf/csf.pignore
user:admin
exe:/var/qmail/bin/qmail-smtpd
exe:/usr/bin/imapd
exe:/var/qmail/bin/qmail-queue
exe:/usr/bin/pop3d
exe:/var/qmail/bin/qmail-send
cmd:qmail-send
cmd:/usr/bin/pop3d Maildir
cmd:/var/qmail/bin/qmail-queue
cmd:/var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
cmd:/usr/bin/imapd Maildir
exe:/var/qmail/bin/qmail-rspawn
cmd:qmail-rspawn
exe:/var/qmail/bin/qmail-clean
cmd:qmail-clean
exe:/usr/sbin/clamd
cmd:clamd
exe:/var/qmail/bin/splogger
cmd:splogger qmail
exe:/var/qmail/bin/qmail-remote.moved
user:qmaill
user:popuser
user:qmaild
user:qmails
user:qmailr
user:qmailq
user:qscand
exe:/usr/sbin/avahi-daemon
user:avahi
exe:/usr/local/sbin/zabbix_agentd
cmd:/usr/local/sbin/zabbix_agentd
user:zabbix
exe:/usr/bin/sw-engine-cgi
cmd:/usr/bin/sw-engine-cgi
user:sso
exe:/usr/sbin/sw-cp-serverd
cmd:/usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config
user:sw-cp-server
exe:/usr/bin/sw-engine-cgi
cmd:/usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaadm
user:psaadm
exe:/usr/libexec/mysqld
cmd:/usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock
user:mysql
exe:/usr/libexec/hald-addon-acpi
exe:/usr/sbin/hald
cmd:hald
user:haldaemon
exe:/usr/bin/postgres
user:postgres
exe:/sbin/portmap
cmd:portmap
user:rpc
exe:/usr/bin/xfs
cmd:xfs -droppriv -daemon
user:xfs
exe:/usr/bin/python
cmd:/usr/bin/python
pexe: /usr/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
user:mailman
exe:/usr/java/jdk1.6.0_20/bin/java
user:tomcat
The list is extensive but we have tried to include all services even if you might not need them at the moment. This saves having to edit the CSF configuration at a later time. Now you are ready to start CSF.
systemctl enable csf
systemctl enable lfd
systemctl start csf
systemctl start lfd
You have now configured CSF and LFD to work with your Plesk server. You can control CSF from the command line.
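A pre-flight check for the settings above, as an added example that is not part of the original article or of CSF itself: it reads a csf.conf, flags typographic quotes and a TESTING value other than "0", and warns when TCP_IN omits the Plesk panel ports 8443 and 8880 or the SSH port. The function names and the default SSH port of 22 are assumptions; the TCP_IN list given in this article does not include port 22.

```shell
#!/bin/sh
# conf_get FILE KEY: print the value of KEY = "value" (last occurrence wins).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}
# port_in_list PORT LIST: succeed if PORT is covered by a CSF port list,
# including ranges written as low:high (e.g. "22,80,33434:33523").
port_in_list() {
    _ifs=$IFS; IFS=,
    set -- "$1" $2          # split LIST on commas into "$2".."$n"
    IFS=$_ifs
    _port=$1; shift
    for _item in "$@"; do
        case $_item in
            *:*) [ "$_port" -ge "${_item%%:*}" ] && [ "$_port" -le "${_item##*:}" ] && return 0 ;;
            "$_port") return 0 ;;
        esac
    done
    return 1
}
# check_csf_conf FILE [SSH_PORT]: print findings; exit status = problem count.
# SSH_PORT defaults to 22, which is an assumption about this server's sshd.
check_csf_conf() {
    _conf=$1; _ssh=${2:-22}; _n=0
    if grep -q -e '“' -e '”' "$_conf"; then
        echo "FAIL: curly quotes found; csf.conf values need straight quotes"
        _n=$((_n + 1))
    fi
    if [ "$(conf_get "$_conf" TESTING)" != "0" ]; then
        echo "FAIL: TESTING is not \"0\", so lfd will not start"
        _n=$((_n + 1))
    fi
    _tcp_in=$(conf_get "$_conf" TCP_IN)
    for _p in "$_ssh" 8443 8880; do   # SSH plus the Plesk panel ports
        port_in_list "$_p" "$_tcp_in" && continue
        echo "WARN: TCP_IN does not allow inbound port $_p"
        _n=$((_n + 1))
    done
    return "$_n"
}
# Constructed sample using the TESTING and TCP_IN values from the article.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TESTING = "0"
TCP_IN = "20,21,25,53,80,106,110,111,143,443,465,587,865,873,993,995,8443,8880"
EOF
check_csf_conf "$sample" 22 || echo "problems found: $?"
rm -f "$sample"
```

On the server, run check_csf_conf /etc/csf/csf.conf before systemctl start csf; a non-zero exit status is the number of findings.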