For security reasons, you can specify access settings for database users, in order to allow or deny remote connections to a database. Remote connections can be allowed from certain IP addresses. For example, if a script running on a remote host accesses a Plesk database by using the credentials of a certain database user, then you can restrict the access of this user to the IP address of that remote host.
Depending on the database server type, Plesk employs different tools for access control:
- Access control lists. For MySQL database users, the access control is handled by the native security mechanism - MySQL access control lists (ACL). Custom rules are added to ACL. If the Plesk firewall is running, then it must allow incoming connections to MySQL. Otherwise, settings for remote connections in ACL will not work.
- Firewall rules. For other database users (PostgreSQL and SQL Server users), remote access is handled by the Plesk firewall. Custom rules are added to the Plesk firewall rules. If the Plesk firewall extension is not installed and the firewall rules management is not switched on, the corresponding options are not displayed in the Plesk UI.
Note: Plesk adds new rules to the firewall only with your approval. Each time a subscriber sets up a custom access control rule, Plesk notifies you about this and prompts you to accept or reject the changes.
The access control options are available at Websites & Domains > Databases when you add or edit a database or a database user. When a customer, a subscription, or a database user is removed, all associated firewall rules are removed too.
Enabling Customers to Set Up Custom Rules
To enable subscribers to customize access to their databases:
- Switch on the permission Remote access for database users in the subscription settings (Subscriptions > click the subscription > Customize).
- Install the Plesk firewall and switch on rules management in Tools & Settings > Security group > Firewall (applicable to PostgreSQL and SQL Server users only).
- Make sure that Microsoft SQL Server is configured to use dynamic ports for remote connections (applicable to SQL Server users only).
Confirming Custom Firewall Rules
After a user has specified custom rules, the Plesk administrator receives the following notification displayed on the Home page of the Server Administration Panel: Remote access rules for database users were modified and are waiting for your approval. Please go to Firewall Settings to review and confirm the rules.
After reviewing the rules, you should decide whether to confirm the addition of the custom rules to the set of system firewall rules. Use Apply Changes or Discard Changes buttons on the Plesk for Linux firewall rules page for not applied configurations (Firewall > Modify Plesk Firewall Rules).