• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Action log discloses potentially sensitive information

Dmytro

Basic Pleskian
Server operating system version
Ubuntu 22.04.5 LTS
Plesk version and microupdate number
Plesk Obsidian 18.0.64
Hi. I'm not sure, but looks like it's not good practice to show for any user in it's Action log information about IP and Username used by provider to communicate with Plesk via API (WHMCS API user for exaple). What do you think?
Maybe we can use some blacklist/stop words to prevent to show some information in Action log?

CdLmrqS.jpeg
 
Hi,

Thanks for your question. Just to clarify, are you concerned about sensitive details like IP addresses or usernames being visible to end users in the Log Browser when providers (like WHMCS) use the API? If so, are you looking for a way to anonymize or hide specific parts of the log, such as certain IPs or usernames, for privacy reasons?

Just want to make sure I fully understand the scenario you're describing.
 
Yes, totally correct! I think it’s better to have some workaround to hide or anonymise api username and ip , in my case it’s whmcs
But it’s only one example of sensitive data , it would be great to have some blacklist what works like “grep -v someword”?
 
Thank you for your suggestion. To get a more accurate answer, I’ll tag the project lead of this extension to see if there’s an existing solution or a potential workaround for this. It might take a little time, but I’ll keep you posted once we have more information.

@AYamshanov – could you please provide some insight here?
 
I personally think this (all) is useful information, as it exactly shows what actions have performed for a subscription/domain. Granted, this data might not mean much to end-users. But filtering it feels like degradation of transparency.

Anyway, just in case you're interested, it's possible to completely hide the action log for end users by adding the following configuration to the panel.ini file.
Code:
[actionLog]
actionLogForEndUsers = false
 
Thank you for your thoughts and especially for the workaround. Unfortunately it looks like “all or nothing” for me.
Action log is really very useful and one of the reason of using it - is to have clear view on all activities within user account.
In other hand I can find many examples of information you are hiding from enduser or filtering in Plesk interface.
But anyway, in this particular case I can’t understand Why any enduser should know my Api username that have administrative privileges? To make it easier to brute force my server?
For me it’s not a transparency, it’s a security breach. IMHO
 
Hi everyone,

Thank you, Dmytro, for the feedback, and thank you, Maarten, for tagging me in this thread.

As an alternative to Kaspar's advice, you might disable NIS2 compliance if you do not need to follow the NIS2 directive requirements (for more information about the NIS2 directive, see NIS2 Directive Compliance). If I am not mistaken, it will disable logging API requests.
Code:
[actionLog]
nis2compliant = false

Also, it is possible to configure what exactly events should be saved to Plesk Action Logs ("Tools & Settings / Log Browser / Action Log / Settings"). When the `nis2compliant` option is disabled, it becomes possible to disable logging DNS changing events.
To increase security, you may configure only a specific set of IP addresses to manage Plesk via API (if it is applicable to your environment).

Unfortunately, there is no ability to mask or to find-and-replace records in the Plesk Action Logs. If this is still a feature you want to have in Plesk, I suggest creating a request in Plesk UserVoice and providing details about why it is important (like in the first post in the thread).
 
Back
Top