• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Question Action log discloses potentially sensitive information

Dmytro

Dmytro

Basic Pleskian
Server operating system version
Ubuntu 22.04.5 LTS
Plesk version and microupdate number
Plesk Obsidian 18.0.64
Hi. I'm not sure, but looks like it's not good practice to show for any user in it's Action log information about IP and Username used by provider to communicate with Plesk via API (WHMCS API user for exaple). What do you think?
Maybe we can use some blacklist/stop words to prevent to show some information in Action log?

CdLmrqS.jpeg
 
Hi,

Thanks for your question. Just to clarify, are you concerned about sensitive details like IP addresses or usernames being visible to end users in the Log Browser when providers (like WHMCS) use the API? If so, are you looking for a way to anonymize or hide specific parts of the log, such as certain IPs or usernames, for privacy reasons?

Just want to make sure I fully understand the scenario you're describing.
 
Yes, totally correct! I think it’s better to have some workaround to hide or anonymise api username and ip , in my case it’s whmcs
But it’s only one example of sensitive data , it would be great to have some blacklist what works like “grep -v someword”?
 
Thank you for your suggestion. To get a more accurate answer, I’ll tag the project lead of this extension to see if there’s an existing solution or a potential workaround for this. It might take a little time, but I’ll keep you posted once we have more information.

@AYamshanov – could you please provide some insight here?
 
I personally think this (all) is useful information, as it exactly shows what actions have performed for a subscription/domain. Granted, this data might not mean much to end-users. But filtering it feels like degradation of transparency.

Anyway, just in case you're interested, it's possible to completely hide the action log for end users by adding the following configuration to the panel.ini file.
Code: 
[actionLog]
actionLogForEndUsers = false
 
Thank you for your thoughts and especially for the workaround. Unfortunately it looks like “all or nothing” for me.
Action log is really very useful and one of the reason of using it - is to have clear view on all activities within user account.
In other hand I can find many examples of information you are hiding from enduser or filtering in Plesk interface.
But anyway, in this particular case I can’t understand Why any enduser should know my Api username that have administrative privileges? To make it easier to brute force my server?
For me it’s not a transparency, it’s a security breach. IMHO
 
Hi everyone,

Thank you, Dmytro, for the feedback, and thank you, Maarten, for tagging me in this thread.

As an alternative to Kaspar's advice, you might disable NIS2 compliance if you do not need to follow the NIS2 directive requirements (for more information about the NIS2 directive, see NIS2 Directive Compliance). If I am not mistaken, it will disable logging API requests.
Code: 
[actionLog]
nis2compliant = false

Also, it is possible to configure what exactly events should be saved to Plesk Action Logs ("Tools & Settings / Log Browser / Action Log / Settings"). When the `nis2compliant` option is disabled, it becomes possible to disable logging DNS changing events.
To increase security, you may configure only a specific set of IP addresses to manage Plesk via API (if it is applicable to your environment).

Unfortunately, there is no ability to mask or to find-and-replace records in the Plesk Action Logs. If this is still a feature you want to have in Plesk, I suggest creating a request in Plesk UserVoice and providing details about why it is important (like in the first post in the thread).
 
You must log in or register to reply here.

Similar threads

QWeb Ric
Issue Track email delivery -> Action log showing "Domain's disk space limit reached"
Replies
1
Views
685
QWeb Ric
QWeb Ric
K
Resolved Plesk Panel Log and Cloudflare - log doesn't show Real IP
Replies
7
Views
4K
Katog Choling
K
P
Forwarded to devs Event 'CP User Login' triggered despite invalid additional authentication step (MFA)
Replies
2
Views
1K
Kaspar@Plesk
Kaspar@Plesk
P
Question Connecting a second domain
Replies
2
Views
1K
pleskatarian
P
B
Issue High latency, unreliable performance & 522 errors on a Plesk server that ran fine for 6+ months
Replies
8
Views
2K
HHawk
HHawk
Back
Top