• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Admin Password & Root User Confusion

Catia

Basic Pleskian
I have a vps using ubuntu 16.04 and Plesk Onyx 17.0.17 - the vps came with Plesk installed, and the password I got from the provider (1&1) works both for logging into Plesk as Admin and for root access through SSH. It does NOT work for logging into SSH as admin. I'm a little confused by this setup and I'm not sure if this is a Plesk thing, or a function of how the provider set it up.

Shouldn't root logins be disabled by default in Ubuntu? I'm thinking I should set up a super user and disable root logins before I go live with this server, but I don't want to accidentally lock myself out of Plesk. Is the Plesk admin user also a linux system user named admin? Is the Plesk Admin user actually the root user?

Wondering if anyone can shed some light on this for me and/or give me some guidelines for best practices in terms of security going forward. Thanks!
 
Hi Catia,

I'm a little confused by this setup and I'm not sure if this is a Plesk thing, or a function of how the provider set it up.
The setup has been choosen by your provider and it should help you to administrate the server.

Shouldn't root logins be disabled by default in Ubuntu? I'm thinking I should set up a super user and disable root logins before I go live with this server, but I don't want to accidentally lock myself out of Plesk. Is the Plesk admin user also a linux system user named admin? Is the Plesk Admin user actually the root user?
Yes, most people ( especially linux "gurus" ), tell you, that disabling "root" for SSH should be essential and the "correct" way.
Plesk sometimes has to use "root" - priviliges on your server - you might call root = admin, when you use Plesk, but the Plesk - user admin is not a linux system user ( check that for example at "/etc/passwd" ). For the database management, Plesk replaces root with admin.

Conclusion and own opinion:
Using Fail2Ban on your server and a decent password ( at least 8 positions, large and lower letters, special characters and numbers included ) is really sufficient to secure your server. Even that it "might be a little bit more secure", to deny SSH - access for the system - user "root", you shouldn't make your server management more complicated than it is. It is as well "more secure" to stay at home, instead of leaving it, but I doubt, that such a suggestions will keep you from doing it. ;) )
 
Thanks so much for your suggestions!

I'm not familiar with Fail2Ban - is this installed & configured through Plesk or is it a completely separate program?

So, I'm content to leave the root user setup as is - but do you think it would be prudent to change the password from the default one they assigned to me (which is plenty long and complicated)? If I did opt to change the password, would I need to change that password separately for the Plesk admin user & root system user? And would those passwords need to be the same for Plesk to work properly?

Thanks again for your help!
 
Hi Catia,

I know that a lot of people hate to read documentations, but from my point of view, reading them will mostly explain standarts and initial questions. Pls. consider to read:


... and IF you still have questions, pls. don't hesitate to ask them. ;)


...
but do you think it would be prudent to change the password from the default one they assigned to me (which is plenty long and complicated)?
No.
If the password already meets the above suggestions, there is no need to change it.

If I did opt to change the password, would I need to change that password separately for the Plesk admin user & root system user?

And would those passwords need to be the same for Plesk to work properly?
1.) Yes.
2.) No.
 
Ha! You mean there's actual documentation? Didn't realize that. In other words... RTFM! ;-) Thanks for the link.
 
OK, so the documentation says I should go to Tools & Settings > IP Address Banning (Fail2Ban) (in the Security group) to adjust these settings, but I don't seem to have any option like that in the security group. I've got the following:
Security Policy
SSL/TLS Certificates
Restrict Creation of Subzones
Additional Administrator Accounts
Active Plesk Sessions
Active FTP Sessions
Session Idle Time
Restrict Administrative Access
Prohibited Domain Names

Perhaps I don't have Fail2Ban installed?
 
>> Perhaps I don't have Fail2Ban installed?

It seems like you don't.

Tools & Settings -> Updates and Upgrades -> Add/Remove components

Fail2Ban should be in that list. You can install it from there.

I would also recommend to install the Plesk Firewall. You can find it at 'Plesk extensions' in that same list.
 
Back
Top