• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Question AlmaLinux 9 - Hardening SSH Server breaks Plesk

M

marekp

New Pleskian
Server operating system version
AlmaLinux 9
Plesk version and microupdate number
18.0.66 Update #2
Hi to all,
I tried to harden the OpenSSH server. A first attempt was made with
Code: 
sudo update-crypto-policies --set FUTURE
but this breaks Plesk with
Code: 
Certificate signature verification failed; error info: error:03000098:digital envelope routines::invalid digest error:06880006:asn1 encoding routines::EVP lib (Error code: 2)
reverting to
Code: 
sudo update-crypto-policies --set DEFAULT:SHA1
works.

Is this an Plesk Issue or an AlmaLinux 9 Issue?
 
You shouldn't be using the future set since that's meant for testing and what not to begin with (you can read more over at Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms - Red Hat Customer Portal). Even more so since Plesk would only release things based off of current requirements.

Ideally the best way to harden SSH is to ensure the following:
  • Enable Certificate Based Authentication
  • Disable Password Authentication
  • Disable Empty Passwords
  • Disable Root Login
  • Change Default SSH Port
  • Only Allow Selected Users and/or Groups
  • Disable X11 Forwarding
Generally speaking as long as you've done those you should be pretty good in terms of hardening your SSH. Although I'd probably take it a step further by not opening the SSH port to the public to begin with regardless of it being on a new port or not and instead use a zero trust solution like tailscale or set up an instance of teleport to get access to the the server that way.
 
Hi, I had already adjusted sshd accordingly. However, an ssh audit shows that insecure encryption algorithms are still allowed:
“(kex) diffie-hellman-group-exchange-sha1 (3072-bit) -- [fail] using broken SHA-1 hash algorithm”
“(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm”

But I assume that Plesk still needs SHA1
 
You must log in or register to reply here.

Similar threads

J
Issue Almalinux 9 Plesk Obsidian license issue
Replies
9
Views
2K
enduser
E
A
Question Upgrade Almalinux 8 to 9 with Plesk installed
Replies
6
Views
4K
Sebahat.hadzhi
Sebahat.hadzhi
E
Resolved Almalinux 9 Plesk Obsidian license issue
Replies
4
Views
2K
Peter Debik
P
M
Issue trying to upgrade plesk almalinux 8.7
Replies
1
Views
2K
Peter Debik
P
Zalvatore Dela
Issue Outlook and Gmail block my clients emails! DKIM too long
Replies
8
Views
5K
Zalvatore Dela
Zalvatore Dela
Back
Top