
Auto Lockout Missing in Plesk 9.x

md3vxx

Guest
It appears Auto Lockout (previously available under 'Server' > 'Sessions') is missing in Plesk 9.x. This means there is no way to configure auto lock out of the admin account in the event someone is brute forcing it.

Is there a solution for this issue?

Christopher.
 
To adjust session security parameters:

1. Go to Home > Session Idle Time.
2. Specify the required Session idle time in minutes in the appropriate field. Should a user session remain idle for the time period exceeding the one specified as the Session idle time, the control panel terminates this session.
3. Click OK.
 
Hello,

The "session timeout" feature is for timing out sessions, not protecting against brute force logins.

When the session timeout option is enabled and set to 30 minutes, and an admin logs in, finishes work but forgets to log out, then the session expires and the admin is logged out after 30 minutes of inactivity.

The feature I am referring to automatically locks an account out after X invalid login attempts for a period of time.

See: http://knowledgelayer.softlayer.com/questions/41/Admin+account+locked+out+of+Plesk.

Regards,

Christopher.
 
Status

Does anyone have any ideas on this?

For a public facing Plesk box, this means anyone can sit and brute force the 'admin' account all day with no response from the server.

Why is this feature missing in Plesk 9.2?

Christopher.
 
You can use "IP access restriction management" at least and deny access from the networks that are not specified.

Also you can disallow concurrent sessions for your administrative control panel:

1. On your Home page, click the Server group title. A drop-down menu opens. In this menu, select Server Settings.
2. Clear the Allow multiple sessions under administrator's login check box and click OK.
 
That's not a suitable solution for a public server with multiple customers accessing their Plesk management interface from dynamically assigned public IP blocks.

The question is, why did this feature disappear without notice?
 
We need this feature

I would also like to see Plesk Panel 9.x lock out the admin account after three failed attempts. Why was it deleted in 9.x and how can we get it back?
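
The lockout behaviour requested in this thread (lock an account for a period of time after X invalid login attempts, three in the post above), sketched as an added example that is not part of any post and is not Plesk code. The class name, the 5-minute counting window, the 15-minute lock and the sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque

class LockoutTracker:
    """Lock an account for lock_seconds after max_failures failed logins
    inside window_seconds. All names and defaults here are hypothetical."""

    def __init__(self, max_failures=3, window_seconds=300, lock_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lock_seconds = lock_seconds
        self._failures = defaultdict(deque)  # account -> recent failure times
        self._locked_until = {}              # account -> time the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is not None and now >= until:
            # Lock has expired: forget it and start counting from zero.
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return until is not None

    def record_attempt(self, account, success, now):
        """Return 'ok', 'failed' or 'locked' for one login attempt."""
        if self.is_locked(account, now):
            return "locked"  # a correct password is refused while locked
        recent = self._failures[account]
        if success:
            recent.clear()
            return "ok"
        recent.append(now)
        # Drop failures that fell out of the counting window.
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lock_seconds
            return "locked"
        return "failed"

# Constructed sample events: (seconds, account, password_correct)
SAMPLE_EVENTS = [
    (0, "admin", False), (10, "admin", False), (20, "admin", False),
    (30, "admin", True),   # correct password, but the lock is active
    (950, "admin", True),  # lock expired at t=920
]

def replay(events, tracker=None):
    tracker = tracker or LockoutTracker()
    return [tracker.record_attempt(acct, ok, t) for t, acct, ok in events]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

Unlike the session idle time setting, this counts failed authentications rather than inactivity, so a guessing run against `admin` stops being answered after the third miss.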
 