
Auto Lockout Missing in Plesk 9.x

Discussion in 'Plesk 9.x for Linux Issues, Fixes, How-To' started by md3vxx, Sep 4, 2010.

  1. md3vxx

    md3vxx Guest

    It appears Auto Lockout (previously available under 'Server' > 'Sessions') is missing in Plesk 9.x. This means there is no way to configure auto lock out of the admin account in the event someone is brute forcing it.

    Is there a solution for this issue?

    Christopher.
     
  2. IgorG

    IgorG Forums Analyst Staff Member

    To adjust session security parameters:

    1. Go to Home > Session Idle Time.
    2. Specify the required Session idle time in minutes in the appropriate field. Should a user session remain idle for the time period exceeding the one specified as the Session idle time, the control panel terminates this session.
    3. Click OK.
     
  3. md3vxx

    md3vxx Guest

    Hello,

    The "session timeout" feature is for timing out sessions, not protecting against brute force logins.

    When the session timeout option is enabled and set to 30 minutes, and an admin logs in, finishes work but forgets to log out, then the session expires and the admin is logged out after 30 minutes of inactivity.

    The feature I am referring to automatically locks an account out after X invalid login attempts for a period of time.

    See: http://knowledgelayer.softlayer.com/questions/41/Admin+account+locked+out+of+Plesk.

    Regards,

    Christopher.
     
  4. md3vxx

    md3vxx Guest

    Status

    Does anyone have any ideas on this?

    For a public facing Plesk box, this means anyone can sit and brute force the 'admin' account all day with no response from the server.

    Why is this feature missing in Plesk 9.2?

    Christopher.
     
  5. IgorG

    IgorG Forums Analyst Staff Member

    You can use "IP access restriction management" at least and deny access from the networks that are not specified.

    Also you can disallow concurrent sessions for your administrative control panel:

    1. On your Home page, click the Server group title. A drop-down menu opens. In this menu, select Server Settings.
    2. Clear the Allow multiple sessions under administrator's login check box and click OK.
     
  6. md3vxx

    md3vxx Guest

    That's not a suitable solution for a public server with multiple customers accessing their Plesk management interface from dynamically assigned public IP blocks.

    The question is, why did this feature disappear without notice?
     
  7. SteveBSI

    SteveBSI Guest

    We need this feature

    I would also like to see Plesk Panel 9.x lock out the admin account after three failed attempts. Why was it deleted in 9.x and how can we get it back?
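
The lockout behaviour requested in this thread (lock an account for a period of time after X invalid login attempts), sketched as an added example that is not part of the original thread and is not Plesk's own code. The class name `LoginLockout`, the thresholds (3 failures in 5 minutes, 15-minute lock) and the sample attempts are assumptions constructed for illustration:

```python
import time
from collections import defaultdict, deque

class LoginLockout:
    """Lock an account for lock_seconds after max_failures failed logins
    inside a sliding window (hypothetical policy, assumed thresholds)."""

    def __init__(self, max_failures=3, window_seconds=300, lock_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lock_seconds = lock_seconds
        self._failures = defaultdict(deque)  # account -> failure timestamps
        self._locked_until = {}              # account -> unlock timestamp

    def is_locked(self, account, now=None):
        now = time.time() if now is None else now
        until = self._locked_until.get(account)
        if until is not None and now >= until:
            # Lock period is over: forget the lock and the old failures.
            del self._locked_until[account]
            self._failures.pop(account, None)
            until = None
        return until is not None

    def record(self, account, password_ok, now=None):
        """Feed one login attempt; returns 'locked', 'ok' or 'failed'."""
        now = time.time() if now is None else now
        if self.is_locked(account, now):
            return "locked"  # refused even if the password is correct
        if password_ok:
            self._failures.pop(account, None)  # success resets the counter
            return "ok"
        recent = self._failures[account]
        recent.append(now)
        while now - recent[0] > self.window:   # drop failures outside window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lock_seconds
        return "failed"

# Constructed sample attempts: (time in seconds, account, password_ok)
SAMPLE_ATTEMPTS = [
    (0, "admin", False), (10, "admin", False), (20, "admin", False),
    (30, "admin", True),    # correct password, but the lock runs until 920
    (1000, "admin", True),  # lock has expired, login succeeds
]

def replay(attempts, policy=None):
    policy = LoginLockout() if policy is None else policy
    return [policy.record(acct, ok, now=t) for t, acct, ok in attempts]
```
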
     