
Auto Lockout Missing in Plesk 9.x

md3vxx

Guest
It appears Auto Lockout (previously available under 'Server' > 'Sessions') is missing in Plesk 9.x. This means there is no way to configure auto lock out of the admin account in the event someone is brute forcing it.

Is there a solution for this issue?

Christopher.
 
To adjust session security parameters:

1. Go to Home > Session Idle Time.
2. Specify the required Session idle time in minutes in the appropriate field. Should a user session remain idle for the time period exceeding the one specified as the Session idle time, the control panel terminates this session.
3. Click OK.
 
Hello,

The "session timeout" feature is for timing out sessions, not protecting against brute force logins.

When the session timeout option is enabled and set to 30 minutes, an admin logs in, finishes work but forgets to log out, then the session expires and the admin is logged out after 30 minutes of inactivity.

The feature I am referring to automatically locks an account out after X invalid login attempts for a period of time.

See: http://knowledgelayer.softlayer.com/questions/41/Admin+account+locked+out+of+Plesk.

Regards,

Christopher.
 
Status

Does anyone have any ideas on this?

For a public-facing Plesk box, this means anyone can sit and brute force the 'admin' account all day with no response from the server.

Why is this feature missing in Plesk 9.2?

Christopher.
 
You can use "IP access restriction management" at least and deny access from the networks that are not specified.

Also you can disallow concurrent sessions for your administrative control panel:

1. On your Home page, click the Server group title. A drop-down menu opens. In this menu, select Server Settings.
2. Clear the Allow multiple sessions under administrator's login check box and click OK.
 
That's not a suitable solution for a public server with multiple customers accessing their Plesk management interface from dynamically assigned public IP blocks.

The question is, why did this feature disappear without notice?
 
We need this feature

I would also like to see Plesk Panel 9.x lock out the admin account after three failed attempts. Why was it deleted in 9.x and how can we get it back?
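
The lockout behaviour requested in this thread (lock an account after X invalid login attempts for a period of time), sketched as an added example that is not part of any post and is not Plesk code. The three-attempt threshold comes from the thread; the window and lockout durations, the class name and the sample events are assumptions made up for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 3        # "three failed attempts", as asked for in the thread
WINDOW_SECONDS = 300    # assumed: failures only count if within 5 minutes
LOCKOUT_SECONDS = 900   # assumed: a lock lasts 15 minutes


class LockoutTracker:
    """Hypothetical tracker: locks an account after repeated failed logins."""

    def __init__(self):
        self.failures = defaultdict(deque)  # account -> recent failure times
        self.locked_until = {}              # account -> time the lock expires

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record(self, account, success, now):
        """Process one login attempt; return 'ok', 'failed' or 'locked'."""
        if self.is_locked(account, now):
            return "locked"          # rejected even if the password is right
        recent = self.failures[account]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()         # forget failures older than the window
        if success:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            recent.clear()
            return "locked"
        return "failed"


# Constructed sample events: (time in seconds, account, password correct?)
SAMPLE_EVENTS = [
    (0, "admin", False),
    (10, "admin", False),
    (20, "admin", False),      # third failure: lock starts, expires at 920
    (30, "admin", True),       # correct password, still rejected
    (100, "customer1", False), # other accounts are tracked separately
    (930, "admin", True),      # lock has expired, login succeeds
]


def replay(events):
    """Run events through a fresh tracker and return each outcome."""
    tracker = LockoutTracker()
    return [tracker.record(acct, ok, t) for t, acct, ok in events]
```

Keying the counter on the account name alone means anyone who can reach the login page can keep 'admin' locked; keying on the pair of account and source address is a common variation.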
 