
Disable non-secure Plesk login port 8880

qpidity

New Pleskian
Hi,

One failure cited by a recent PCI compliance report was that of the Plesk non-https login at port 8880. I believe we can resolve this by adding a firewall rule to block access to this port but wanted to check first if this will have any negative consequences elsewhere. Or is there a better way to achieve PCI compliance on this point? Any help gratefully received.

Thanks in advance
 
I would never follow this advice and rather would question WHY this should be worth a complaint. I'm sure that they don't complain over an open http port 80, and in the case of a Plesk environment this is nothing more than an additional non-https port for Plesk, in order to ensure that in case of issues with certificates or any other SSL-related issue there is always the possibility to login over a non-https port into the Plesk Control Panel to solve that. If you secure this port with a fail2ban jail, set the security rules in Plesk at least to "medium" and check your auth and Panel logs periodically, such a complaint about that open port is absolute nonsense.

Apart from all that, it's pretty easy to block the whole port with "iptables -I INPUT -p tcp --dport 8880 -j DROP" if you insist that there should be no reason to allow a non-https login in case of issues/problems. Be aware that your customers/clients then won't be able at all to login to your Plesk Control Panel on the non-https port 8880 and only have the https port option on 8443.
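A small audit helper, added here and not from the thread or from Plesk: it walks `iptables -S INPUT` output top to bottom with netfilter's first-match semantics and reports what a new TCP connection to 8880 would hit. This shows why the command above uses `-I` (insert at the top) rather than `-A`: appended after an existing ACCEPT for 8880, the DROP would never fire. The sample ruleset is constructed; the selectors modelled are only `-p`, `--dport` and `--state`/`--ctstate`, anything else yields "UNDECIDED".

```python
import shlex

PLESK_HTTP_PORT = 8880
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def _matches_new_tcp(toks, port):
    """True/False if this `-A INPUT ...` rule matches a new TCP SYN to `port`; None if unmodelled."""
    i, hit = 2, True  # skip "-A INPUT"
    while i < len(toks):
        t = toks[i]
        if t == "-p":
            hit &= toks[i + 1] == "tcp"
        elif t == "--dport":
            hit &= toks[i + 1] == str(port)
        elif t in ("--state", "--ctstate"):  # a fresh SYN is only ever NEW
            hit &= "NEW" in toks[i + 1].split(",")
        elif t in ("-m", "-j", "--reject-with"):  # module names and targets carry no match of their own
            pass
        else:
            return None  # -i, -s, negations, other modules: not modelled here
        i += 2
    return hit

def port_verdict(iptables_s_output, port=PLESK_HTTP_PORT):
    """First matching INPUT rule decides, as in netfilter; otherwise the chain policy applies."""
    policy = "ACCEPT"
    for line in iptables_s_output.splitlines():
        toks = shlex.split(line)
        if toks[:2] == ["-P", "INPUT"]:
            policy = toks[2]
        elif toks[:2] == ["-A", "INPUT"]:
            hit = _matches_new_tcp(toks, port)
            if hit is None:
                return "UNDECIDED"
            if hit:
                target = toks[toks.index("-j") + 1] if "-j" in toks else None
                if target in TERMINAL:
                    return target
                if target not in (None, "LOG"):  # jump into a user chain: outcome unknown here
                    return "UNDECIDED"
    return policy

# Constructed `iptables -S INPUT` output after `iptables -I INPUT -p tcp --dport 8880 -j DROP`:
# -I placed the DROP first, so it wins over the (constructed) ACCEPT for 8880 further down.
AFTER_INSERT = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 8880 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8880 -j ACCEPT
"""
```

Feed it the live output of `iptables -S INPUT` on the host; a rule added by hand this way is also not persistent across a reboot unless saved (for example with `iptables-save`), so re-run the check after restarting.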
 
Thanks for the advice. What you say makes perfect sense, but since I am the only person who accesses the Plesk control panel, I think closing off that non-https login option really is a non-issue for us.
 

Sorry to reply to such an old post.
But really, there is a very good reason to close off port 8880 -> MITM / Sniffing attacks!

You don't EVER want to send these credentials over a plain text communications protocol like HTTP :S


The values are not encrypted in the browser via JS or anything like it:

Code:
login_name=foo&passwd=bar


If anything is wrong with HTTPS on Plesk, I would not log in to Plesk via HTTP to debug this, I would SSH into the server and read the logs / analyze the system and debug from there.
 