Resolved Firewall ports for updating

Thanks again for replying :) I appreciate it!

>> maxretry settings AND the scanning interval settings (which cannot be set via the Plesk Panel, as such a "design flaw")

I can set the maxretry for each individual jail and also the general scanning interval (which is indeed too short by default) both via the plesk panel gui. Maybe you have an older version?

>> There are no real "catches", at least none that you should worry about.

Alright, that's good.

>> However, you have to make sure that you tweak your Plesk instance a bit, for instance

I don't have to tweak SSH? This will still work as usual?

>> That is all, hope the above explains a bit.

Thanks. Under normal circumstances do I have to re-run this command once in a while, or do I run it right now (one time) and that's it?

By the way ... I assume this has nothing to do with the http protocol or anything? I won't be forced to only use https for my websites or something crazy like that? :)
 
@Pleskie,

I am getting some RSI, but hey, it is all in the name of the game.

To respond to your questions, I will quote them and put my remarks below them.

>> I can set the maxretry for each individual jail and also the general scanning interval (which is indeed too short by default) both via the plesk panel gui. Maybe you have an older version?

No, not really.

Actually, Fail2Ban allows a lot more configuration, such as scanning intervals per jail. This cannot be set via the Plesk Panel, which is inconvenient.

>> I don't have to tweak SSH? This will still work as usual?

Yes. However, it depends on the SSH client. Just use PuTTY if you access your Linux machines from a Windows Desktop.

>> Thanks. Under normal circumstances do I have to re-run this command once in a while, or do I run it right now (one time) and that's it?

No, not "once in a while", only if you have made some changes in the setup of Plesk.

For example, when changing the mail server (QMail/Postfix) or even when running the http2_pref tool.

>> By the way ... I assume this has nothing to do with the http protocol or anything? I won't be forced to only use https for my websites or something crazy like that?

No, it is (briefly stated) hardening the so-called cipher suites for any TLS/SSL based connection.

Note that SSL connections are rare, given the SSL related vulnerabilities: the PCI compliant settings make sure that vulnerable SSL connections are not possible.

In short, as long as you did not configure connections of a specific type to explicitly use TLS/SSL based connections, the PCI compliant settings do not have an impact.

However, the whole idea behind a secure server is that you would like to have TLS/SSL based connections, for FTP, mail etc.

For that reason, the Plesk manuals also hint that PCI Compliant settings should be accompanied by a configuration that enforces TLS/SSL based connections for specific services.

The only exception is the "web service": HTTPS is not enforced and it is not hinted that you should do so.

Note that you have to take into account that we all have to comply with the HTTP/2 protocol sooner or later, a protocol that is essentially HTTPS-based. Another story!

Regards....
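As an added check (not from the thread, not part of Plesk's pci_compliance_resolver), this script probes which protocol versions a service still accepts after hardening, and flags anything older than TLS 1.2. It assumes openssl is on the path (OpenSSL 1.1.1 or newer for the -tls1_3 option; -ssl3 is compiled out of most builds and then simply reports as refused) and uses placeholder host names.

```shell
#!/bin/sh
# Added example: verify that a TLS endpoint refuses legacy SSL/TLS versions.
# Not from the forum thread or from Plesk; host/port values below are placeholders.

# Try each protocol version against host:port with openssl s_client.
# Prints one "<version> accepted|refused" line per version.
probe_tls_versions() {
  host=$1
  port=${2:-443}
  for ver in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
    # 'Q' on stdin tells s_client to close the session once the handshake is done.
    # A build without -ssl3 support exits non-zero on the unknown option,
    # which is reported as "refused" (correct in practice, but keep it in mind).
    if printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" -"$ver" >/dev/null 2>&1; then
      echo "$ver accepted"
    else
      echo "$ver refused"
    fi
  done
}

# Evaluate a probe report (the output of probe_tls_versions, passed as one string).
# Prints "pass" when only TLS 1.2/1.3 are accepted, else "fail: <legacy versions>".
evaluate_report() {
  legacy=$(printf '%s\n' "$1" | awk '$2=="accepted" && $1!="tls1_2" && $1!="tls1_3" {print $1}' | tr '\n' ' ')
  legacy=${legacy% }
  if [ -z "$legacy" ]; then
    echo pass
    return 0
  fi
  echo "fail: $legacy"
  return 1
}

# Usage (only when a host is given on the command line):
#   sh tlscheck.sh www.example.com 443
#   sh tlscheck.sh mail.example.com 465
if [ "$#" -gt 0 ]; then
  evaluate_report "$(probe_tls_versions "$1" "${2:-443}")"
fi
```

For services that upgrade a plaintext connection (SMTP on 25/587, IMAP on 143, POP3 on 110), add the matching `-starttls smtp|imap|pop3` option to the s_client call; the evaluation logic stays the same.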
 
>> I am getting some RSI, but hey, it is all in the name of the game.

Oops ... sorry :oops:;)

>> This cannot be set via the Plesk Panel, which is inconvenient.

That's correct. I can only set the general interval, but not per jail.

It's all a bit new and technical to me ... but long story short ... if I want to strengthen/secure my server I should just run the pci_compliance_resolver command ... so then that's what I will do :)
Thanks for pointing me to this tool. Not sure if I would've found it myself.
 
Thanks. I executed the command. While executing it said 'WARNING:Ignoring unsuppored protocol' and at the end it said 'service courier-imap is not installed, skip modifying'.
Is that a problem?

Now I'm trying to 'Protecting information about files'.

In your link it says:

1. Open for editing the Web server's configuration file.
  • On Debian and Ubuntu, it is located at /etc/apache2/apache2.conf.
  • On other distributions of Linux, it is located at /etc/httpd/conf/httpd.conf.
  • Locate the line FileETag INode MTime Size and remove the INode keyword from this line.
I located the httpd.conf file, but there is no line 'FileETag INode MTime Size'. When I search the file it won't even find the word 'FileETag'. Am I doing something wrong here?
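Added example (not from the thread or the Plesk manual): a quick way to tell from the outside whether a server's ETag still carries the inode. Apache joins the components named in FileETag with "-" in hex, so "FileETag INode MTime Size" produces a three-field value ("inode-size-mtime") while "FileETag MTime Size", the default since Apache 2.4, produces two fields. The script assumes curl is installed; the URL is a placeholder.

```shell
#!/bin/sh
# Added example: detect inode disclosure in an Apache ETag header.
# Not from the forum thread; sample ETag values below are constructed.
#
#   FileETag INode MTime Size   -> ETag: "1f2b-3c-5a8b3c4d"   (inode-size-mtime, leaks the inode)
#   FileETag MTime Size         -> ETag: "3c-5a8b3c4d"        (size-mtime, Apache 2.4 default)

# Classify one ETag value.
# Prints "inode-leak" (returns 1), "ok" (returns 0) or "unknown" (returns 2).
classify_etag() {
  etag=$1
  etag=${etag#W/}      # drop weak-validator prefix
  etag=${etag#\"}      # drop surrounding quotes
  etag=${etag%\"}
  # Anything that is not a dash-separated hex value is not an Apache-style ETag.
  case "$etag" in
    *[!0-9a-fA-F-]*) echo unknown; return 2 ;;
  esac
  fields=$(printf '%s' "$etag" | awk -F- '{print NF}')
  fields=${fields:-0}
  if [ "$fields" -ge 3 ]; then
    echo inode-leak
    return 1
  elif [ "$fields" -eq 2 ]; then
    echo ok
    return 0
  fi
  echo unknown
  return 2
}

# Fetch the ETag header of a URL (HEAD request), without the trailing CR.
fetch_etag() {
  curl -sI "$1" | awk 'tolower($1)=="etag:" {print $2}' | tr -d '\r'
}

# Usage (only when a URL is given on the command line):
#   sh etagcheck.sh https://www.example.com/robots.txt
if [ "$#" -gt 0 ]; then
  value=$(fetch_etag "$1")
  echo "ETag: ${value:-<none>} -> $(classify_etag "$value")"
fi
```

A two-field ETag from nginx (mtime-size, also hex) classifies as "ok" here, which is correct: it discloses no inode either. If the header is absent, the file is served without a strong validator, which is not a disclosure problem.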
 
@Pleskie

No to the first question and to the second question.

The manuals are sometimes a little bit odd, that is the nice way to put it. Just forget about the INode comments in the manual.

Ciao
 
Hello, thanks ... but is the INode thing a security risk? The manual says it's a security risk:

To alleviate security risks arising from disclosure of information about files and their properties by Apache Web server, configure the FileETag directive in the Web server configuration file.
I don't know what to do :eek::confused::(

EDIT:
I found out that this problem is not applicable to newer servers. Problem solved!
 