Resolved Firewall ports for updating

[Pleskie]

Thanks again for replying I appreciate it!

>> maxretry settings AND the scanning interval settings (which cannot be set via the Plesk Panel, as such a "design flaw")

I can set the maxretry for each individual jail and also the general scanning interval (which is indeed too short by default) both via the plesk panel gui. Maybe you have an older version?

>> There are no real "catches", at least none that you should worry about.

Allright, that's good.

>> However, you have to make sure that you tweak your Plesk instance a bit, for instance

I don't have to tweak SSH? This will still work as usual?

>> That is all, hope the above explains a bit.

Thanks. Under normal circumstances do I have to re-run this command once in a while, or do I run it right now (one time) and that's it?

By the way ... I assume this has nothing to do with the http protocol or anything? I won't be forced to only use https for my websites or something crazy like that?

 

[trialotto]

@Pleskie,

I am getting some RSI, but hey, it is all in the name of the game.

To respond to your questions, I will quote them and put my remarks below them.

I can set the maxretry for each individual jail and also the general scanning interval (which is indeed too short by default) both via the plesk panel gui. Maybe you have an older version?

No, not really.

Actually, Fail2Ban allows a lot more configuration, such as scanning intervals per jail. This cannot be set via the Plesk Panel, which is inconvenient.

I don't have to tweak SSH? This will still work as usual?

Yes. However, it depends on the SSH client. Just use Putty if you access your Linux machines from a Windows Desktop.

Thanks. Under normal circumstances do I have to re-run this command once in a while, or do I run it right now (one time) and that's it?

No, not "once in a while", only if you have made some changes in the setup of Plesk.

For example, when changing the mail server (QMail/Postfix) or even when running the http2_pref tool.

By the way ... I assume this has nothing to do with the http protocol or anything? I won't be forced to only use https for my websites or something crazy like that?

No, it is (briefly stated) hardening the so-called cipher suites for any TLS/SSL based connection.

Note that SSL connections are rare, given the SSL related vulnerabilities: the PCI compliant settings make sure that vulnerable SSL connections are not possible.

In short, as long as you did not configure connections of a specific type to explicitly use TLS/SSL based connections, the PCI compliant settings do not have an impact.

However, the whole idea behind a secure server is that you would like to have TLS/SSL based connections, for FTP, mail etc.

For that reason, the Plesk manuals also hint that PCI Compliant settings should be accompanied by a configuration that enforces TLS/SSL based connections for specific services.

The only exception is the "web service": HTTPS is not enforced and it is not hinted that you should do so.

Note that you have to take into account that we all have to comply to the HTTP/2 protocol sooner or later, which protocol essentially is a HTTPS based protocol. Another story!

Regards....

 

[Pleskie]

>> I am getting some RSI, but hey, it is all in the name of the game.

Oops ... sorry

>> This cannot be set via the Plesk Panel, which is inconvenient.

That's correct. I can only set the general interval, but not per jail.

It's all a bit new and technical to me ... but long story short ... if I want to strenghten/secure my server I just should run the pci_compliance_resolver command ... so then that's what I will do
Thanks for pointing me to this tool. Not sure if I would've found it myself.

 

[trialotto]

@Pleskie,

Just read this: http://docs.plesk.com/en-US/12.5/ad...ce/tune-plesk-to-meet-pci-dss-on-linux.65871/

If something does look strange in that manual, don´t be surprised, just ask.

Ciao!

 

[Pleskie]

Thanks. I executed the command. While executing it said 'WARNING:Ignoring unsuppored protocol' and at the end it said 'service courier-imap is not installed, skip modifying'.
Is that a problem?

Now I'm trying to 'Protecting information about files'.

In your link it says:

1 .Open for editing the Web server's configuration file.

• On Debian and Ubuntu, it is located at /etc/apache2/apache2.conf.
• On other distributions of Linux, it is located at /etc/httpd/conf/httpd.conf.
• Locate the line FileETag INode MTime Size and remove the INode keyword from this line.

I located the httpd.conf file, but there is no line 'FileETag INode MTime Size'. When I search the file it won't even find the word 'FileETag'. Am I doing something wrong here?

 

[trialotto]

@Pleskie

No, to first question and second question.

The manuals are sometimes a little bit odd, that is the nice way to put it. Just forget about the INode comments in the manual.

Ciao

 

[Pleskie]

Hello, thanks ... but is the INode thing a security risk? The manual says it's a security risk:

To alleviate security risks arising from disclosure of information about files and their properties by Apache Web server, configure the FileETag directive in the Web server configuration file.

I don't know what to do

EDIT:
I found out that this problem is not applicable to newer servers. Problem solved!