1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

hardening plesk server

Discussion in 'Plesk for Linux - 8.x and Older' started by thewolf, May 26, 2006.

  1. thewolf

    thewolf Regular Pleskian

    25
    57%
    Joined:
    Mar 11, 2004
    Messages:
    231
    Likes Received:
    0
    Hi,

    I'm running Plesk 8.0.0 on Red Hat Enterprise Linux 4 for a client who is very concerned about security.

    Is there any good resource to harden a Plesk server?

    Do you have any suggestion?

    Quick question: since the Plesk server is only for serving web sites, I'd like to shut down the unnecessary services: qmail, named, etc.

    I can stop them manually (service qmail stop, etc.), but each time I restart Plesk, it will bring up all services: named, etc.

    Any idea?

    Thanks.
     
  2. faris

    faris Guest

    0
     
    The first thing to do is subscribe to the Atomic Secure Linux channel. Go to www.atomicrocketturtle.com for mroe info. Basically for a very modest annual subscription you get access to pre-compiled kernels that have the grsec patch installed. This is very highly recomended.

    Secondly, go to www.gotroot.com and read the instructions for installing mod_security and using the rules published on that site. This is a "must do".

    The psa startup script does start named, qmail, mysql and others. I think you should be able to modify the startup script, but the simplest thing would be to just do as you say - "service qmail stop" type thing for each thing you don't want running.

    Faris.
     
  3. thewolf

    thewolf Regular Pleskian

    25
    57%
    Joined:
    Mar 11, 2004
    Messages:
    231
    Likes Received:
    0
    How does the grsecurity patch compare to SELinux, supported by RHEL4 with the stock kernel?

    Does mod_security impact performances?

    Stopping qmail/named manually is what I'm currently doing, but each time I restart Plesk or reboot the server, they come back online.
    Where should I look to modify the Plesk script to have it not start them?

    Thanks.
     
  4. faris

    faris Guest

    0
     
    SELinux and the grsec patch are similar. I don't know enough about the specifics to be able to comment with any authority.

    mod_security will consume a lot of resources (lots of memory and plenty of CPU) if you use all the rules, but you can use a smaller subset if you like.

    startup scripts are in /etc/rc.d/init.d I think. See what's there anyway.

    You can also use the ntsysv command (or the more complex checkcfg command) to control what starts up when you boot.

    Faris.
     
  5. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    Ive got both SELinux and GRSEC in the ASL kernel. SELinux is more useful as a permissions level enforcement system you'd use to mark up data in Classified environments than an effective server hardening strategy (known as data-labeling). Its also incredibly escoteric, and is where GRSEC was about 10 years ago in terms of making it useful. Try making rules for it sometime!

    GRSEC on the other hand is focused on protecting the stack from buffer overflows (ie exploits in the service, apache, named, php, etc), and enforcing process level ACL's (protecting the system from exploits in applications, like phpBB, formmail, etc)

    For mod_security, we run the full ruleset, over 20,000 rules, on the ART/Gotroot server. The performance impact on that system is negligable, however, we do have 1.5G of ram on the box. If you're running on a Celeron with 512m I reckon you might run into issues.
     
  6. spacedive

    spacedive Guest

    0
     
    both sites, gotroot and atomickrocketturtle
    are down..!
     
  7. lvalics

    lvalics Silver Pleskian Plesk Guru

    36
    43%
    Joined:
    Jun 20, 2003
    Messages:
    963
    Likes Received:
    32
    Location:
    Romania
    Also to improve your server, see our signature. There is a HOW TO.
     
Loading...