
hardening plesk server

thewolf

Regular Pleskian
Hi,

I'm running Plesk 8.0.0 on Red Hat Enterprise Linux 4 for a client who is very concerned about security.

Is there any good resource to harden a Plesk server?

Do you have any suggestion?

Quick question: since the Plesk server is only for serving web sites, I'd like to shut down the unnecessary services: qmail, named, etc.

I can stop them manually (service qmail stop, etc.), but each time I restart Plesk, it will bring up all services: named, etc.

Any idea?

Thanks.
 
The first thing to do is subscribe to the Atomic Secure Linux channel. Go to www.atomicrocketturtle.com for more info. Basically for a very modest annual subscription you get access to pre-compiled kernels that have the grsec patch installed. This is very highly recommended.

Secondly, go to www.gotroot.com and read the instructions for installing mod_security and using the rules published on that site. This is a "must do".

The psa startup script does start named, qmail, mysql and others. I think you should be able to modify the startup script, but the simplest thing would be to just do as you say - "service qmail stop" type thing for each thing you don't want running.

Faris.
 
Originally posted by faris

...
Basically for a very modest annual subscription you get access to pre-compiled kernels that have the grsec patch installed.
...
Secondly, go to www.gotroot.com and read the instructions for installing mod_security and using the rules published on that site. This is a "must do".
...
The psa startup script does start named, qmail, mysql and others. I think you should be able to modify the startup script, but the simplest thing would be to just do as you say - "service qmail stop" type thing for each thing you don't want running.

How does the grsecurity patch compare to SELinux, supported by RHEL4 with the stock kernel?

Does mod_security impact performance?

Stopping qmail/named manually is what I'm currently doing, but each time I restart Plesk or reboot the server, they come back online.
Where should I look to modify the Plesk script to have it not start them?

Thanks.
 
SELinux and the grsec patch are similar. I don't know enough about the specifics to be able to comment with any authority.

mod_security will consume a lot of resources (lots of memory and plenty of CPU) if you use all the rules, but you can use a smaller subset if you like.

Startup scripts are in /etc/rc.d/init.d, I think. See what's there anyway.

You can also use the ntsysv command (or the more complex checkcfg command) to control what starts up when you boot.

Faris.
 
I've got both SELinux and GRSEC in the ASL kernel. SELinux is more useful as a permissions level enforcement system you'd use to mark up data in Classified environments than an effective server hardening strategy (known as data-labeling). It's also incredibly esoteric, and is where GRSEC was about 10 years ago in terms of making it useful. Try making rules for it sometime!

GRSEC on the other hand is focused on protecting the stack from buffer overflows (i.e. exploits in the service, apache, named, php, etc.), and enforcing process-level ACLs (protecting the system from exploits in applications, like phpBB, formmail, etc.)

For mod_security, we run the full ruleset, over 20,000 rules, on the ART/Gotroot server. The performance impact on that system is negligible; however, we do have 1.5G of RAM on the box. If you're running on a Celeron with 512m I reckon you might run into issues.
 
Both sites, gotroot and atomicrocketturtle, are down..!
 