
hello..noob here.

mike2010
I'm pretty new to Plesk.. but so far I'm liking it a lot. Much better than all other CPs I've tried so far.

Just a question about security.. I pretty much have root SSH blocked off pretty well, and I'm the only one that uses Plesk.

Are there additional security recommendations to block Plesk login attempts the same way we can with root SSH?

I saw the option in Plesk to limit per IP only.. and my IP almost never changes.. but if it happens to one day and I have that enabled, I'd be pretty screwed.

Isn't there other stuff we could do, like create .ppk (private keys)? If it doesn't match up with the computer, the login attempt is blocked.

Any other type of security recommendation for Plesk is appreciated.


MB
 
There are sooooo many security things to consider.

Myself, I run a dedicated server of my own. SSH port 22 is restricted via the firewall (I use Plesk Firewall) to just 2 IPs: one is mine, the other is another IP just in case mine changes. In addition I created an additional SSH user (via root, not in Plesk), then disabled root login via SSH and also disabled Protocol 1 and enabled Protocol 2 instead. This means that you have to log in as the other SSH user first, then use `su -` to log in as root. I guess you knew that though.

Users over at the ART forums recommend for additional security you should use keys and not passwords with SSH, but personally I'd rather use passwords as I have already isolated the port to just 2 IPs only.

Of course for ultimate protection I recommend subscribing to ASL (Atomic Secured Linux), which will not only keep your server's OS, Plesk and PHP/MySQL up to date (which is essential for security fixes and patches) but also protect your server from attacks like SQL injection and insecure scripts.

Hope that helps,

Matt
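As an added example (not from Matt's post, and not Plesk or ASL code), a small Python audit that parses an sshd_config and flags the three settings Matt changed on his server: root login still permitted, Protocol 1 still enabled, and password authentication left on instead of keys. The sample config is constructed, and the defaults assumed for absent directives are an assumption for older OpenSSH releases; check `sshd -T` on your own version.

```python
import re

# Constructed sample (not from a real server): the pre-hardening state the
# post describes, with Protocol 1 enabled, root login and password auth on.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

# directive -> (assumed default when absent, hardened values). The defaults
# are those of older OpenSSH releases; confirm yours with `sshd -T`.
POLICY = {
    "protocol": ("2", {"2"}),
    "permitrootlogin": ("yes", {"no"}),
    "passwordauthentication": ("yes", {"no"}),
    "pubkeyauthentication": ("yes", {"yes"}),
}


def parse_sshd_config(text):
    """Map lower-cased directive -> value for active lines before any Match
    block; sshd keeps the first occurrence, so the first value seen wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'k v' or 'k=v'
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        if key == "match":  # conditional blocks need a separate audit
            break
        settings.setdefault(key, parts[1].strip())
    return settings


def audit(text):
    """Return [(directive, current, expected)] for every directive that is
    not in its hardened state; an empty list means the config passes."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (default, ok_values) in POLICY.items():
        current = settings.get(key, default).lower()
        if current not in ok_values:
            findings.append((key, current, "/".join(sorted(ok_values))))
    return findings
```

Run `audit(open("/etc/ssh/sshd_config").read())` as root to check a live server; restart sshd only after confirming a key-based login works from a second session.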
 
Keys are also not always practical. For example, an iPhone.

Also you may have to allow a wider range of IP addresses, particularly if you access via a dynamic IP range.

I think most compromises are poor passwords easily guessed.
 

I appreciate the response, but I don't see how the above mentioned would prevent login attempts through Plesk, since Plesk runs with MySQL and not SSH.

How to restrict people from attempting to log in to Plesk.. is basically what I'm asking.

Martin
 
What I mentioned will help prevent the common attacks that occur via the SSH port, and will also help to prevent an attacker gaining root access through an unsecured script, or if they happen to gain access through a user account or FTP.

In regards to control panel access, why would you lock that down? Surely your users will want to administer their own domains and access their webmail, unless you host a single site on that server, in which case just isolate port 8443 via the firewall to a few IPs only, the same as I did for SSH.

Enforce passwords to be complex. I generate all the passwords myself for my clients. Standards like a minimum of 8 characters with numbers, and alphanumeric passwords, all help to prevent attacks. This also applies to FTP too.

Furthermore, change your admin password once a month or once every 2 months.

In all honesty I've been running a Plesk VPS for over 2 years and a server for the last 3 months and never had an attacker get in via the Plesk login.

If you are still worried about it, then I have seen posts about changing the port number used to access the Plesk CP. You could try that.

Matt
 
unless you host a single site on that server, in which case just isolate port 8443 via the firewall to a few IPs

Yeah, I'm the only one on the server.

I thought about doing the above.. but if my IP changes, then what?

Since I already have SSH restricted by IP only as well.

Also you may have to allow a wider range of IP addresses, particularly if you access via a dynamic IP range.

I have a router on my computer so my IP usually stays the same forever... unless I disconnect the router for a reason. The IP ranges can be completely different as well, as I've seen over the last few years when occasionally disconnecting the router. Sometimes my IP would start with 24, sometimes it would start with 75.

Is there a walkthrough on how to do keys with Plesk?

BTW, I might check out that ASL. Is it a popular program that most people use? Never heard of it before.
 
ASL is brilliant, and has a great user base and VERY helpful forum. I can't recommend it enough.

I run ASL on my dedicated server and it has helped protect my server from SQL injections and brute force FTP login attempts. There is also kernel hardening and other security fixes that keep not only the OS, but also Plesk secure. In addition I use Qmail-Scanner, ClamAV and SpamAssassin too, which have almost eliminated all my spam problems.

In addition to that, you can also geo block IP addresses. For example, I used to get a lot of attacks from China, so I geo blocked China. In some situations (depending on the site) geo blocking isn't a good idea, but in my case it has helped. If I was running a single site from a server I wouldn't use geo blocking, but instead lock down SSH, the Plesk CP port and FTP to only accept connections from a select number of IPs. In addition I would also turn off webmail and other unused services and ports.

ART/ASL forum can also help with the SSH keys too.

In regards to your IPs, I'm surprised you can't get a static IP. In the UK I have a static IP on my ADSL line which is why I opted for the blocking option on the SSH port 22. Might want to check with your ISP on that.

Matt
 
My datacenter provides VPN access to the private network and provides a private IP (10.x). If you had access to something like this you could have Plesk only allow connections from the private network, basically requiring you to VPN in before accessing the control panel. I would agree that ASL is the best thing you could do. I am sure other people may have ideas, however most people have clients on their servers who need access to the control panels.
 