• Introducing WebPros Cloud - a fully managed infrastructure platform purpose-built to simplify the deployment of WebPros products !  WebPros Cloud enables you to easily deliver WebPros solutions — without the complexity of managing the infrastructure.
    Join the pilot program today!
  • Support for BIND DNS has been removed from Plesk for Windows due to security and maintenance risks.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS.

Plesk 8 - Tips needed for secure servers

D

dom974

Guest
Hi everyone,

I know Plesk install is somehow "You install it, it works, you don't touch it anymore"

I want to get a list of things that could help plesk servers being more secured. I know I've just tweaked a small part of plesk configuration, but I definitely need advices from others :)

I'll start with my own settings and if you have more ideas (especially mysql and apache), please post it, it will be useful for all plesk admins.

My advices :

1/ Run apache with mod_suphp
Running php scripts under user permissions is a very good idea

2/ Limit the number of processes for apache and mysql
Otherwise, if you're not load balancing, you could see your server get crashed when there are peaks of visitors

3/ Set Root Login to NO under OpenSSH conf
It will give you another security layer. Remember, if someone obtains your root password ... you're dead :/ Whatever security tool you've installed, root password is the bottom line

4/ Change passwords often (like once a month) with apg
Apg is a password generator tool that can give you easy-to-remember passwords (for exemple, Ez8diR_)

5/ Check your logs and processes each day, just to see if everythings ok
top, ps -aux, tail /var/log ...

6/ run ntpdate once a day
Being on time is important for the time displayed on emails


Well that's just a small list of tips, please give yours !
 
It would be interesting to see which should be changed in this EXCELLENT guide to use it also with Plesk 8.

http://www.grafxsoftware.com/util/PLESK-HOWTO.txt

Most of these things should be routine on each server, but for example, on Plesk 8 rkhunter comes with Watchdog... would like to hear other people's input on this.

Thanks.
 
Instead of 3/ you could also disable PasswordAuthentication after setting up public key authentication. Then even the root password won't get anyone in. (Of course you have make sure you don't lose your key and/or forget your passphrase. You can authorize multiple keys (people) though.)

Instead of 5/ (a lot of work) I'd suggest to use tools like logwatch that e-mail the interesting parts of your logs to you. Optionally use real monitoring software like ZABBIX to monitor things like services, hd usage, load, etc.

Regarding 6/: Plesk already creates a daily cronjob for ntpdate when you enable 'Synchronize system time' under Server -> System Time.

Mount /tmp noexec: http://kb.swsoft.com/article_38_1410_en.html

You also might want to check out ART's (paid) Atomic Secured Linux service. Check out mod_security (which is also part of Atomic Secured Linux).

Also I use Fail2ban (DenyHosts is similar). Make sure your systems are up2date (run Plesk Updater/autoinstaller and yum update regularly). And make backups.
 
thanks for your tips

I didn't think of /tmp noexec

as for fail2ban, the idea is pretty good, i like it a lot :)

dominique
 
1. Do not allow to login in SSH directly with user that have root priviledges. Instead create other low-level user and after you login use the SU command.

2. Set a script that is blacklisting particular IP's that made more than 5 (for example) incorrect SSH login attempts.
This is very important step - when I setuped my brand new server I got hundreds of SSH attempts per day and I didn't even hosted anything yet. There are lots of scanners around

3. Secure passwords is a must

4. Make sure that the sites that you host are secured enough (if they are CMS or forums for example - make sure the are the latest version).
 
Some other toys for the mix here which will be in ASL soon, I use ossec (www.ossec.net) for monitoring multiple systems for security events. Its a combination of a SIM, logcheck, rkhunter, and tripwire all rolled into one. Client server based.

sudosh/eas, its a recording shell. Plays everything back like a VCR (or a TiVo for you kids that dont know what a VCR is). EAS is the client server version of the same thing, so like OSSEC, you can tie it into a remote box.


rkhunter, I modified the hell out of the one on ART. The fedora-extra's version spams the hell out of you, my changes only tell you when somethings wrong. Plus I added in some of breun's fixes to clean up some internal problems with hash tracking.

chkrootkit, not as good as rkhunter in my opinion.


nessus - this is an auditing tool, its good for identifying vulnerabilities in services (ssh, apache, etc), not to be confused with vulnerabilities in applications (phpBB, etc).

nikto - another auditing tool, good for identifying vulnerabilies in applications (phpBB, etc).
 
You must log in or register to reply here.

Similar threads

A
Question Need Help Setting Up Multistore with PrestaShop 8.1 on Plesk
Replies
1
Views
1K
alpinecare
A
T
Issue Stop Plesk Brute Force Attacks NOW: Cloudflare + Windows Server Fix
Replies
0
Views
816
TheHostingHeroes
T
B
Question Unable to Send Emails Using PHPMailer on Plesk Server
Replies
4
Views
2K
King555
K
QWeb Ric
Issue Server pool SSL not showing for selection
Replies
0
Views
543
QWeb Ric
QWeb Ric
D
Issue Installing Mattermost via Docker in Plesk - issues with containers
2
Replies
21
Views
14K
David Borrink
D
Back
Top