
port 8443 pcsync-https with medium strength SSL ciphers

Yes the old fix for Plesk 8.* no longer works as we don't appear to be able to customize the apache configuration of the plesk server (running on 8443).

Yes, there lighttpd (sw-cp-server) is used for the Plesk Admin Panel instead of Apache. You can try applying these fixes to the /etc/sw-cp-server/applications.d/plesk.conf configuration file instead of Apache's config file.
 
I am a bit shocked by your and probably Parallels' attitude. Some Plesk users have to maintain PCI compliance - as silly as it may be from time to time. And, yes, while those vulnerabilities aren't always automatically exploited, the affected merchants will still face fees for non-compliance. We all appreciate that it may take some time to test and implement such a fix, but comments like "why do you worry" are sadly not acceptable in a PCI context.
It would be great if Parallels would work a bit closer with the scanning vendors. That would cut down on false positives and speed up the fixing of issues. Thanks!
 
IgorG - What is the PCI Compliance Plesk Mission Statement?

Regarding IgorG's post and Plesk in general, I believe that the primary Plesk goal should be: "To make the various distros (Red Hat, CentOS, Ubuntu, Debian, etc.) secure and easier to use to support hosting of multiple Internet web sites on a single server by using as much generally available distro software as possible." Unfortunately, it has been my observation that Plesk's use of software other than the well-tested Apache, sendmail, etc. to internally run the Plesk control panel is bound to break distros, fail PCI compliance and produce processing paradoxes. This thread regarding SSL ciphers, and my other bad Plesk experiences with failed log rotations and loss of logwatch functionality, is proof that Plesk wandering into the use of non-distro-approved scripts (e.g., lighttpd, exim, etc.) can and does produce errors and wastes a lot of the time of server admins like me. We should all be riding the horse in the direction it is running. Therefore, if the above mission statement keeps getting ignored, I for one will not need a Plesk license because I will be using a different control panel or learn to run without one at all!
 
[Plesk 9.2.3]
I have looked at the config file plesk.conf in the sw-cp-server/applications.d directory.

It refers to another file:

/usr/local/psa/admin/conf/ssl-conf.sh

Now, my extremely limited Linux expertise suggests this is a shell script, making straightforward openssl calls. The script disables SSL v2 ciphers, for example. I don't know enough about SSL to know what line to add to this script in order to disable medium strength ciphers also. Anybody here have the expertise to do that? It looks like a one-liner to fix this compliance issue, if only someone knows the command to do it.
 
Guys,

Just want to say that the problem is well known to Parallels and we are really working hard on resolving this security problem. We really understand that this problem is very important for you and we are making the maximal effort to troubleshoot and fix it.
 
Hi - confirming that Igor's steps in #23 above did the trick to get us the rest of the way there. I added this line to the

/etc/sw-cp-server/applications.d/plesk.conf

ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"

So

Code:
    include_shell "/usr/local/psa/admin/conf/ssl-conf.sh"

    ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"

    index-file.names = ("index.php")

and restarted the psa service.

Thanks for the help Igor... now if we could only do something about the backup...
 
Following up the editing of the plesk.conf... is the only way to disable port 8880 in PSA 9.x to comment out or remove everything from "$SERVER["socket"] == ":8880" {" down to the end of the file?
 
Not sure that Plesk will work correctly if you disable port 8880 there...
 
We've been disabling 8880 on psa 8.x and 7.x for years to pass PCI compliance since an insecure login form is not permitted; why would it cause any issue?
 
Help me please

I've been trying to get my PCI compliance test to pass for months. I can't fix this fault.
I added a security certificate and dedicated IP for my website and it's still there.
I upgraded Plesk to 9.3 and it's still there.

I am trying to learn how to get around with the shell access in Plesk, but can't find those directories and plesk.conf.

Please help me, tell me what to do. I am tired of getting emails from Security Metrics that tells me I have failed.
Can't they fix this problem?
 
Look familiar?

TCP 8443 pcsync-https 5

Synopsis : The remote service supports the use of medium strength SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits. Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:p/I:N/A:N)
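The finding above defines "medium strength" by key length (at least 56 and fewer than 112 bits). As an added illustration that is not part of this thread, the following Python script applies that same threshold to output in the format of `openssl ciphers -v`, so a cipher string such as the `ssl.cipher-list` value posted earlier can be checked before restarting the panel; the sample lines are constructed here for demonstration, not captured from anyone's server.

```python
import re
import sys

# Constructed sample in the layout printed by `openssl ciphers -v`
# (name, protocol, Kx=, Au=, Enc=ALG(bits), Mac=). Not real server output.
SAMPLE = """\
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
"""

LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+.*?Enc=(?P<enc>\S+)")


def enc_bits(enc):
    """Key length in bits from an Enc= field, e.g. 'AES(256)' -> 256, 'None' -> 0."""
    m = re.match(r"([A-Za-z0-9]+)\((\d+)\)", enc)
    if not m:
        return 0  # Enc=None: no encryption at all
    alg, bits = m.group(1), int(m.group(2))
    # 3DES is listed as 168 bits but its effective strength is 112
    # (meet-in-the-middle); the cipher string in this thread drops it with !3DES anyway.
    return 112 if alg == "3DES" else bits


def classify(bits):
    """Scanner's buckets: null, weak (<56), medium (56..111), strong (>=112)."""
    if bits == 0:
        return "null"
    if bits < 56:
        return "weak"
    if bits < 112:
        return "medium"
    return "strong"


def parse_cipher_list(text):
    """Return (name, bits, class) for every cipher line in `openssl ciphers -v` output."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            bits = enc_bits(m.group("enc"))
            out.append((m.group("name"), bits, classify(bits)))
    return out


def offending(text):
    """Names of ciphers a PCI scanner would flag (anything below 112 bits or null)."""
    return [n for n, _, cls in parse_cipher_list(text) if cls != "strong"]


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for name, bits, cls in parse_cipher_list(data):
        print(f"{name:24s} {bits:4d} bits  {cls}")
```

To check a real cipher string, pipe the expansion in: `openssl ciphers -v "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH" | python3 check_ciphers.py` (the file name is an assumption); an empty offending list means nothing below the scanner's threshold is enabled.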
 
If you're running psa 9 that issue should be resolvable using codesmith's post from December 21. The file you need to modify is /etc/sw-cp-server/applications.d/plesk.conf and then stop and restart plesk.
 
I realize that and if I could find the file, I would edit it, but I don't know how to access that file.

I have a VPS account hosting my website and have been using Plesk for about a year.
Working with this has been my only experience with Linux. Because of my work, I have always been in the DOS/Windows OS. However, I have been trying to learn as much as I can.


In the Web Hosting Setup, I set the Shell Access to Bin/Bash (chrooted).
Using the Shell Access, if I look in the /etc directory, I only see group, passwd and termcap, which are all binary files.
I see the same thing using WSFTP; there are no other directories.

Am I looking in the wrong place? I just need a little guidance.
 
At the very least you'll need to set the shell on that account to /bin/bash without the chrooted since that prevents you from using any real system commands, then you need to "su - root" and enter the root password to gain root access to the server, then you will be able to see the file in question and edit it.
 
Thank you for the direction.

I still don't see the directories. Here is a printout of my terminal session.
Thanks in advance for any assistance.


-bash-3.00$ su - root

Password:

[root@vps ~]# ls -a
. RPM-GPG-KEY.art.txt.1
.. RPM-GPG-KEY.art.txt.2
.autoinstaller atomic-release-1.0-7.el4.art.noarch.rpm
.autoinstaller.old mysqlauth.eI5719
.autoinstallerrc parallels
.bash_history parallels.old
.bash_logout parallels.old2
.bash_profile psa
.bashrc psa-9.2.3-cos4.build92091015.22.i586.rpm
.cshrc psa-autoinstaller-3.5.0-090817.16.i386.rpm
.mysql_history psa-php4-configurator-1.5.1-cos4.build92091015.22.noarch.rpm
.spamassassin psa-php5-configurator-1.5.1-cos5.build92091016.19.noarch.rpm
.ssh psa.old
.tcshrc psa.sql
.viminfo swsoft.old
RPM-GPG-KEY.art.txt yum-2.0.8-2.centos3.noarch.rpm

[root@vps ~]# cd parallels

[root@vps parallels]# ls -a
. PSA_8.6.0 PSA_9.2.3 plesk.inf3 products.inf3 sitebuilder.inf3
.. PSA_9.0.0 PSA_9.2.3_MU ppsmbe.inf3 setemplates.inf3 sso.inf3

[root@vps parallels]# cd

[root@vps ~]# cd psa

[root@vps psa]# ls -a
. PSA_9.2.3 PSA_9.3.0 ppsmbe.inf3 setemplates.inf3 sso.inf3
.. PSA_9.2.3_MU plesk.inf3 products.inf3 sitebuilder.inf3
 
Plesk 8.6 - can't find a workaround

Thanks to all for your detailed instructions. I'm down from a ton of risks to just 4, all having to do with port 8443: weak + medium ciphers, SSLv2, and an old OpenSSL error.

Modifying /usr/local/psa/admin/etc/httpsd.custom.include hasn't worked.

Also, the psa header for OpenSSL is reporting a version different from the one that is actually installed.

Blocking all IP addresses except my own for the Plesk Admin ports (8880 and 8443) isn't working. Tried to block with iptables, but either I didn't implement it correctly or it's not working. The scanner still has access to port 8443.

*****As a n00b, is there a way to completely block port 8443 during the scan, and then unblock it afterward which I need to get into Plesk? *****

Thanks for any help!
 