
Question Subdomain security

vic666

New Pleskian
Server operating system version: Ubuntu 20.04
Plesk version and microupdate number: 18.0.57 #5
I'm running various web apps on my domain and several subdomains. It seems that one of these apps (based on PHP) had a vulnerability that was exploited. As a consequence, not only the app of that particular (sub)domain was affected but the main domain and all other subdomains, too. Code was injected all over the place and new files have been created; it's a complete mess.

Is there something I can do to establish a better separation of the main domain and its subdomains? It's bad enough when one app gets hacked, but when one hack can affect all other apps on the domain, that's really bad.
 
I think I can answer my own question. Simply don't use the function "Add Subdomain" and instead add a regular domain that actually points to the subdomain.

I guess the only good reason to even use the function "subdomain" is to avoid restrictions in terms of how many domains can be added to a subscription.
 
The only way to avoid this is to have separate subscriptions for each domain. Subdomain or domain makes no difference. The issue can occur because all domains and subdomains share the same system user. For that reason, scripts can access all paths inside the same subscription. They cannot access paths outside the subscription, so if you separate domains into different subscriptions, you are much safer.
 
Hi Peter, yes, I figured. Just to be clear, when I say "subdomain", I'm referring to the functionality "Add subdomain" in Plesk. As far as I understand, it's not possible to create a subdomain this way and still add it to its own subscription. So, the only way to do this is to "Add new domain", and then enter the name of the subdomain in question, making sure that a new subscription is created.
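
An added example (not part of any post in this thread) of how to check the shared-system-user point from the answer above: it groups site directories by owning UID and lists which other sites sit behind the same system user as a compromised one. The `/var/www/vhosts` layout, the skipped service directory names and the "directory name looks like a hostname" heuristic are assumptions about a Plesk-on-Linux server, and the function names are hypothetical.

```python
import os
from collections import defaultdict

# Assumed layout (not stated in the thread): one directory per subscription
# under /var/www/vhosts, with the document roots of its main domain (httpdocs),
# subdomains and additional domains as directories inside it.
VHOSTS_ROOT = "/var/www/vhosts"
SKIP = {"system", "default", "chroot", "fs", ".skel"}  # assumed service dirs


def docroots_by_owner(vhosts_root=VHOSTS_ROOT, owner_of=None):
    """Map owning UID -> sorted list of site directories owned by that UID."""
    owner_of = owner_of or (lambda path: os.stat(path).st_uid)
    groups = defaultdict(list)
    for subscription in sorted(os.listdir(vhosts_root)):
        sub_path = os.path.join(vhosts_root, subscription)
        if subscription in SKIP or not os.path.isdir(sub_path):
            continue
        for entry in sorted(os.listdir(sub_path)):
            site_path = os.path.join(sub_path, entry)
            # Heuristic: httpdocs, or a non-hidden directory named like a hostname.
            is_site = entry == "httpdocs" or ("." in entry and not entry.startswith("."))
            if is_site and os.path.isdir(site_path):
                groups[owner_of(site_path)].append(site_path)
    return dict(groups)


def blast_radius(compromised_path, groups):
    """Other site directories owned by the same system user as compromised_path."""
    for paths in groups.values():
        if compromised_path in paths:
            return [p for p in paths if p != compromised_path]
    return []


if __name__ == "__main__":
    if not os.path.isdir(VHOSTS_ROOT):
        raise SystemExit(f"{VHOSTS_ROOT} not found; pass another root to docroots_by_owner()")
    for uid, paths in docroots_by_owner().items():
        print(f"uid {uid}: {'SHARED' if len(paths) > 1 else 'isolated'}")
        for p in paths:
            print(f"    {p}")
```

Any UID reported as SHARED marks a set of sites where a script running for one of them can read and write the files of the others.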
 