Updated Plesk = Enough for Security ? No!

[graffix]

Hello,

after months/years of working with Plesk 6/7.xx is here our statement in security:

All in our Hardware is standard and the OS is Fedora Core2 with yum updated.

We installed on all Server the same Plesk Version 7.xx.
All is updated.

But we have on every 2 weeks problems with security. But we cannot do something, because SW-Soft doesn´t relase faster updates.

So is this good? Im afraid of our HSPc Server with all Customer Details like Credit Card info´s ...´is it secured enough from Sw-Soft?

Plesk is a closed system and manually changes are not allowed or good for this system (this said a supporter of sw-soft).

I think it is very risky to use this solutions for Professionell hosting.
Problems with Qmail or Spamassassin, heavy load, and finally Server slow down or crashes with no logfile entry.

Based on HP Servers with Xeon or Dell Servers with Xeon, who is certified for Unix!

What do you think about this product?
Alternatives?
Your Problems?

We´ve running more as 20 Servers with this product, and no i´m going think for another system, but ...

Regards

 

[zeki79]

hello

i agree with you...
php/spamassassin/perl, the most packages are very old and sw-soft dont release rpms to update the "closed system" plesk ...

 

[graffix]

At the moment, we´re testing VZ boxes for better security. Let us look ...

But Sw-Soft must do a better work for security.

 

[atomicturtle]

Unless you're using one of the monolithic distros (Freebsd, and debian presumably) you can update those packages (php, apache, mysql, openssl, etc) from your vendor; Redhat, Mandrake, SuSE, etc.

Web applications are of course a different issue, which in a hosting environment is probably your single largest security problem. Managing those applications is difficult at best, given that you wont always know what your users are installing, or if you do, updating them without their input can break those apps if they've made any customizations.

The only way to deal with that threat is to model your security in depth, that is that no single thing can be relied upon to resolve threats to your system. Here is a tactical security model I apply to server environments:

Layer 1) Firewalling, this only protects your system against mistakes you have made internally on dangerous services you may be running. It does nothing to protect you against attacks against your web applications.
Layer 2) Disable unused services. If layer 1 fails, layer 2 deals with the above issue, and vice versa
Layer 3) Network Intrusion Detection/Response systems, like snort, mod_security, etc. This detects, and responds (stops) security threats that are *known*. These systems are like anti-virus, they are only as good as your latest update. This layer can deal with *known* threats against web based applications
Layer 4) Update the system. This deals with *known* threats against applications, failures in layers 1-3 would be caught by this against *known* attacks. However, there are absolutely exploits in even the latest versions, we just dont know about them.
Layer 5) Harden the Kernel, grsecurity.net, SELinux, and my ASL project, this deals with both known, and *unknown* attacks against the system and web applications by introducing generic security policies. In some cases these technologies actually will prevent even an exploitable daemon from being vulnerable to attack. In the context of web applications, it is the last line of defense.
Layer 6) Monitoring the system, logcheck, cops, rkhunter, chkrootkit, tiger, titan, etc are all tools to audit the system and report information back to the system administrator.

 

[graffix]

That´s allright, but we cannot do it for more as 25 servers.

My pain is, what is with HSPc Server?

we need a bigger solution for more security.

It is unpossible to secure all server in a row.

I think, that the software is not usable for prof. hosting like big company´s in germany.