Initial Plesk Security Best Practices
Guard against weak passwords
- To prevent: don’t allow customers to use weak passwords; adjust the complexity requirements under:
- Tools & Settings > Security > Security Policy
- Set the password strength to Strong or Very strong
(Do this immediately after installing Plesk on the server; the policy applies only to passwords set afterwards, so it will not affect existing weak passwords, leaving them vulnerable.)
Protect from Security Threats
Domain name scams
- To prevent: don’t allow customers to create DNS subzones in other customers’ DNS zones.
- Tools & Settings > Security > Restrict Creation of Subzones
- Select checkbox ‘Forbid users to create DNS subzones in other users’ DNS superzones’
Email interception
- To prevent: add all domain names that your company uses to the list of prohibited domain names.
- Tools & Settings > Security > Prohibited Domain Names
- Click the ‘+ Add Domain Name’ button (use an asterisk for wildcard matching, e.g. *.example.com)
- Check the ‘Enable’ checkbox
(Do this immediately after installing Plesk on the server; otherwise it will not affect fraudulent domains that already exist, leaving them vulnerable.)
Unrestricted administrative access to Plesk
- To prevent: restrict the administrator’s access (by default, access is allowed from all networks)
- Tools & Settings > Security > Restrict Administrative Access
- Click the ‘Settings’ button
- Click the ‘+ Add Network’ button
- Allow access from your corporate network and your support department’s network (and the IPs of any provisioning systems)
- (Adding a home network is not recommended; use a VPN instead)
Brute force attacks
- To prevent (Linux only): enable ‘IP Address Banning (Fail2Ban)’, a service that monitors other services’ log files. If a user fails to log in to a service 3 times in 600 seconds, Fail2Ban creates a firewall rule that blocks the remote host for the next 600 seconds.
- Tools & Settings > Settings
- Check the ‘Enable intrusion detection’ checkbox
- Turn on monitoring of specific services on the ‘Jails’ tab
- Check the ‘Select All’ checkbox
- Click ‘Enable’
- You can also ban/unban IP addresses and check the logs there
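To make the ban logic concrete, here is an added Python model of what the Fail2Ban rule described above does (3 failures within 600 seconds, then a 600-second ban). It is not Plesk's or Fail2Ban's own code: the log lines are constructed for this example, their "auth failed from <ip>" format is an assumption, and the iptables command string only illustrates the kind of firewall rule Fail2Ban's action installs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds quoted in the checklist above.
MAXRETRY = 3                       # failures before a ban
FINDTIME = timedelta(seconds=600)  # window in which the failures must occur
BANTIME = timedelta(seconds=600)   # how long the host stays blocked

# Constructed sample log (not real Plesk/sshd output); lines are assumed to be
# in chronological order, in the form "<ISO timestamp> <service> auth failed from <ip>".
SAMPLE_LOG = """\
2024-01-01T10:00:00 ssh auth failed from 203.0.113.7
2024-01-01T10:02:00 ssh auth failed from 203.0.113.7
2024-01-01T10:03:00 ssh auth failed from 198.51.100.5
2024-01-01T10:04:00 ssh auth failed from 203.0.113.7
2024-01-01T10:05:00 ssh auth failed from 203.0.113.7
2024-01-01T10:30:00 ssh auth failed from 198.51.100.5
2024-01-01T10:31:00 ssh auth failed from 198.51.100.5
2024-01-01T10:45:00 ssh auth failed from 203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+) (\S+) auth failed from (\S+)$")


def firewall_rule(ip):
    """Illustrative iptables rule equivalent to 'block this host' (simplified)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def ban_events(log_text):
    """Replay the log and return a list of (action, ip, iso_timestamp) events.

    action is one of:
      "ban"     - MAXRETRY failures fell inside FINDTIME; timestamp is the ban expiry
      "blocked" - a failure arrived while the host was banned (the firewall would drop it)
      "unban"   - the ban expired; timestamp is the expiry that was lifted
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    banned_until = {}              # ip -> datetime the ban expires
    events = []

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines the jail's filter does not match
        ts = datetime.fromisoformat(m.group(1))
        ip = m.group(3)

        # Lift an expired ban before evaluating this event.
        if ip in banned_until and ts >= banned_until[ip]:
            events.append(("unban", ip, banned_until.pop(ip).isoformat()))

        if ip in banned_until:
            events.append(("blocked", ip, ts.isoformat()))
            continue

        window = failures[ip]
        window.append(ts)
        # Drop failures older than FINDTIME so the count is a sliding window.
        while window and ts - window[0] > FINDTIME:
            window.popleft()

        if len(window) >= MAXRETRY:
            expiry = ts + BANTIME
            banned_until[ip] = expiry
            window.clear()  # start counting afresh once the ban ends
            events.append(("ban", ip, expiry.isoformat()))

    return events


if __name__ == "__main__":
    for action, ip, when in ban_events(SAMPLE_LOG):
        print(action, ip, when)
        if action == "ban":
            print("  ->", firewall_rule(ip))
```

Note the second host (198.51.100.5): it also fails three times, but the first failure is outside the 600-second window, so it is never banned. The first host is banned at 10:04, its 10:05 attempt is dropped by the firewall, and the ban has lapsed by the time it returns at 10:45.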
Web Application Vulnerabilities
- To prevent: use a web application firewall, ModSecurity (a module for the Apache web server)
- Tools & Settings > Web Application Firewall (ModSecurity)
- Click the ‘On’ radio button to enable it
- To configure: adjust the rule sets