Keeping your server secure is essential: an attacker who gains unwanted access can upload malicious files that damage the server and ruin the reputation of your domain and IP address.
The steps below help prevent this from happening.
Step 1: Restricting Plesk Administrative Access
If the Plesk admin password is compromised, it becomes trivial to upload malicious content to the server and damage it along with every hosted domain.
To limit this risk, restrict the networks from which the Plesk admin credentials can be used to log in. This can be done as follows:
Preventing Admin Access from Specific IPs/Subnets
- Log in to Plesk as admin, go to Tools & Settings > Restrict Administrative Access (under the Security section).
- Click Settings, select the “Allowed, excluding the networks in the list” radio button, and then click OK.
- Click Add Network and add the IP from which you want to prevent connections.
Allowing Admin Access from Specific IPs/Subnets
- Log in to Plesk as admin, go to Tools & Settings > Restrict Administrative Access (under the Security section).
- Click Settings, select the “Denied from the networks that are not listed” radio button, and then click OK.
- Click Add Network and add the IP from which you want to allow connections.
==================================================================
Step 2: Restricting Remote Access via Plesk API
The Plesk API is used to interact with Plesk remotely to perform tasks such as creating or deleting subscriptions and accounts.
Connections via the Plesk API can be prohibited entirely, or allowed only from selected addresses.
This is done by editing the panel.ini file, located at:
For Linux : /usr/local/psa/admin/conf/panel.ini
For Windows : %plesk_dir%\admin\conf\panel.ini
To block all connections via the Plesk API:
[api]
enabled = off
To allow connections only from certain IPs via the Plesk API:
[api]
allowedIPs = IP_addresses
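As an added example (not from the original article or from Plesk), the following script audits the [api] section of a panel.ini body and reports whether the API is disabled, restricted to specific addresses, or left open. It assumes allowedIPs is a comma-separated list of addresses or CIDR networks; the sample INI text is constructed.

```python
# Added example: audit the [api] section of a Plesk panel.ini body.
# Assumption: allowedIPs is a comma-separated list of IPs or CIDR networks.
import configparser
import ipaddress

SAMPLE_PANEL_INI = """
[api]
; constructed sample: API reachable from one host and one subnet
allowedIPs = 192.0.2.10, 198.51.100.0/24
"""

def audit_api_section(ini_text: str) -> dict:
    """Summarise who may reach the Plesk API according to the given panel.ini text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    result = {"api_enabled": True, "allowed": [], "invalid": [], "notes": []}
    if not cp.has_section("api"):
        result["notes"].append("no [api] section: API reachable from any address")
        return result
    enabled = cp.get("api", "enabled", fallback="on").strip().lower()
    if enabled in ("off", "false", "0", "no"):
        result["api_enabled"] = False
        result["notes"].append("API disabled for all connections")
        return result
    raw = cp.get("api", "allowedIPs", fallback="").strip()
    if not raw:
        result["notes"].append("API enabled with no allowedIPs restriction")
        return result
    for item in (p.strip() for p in raw.split(",") if p.strip()):
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            result["invalid"].append(item)      # typo or unsupported syntax
            continue
        result["allowed"].append(str(net))
        if net.prefixlen == 0:                  # 0.0.0.0/0 or ::/0
            result["notes"].append(f"{net} allows every address; restriction is ineffective")
    return result

if __name__ == "__main__":
    print(audit_api_section(SAMPLE_PANEL_INI))
```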
==================================================================
Step 3: Setting the Password Policy
Keeping the same password, or a weak one, for a long time is an open invitation to unwanted access.
Passwords should therefore be as unpredictable and complex as possible. To enforce this, set up a password policy as follows:
- Log in to Plesk, go to Tools & Settings > Security Policy (under “Security”), and scroll down to the “Password strength” section.
- Under “Minimum password strength”, select the radio button for the desired password strength policy.
- Click OK.
The policy applies to:
- Passwords used to log in to Plesk.
- Subscription system users’ passwords.
- Database users’ passwords.
- Mailbox passwords.
==================================================================
Step 4: Enhanced Security Policy
The enhanced security policy is enabled by default on Plesk version 11 or later.
If you are upgrading Plesk from an older version, you can enable it manually; note that enabling it cannot be undone.
To enable this policy, go to Tools & Settings > Security Policy.
Enabling this feature results in the following changes:
- All passwords stored in the Plesk database are encrypted using the Plesk secret key.
- Sensitive data such as user passwords can no longer be obtained via the Plesk API.
- Password recovery emails no longer contain the password in plain text; a reset link is sent instead.
==================================================================
Step 5: Custom Handler Policy
By default, IIS handlers defined in a customer's web.config file can override the handlers pre-defined at the web server level.
To disable this, go to Tools & Settings > Security Policy and select “Prohibit the ability to override handlers via web.config”.
Note: this increases security, but it may also cause some client applications to stop working properly.
==================================================================
Step 6: Securing Plesk and the Mail Server using SSL/TLS
TLS certificates enable encrypted connections between client and server, which protects sensitive data in transit.
To secure Plesk and the mail server with a certificate from Let’s Encrypt:
- Install the Let’s Encrypt extension if it is not installed.
- Go to Tools & Settings > SSL/TLS Certificates (under “Security”).
- Click the + Let’s Encrypt button.
- Make sure that the email address in the “Email address” field is correct. This email address will be used to send important notifications.
- Click Install.
At this stage, the certificate from Let’s Encrypt has been generated and used to secure Plesk automatically.
- To secure the mail server, click the [Change] link next to “Certificate for securing mail”.
- Select the “Lets Encrypt certificate (server pool)” from the drop-down list, and click OK.
==================================================================
Step 7: Ports That Need to Be Allowed Through the Firewall
Below are the ports that must be allowed through the firewall for Plesk to work uninterrupted. Block all ports other than these.

Service name                                       Ports used by service
The administrative interface of Plesk over HTTPS   TCP 8443
The administrative interface of Plesk over HTTP    TCP 8880
Samba (file sharing on Windows networks)           UDP 137, UDP 138, TCP 139, TCP 445
VPN service                                        UDP 1194
Web server                                         TCP 80, TCP 443
FTP server                                         TCP 21
SSH (secure shell) server                          TCP 22
SMTP (mail sending) server                         TCP 25, TCP 465
POP3 (mail retrieval) server                       TCP 110, TCP 995
IMAP (mail retrieval) server                       TCP 143, TCP 993
Mail password change service                       TCP 106
MySQL server                                       TCP 3306
Microsoft SQL Server                               TCP 1433
PostgreSQL server                                  TCP 5432
Licensing Server connections                       TCP 443
Domain name server                                 UDP 53, TCP 53
Plesk Installer, Plesk upgrades, and updates       TCP 8447
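As an added example (not from the original article or from Plesk), the following script checks the listening sockets on a server against the port list above and reports anything exposed on a non-loopback address that is not in the list. The `ss -tuln`-style output it parses is constructed sample data; on a real host you would feed it the actual command output.

```python
# Added example: compare listening sockets with the Plesk port list above.
# SAMPLE_SS_OUTPUT is constructed data in the shape of `ss -tuln` output.
ALLOWED_PORTS = {
    "tcp": {8443, 8880, 139, 445, 80, 443, 21, 22, 25, 465, 110, 995,
            143, 993, 106, 3306, 1433, 5432, 53, 8447},
    "udp": {137, 138, 1194, 53},
}

SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8443       0.0.0.0:*
tcp   LISTEN 0      511    [::]:443           [::]:*
tcp   LISTEN 0      128    127.0.0.1:11211    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:6379       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:53         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:1900       0.0.0.0:*
"""

def parse_listeners(ss_output: str) -> list:
    """Return (protocol, bind address, port) for each socket line of `ss -tuln` output."""
    listeners = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")   # rpartition copes with [::]:443
        listeners.append((fields[0], addr, int(port)))
    return listeners

def unexpected_listeners(ss_output: str) -> list:
    """Ports bound on a non-loopback address that are not in the Plesk list."""
    flagged = set()
    for proto, addr, port in parse_listeners(ss_output):
        if addr in ("127.0.0.1", "[::1]"):
            continue                                  # loopback-only is not reachable remotely
        if port not in ALLOWED_PORTS[proto]:
            flagged.add((proto, port))
    return sorted(flagged)

if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"{proto.upper()} {port} is listening but is not in the Plesk port list")
```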