Arama Yap Mesaj Gönder
Biz Sizi Arayalım
+90
X

Select Your Country

Turkey (Türkçe)Turkey (Türkçe) Germany (German)Germany (German) Worldwide (English)Worldwide (English)
X

Select Your Currency

Türk Lirası $ US Dollar Euro
X

Select Your Country

Turkey (Türkçe)Turkey (Türkçe) Germany (German)Germany (German) Worldwide (English)Worldwide (English)
X

Select Your Currency

Türk Lirası $ US Dollar Euro

Knowledge Base

Homepage Knowledge Base General Plesk Security Settings and Measure...

Bize Ulaşın

Konum Halkalı merkez mahallesi fatih cd ozgur apt no 46 , Küçükçekmece , İstanbul , 34303 , TR
Telefon +90 850 888 83 42
WhatsApp +90 850 307 34 58
E-posta [email protected]

Plesk Security Settings and Measures

Why Is Plesk Security So Important?

Plesk is a powerful platform for managing your websites, emails, and other online assets. However, this power comes with a responsibility: keeping your Plesk server and the data on it secure. Cyber attacks are becoming more complex every day, and a security breach can lead to serious consequences, from reputational damage to financial losses. Therefore, it is vital to configure Plesk security settings correctly and keep them up to date regularly.

  • Prevent Data Loss: Security breaches can lead to your website and databases being compromised and deleted.
  • Reputation Management: Losing your customers' trust leads to long-term negative effects for your business.
  • Legal Compliance: Complying with data protection laws such as GDPR requires taking security measures.
  • Prevent Financial Losses: Ransomware attacks and other cybercrimes can cause significant financial losses.

What Basic Security Settings Should I Configure in Plesk?

Here are the basic security settings you should configure in Plesk:

  1. Use Strong Passwords: Create complex and unique passwords for the Plesk administrator, subscriptions, and databases.
  2. Enable Two-Factor Authentication (2FA): Add an extra layer of security by enabling 2FA for the Plesk administrator account.
  3. Configure the Firewall: Close unnecessary ports and prevent unauthorized access using the Plesk firewall.
  4. Keep Plesk and Its Extensions Up to Date: Regularly update Plesk and all its extensions to close known security vulnerabilities.
  5. Use Security Extensions: Protect your server against attacks by installing security extensions such as Fail2Ban and ModSecurity.
  6. Use SSL/TLS Certificates: Encrypt data traffic by using SSL/TLS certificates for all your websites.
  7. Take Regular Backups: Back up your data regularly so you can quickly restore it in the event of a disaster.

How to Enable Two-Factor Authentication (2FA) in Plesk?

To enable two-factor authentication (2FA) in Plesk, follow these steps:

  1. Log in to Plesk as an administrator.
  2. Go to the "Tools & Settings" section.
  3. In the "Security" section, find and click the "Two-Factor Authentication" option.
  4. Download and install a 2FA application (e.g., Google Authenticator, Authy) on your phone.
  5. Scan the QR code in Plesk with the 2FA application or manually enter the key.
  6. Enter the code generated in the 2FA application into Plesk and complete the activation process.

Example: When a user tries to log in to a Plesk account, after entering their username and password, they will need to enter a verification code generated by the 2FA application. This significantly increases the security of the account.

How to Configure Plesk Firewall?

The Plesk firewall is a critical tool to protect your server from unauthorized access. To configure the firewall, follow these steps:

  1. Log in to Plesk as an administrator.
  2. Go to the "Tools & Settings" section.
  3. In the "Security" section, find and click the "Firewall" option.
  4. Enable the firewall.
  5. Open the necessary ports (e.g., 80, 443, 22) and close unnecessary ports.
  6. Define access rules based on IP addresses or networks.
  7. Regularly check the firewall logs.

Important: Incorrectly configuring the firewall can block access to your server. Therefore, be careful and test the changes.

Example: If you want your website to be accessible only from specific IP addresses, you can create a rule in the firewall that allows these IP addresses.


# Allowed IP addresses
ALLOWED_IPS="192.168.1.10 10.0.0.5"

# Block all other IP addresses
iptables -A INPUT -j DROP

# Allow traffic from allowed IP addresses
for IP in $ALLOWED_IPS; do
  iptables -A INPUT -s $IP -j ACCEPT
done

# Allow SSH access only from specific IP addresses
iptables -A INPUT -p tcp --dport 22 -j DROP
for IP in $ALLOWED_IPS; do
  iptables -A INPUT -p tcp --dport 22 -s $IP -j ACCEPT
done

Which Security Extensions Should I Use in Plesk?

Here are some popular security extensions you can use in Plesk:

  • Fail2Ban: Automatically blocks IP addresses by detecting incorrect login attempts.
  • ModSecurity: Works as a web application firewall (WAF) and provides protection against common attacks.
  • ImunifyAV: Scans and cleans your server against malware.
  • Security Advisor: Analyzes your security settings in Plesk and provides improvement suggestions.

Fail2Ban Installation:

  1. Log in to Plesk as an administrator.
  2. Go to the "Extensions" section.
  3. Click on "Extensions Catalog".
  4. Search for the "Fail2Ban" extension and install it.
  5. Configure Fail2Ban settings (e.g., number of incorrect login attempts, blocking time).

ModSecurity Installation:

  1. Log in to Plesk as an administrator.
  2. Go to the "Tools & Settings" section.
  3. Find and click on "Web Application Firewall (ModSecurity)".
  4. Enable ModSecurity.
  5. Select rule sets (e.g., OWASP ModSecurity Core Rule Set).
  6. Regularly check ModSecurity logs.

Why are SSL/TLS Certificates Important for Plesk Security?

SSL/TLS certificates ensure security by encrypting data traffic between your website and your visitors. This is especially important when users enter personal information (e.g., credit card number, password). SSL/TLS certificates can also improve your website's SEO ranking.

How to Install an SSL/TLS Certificate?

  1. Log in to Plesk as an administrator.
  2. Go to the "Websites & Domains" section.
  3. Select the domain name for which you want to install an SSL/TLS certificate.
  4. Click on "SSL/TLS Certificates".
  5. Obtain a certificate from a free certificate provider such as "Let's Encrypt" or upload your own certificate.
  6. Activate the certificate and verify that your website is running with SSL/TLS.

Real-Life Example: An e-commerce site experienced a security breach because it did not use an SSL/TLS certificate, resulting in the theft of customers' credit card information. This situation damaged the company's reputation and caused significant financial losses.

Plesk Security Vulnerabilities and Measures to Take Against Them

Plesk may occasionally encounter security vulnerabilities. Therefore, it is important to regularly update Plesk and its extensions and follow security alerts. Here are some common Plesk security vulnerabilities and measures to take against them:

  • SQL Injection: A type of attack that allows unauthorized access to databases on your website. Against this, you can take precautions by filtering parameters correctly and using prepared statements.
  • Cross-Site Scripting (XSS): Allows attackers to inject malicious scripts into your website. Against this, you can take precautions by properly sanitizing user inputs and using HTTPOnly cookies.
  • Cross-Site Request Forgery (CSRF): Allows attackers to make requests on behalf of an authorized user. Against this, you can take precautions by using CSRF tokens.
  • Brute Force Attacks: Attackers trying to access your account by trying different password combinations. Against this, you can take precautions by using strong passwords and using tools like Fail2Ban.

How to Perform a Plesk Security Audit?

Regularly auditing the security of your Plesk server is important to identify and address potential vulnerabilities. Here are the steps for a Plesk security audit:

  1. Use Plesk Security Advisor: Use the "Security Advisor" tool in Plesk to analyze your security settings and apply improvement recommendations.
  2. Check Logs: Regularly check the logs of services such as Plesk, Apache, Nginx, and MySQL, and identify suspicious activities.
  3. Use Vulnerability Scanners: Scan your server for known vulnerabilities using vulnerability scanners such as Nessus and OpenVAS.
  4. Get Help from Security Experts: If necessary, get help from a security expert to conduct a more comprehensive security audit.

Plesk Backup and Restore Security

Plesk backups are critical to protecting your data. However, backups themselves can also be a security risk. Therefore, it is important to store and restore your backups securely.

  • Encrypt Backups: Prevent unauthorized access by encrypting backups in Plesk.
  • Store Backups in a Secure Location: Store backups in a location different from your server (e.g., in the cloud).
  • Restrict Access to Backups: Ensure that only authorized users can access backups.
  • Regularly Test Backups: Regularly test that backups are working properly and that you can restore your data.

How to Manage User Permissions and Roles in Plesk?

Managing user permissions and roles correctly in Plesk is important to ensure the security of your server. By granting each user only the permissions they need, you can prevent unauthorized access and potential damage.

  • Use Different Roles: Restrict user access by using different roles (e.g., administrator, customer, reseller) in Plesk.
  • Define Custom Permissions: If necessary, provide more granular control by defining custom permissions for users.
  • Regularly Review User Accounts: Regularly review user accounts and permissions, delete unnecessary accounts, and update permissions.

Tips and Tricks for Plesk Security Settings

  • Implement a Strong Password Policy: Enforce the use of strong passwords for users and define password complexity requirements.
  • Set Session Timeout: Ensure that Plesk sessions automatically expire after a certain period of time.
  • Hide Error Messages: Prevent sensitive information (e.g., database name, file path) from being displayed in error messages.
  • Run Plesk on a Custom Port: Run Plesk on a custom port instead of the default port (8443) to make it harder for attackers to target.
  • Conduct Regular Security Training: Increase awareness by organizing regular security training for Plesk administrators and users.

How to Respond to Security Incidents in Plesk?

When a security incident occurs, it is important to respond quickly and effectively. Here are the steps to take for a security incident:

  1. Detect the Incident: Detect the security incident (e.g., unauthorized access, malware infection).
  2. Isolate the Incident: Isolate the affected systems to prevent the incident from spreading.
  3. Analyze the Incident: Analyze the cause, scope, and impact of the incident.
  4. Remediate the Incident: Clean the affected systems, close security vulnerabilities, and make necessary fixes.
  5. Report the Incident: If necessary, report the security incident to the relevant authorities (e.g., data protection agency).
  6. Learn from the Incident: Improve your security measures by learning from the incident to prevent similar incidents from happening in the future.

The following table compares Plesk security measures in terms of cost and effectiveness:

Security Measure Cost Effectiveness
Strong Passwords Low High
Two-Factor Authentication Low High
Firewall Low High
Plesk and Extension Updates Low High
Fail2Ban Low Medium
ModSecurity Medium High
SSL/TLS Certificates Low/Medium High
Regular Backups Medium High
Security Audit Medium/High High

The following table summarizes the risk levels and potential impacts of common Plesk security vulnerabilities:

Vulnerability Risk Level Potential Impacts
SQL Injection High Theft, modification, or deletion of database data
Cross-Site Scripting (XSS) Medium Compromising user accounts, malware infection
Cross-Site Request Forgery (CSRF) Medium Performing unauthorized actions, changing user settings
Brute Force Attacks Medium Account compromise, denial of service
Insecure File Upload High Malware infection, server control compromise
Outdated Software High Exploitation of known vulnerabilities

 

Can't find the information you are looking for?

Create a Support Ticket
Did you find it useful?
(1860 times viewed / 133 people found it helpful)

Categories

Server/VPS/VDS (67)SSH (23)Domain Name Registry (15)General (577)Reseller Hosting (1)

Most Recently Added Topics

What is Notion? A Guide to Project Management, Note-Taking, and Information OrganizationWhat is Google Meet? A Guide to the Free and Easy Remote Meeting PlatformWhat is Zoom? A Guide to Remote Meetings and Video ConferencingWhat is Microsoft Teams? A Guide to Enterprise Communication and Remote CollaborationWhat is TeamViewer? A Guide to Remote Support and Remote Desktop AccessWhat is AnyDesk? A Guide to Remote Desktop Access and Remote SupportWhat is Xming? A Guide to Displaying X11 Applications on WindowsWhat is UltraVNC? A Remote Desktop and Screen Sharing Guide for WindowsWhat is HyperTerminal? Classic Terminal Software for Serial Port and Modem ConnectionsWhat is RLogin? A Guide to the Advanced Japanese Terminal Client

Call now to get more detailed information about our products and services.

Top