This repository has been archived by the owner on Apr 20, 2024. It is now read-only.
README.md

# Optimizing and Securing a Linux Plesk Server



## Ban IP Addresses and Networks

1. If not already installed, install Fail2ban

   ```bash
   sudo plesk installer --select-release-current --install-component fail2ban
   ```

2. Go to Tools & Settings and then to IP Address Banning (Fail2Ban)
3. Before enabling detection, open the Trusted IP Addresses tab and add the addresses you administer the server from, so that a mistyped password cannot lock you out
4. Click on the Settings tab and then select the Enable intrusion detection checkbox
5. Set the settings that suit your needs:
   - IP address ban period: time in seconds for which an IP address is banned. When this period is over, the IP address is automatically unbanned
   - Time interval for detection of subsequent attacks: time in seconds during which the system counts failed login attempts and other unwanted actions from an IP address
   - Number of failures before the IP address is banned: number of failed attempts within that interval after which the IP address is banned
6. Click on the Apply button
7. Click on the Jails tab
8. Select all the jails that you want to enable and then click on the Switch On button
9. Click on the OK button
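The three settings above are easiest to understand by watching them act on data. The following shell snippet is an added example, not code from the original page or from Fail2ban itself: it reduces failed logins to `epoch_seconds ip` lines (constructed sample data, documentation-range addresses) and reports which addresses would reach the failure count inside the detection window, which is the decision Fail2ban makes before applying the ban period.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): a small simulation of how the
# Fail2ban settings interact. An address is banned once it has produced
# "Number of failures" (maxretry) matches within "Time interval for
# detection" (findtime) seconds; the ban then lasts "IP address ban period"
# seconds. Real Fail2ban extracts timestamps and addresses from service logs
# with filters; here the input is already reduced to "epoch_seconds ip".

# Constructed sample failures: a burst of five within 100 s from
# 203.0.113.10, and five slow attempts spread over 4000 s from 198.51.100.7.
SAMPLE_FAILURES='1700000000 203.0.113.10
1700000030 203.0.113.10
1700000050 203.0.113.10
1700000070 203.0.113.10
1700000100 203.0.113.10
1700000000 198.51.100.7
1700001000 198.51.100.7
1700002000 198.51.100.7
1700003000 198.51.100.7
1700004000 198.51.100.7'

# ban_candidates FINDTIME MAXRETRY reads "epoch ip" lines on stdin and prints,
# in the order the bans would trigger, each IP whose failures reached
# MAXRETRY within some FINDTIME-second window.
ban_candidates() {
  sort -n | awk -v findtime="$1" -v maxretry="$2" '
    {
      ts = $1; ip = $2
      n = ++count[ip]; seen[ip, n] = ts
      # count the failures of this address inside the window ending now
      recent = 0
      for (i = 1; i <= n; i++) if (seen[ip, i] > ts - findtime) recent++
      if (recent >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# Demo: a 600 s window catches only the burst; a 5000 s window catches both.
echo "findtime=600 maxretry=5:"
printf '%s\n' "$SAMPLE_FAILURES" | ban_candidates 600 5
echo "findtime=5000 maxretry=5:"
printf '%s\n' "$SAMPLE_FAILURES" | ban_candidates 5000 5
```

On the server itself, `sudo fail2ban-client status` lists the active jails and `sudo fail2ban-client status <jail>` shows the addresses a jail currently has banned; the slow attacker in the sample only gets caught when the detection window is long enough to hold all of its attempts.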

## Web Application Firewall

1. If not already installed, install ModSecurity

   ```bash
   sudo plesk installer --select-release-current --install-component modsecurity
   ```

2. Go to Tools & Settings and then to Web Application Firewall (ModSecurity)
3. Click on the General tab
4. Under Web application firewall mode, select On. In this mode any request a rule flags is answered with HTTP 403, so if you host applications that accept free-form input, consider running in Detection only mode first and reviewing the log for false positives before switching to On
5. Click on the Settings tab
6. Under the Rule sets section, select the Atomic Basic ModSecurity radio button
7. Select the Update rule sets checkbox and choose Daily as the update frequency
8. Under the Configuration section, select the Tradeoff radio button
9. Click on the Apply button
10. Click on the OK button

## Configure FTP passive ports

1. Connect to the server through SSH
2. Edit the /etc/proftpd.conf file

   ```bash
   sudo vi /etc/proftpd.conf
   ```

3. Insert the following line inside the Global section. If the server sits behind NAT, also set `MasqueradeAddress` to its public IP address there, otherwise PASV replies advertise an unreachable private address

   ```apache
   <Global>
   ...
   PassivePorts 30000 31000
   </Global>
   ```

4. If not already installed, install Plesk Firewall

   ```bash
   sudo plesk installer --select-release-current --install-component psa-firewall
   ```

5. If not already enabled, go to Tools & Settings > Firewall, click on the Enable Firewall Rules Management button, and then click on the Enable button
6. Once the changes are applied, click on the Modify Plesk Firewall Rules button and then on the Add Custom Rule one
7. Specify the following information in the web form:
   - Name of the rule: FTP Passive Ports
   - Match direction: Incoming
   - Action: Allow
   - Add port or port range: the passive port range specified in /etc/proftpd.conf, for example 30000-31000; leave the TCP option selected, then click the Add button
   - Click on the OK button
8. Click on the Apply Changes button
9. Click on the Activate button
10. Test your configuration: `sudo proftpd -t` checks the syntax of /etc/proftpd.conf, and a passive-mode transfer from an FTP client outside the server confirms that the data connection gets through the firewall
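The failure mode of this procedure is a mismatch between the range in proftpd.conf and the range the firewall allows: the PASV reply succeeds but the data connection hangs. The following script is an added consistency check, not part of the original page or of Plesk; it parses the directive, validates the range and looks for a matching ACCEPT rule in `iptables -S INPUT` output. The config path and the exact rule wording (`-p tcp ... --dport LOW:HIGH ... -j ACCEPT`) are assumptions about this setup.

```shell
#!/usr/bin/env sh
# Added consistency check (not from the original page): the passive range in
# proftpd.conf and the range allowed by the firewall must match. The config
# path and the `iptables -S INPUT` rule wording are assumptions.

# passive_range FILE -> "LOW-HIGH" from the first PassivePorts directive
passive_range() {
  awk '$1 == "PassivePorts" { print $2 "-" $3; exit }' "$1"
}

# range_ok LOW-HIGH -> success if LOW < HIGH and both are unprivileged ports
range_ok() {
  low=${1%-*}; high=${1#*-}
  case "$low$high" in '' | *[!0-9]*) return 1 ;; esac
  [ "$low" -gt 1023 ] && [ "$high" -le 65535 ] && [ "$low" -lt "$high" ]
}

# firewall_allows LOW-HIGH reads `iptables -S INPUT` output on stdin and
# succeeds when a TCP ACCEPT rule for exactly that destination range exists
firewall_allows() {
  low=${1%-*}; high=${1#*-}
  grep -- '-p tcp' | grep -- "--dport $low:$high " | grep -q -- '-j ACCEPT'
}

# check_passive_ports [CONF]: ties the three checks together on a live server
check_passive_ports() {
  conf=${1:-/etc/proftpd.conf}
  range=$(passive_range "$conf")
  if [ -z "$range" ]; then
    echo "no PassivePorts directive in $conf"; return 1
  fi
  if ! range_ok "$range"; then
    echo "PassivePorts range $range is not a valid unprivileged range"; return 1
  fi
  if iptables -S INPUT | firewall_allows "$range"; then
    echo "passive range $range is open in the firewall"
  else
    echo "passive range $range is NOT allowed by the firewall"; return 1
  fi
}

# Run the live check only when invoked with a config path, so that sourcing
# this file for its functions has no side effects
if [ $# -eq 1 ]; then
  check_passive_ports "$1"
fi
```

Run it as root with `sh check-passive.sh /etc/proftpd.conf` after activating the firewall rule; a non-zero exit means one of the two sides needs fixing.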

## Harden Nginx

### Disable Server Tokens

1. Connect to the server through SSH
2. Edit the /etc/nginx/nginx.conf file. Since this file is shipped by the Nginx package and can be replaced on update, you can instead put the directive in its own file under /etc/nginx/conf.d/, which nginx.conf includes

   ```bash
   sudo vi /etc/nginx/nginx.conf
   ```

3. Insert the following line in the http section. It removes the version number from the Server header and error pages; the header itself still says `nginx`

   ```nginx
   http {
       ...
       # avoid sending Nginx version number in error pages and Server header
       server_tokens off;
       ...
   }
   ```

4. Save the file and test the Nginx configuration

   ```bash
   sudo nginx -t
   ```

5. Restart the Nginx web server for the changes to take effect

   ```bash
   sudo systemctl restart nginx
   ```

### SSL/TLS Optimization

1. Connect to the server through SSH
2. Edit the /etc/nginx/conf.d/ssl.conf file. Plesk generates this file from its own TLS settings, so re-check it after Plesk updates

   ```bash
   sudo vi /etc/nginx/conf.d/ssl.conf
   ```

3. Replace the content with the following lines

   ```nginx
   # Cipher suites for TLS 1.2: forward-secret (ECDHE/DHE) AES-GCM first, then
   # AES-256 suites, which also admit CBC-mode variants. TLS 1.3 suites are
   # fixed by OpenSSL and not affected by this directive.
   ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
   # Disable SSL 3, TLSv1, and TLSv1.1
   ssl_protocols TLSv1.2 TLSv1.3;
   # Prefer the server's cipher order over the client's
   ssl_prefer_server_ciphers on;
   # Enable session reuse to improve HTTPS performance
   ssl_session_cache shared:SSL:60m;
   ssl_session_timeout 1d;
   # Tickets are protected by a key that is generated at startup and never
   # rotated by default; disable them so that key cannot weaken forward secrecy
   ssl_session_tickets off;
   ```

4. Save the file and test the Nginx configuration

   ```bash
   sudo nginx -t
   ```

5. Restart the Nginx web server for the changes to take effect

   ```bash
   sudo systemctl restart nginx
   ```
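After the Web Application Firewall, Disable Server Tokens and SSL/TLS Optimization steps, the settings are best confirmed from outside the server. The following script is an added example, not code from the original page or from Plesk: run from another machine, it checks that an obviously malicious request is blocked, that the Server header carries no version, and which TLS versions the server still accepts. The hostname is passed as an argument; the probe URL and the text of `openssl s_client` and `curl` output the parsers rely on are assumptions about this setup.

```shell
#!/usr/bin/env sh
# Added verification script (not from the original page). The pure
# classify_* functions parse constructed or real output; the *_probe
# functions need network access to the server.

# classify_server_header reads HTTP response headers on stdin and prints
# "absent", "hidden" (name only) or "leaks <value>" (a version is present)
classify_server_header() {
  srv=$(tr -d '\r' | grep -i '^server:' | head -n 1 | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//')
  if [ -z "$srv" ]; then
    echo absent
  else
    case "$srv" in
      *[0-9].[0-9]*) echo "leaks $srv" ;;
      *) echo hidden ;;
    esac
  fi
}

# classify_tls_probe reads `openssl s_client` output on stdin and prints the
# negotiated protocol version, or "rejected" when no cipher was agreed
classify_tls_probe() {
  out=$(cat)
  proto=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
  if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
    echo rejected
  elif [ -n "$proto" ]; then
    echo "$proto"
  else
    echo rejected
  fi
}

# classify_waf_code STATUS -> verdict for the HTTP status of the WAF probe
classify_waf_code() {
  case "$1" in
    403) echo blocked ;;
    000) echo unreachable ;;
    *)   echo "not blocked (HTTP $1)" ;;
  esac
}

# Live probes (assumed layout: HTTPS on 443, site root answers requests)
server_header_probe() { curl -sI "https://$1/" | classify_server_header; }
tls_probe() {
  # $2 is an openssl version flag such as -tls1_1 or -tls1_3
  openssl s_client -connect "$1:443" -servername "$1" "$2" </dev/null 2>&1 | classify_tls_probe
}
waf_probe() {
  # A textbook SQL-injection-shaped parameter that generic rule sets flag
  code=$(curl -s -o /dev/null -w '%{http_code}' "https://$1/?id=1%27%20OR%20%271%27%3D%271")
  classify_waf_code "$code"
}

verify_host() {
  echo "Server header : $(server_header_probe "$1")"
  for v in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    echo "openssl $v : $(tls_probe "$1" "$v")"
  done
  echo "WAF probe     : $(waf_probe "$1")"
}

# Only probe when a hostname is given, so the functions can be sourced safely
if [ $# -eq 1 ]; then
  verify_host "$1"
fi
```

Expected after the steps above: `-tls1` and `-tls1_1` rejected, `-tls1_2` and `-tls1_3` reporting their version, the Server header hidden, and the WAF probe blocked. Two caveats: a modern OpenSSL client may itself refuse to offer TLS 1.0/1.1, which looks identical to a server-side rejection, and a WAF probe that is not blocked means the active rule set did not match this particular request, not that ModSecurity is off.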

### Gzip Compression

1. Connect to the server through SSH
2. Create the gzip.conf file

   ```bash
   sudo touch /etc/nginx/conf.d/gzip.conf
   ```

3. Insert the following lines

   ```nginx
   gzip on;
   # Skip gzip for old Internet Explorer versions that mishandle it
   gzip_disable "MSIE [1-6]\.(?!.*SV1)";
   gzip_proxied any;
   gzip_comp_level 5;
   # text/html is always compressed; list the other types to compress.
   # Compressing responses that embed per-user secrets (for example CSRF
   # tokens) over TLS exposes them to BREACH-style compression side channels,
   # so keep this list to static asset types where possible.
   gzip_types text/plain text/css application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp image/svg+xml;
   gzip_vary on;
   ```