If you’ve been a long-time user of Parallels Plesk, then I’m sure you’ll be keen to know what’s in the latest version, version 12.
So over the coming weeks I’ll be taking you through it from top to bottom, looking at the changes, the new features and the updated components, to give you a complete bird’s-eye overview of what it is and how to use it.
Whether you’re hosting your own site or helping others host theirs; whether you’re a designer, developer, devops or systems administrator or even a casual home user, with a small, simple, website, there’ll be something for you.
So bookmark this page, and let’s get hands-on with the new version of one of the best control panels on the market today. Today, in light of the recent Heartbleed vulnerability, let’s focus on security.
Any technology whose primary home is the internet has to put real emphasis on security, and Parallels Plesk 12 is no exception.
Happily, version 12 comes with a raft of changes and new features that put security firmly at the core of the release, including:
- Security policies
- SSL Certificates
- Restrict creation of subzones
- Add additional administrator accounts
- Restrict administrative access
- Prohibited domain names
- Outbound Email Limiting
In today’s post, we’ll look at some of the key features, specifically ModSecurity, Fail2ban, and Outbound Email Limiting, so that you know both what they are and why they make version 12 a worthy release.
One of the key additions to Plesk 12 is ModSecurity, a free, open-source web application firewall designed to help detect and prevent attacks on web applications such as WordPress and Joomla.
According to the ModSecurity wiki:
ModSecurity provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with little or no changes to existing infrastructure.
But what is a Web Application Firewall (WAF)? According to OWASP (the Open Web Application Security Project), a WAF is:
…an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customising the rules to your application, many attacks can be identified and blocked. The effort to perform this customisation can be significant and needs to be maintained as the application is modified.
A key advantage of ModSecurity is that it runs on all of the most common web servers: Apache, IIS (Internet Information Services, for Windows) and NGINX. Together, these three web servers serve over 85% of the world’s websites.
That’s great, but what does it mean to you? If you’re hosting a company or personal website on WordPress, if you’ve deployed a new online shop with software such as Magento, or if you’ve developed a web application for your business (or for yourself), ModSecurity puts a filtering layer in front of it.
When the site is hosted through Plesk 12, the infrastructure is there to detect and prevent common attacks in real time, helping your site stay online and serving customers, and giving systems administrators a solid tool for doing so. One caveat worth stating: a WAF is a safety net in front of the application, not a substitute for keeping WordPress, Joomla and their plugins patched.
Ok, let’s have a look at how to configure ModSecurity in Plesk 12. From the Web Host Edition dashboard, click on Tools & Settings, under Server Management, in the navigation list on the left hand side.
Following this, click Web Application Firewall (ModSecurity), under Security in the first column, shown in the screenshot above. From there, you’ll be taken to the Web Application Firewall screen where we see, in the screenshot below, that the firewall is disabled.
There are three settings for the firewall: Off, Detection only and On. In Detection only mode, rule matches are written to the log but the requests are still allowed through, which makes it the right place to start: you can watch for false positives against your own sites before switching to On, where matching requests are blocked. To keep things simple, we’ll choose Detection only, then change to the Settings tab as in the screenshot below.
Here, we see the rulesets which are packages containing files with specific security rules; and the firewall configuration which allows for configuration based on speed, thoroughness or a custom setup. I’m going to keep the default ruleset of OWASP ModSecurity Core Rule Set (CRS) and configuration at Fast. However, you can change it as best suits your needs. Clicking OK, activates the settings and takes us back to the admin dashboard.
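To make the difference between the three modes concrete, here is a small added model (my own illustration, not Plesk’s or ModSecurity’s code) that runs a handful of constructed requests through a constructed three-signature rule set under Off, Detection only and On. The signatures are a deliberately tiny stand-in for the OWASP Core Rule Set, and the request shapes are made up; what the example shows is the engine behaviour, namely that Detection only logs a match without refusing the request, while only On actually blocks it.

```python
import re
from enum import Enum


class Mode(Enum):
    """The three engine states exposed in the Plesk UI (ModSecurity's SecRuleEngine)."""
    OFF = "Off"
    DETECTION_ONLY = "Detection only"
    ON = "On"


# Constructed, deliberately tiny signature set. It stands in for the OWASP
# Core Rule Set only to show how the engine mode changes the outcome; the
# real CRS uses hundreds of rules plus anomaly scoring, not three regexes.
RULES = [
    ("sqli", re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+")),
    ("xss", re.compile(r"(?i)<script\b|javascript:|\bon\w+\s*=")),
    ("traversal", re.compile(r"\.\./|\.\.\\")),
]


def inspect(request, mode):
    """Run the rules over one request under the given mode.

    Returns a dict: which rules matched, whether an audit-log entry would be
    written, and whether the request would actually be refused.
    """
    result = {"matches": [], "logged": False, "blocked": False}
    if mode is Mode.OFF:                        # Off: rules are not evaluated at all
        return result
    fields = [request.get("path", "")]
    fields += request.get("args", {}).values()
    fields.append(request.get("body", ""))
    haystack = " ".join(fields)
    for name, pattern in RULES:
        if pattern.search(haystack):
            result["matches"].append(name)
    if result["matches"]:
        result["logged"] = True                 # both non-Off modes log the match
        result["blocked"] = mode is Mode.ON     # only On denies the request
    return result


# Constructed sample traffic: one legitimate search plus two attack attempts.
SAMPLE_REQUESTS = {
    "search": {"path": "/index.php", "args": {"q": "plesk 12 security"}},
    "sqli": {"path": "/product.php", "args": {"id": "1' or '1'='1"}},
    "xss": {"path": "/comment.php", "body": "text=<script>alert(1)</script>"},
}


def run_all(mode):
    """Return {request name: (logged, blocked)} for every sample request."""
    return {name: (r["logged"], r["blocked"])
            for name, r in ((n, inspect(req, mode)) for n, req in SAMPLE_REQUESTS.items())}


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, run_all(mode))
```

Running it prints one line per mode; the legitimate search is never touched, and the two attack requests move from "ignored" to "logged" to "logged and blocked" as the mode goes from Off to Detection only to On. That progression is exactly why starting in Detection only and reading the log for a while is the safe order.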
Fail2ban
Fail2ban scans log files and bans IPs that show malicious signs, such as too many password failures. Fail2ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, along with other, configurable, actions.
What Fail2ban does is let you define rules (jails) that detect when someone is trying to break in to a service on your server, and what to do about it when they are. And it isn’t just your website: FTP and email accounts are covered too.
For example, when an intrusion is detected, the server’s firewall rules can be updated automatically to block the source address for a set period. Let’s have a look at how you set up the rules and responses for Fail2ban in Plesk 12.
Open Fail2ban Settings
Ok, to get started administering Fail2ban, from the Web Host Edition dashboard, click on Tools & Settings, under Server Management, in the navigation list on the left hand side.
From there, click IP Address Banning (Fail2Ban), under Security in the first column, shown in the screenshot above. From there, you’ll be taken to the Settings tab of the IP Address Banning menu.
Enable Intrusion Detection
First, check Enable intrusion detection and click OK. We’ll then be redirected to the Jails tab, where we see a list of the available, but currently disabled, jails.
Configure the Jail
For this example I’m going to configure and enable the plesk-apache jail. Click on plesk-apache and you’ll be taken to the Edit Jail page, where we can edit its configuration.
You can see that there are a number of configuration options, including:
- Filter: the filter (a set of log line patterns) applied to this jail
- Action: one or more actions to take when the jail triggers, such as updating the firewall or sending a notification
- Log path: the log files the filter is run against
- IP address ban period: how long to ban a matching IP address for
- Maximum number of failed login attempts: how many matches are tolerated before the ban is applied
I’ve added a second action alongside the existing one, which sends an email notification via sendmail when Apache authorisation failures from one address trip the jail.
You can see that it’s been added, with defaults for the destination, sender and sendername, along with a name for the filter. I’ve left all other options at their defaults. Clicking OK, we’re redirected back to the Jails list.
Enable the Jail
To enable the jail, I click the checkbox next to plesk-apache, as in the screenshot below, and click Switch On in the admin toolbar above. With that, the rule is now in effect.
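To show what the jail we just switched on actually does with the log, here is an added Python model of the filter/maxretry/findtime/bantime/actions loop (my own illustration, not Fail2ban’s or Plesk’s code). It replays constructed Apache 2.2-style error-log lines, made up for this example, through a simplified filter for the "authentication failure" message and records the two actions configured above, the firewall update and the sendmail notification, rather than running them. The numeric defaults (3 attempts, 600-second window, 1-hour ban) are assumptions, not Plesk’s shipped values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache 2.2-style error-log lines (not from a real server).
# The timestamps, client addresses and paths are all made up.
SAMPLE_LOG = """\
[Mon Apr 14 10:00:01 2014] [error] [client 203.0.113.5] user admin: authentication failure for "/admin": Password Mismatch
[Mon Apr 14 10:00:05 2014] [error] [client 203.0.113.5] user admin: authentication failure for "/admin": Password Mismatch
[Mon Apr 14 10:00:09 2014] [error] [client 198.51.100.7] user bob: authentication failure for "/private": Password Mismatch
[Mon Apr 14 10:00:12 2014] [error] [client 203.0.113.5] user root: authentication failure for "/admin": Password Mismatch
[Mon Apr 14 10:00:20 2014] [notice] Apache/2.2.15 (Unix) configured -- resuming normal operations
[Mon Apr 14 10:30:00 2014] [error] [client 198.51.100.7] user bob: authentication failure for "/private": Password Mismatch
[Mon Apr 14 10:30:03 2014] [error] [client 198.51.100.7] user bob: authentication failure for "/private": Password Mismatch
"""

# Simplified stand-in for a Fail2ban filter: one failregex with the client IP
# captured. Real filters are ini files using a <HOST> placeholder.
APACHE_AUTH_FAILREGEX = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] '
    r'user \S+: authentication failure for '
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


class Jail:
    """Illustrative model of one jail: filter + maxretry/findtime/bantime + actions."""

    def __init__(self, failregex, maxretry=3, findtime=600, bantime=3600, actions=()):
        self.failregex = failregex
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.actions = list(actions)           # callables run on each new ban
        self.failures = defaultdict(list)      # ip -> recent failure timestamps
        self.bans = {}                         # ip -> ban expiry

    def is_banned(self, ip, now):
        return ip in self.bans and self.bans[ip] > now

    def feed(self, line):
        """Process one log line; return the IP if this line caused a new ban."""
        m = self.failregex.match(line)
        if not m:
            return None                        # not a failure this filter cares about
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        ip = m.group("ip")
        # Keep only failures inside the findtime window, then add this one.
        recent = [t for t in self.failures[ip] if ts - t <= self.findtime]
        recent.append(ts)
        self.failures[ip] = recent
        if len(recent) >= self.maxretry and not self.is_banned(ip, ts):
            self.bans[ip] = ts + self.bantime
            self.failures[ip] = []             # reset the counter once banned
            for action in self.actions:
                action(ip, ts, self.bantime)
            return ip
        return None


def run_sample(maxretry=3, findtime=600, bantime=3600):
    """Replay SAMPLE_LOG through a jail; return (banned IPs in order, action log)."""
    events = []
    # Two actions mirroring the firewall update and the sendmail notification
    # configured in the Plesk UI above; both are only recorded here, not executed.
    firewall = lambda ip, ts, bt: events.append(f"iptables: reject {ip} until {ts + bt:%H:%M:%S}")
    notify = lambda ip, ts, bt: events.append(f"sendmail: banned {ip} at {ts:%H:%M:%S}")
    jail = Jail(APACHE_AUTH_FAILREGEX, maxretry, findtime, bantime, actions=[firewall, notify])
    banned = [ip for ip in map(jail.feed, SAMPLE_LOG.splitlines()) if ip]
    return banned, events


if __name__ == "__main__":
    banned, events = run_sample()
    print("banned:", banned)
    print("\n".join(events))
```

With the defaults, 203.0.113.5 is banned on its third failure inside the window, while 198.51.100.7 is not: its first failure is half an hour before the other two, so only two fall inside the 600-second findtime. Widening findtime to an hour bans it as well, which is the knob to turn when an attacker is spreading attempts out to stay under the threshold.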
Outbound Email Limiting
The third feature I’ll cover today is outbound email limiting. This was introduced in Plesk 12.0 as a way for systems administrators to protect their servers’ IP addresses from being put on spam blacklists because of outgoing spam, typically sent from a compromised mailbox or a hijacked web script.
If your business has a mailing list (and if it doesn’t, it really should), this is a feature you want. The last thing you want is for your server to be blacklisted because one account on it was abused, leaving you unable to contact your list.
Limits can be defined in three ways:
- For Individual Mailboxes
- For a Single Domain: covering all mailboxes and websites on it
- For Multiple Domains: all mailboxes and websites, across all domains
So you can see that whether you’re a small user, growing their first blog, or you’re a power user, hosting a number of domains for a variety of clients, email limiting can be configured for your needs.
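The three scopes interact, and the interaction is easier to see in code than in prose. The following added example (my own illustration, not Plesk’s implementation) models per-scope message limits where a send is allowed only if the mailbox, its domain and the whole server all still have room, so the tightest applicable limit is the one that bites. The one-hour window, the limit values and the send sequence are all constructed assumptions for the demonstration; website scripts are treated as just another sender address on their domain.

```python
from collections import defaultdict
from datetime import datetime, timedelta


class OutboundLimiter:
    """Messages-per-window limits at three scopes: mailbox, domain, server.

    A send is allowed only when every scope that has a limit still has room,
    so the tightest scope that applies is the one that rejects. Scopes with
    no entry are unlimited. The one-hour window is an assumption.
    """

    def __init__(self, mailbox=None, domain=None, server=None, window=timedelta(hours=1)):
        self.limits = {
            "mailbox": dict(mailbox or {}),   # "user@example.com" -> messages per window
            "domain": dict(domain or {}),     # "example.com" -> messages per window
            "server": {"*": server} if server is not None else {},
        }
        self.window = window
        self.sent = defaultdict(list)          # (scope, key) -> timestamps of accepted sends

    @staticmethod
    def _keys(sender):
        # A sender is a mailbox address; a web script would appear as "script@domain".
        domain = sender.rsplit("@", 1)[1]
        return (("mailbox", sender), ("domain", domain), ("server", "*"))

    def try_send(self, sender, now):
        """Return (allowed, scope_that_rejected_or_None)."""
        keys = self._keys(sender)
        for scope, key in keys:
            limit = self.limits[scope].get(key)
            if limit is None:
                continue                        # this scope is unlimited
            recent = [t for t in self.sent[(scope, key)] if now - t < self.window]
            self.sent[(scope, key)] = recent    # drop sends that have aged out
            if len(recent) >= limit:
                return False, scope
        for scope, key in keys:                 # count only messages that got out
            self.sent[(scope, key)].append(now)
        return True, None


def run_sample():
    """Replay a constructed send sequence; return the rejecting scope for each attempt."""
    lim = OutboundLimiter(
        mailbox={"news@example.com": 2},   # the list sender: 2 per hour (constructed)
        domain={"example.com": 3},         # its domain: 3 per hour (constructed)
        server=5,                          # whole server: 5 per hour (constructed)
    )
    t0 = datetime(2014, 4, 14, 9, 0, 0)
    attempts = [
        ("news@example.com", 0), ("news@example.com", 1), ("news@example.com", 2),   # 3rd hits mailbox
        ("alice@example.com", 3), ("alice@example.com", 4),                          # 2nd hits domain
        ("bob@example.org", 5), ("bob@example.org", 6), ("bob@example.org", 7),      # 3rd hits server
        ("news@example.com", 61),                                                    # window has rolled
    ]
    return [lim.try_send(sender, t0 + timedelta(minutes=m))[1] for sender, m in attempts]


if __name__ == "__main__":
    print(run_sample())
```

Note the ordering of the checks: a mailbox that is already at its own limit is refused before the domain and server counters are consulted, and rejected messages are never counted, so one abused account cannot burn through the domain’s or server’s allowance on the way to being stopped. The last attempt goes through again because the mailbox’s earlier sends have aged out of the window, which is what lets a legitimate list sender carry on after a quiet hour.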
I hope you can see from this rather brief tour that Plesk 12 is a product you can rely on to take your security needs seriously. If you’d like to see more coverage of the security settings and options, don’t worry, there’s more to come in future posts.
But if you don’t want to wait till then, you can have a look at the Parallels Plesk 12 Preview today, whether downloading or trying it online, for free. It’s a really thorough release, which I’m sure you’ll get a lot out of.