PLESK 8.0.0 8.0.1 8.1.0 And 8.2.0 Security

Sep 29, 2007

This is a new one - please check http://kb.swsoft.com/en/2169 ASAP if you running PLESK of selected versions.

7.5.4, 8.1.1 and 8.2.1+ is NOT affected.

View 0 Replies


ADVERTISEMENT

Plesk Security Flaw

Jan 17, 2007

I just discovered something on my Plesk 8.1 server:

I'm the server admin and I host my domain name: mydomain.com. in the Plesk CP.

I have other "clients". Those clients are allowed to create subdomains.

The problem is, if the customer wants to, they can go to the subdomains settings in their client CP and insert a subdomain such as support.mydomain.com(yes a sub domain on my domain name) and then they could redirect it to another site or upload their own personal files.

This is a huge security issue. Has anyone delt with this?

View 14 Replies View Related

[Plesk] Horde/Kronolyth Security

Jun 14, 2008

I just had a ticket from one of my clients, he is able to see the calendar of another domain!

After some research I found out that more than 60 clients are able to view his calendar!

SQL view:
[url]
(There was a list of e-mail addresses at the last, but I left them out for privacy reasons.

This should never have been able to have happened! How do I prevent his calendar to be shared?

View 3 Replies View Related

Plesk 12.x / Linux :: How To Test WAF (mod Security)

Oct 8, 2014

I have Parallels Plesk 12.0.18 with CentOS 6.5 (Final)

WAF is On, with Atomic Basic ModSecurity rule set.

I was wondering if my sites were protected and I went to the Atomic wiki.

When I run a test from a non-whitelisted system following these instructions (STEP 10) [URL].... I always receive 404 error with all of my sites.

I also tested with:

[URL]...

Results: The sites load normally. (the call not even appears in the logs)

I've unistalled and reinstalled mod_security several times with the same results.

Is there any "official" way to check if WAF is protecting Plesk 12?

I asked same question in Atomic forum and they said:

you'd need to ask parallels about this, we made the ruleset available to them, but they implemented it using their own design. They might not be using 403 error codes like we do.

View 13 Replies View Related

Windows 2008 Server + Plesk: Security

Jun 17, 2009

I would like to setup a new dedicated server with the following:

- Windows Server Standard 2008 64bit Edition

- Plesk control panel

Questions:

Anyone know of a thorough tutorial on securing/optimizing a Windows 2008 server (even with Plesk) for a shared hosting environment?

Other?'s:

Considering Plesk's rip-off pricing, any free and quality alternatives to their products?

- plesk dr.web antivirus

- acronis trueimage backup

- plesk powerpack (I guess $24.99/mo lease isn't too horrible)

I basically want to replicate a Cpanel shared/reseller hosting environment, but with Plesk since Cpanel for Windows is not yet available and been delayed forever.

View 1 Replies View Related

Plesk 12.x / Linux :: After Mod Security Logrotate New Log Is Empty

Jul 6, 2014

Plesk 12 on Centos 6.5

I added the following to my /etc/logrotate.conf

/var/log/modsec_audit.log {
missingok
daily
rotate 4
compress
}

I'm not exactly sure if the above is the correct syntax, but the result was that two days later my current modsec_audit.log was Gzipped and a new modsec_audit.log was created.

The problem is that nothing was logged to this new file.

From the Plesk 12 control panel I turned off mod security and then turned it back on again and hey presto, the new logfile started to log events.

This leaves the problem of why nothing was recorded when the file was created.

View 2 Replies View Related

Plesk 12.x / Linux :: FTP Very Slow (with Firewall / Mod Security Enabled)

Jun 26, 2014

After upgrading to Plesk 12 the FTP connection has become very slow. Mode Security, Fail2Ban and Plesk Firewall have been enabled, the security is set to force sFTP and maximum security and in /etc/proftpd.d/ a conf file has been added to set the passive ports that have been opened in the Plesk Firewall (60000 to 62000)

Turning off the Mod Security does not solve the slow connection.

What can we do to detect the cause of the problem?

View 3 Replies View Related

Plesk 11.x / Linux :: Add Strict Transport Security (HSTS) To Panel

Mar 4, 2014

I have tried this on Plesk 11.5 and Plesk 12.0.10 Preview running on Ubuntu 12.04.4 LTS...

Locate the file

/etc/sw-cp-server/conf.d/plesk.confClick to expand...

View 3 Replies View Related

Plesk 12.x / Linux :: Disable Outlook Or Thunderbird Security Warning

Jul 12, 2014

How can I do to send email without the security warning?

I want the clients sending mails no longer have a security warning.

I tried with SSL port 465

I tried with port 587 TLS> Mail settings for the entire server> Enable Send Message

View 1 Replies View Related

Plesk 11.x / Windows :: Webadmin Not Working - Security Error Shown

Jan 24, 2014

After click webadmin its shows a security warning conform box as following on Firefox ...

Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.

Are you sure you want to continue sending this information?

And if click " OK" the page display " Server not found " error

[URL] ...

View 1 Replies View Related

Plesk 12.x / Linux :: For Security Reason Backup Is Performed On Behalf Of Subscription System User

Aug 24, 2014

I thought this problem was fixed in Plesk 11.5 but I'm still getting the following backup warnings in Plesk 12..."For security reason backup is performed on behalf of subscription system user...."

My phpbb forum creates cache files which have apache ownership and Plesk backup manager gives warnings that it cannot backup the files due to ownership errors.

I have searched for days for a solution without success. If I change the permissions to owner instead of apache the forums don't function correctly.

Is this a Plesk bug that is still evident in Plesk 12?

View 10 Replies View Related

Joomla Security / Linux Security

Apr 4, 2008

I run a web hosting company and one of my servers is a LAMP server running CentOs 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.

When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache". This makes sense as it is the apache service running PHP that is actually creating the files.

However, when he FTP's into the account to modify these files, he doesn't have the appropriate permissions to do so as he doesn't have a root level login, just permissions on his home directory which is the site. Any help would be much appreciated.

Also, does anyone know how to change the owner/group of a directory and all of its sub directories in Linux without changing the actual permissions? I.e. some of the files in the folder have different permissions (0644 as apposed to 0755) than its parent but if I do a top down user/group change on the folder it will change everything in that folder to 0755.

View 10 Replies View Related

Web Security

Jul 16, 2009

I have regarding hosting/designing my application. Users of my website upload highly sensitive files to the server. I'll use SSL but will that be enough since the files are not encrypted on the server. I tried to encrypt the files but that is adding a huge overhead.

My first question is - is it a good idea to store the files on the server rather than a database? My other question is regarding hosting; I'm thinking of building my own server and host it in a colo. Is colo more secure than dedicated hosting? Currently i'm still in the process of developing my App and my environment is Windows Server 2008/SQL Server 2005.

View 13 Replies View Related

Mod Security

Feb 9, 2007

Is there any problems with having duplicate rules in different files as I have downloaded some rules and am going to make them all into one file to give me the best protection, but this is going to take time and I really need some sort of protection now

View 2 Replies View Related

Security

Aug 25, 2007

after install ConfigServer Firewall i get the following ...

ConfigServer Security & Firewall - csf v2.89 >>
PHP Check >>
Check php for register_globals >>
WARNING >> You should modify the PHP configuration (usually in /usr/local/lib/php.ini) and set:
register_globals = Off

unless it is absolutely necessary as it is seen as a significant security risk

must i modify it?or not? put in ur consideration i tried to download it to modify an error occured!

View 2 Replies View Related

How Much Security

Aug 24, 2007

I am on a shared server account with Lunar Pages basic hosting plan.

The only script file I have up running is db Masters FormM@iler. It runs on Cpanel. I deleted whatever other scripts I could find on my server. The site is just basic html pages with jpgs and a gif.

Is there much else I really need to do to secure the server or is that more in Lunar Pages' hands?

If there is still more I can do to secure the server, and is it a small amount that's easy to do or would it be wise to just hire someone else to put in a few hours making sure everything is truly set up securely?

View 5 Replies View Related

Security

Apr 23, 2007

I have a vps that has been exploited, and the hosting company is giving me advise on what to do to fix the security problems, but i need a good server administrator/company to help me with this. can anyone recommend a company that will go thru my server,

View 8 Replies View Related

On Becoming A Security

Mar 27, 2007

I'm inheriting a website that is currently a mess. It was designed in Joomla, but everything about the site by the original designer, is completely a mess. Files weren't placed in their proper directory hiearchy, the site has been hacked into a few times...basically a big headache.

I'm willing to learn and my first goal is the redesign the site. Currently, I'm looking at choosing a CMS or just rebuilding it in Joomla. The problem is that the site is a big part of the business, so any down time is not good.

I have some questions I hope you experienced folks can help me with...

Does CMS choice have any bearing on whether or not its a security vulnerability? If so, which one's are "less a target" of getting hit?

I just want to design the site from scratch and make it secure as possible from suggestions on various forums. I don't want to be a security admin, but is that what I'll end up having to do to run a site like this?

What are my options between "doing it myself" vs "hiring a third party"?

The company is right now in a tween stage. Fast growth but not enough to hire a security guy, based on my talks with the CEO. I disagree with this, but what can I do in the meantime to plug the site holes?

I'm almost wanting to go commercial so I don't have all the headaches, but the company wants to save money. What can be done in those situations?

Before I go out and spend money on books, what do you recommend I buy to start getting my feet wet in what may become a future in IT security?

This is from someone who's just inherited a dedicated server with a swiss cheese website. What is the first order of business for someone who is in the dark and will not get much support in regards to spending more money?

how do I secure my site "on my own"?

View 5 Replies View Related

Php Security

Feb 26, 2007

I noticed that my vps had utilized 250 gig of traffic in one day [i average 5 gig per MONTH] with cpu usage of close 100%; my hosting company pinpointed one php file which had allowed an outside varibale to be placed in "include" function so that the outside php code was being run;

Is there any program/scripts that can immediately email me if cpu usage stays high
the nic card is being utilized too much memory usage exceed certain levles this way, i would know i have been hijacked in time and try to find the culprit i use knownhost with cpanel/linux mysql and php.

View 5 Replies View Related

Security

Jul 21, 2007

i have an unix server [don't know what version i think it's FreeBSD ]

[url]

and i use WS_FTP to upload the files to my server.. but i have a big problem all my files are encrypted with some problems but when people use getrigh browser or some kind off program to acess my server instead of a normal browser it appears the list of files i have upload and they can download them and when i set password for images etc it's all safe, but people can't acess parts of the site without password... i want to know if there's some way of protect my file without interfering with the normal browser acess.

View 9 Replies View Related

Security

Jul 24, 2007

when we run server with shared hosting. we mostly facing issue os security like c9shell scripts.. as well as ppl hacked database or changed index.html. we do enable php open base dir as well as mo security firewall we do search which user is using find command who is uploading file... but is there any other way to secure server for such hacking issue..

View 5 Replies View Related

Security

Mar 26, 2007

I have run rkhunter and got message saying that /bin/dmesg [BAD]

# rpm -qf /bin/dmesg
util-linux-2.12a-16.EL4.20
# rpm -V util-linux-2.12a-16.EL4.20
.M...... /usr/bin/chsh

It looks like RPM damaged? How can I confirm it?

View 2 Replies View Related

Security

Jul 10, 2007

When securing a vps system, do things like Enable Shell Fork Bomb/Memory Protection use much memory or any other secuirty measure?

View 3 Replies View Related

Security

Oct 31, 2007

We have a e-commerce web site that has the latest shopping cart software ( that is known to be secure) ssl cert, etc.

We got a call today from a guy who says that he used his brand new card on our web site and that the card was stolen and used on anothoer site within hours. We have checked every file on the web site, logging into serevr root and checking everything and cant find any evidence of a hack or security breach of any kind.

can someone recommend a reliable company that can go in and check things out for us to see if they can find anny security issues, or evidence of a breach? There must be a company out there that does this sort of thing

View 4 Replies View Related

Web Hosting Security

Apr 8, 2008

I am conducting some research into potential risks that web hosts have to deal with on a daily basis. What potential security risks are there for web hosts ? And how do they overcome these issues?

View 6 Replies View Related

Shell And Php Security

Jun 7, 2009

For security reason I have these php functiosn disabled:

show_source, system, shell_exec, exec, popen, proc_open, procopen, passthru

Can anyone please tell me whether if it will prevent shell scripts from working?

They can still upload the shells but cant read/write/execute commands in 777 directories?

View 6 Replies View Related

IP Security Policies

Jul 16, 2009

I want to setup a Windows 2003 security policy to filter traffic.

I want to let most of the world through to port 80 so maybe just ban a few nuicance IP's.

But then I have a POP / IMAP server, VPN, SMTP, etc that I want to block all but UK IP addresses.

I know I can do this through the MMC snap in but this is 1000's of IP's.

Is there a way I can import a list/range of IP's that I want to block from a country IP database?

View 14 Replies View Related

Security Leak Between The NIC

Oct 9, 2009

I have a Linux server in which i have two NIC's one is for the LAN and other is for the Internet

[root@nebula etc]# ifconfig
eth0 inet addr:192.168.1.101 Bcast:192.168.1.255 Mask:255.255.255.0

eth1 inet addr:192.168.1.102 Bcast:192.168.1.255 Mask:255.255.255.0

How can i test security between the Internet Nic and the LAN Nic to be sure no security leaks exist.

I can only access the server remotely no GUI but can install packages.

View 4 Replies View Related

CentOS Security

Mar 23, 2009

I am getting more into it and looking for the best way to harden it and secure it. Also some information about what processes to turn off and how to better setup my IP Tables.

View 8 Replies View Related

WHMCS Security

Apr 24, 2009

So I've been using WHMCS for a while, and there's something I'm a little concerned about with the whole keeping customers credit cards for recurring payments.

I've downloaded a backup copy of the database and I see that the passwords and credit card information is encrypted. That's all nice and handy but the CC hash is also stored right in the configuration file. That means that if someone gains access to the server and just grabs the database + config file they would then be able to view all that info correct? Maybe someone who knows a little more about WHMCS can tell me if this is correct or not?

View 1 Replies View Related

CSF Security Check

Apr 20, 2009

I'm running CSF on a Cpanel server and have questions about new features in CSF

Apache Check

Check Apache weak SSL/TLS Ciphers (SSLCipherSuite)

Results

Cipher list []. Due to weaknesses in the SSLv2 cipher you should disable SSLv2 in WHM > Apache Configuration > Global Configuration > SSLCipherSuite > Add -SSLv2 to SSLCipherSuite and/or remove +SSLv2. Do not forget to Save AND then Rebuild Configuration and Restart Apache, otherwise the changes will not take effect in httpd.conf

Can someone explain this in laymen terms? I know this is new in Cpanel. I'm already running Apache 2.2, PHP 5.2.9 with suPHP enabled and mod_security as well (these rules: [url]

Also, what exactly are these CSF checks?

Check csf PT_SKIP_HTTP option
This option disables checking of processes running under apache and can limit false-positives but may then miss running exploits

Check csf SAFECHAINUPDATE option
This option closes a window of opportunity that opens when dynamic chain updates occur

View 3 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved