Feature Suggestions
Please provide here your suggestion for new functionality for Plesk. We encourage you to review and vote for suggestions of others. The top-ranked suggestions are likely to be included in the next versions of Plesk.
Please write in English so that voters from all over the world can read and support your request.
Off-topic posts will be removed from here
137 results found
-
Backport Fail2Ban IPv6 Support to Plesk Onyx 17.x
As of now, feature with 178 votes is available in Plesk Onyx 17.9 Preview only: https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/17924536-fail2ban-now-supports-ipv6-please-upgrade
It would be awesome to have this feature available on earlier versions of Plesk Onyx without the necessity to wait until Plesk Onyx 17.9 becomes stable.
94 votesPlesk Onyx was end of life in April 2021. IPv6 support for Fail2Ban is available in all current and supported Plesk versions.
-
steering allowed SSLCiphers (negative >noCBC; positive >only GCM) for all System-layers (mail, Plesk-Login, Apache, Nginx) via Plesk
Optimizing the Quality of SSL-/TLS-Encryption at Plesk-driven Servers is very complicated...
... while the importance of a high-level encryption - not only since Edward Snowden - is of considerable importance.
please investigate:
and
http://www.kuketz-blog.de/nsa-abhoersichere-ssl-verschluesselung-fuer-apache-und-nginx/ (best article / only available in german)
Please implement the possibility for defining/steering not/allowed Ciphers and not/allowed SSL-protocols directly via PleskPanel.
This function should include ALL System-layers like: mail, webmail, Plesk-Login, SSH, PHP- or JAVA-Apps/Tomcat, Apache, Nginx, ...
THANK YOU VERY MUCH
30 votesOver the course of nine years this feature request has only received a handful of votes - although we had merged it with a similar request to get the full number of votes for both. We basically understand the need for top level security, but this feature seems not to be popular among users.
Even the rather extreme kuketz-blog article says: "The technology for protection against spying is available – but hardly anyone uses it." which is another indication that hardly anyone is interested in specific configurations that harden servers to the extent where powerful players have difficulties reading traffic.
Plesk allows using a "perfect security" configuration, but it seems that only very few individuals are actually interested in it and understand why this can make sense in some cases. As a responsible administrator who wants to provide perfect security to users you can implement it into your server along…
-
Adding google recaptcha to plesk login area, or any captcha validation
Adding google recaptcha to plesk login area, or any captcha validation
23 votesWe are not sure why solving a captcha can be a better solution than the existing solution of a Fail2Ban jail monitoring login attempts. After all, with a captcha, users are forced to fulfill an extra step, do extra input and clicks just to login. It would make the login process more difficult for them and slow the process down while at the same time it does not provide any extra security. Moreover, many captcha solutions have violated EU GDPR. Also, with a captcha, this will not prevent bots from hammering the server with requests, hence causing unnecessary cpu load.
Instead, Plesk has a very secure and effective solution to block bots from testing passwords: Please use the existing "plesk-panel" Fail2Ban jail (Tools & Settings > IP Address Banning).
-- PD
-
mod_evasive in Plesk
Add mod evasive as module for Plesk
22 votesYou can enable EPEL yum repository and install and configure mod_evasive for your Apache. But in latest Plesk Onyx versions it’s better and effective using ModSecurity Plesk feature for protecting attacks.
—
IG -
Prevent decryption of passwords for customers/mail users/...
At the moment, user/customer/... passwords are stored in the database in a way that they can still be decryted using the server's private key (see for instance http://serverfault.com/questions/425116/possible-to-get-cleartext-password). This is for instance used by the program mailauthview. Thus, once somebody knows the key and has access to the database, (s)he can decrypt all passwords.
I would like to prevent the ability of decrypting passwords at all. Since many people use the same passwords across different accounts, I'd like to prevent the risk that user passwords unintentionally could get revealed if somebody gets access to the server.
11 votesThank you for your input!
Unfortunately, we have to close your request, because over the years it has not become quite popular for further implementation.
—
IG -
opcache memory per vhost instead of shared
Currently Opcache is written in a shared memory it should be stored in the user's home folder. One client can see the all the scripts stored from all the sites hosted in the server.
9 votesThank you for your input!
Unfortunately, we have to close your request because it has not become quite popular for further implementation over the years.
—
IG -
Add the option to forbid execution of files in Plesk for Windows
In Plesk for Windows, add options to forbid executing .exe, .bat and other executable files in order to prevent starting of malicious scripts.
It should be added to domain and server-wide levels.6 votesNo further information on where in Plesk for Windows one can directly execute files, neither on where should .exe, .bat, .com be blocked was provided. We must decline this request.
-- PD
-
Don't show version on the login mask.
I recommend to don't show any information about the version of Plesk or other software before the user logged in.
6 votesThis feature request has only received very few votes over the course of 7 years. Also, there is no urgent technical requirement for it as the previous statement by Plesk mentioned:
-----
You wouldn't need to worry too much on version exposure: 1) should there be any vulnerability discovered, we will fix it for each and every supported version. Just stay up2date 2) hiding version gives only false sense of security - attacker can still apply all known vulnerabilities disregarding your actual version. There were just few vulnerabilities about Plesk and it is easy to run them all (though it won't give an impact as all of them are addressed already). It is even easier than capturing a version from a file. If you remain heavily concerned, we can recommend applying Two-Factor authentication via Clef or Google Auth extensions at http://ext.plesk.com or maybe restricting Plesk control panel access to certain…
-
Allowing customers to whitelist IP address's from their control panel.
Giving the customer the option to whitelist any IP address from their control panel.
At the moment, if a customer wants to whitelist an IP address they cannot without server admin whitelisting the IP across the server.
cPanel have this option with Mod Security Manager.
5 votesAllowing endusers to allowlist themselves can result in significant security risks. For example malicious users could use this tactic to drive brute-force attacks against the server or other users on the same server which cannot be noticed when that malicious user has whitelisted his own IP.
No arguments have been given why it is not risk to allow endusers to allowlist themselves. We must decline this request.
-- PD
-
Add the possibility to protect Plesk panel with Web Application Firewall (ModSecurity)
Plesk should provide a way to secure the Plesk administration panel with the Web Application Firewall (ModSecurity).
Currently, when Plesk is accessed via 8443, Apache is not handling any request. However, when Plesk is accessed via port 443, Nginx is working as a proxy.
This setup should be changed, Apache should work as a proxy to be able to filter the HTTP request with ModSecurity, adding an additional security layer.
5 votesWe do not see how this feature could improve Plesk security. All Plesk panel functions are behind a login, and the login can effectively be protected with the existing Fail2Ban jail. Also, this request only received very few votes through many years. We must decline it.
-- PD
-
nftables support (firewall)
Since 2014, with Linux kernel 3.13 and later, a new system for providing filtering and classification of network packets, datagrams and frames was introduced: nftables
It is stateful and more modular than iptables and does support IPv6.
As there are already packages for Archlinux or RHEL and so for CentOS and you can install on your own (of course), it would be great if in an upcoming (major) release iptables is replaced by nftables. Or a switch is implemented to use either the one or the other.
More information on:
https://wiki.nftables.org
http://netfilter.org/projects/nftables/
https://wiki.archlinux.org/index.php/nftables5 votesThank you for your input!
Unfortunately, we have to close your request because it has not become quite popular for further implementation over the years.
—
IG -
fail2ban notification
Make Fail2Ban send notifications when the server is under attack
4 votesUpd: Sorry, we are closing the request as no information were provided for over a month.
—
IG -
A feature that enables storing logs, complaint and non-complaint to GDPR in Windows.
The idea is to have non-compliant GDPR logs so debugging can be done and compliant GDPR logs that don't contain IPs for example.
4 votesIt’s pointless. Once we have non-compliant GDPR logs, it makes no sense to have compliant GDPR logs.
—
IG -
Manage all Firewall rules via Plesk GUI on Plesk for Windows
Ability to manage all Firewall rules via Plesk GUI on Plesk for Windows
4 votesUpd: Sorry, we are closing the request as no information were provided for over a month.
—
IG -
Extend Fail2Ban rules for Wordpress xmlrpc.php
Extend the Fail2Ban Rules for Wordpress xmlrpc.php, because of many bruteforce attacks on this.
4 votesWe have recommendations regarding this issue https://support.plesk.com/hc/en-us/articles/115002643313-WordPress-site-is-slow-Lots-of-log-entries-POST-xmlrpc-php-HTTP-1-0-499
So, you can always create own necessary fail2ban rule.
—
IG -
Filter POST and PUT requests, but keep GET available
It is needed to block PUT and POST requests from specific country, but keep GET available. For example, I do not want China to send POST and PUT to my server, but they are free to send GET in order to receive website's content.
4 votesThis feature request did not become popular over many years. We must decline it. It is also very specific and maybe directed in fighting malicious traffic? Instead, we suggest using https://httpd.apache.org/docs/2.2/mod/mod_ext_filter.html to filter requests. We're also working on GeoIP protection which will cover most use cases.
-- PD
-
Anonymize current log files, not only rotated ones.
Implement anonymization for current log files, not only for rotated ones on Linux.
4 votesSorry, but it is impossible because of different important Plesk features like Fail2ban, for instance, can work only with active logs .
—
IG -
Implement client SSL certificates for authentication into mail
There is an option in Outlook, mail.app and other clients "authenticate using certificate". HOwever Plesk does not allow to use this client based method of authentication.
4 votesThank you for your input!
Unfortunately, we have to close your request, because over the years it has not become quite popular for further implementation.
—
IG -
to make an extension for administrative purposes adding IP's in the Firewalling option
My list of IP's is growing, I like to have an option to write down these entries, for example.
IP A belongs to company a
IP B belongs to company b
IP C belongs to person a4 votesThank you for your input!
Unfortunately, we have to close your request, because over the years it has not become quite popular for further implementation.
—
IG -
Allow for E-Mail Notifican of Fail2Ban IP addresses that get blocked
Most fail2ban implementation have functionality that will allow for an alert email of IP's getting banned. This would be helpful for system administrators to review and take further action.
4 votesThank you for your input!
Unfortunately, we have to close your request, because over the years it has not become quite popular for further implementation.
—
IG
- Don't see your idea?