Change admin username
It should be possible for the admin user to change his user login name. The name "admin" is not very secure, because it's easiert to hack via brute force. The hackers know, the name is "admin". If the user would be able to change his login name, it would increase the security of Plesk Panel.
We have serious doubts this function can really increase server security:
1) Plesk has built-in protection against brute-force on login – it will lock the login form. So no one can try multiple attempts
2) Arbitrary login name adds very little guess-complexity to a proper password. If you have concerns for your login brute-forced – add another 5-7 characters into your password and feel safe.
As changed login name is still very likely to be some sort of vocabulary word or derived from your other account name – this function would only give a false sense of better security. Your security strength is in complex password, not in a complex login name. If you have one good password, you don’t need to treat login as your “second password” – one good password is enough.
As for concerns that default password requirement is set in “weak”, that fail2ban module is not enabled by default or may consume extra resources, etc – they are much irrelevant here. If someone is not willing investing some time into setting better password, into changing password policy or into installing/enabling server protection – changed admin name will again be only a false sense of security. If a password is “1234567”, then login doesn’t really matter.
@abc Good catch about root password. If you file that as a separate request, we are likely to improve it
I somewhat disagree with the official Plesk opinion. I agree that a strong password is a must. However, to log in, an attacker needs to know both - user name and password. If the user name is already known (and maybe the password is reused somewhere else), it is much easier to log in...
Thus, please make sure to implement this feature.
In addition, disabling a login with the Unix root credentials should be standard as well (can only be disabled via panel.ini).
Chris Cooper commented
+1 for Andy's comment. The ability to change the default username from "admin" is a must for PCI compliance and is a basic rule of thumb for general security.
Andy Bird commented
it does not really matter PCI requirements state that vendor supplied default user accounts must be changed before any system can be put into production. We need to be be able to change this from admin
Of course searching for a needle (password) in a house (username) is difficult, and yes, you can make the needle smaller (longer password) to make it harder to find. But not telling the thief which house the needle is in adds an undeniable factor of complexity to the task. Don't believe me? Go find the needle, it's in one of the houses on this planet.
the username admin is a puplic known name and should be changeable!
Jan L commented
I agree with Tobi and Sergey - you always should use strong passwords and fail2ban. Additionally, I highly recommend the Google Authenticator for Second-Factor-Authentication. There is a new version coming up in the next days that allows remembering devices, so that Plesk only asks you for the access token on unknown devices or after a certain time interval.
Is this request not much better? https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/4505273-protect-plesk-gui-11-5-30-with-basic-auth-login
You want change the username, I'm here with Sergey. Make your password longer and stronger have the same effect as take another username.
But what is with security bugs in plesk gui? Bugs that give attackers access to pleski gui?
I would like to add a second protection layer. fail2ban is nice, but I get with fail2ban hundreds of fail login every day and fail2ban NOT protects for security bugs in plesk gui. With "basic auth" you can prevent attackers directly from access your plesk gui at all. THATS much better in my eyes. In plesk 11.x and 12.0 this working, but in Plesk 12.5 not anymore. I would like this as optional feature, that admins can enable.
I have very serious beliefs that this CAN INCREASE server security, ESPECIALLY IF using a double login process where only the username is accepted in the first part of the process, and then after a proper username accepted, the password. Many would be likely to miss the username to begin with, and never make it to the password. AND, I think the same would be good for ssh root login, change the name, and make it a double process, (for those using password autho).
I do use the "Restrict Administrative Access" option, and like it. But what is wrong with more stringent lines of defense? And what admin would use 1234567 as a password? That to me seems to be a null point.
I personally use login names with many accounts that I have that are much like a password, something like: juB2rxI#p0L is a secure username. One must first get my username before getting to the password option, which is just as difficult to do, (if not more so), good luck with that! SO NO, a changed login name is NOT necessarily likely to be a vocabulary word, especially if there is a notation given to admins at that time, (from the panel), to make it difficult login name. And, by the way, it is a fact that the longer a login name or password is the more difficult it is to *****.
If Plesk is not willing to invest some time into setting more stringent security defenses, why have a forum for suggestions? I think the DIRECTOR above might be a little bit lazy.
flytigo 12 commented
flytigo 12 commented
Amin Taheri commented
Agree - +1
We cant use Fail2Ban (It tanks our server due to # of domains/customers) and being able to change the username would be great since it takes the guess work out of brute force attacks.
it also seems like a very easy thing to allow for - even if it does (in your opinion) only make people feel better, if people are asking for it, perhaps its better business to give it to them than to argue with them about why they think they want it?
David Venancio commented
I am very sorry, but I have to disagree totally.
If we can change the "admin" username, of course it will add more complexity to brute force attacks.
Statistically can even change the fact that Joomla will be less targeted than it is now.
I am afraid you are misinformed about locking admin or perhaps have much outdated information.
In case someone is trying to bruteforce your password, you remain safe:
- Plesk won't lock you if someone will try to bruteforce your password. Instead Plesk will add small delay on every false attempt, which doesn't make much difference for legitimate user (you), but makes any bruteforce nearly impossible as it would take too long.
- The Fail2ban module will lock a particular IP. So intruder will be locked, but you will be able to login safely. Except (of course), when intruder works from the same computer as you are, which could be the case when you decide to test your Plesk for bruteforce resistance (so you were the "intruder"). But in the real world it is much unlikely scenario
Some may also complain that bruteforcing itself can be considered DDoS attack, however different login name doesn't help here either - whether login is "admin" or not, the system will consume roughly the same resources on validating the attempt.
So the summary is:
- alternative login just cannot add more security than password already does. Adding extra symbol in password is equally effective as adding extra symbol in login name.
- intruders cannot lock you from logging in. They can only lock themselves
I can understand the fear when people see their servers are scanned, however looks like many people are looking for a false cure - scans won't disappear just because of the login changed. It doesn't take too much effort to try different login names in those bruteforce scripts.
Many internet services would use emails as login names. As those emails are often publicly known it should have been considered as a huge security threat, but of course everyone recognizes that it is not a weak login that compromises security - but a weak password does.
If you don't feel safe about your server, make sure you
1) have fail2ban module fully enabled. it will lock any bruteforce intruder quickly
2) have 2-factor auth extension installed. i.e. Clef. Here is an overview of available solutions: http://devblog.plesk.com/2015/02/passwords-in-plesk-just-say-no/
3) enable strong passwords in settings or just make sure your password is strong enough - not a dictionary word, not derived from a dictionary word, and includes digits and special characters.
Those things really improve security.
Hope it helps
Andrea, you have to watch your language here.
It cannot be really critical whether hacker has as login as a starting point or not - anyway they know your server IP. If your password is secure, you are safe. Add dp12kln88d as a prefix to your password and you will have those extra "497....eee..." combinations. No difference. You can add much more into your password actually.
Security is obtained via password, not via login.
For those concerned for brutefocring - just enable fail2ban in Plesk and an intruder will be blocked after first few attempts.
Andrea, i agree.. a more secure username is "not important." ???
Or if i wanted to piss off a web admin if i am having an argument with them.. then i go to their control panel and just toss random junk at their "admin" account so that it locks them out on purpose. that is the point right ? cant brute force it so it locks you out ? and what if that is my intent ? to lock out the real admin ? i would be happy to do that all day, keep someone locked out of their own system. all i need to know is their admin account login is named "admin"
Andrew Cranson commented
You can already add additional admin users, if required, since Plesk 11.5:
Increasing server security is not the only reason to allow an alternate administrative username. How about auditing. If you have multiple people using a system you have multiple usernames to keep track of them.We are assuming there is always one administrator?
Andrew Cranson commented
Which service are you talking about? Plesk itself locks you out for a while by default after a small number of incorrect logins as admin or root (both work by default btw). Other services managed by Plesk prohibit using admin as a username, e.g FTP. You could use admin@domain as an email login if you setup admin@ as a mailbox but it wouldn't be logical any other way.
I'm unsure if the Plesk API locks you out after a few incorrect attempts but the API is disabled by default and needs enabling by command line so when enabling it you have a great opportunity to check the admin password is strong, and the API is restricted to certain IP's. Where you have to leave it open simply enable fail2ban.
I still don't see any significant advantage to having this feature and think it's time best spent on other improvements.
Just have a look at the logs that show how the lower life forms are tying to enter your server: Username "admin" (or root depending on the service) is their way to go. I wonder why "admin" is even allowed by Plesk? Now "all there is to it" is finding a password for "admin". Not allowing "admin" will reduce the chance of entering the server with brute force by a zillion times.
I would agree that "real" system admins would tackle this themselves. But Plesk could help educate people when needed, right? Why is the default password strength set to "weak"? Let me guess: "admin" + "1234567"? (I sure hope those despicable life forms don't read this comment :-) )
Fail2Ban is not installed by default (and even if installed later it is not activated by default). And in a way this feature is an indispensable but costly/active substitute for a password-like username.
Not using "Admin" is a great free/passive safety improvement and a giant leap backwards for those pesky brute-force life forms.
O, and on the help page of this new feature ;-) you might as well add that it is best not to use your real name, your domainname, or "root" either. Even better: Treat it as a second password.