Protect plesk gui 11.5.30 with "basic auth" login (optional)
Hi,
I'm the only one with access to the plesk gui and want an additional "basic auth" protection for 11.5.30. I have MANY accesses from foreign IPs to my plesk login! Every day IPs are testing direct script access (old security holes?). A "basic auth" login will protect the gui against new security leaks.
11.0.9 uses lighttpd as its internal web server. There you can take these simple steps to protect the gui:
go to: /etc/sw-cp-server/applications.d/plesk.socket.sh
add:
# Limit access to Admin
auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/opt/psa/admin/htdocs/.htpasswd"
auth.require = ( "/" =>
(
"method" => "basic",
"realm" => "Your Title",
"require" => "valid-user"
),
)
add "mod_auth" to the first line in plesk.conf and restart the server /etc/init.d/sw-cp-server restart
11.5.30 now uses nginx as its internal web server.
I would like to have, in a KB article or in the documentation:
http://download1.parallels.com/Plesk/Doc/en-US/online/plesk-administrator-guide/index.htm?fileName=72042.htm a way to add "basic auth" to the internal web server (nginx) of plesk.
http://kb.parallels.com/en/111283
section: "config files"
this path does not exist in 11.5.30 anymore (only in 11.0.9)
"www: /etc/sw-cp-server/applications.d/plesk.conf"
Can anybody help here?
Now fail2ban component protects Plesk.
-
Actually Plesk never used basic auth for panel.
You might be confusing it with password protected directories at user sites.
Plesk doesn't show a part of password, but a small piece of hash (which will be eliminated soon).
-
Azurel commented
Here fail2ban does not help!
Plesk Onyx shows part of the password in the browser: https://talk.plesk.com/threads/security-thread.342665/#post-823772
Please remove "completed" and give an option or tutorial to protect the plesk panel with basic auth, like before in older plesk panels.
-
Tobi commented
+1
-
Azurel commented
No, fail2ban does not protect plesk at all. I have many panel.log entries daily with:
ERR [panel] [Action Log] Failed login attempt with login 'admin' from IP XX.XX.XX.XX
fail2ban does not protect against a bot network (many different IPs).
fail2ban does not protect against security bugs in plesk.
A basic auth gives a security layer before anyone can access plesk. Please create a KB so anyone can add this security feature for plesk 12.5 manually. thanks :)
topic: https://talk.plesk.com/threads/plesk-12-5-protect-with-htaccess.339393/
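Added example, not part of the thread and not Plesk or fail2ban code: a small Python check over panel.log lines in the format quoted above, showing why a per-IP threshold bans a single noisy address but never triggers on failures spread across many addresses. The sample lines, the documentation IP ranges and the `per_ip_limit` / `spread_limit` names and values are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the line format quoted in the comment above.
# IPs are RFC 5737 documentation addresses, not real data.
PREFIX = "ERR [panel] [Action Log] Failed login attempt with login"
SAMPLE_LOG = "\n".join(
    [f"{PREFIX} 'root' from IP 198.51.100.7"] * 6            # one noisy IP
    + [f"{PREFIX} 'admin' from IP 192.0.2.{n}" for n in range(10, 15)]  # 5 IPs, 1 try each
    + ["INFO [panel] unrelated line"]
)

LINE_RE = re.compile(
    r"Failed login attempt with login '(?P<login>[^']*)' from IP (?P<ip>\S+)"
)


def summarize(log_text, per_ip_limit=5, spread_limit=4):
    """Return (IPs a per-IP threshold would ban, logins failed from many IPs).

    per_ip_limit stands in for a per-address retry threshold (hypothetical
    value); spread_limit is the number of distinct source IPs per login
    that this example treats as a distributed attempt (hypothetical value).
    """
    per_ip = defaultdict(int)
    ips_per_login = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a failed-login entry
        per_ip[m["ip"]] += 1
        ips_per_login[m["login"]].add(m["ip"])
    banned = sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit)
    distributed = {
        login: len(ips)
        for login, ips in ips_per_login.items()
        if len(ips) >= spread_limit
    }
    return banned, distributed


if __name__ == "__main__":
    banned, distributed = summarize(SAMPLE_LOG)
    print("per-IP threshold would ban:", banned)
    print("logins failed from many distinct IPs:", distributed)
```

On the constructed sample the five 'admin' failures come from five addresses, so none of them reaches the per-IP limit; only the aggregate view per login surfaces them.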
-
Sergey Ugdyzhekov commented
Plesk 12.0 supported Fail2ban so your Plesk servers will be protected.
-
Azurel commented
The question exists here: http://forum.parallels.com/showthread.php?291451-Protect-plesk-panel-11-5-with-htaccess%28auth-basic%29&p=701459&viewfull=1#post701459
The product support gave a wrong answer. An htaccess file has nothing to do with nginx. I only used the term "htaccess" in the topic to describe the type of login. :)
-
Sergey Ugdyzhekov commented
Azurel
I will help you if you ask your question on forum.parallels.com :)