Jon

My feedback

• 309 votes  ·  35 comments  ·  Feature Suggestions » Security

      We have serious doubts this function can really increase server security:
      1) Plesk has built-in protection against brute-force on login – it will lock the login form. So no one can try multiple attempts
      2) Arbitrary login name adds very little guess-complexity to a proper password. If you have concerns about your login being brute-forced – add another 5-7 characters into your password and feel safe.

      As a changed login name is still very likely to be some sort of vocabulary word or derived from your other account name – this function would only give a false sense of better security. Your security strength is in a complex password, not in a complex login name. If you have one good password, you don’t need to treat login as your “second password” – one good password is enough.

      As for concerns that default password requirement is set in “weak”, that fail2ban module is not…

      Jon commented  · 

      I have very serious beliefs that this CAN INCREASE server security, ESPECIALLY IF using a double login process where only the username is accepted in the first part of the process, and then after a proper username is accepted, the password. Many would be likely to miss the username to begin with, and never make it to the password. AND, I think the same would be good for ssh root login, change the name, and make it a double process, (for those using password auth).

      I do use the "Restrict Administrative Access" option, and like it. But what is wrong with more stringent lines of defense? And what admin would use 1234567 as a password? That to me seems to be a null point.

      I personally use login names with many accounts that I have that are much like a password, something like: juB2rxI#p0L is a secure username. One must first get my username before getting to the password option, which is just as difficult to do, (if not more so), good luck with that! SO NO, a changed login name is NOT necessarily likely to be a vocabulary word, especially if there is a notation given to admins at that time, (from the panel), to make it a difficult login name. And, by the way, it is a fact that the longer a login name or password is the more difficult it is to *****.

      If Plesk is not willing to invest some time into setting more stringent security defenses, why have a forum for suggestions? I think the DIRECTOR above might be a little bit lazy.

      Jon supported this idea  · 
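The two positions in the exchange above (a secret login name as a "second password" versus simply a longer password, with a lockout on the login form) can be put side by side with a small entropy model. This is an added example, not code from the thread, from Plesk or from either commenter; the 94-character alphabet, the one-million-candidate space assumed for a dictionary-derived username, the 12-character baseline password and the lockout policy of 5 attempts per 30 minutes are all constructed assumptions, marked as such in the code.

```python
import math

# Constructed assumptions for the comparison (not figures taken from the thread):
PRINTABLE_ALPHABET = 94              # printable ASCII characters excluding space
DICTIONARY_USERNAME_SPACE = 2 ** 20  # ~1M candidates: word list plus common variations
BASELINE_PASSWORD_LENGTH = 12        # a reasonable random password to compare against
LOCKOUT_MAX_ATTEMPTS = 5             # assumed policy: 5 failed logins ...
LOCKOUT_WINDOW_SECONDS = 30 * 60     # ... then the form is locked for 30 minutes


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Expected number of guesses to hit a uniformly random secret: half the space."""
    return 2.0 ** bits / 2.0


def online_attempt_rate(max_attempts: int, window_seconds: int) -> float:
    """Effective guesses per second an online guesser gets under a lockout policy."""
    return max_attempts / window_seconds


def expected_years(bits: float, attempts_per_second: float) -> float:
    """Expected time in years to guess a secret of `bits` entropy at a given rate."""
    return expected_guesses(bits) / attempts_per_second / (365 * 24 * 3600)


def compare_scenarios() -> dict:
    """Total bits to overcome in each scenario, starting from a known username
    plus a 12-character random password (the baseline)."""
    base = entropy_bits(PRINTABLE_ALPHABET, BASELINE_PASSWORD_LENGTH)
    return {
        "known username, 12-char password": base,
        # a username derived from a word or another account name (the admin's case)
        "dictionary-derived secret username": base + math.log2(DICTIONARY_USERNAME_SPACE),
        # the admin's alternative: 5 to 7 more random password characters
        "known username, 5 extra password chars": base + entropy_bits(PRINTABLE_ALPHABET, 5),
        "known username, 7 extra password chars": base + entropy_bits(PRINTABLE_ALPHABET, 7),
        # a random 11-character username such as the one Jon describes
        "random 11-char secret username": base + entropy_bits(PRINTABLE_ALPHABET, 11),
    }


if __name__ == "__main__":
    rate = online_attempt_rate(LOCKOUT_MAX_ATTEMPTS, LOCKOUT_WINDOW_SECONDS)
    print(f"online guess rate under lockout: {rate:.4f}/s")
    for name, bits in compare_scenarios().items():
        years = expected_years(bits, rate)
        print(f"{name:42s} {bits:6.1f} bits  ~{years:.1e} years online")
```

Running it shows both points at once: a username derived from a word list adds about 20 bits, less than 5 extra random password characters (about 33 bits), which is the admin's argument; a genuinely random 11-character username adds about 72 bits, which is Jon's argument, but at that point it is simply a second password that has to be generated and stored like one. Under the assumed lockout policy the online guess rate is a fraction of a guess per second, so every scenario is out of reach online; the extra bits only matter against an offline attack on a leaked hash, where the username is usually known anyway.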
• 286 votes  ·  open discussion  ·  39 comments  ·  Feature Suggestions » Security
        Jon commented  · 

        I would be happy to have a quick way within the panel to block an IP or IP block, such as what I have to log in via ssh and do via iptables... Like
        iptables -I INPUT 34 -s 14.0.0.0/9 -j DROP

        Jon supported this idea  · 
• 5 votes  ·  2 comments  ·  Feature Suggestions » Security

          You wouldn’t need to worry too much on version exposure:
          1) should there be any vulnerability discovered, we will fix it for each and every supported version. Just stay up2date
          2) hiding version gives only false sense of security – attacker can still apply all known vulnerabilities disregarding your actual version. There were just a few vulnerabilities about Plesk and it is easy to run them all (though it won’t give an impact as all of them are addressed already). It is even easier than capturing a version from a file.

          If you remain heavily concerned, we can recommend applying Two-Factor authentication via Clef or Google Auth extensions at http://ext.plesk.com or maybe restricting Plesk control panel access to certain IPs only and only enter it via VPN. The last option is the least convenient and the most secure.

          Jon supported this idea  · 
• 12 votes  ·  open discussion  ·  1 comment  ·  Feature Suggestions » Security
            Jon supported this idea  · 
• 59 votes  ·  13 comments  ·  Feature Suggestions » Security
              Jon supported this idea  · 
