Andrew Cranson

My feedback

  1. 14 votes
    open discussion  ·  3 comments  ·  Feature Suggestions » Panel/Mail
    Andrew Cranson supported this idea  · 
  2. 417 votes
    53 comments  ·  Feature Suggestions » Security

    We have serious doubts that this function can really increase server security:
    1) Plesk has built-in protection against brute force on login – it will lock the login form, so no one can try multiple attempts.
    2) An arbitrary login name adds very little guess-complexity to a proper password. If you have concerns about your login being brute-forced, add another 5-7 characters to your password and feel safe.

    As a changed login name is still very likely to be some sort of vocabulary word or derived from your other account name, this function would only give a false sense of better security. Your security strength is in a complex password, not in a complex login name. If you have one good password, you don't need to treat the login as your "second password" – one good password is enough.

    As for concerns that the default password requirement is set to "weak", that the fail2ban module is not…

    Andrew Cranson commented  · 

    You can already add additional admin users, if required, since Plesk 11.5:
    http://download1.parallels.com/Plesk/PP12/12.0/Doc/en-US/online/plesk-administrator-guide/60327.htm#

    Andrew Cranson commented  · 

    Which service are you talking about? Plesk itself locks you out for a while by default after a small number of incorrect logins as admin or root (both work by default, btw). Other services managed by Plesk prohibit using admin as a username, e.g. FTP. You could use admin@domain as an email login if you set up admin@ as a mailbox, but it wouldn't be logical any other way.

    I'm unsure if the Plesk API locks you out after a few incorrect attempts, but the API is disabled by default and needs enabling by command line, so when enabling it you have a great opportunity to check that the admin password is strong and that the API is restricted to certain IPs. Where you have to leave it open, simply enable fail2ban.

    I still don't see any significant advantage to having this feature and think it's time best spent on other improvements.

    Andrew Cranson commented  · 

    The risk can be mostly mitigated by using Fail2ban. I'm not sure how important this really is, and think it would add to confusion both for customers and support.

  3. 345 votes
    planned  ·  73 comments  ·  Feature Suggestions » Plesk (general)
    Andrew Cranson commented  · 

    SNI doesn't work for us until Windows XP is gone - there are too many users still using XP or older browsers on other OSs who access websites we host.

    For us it's definitely about different domains on different IP's for SSL.

    Andrew Cranson commented  · 

    We need this for SSL for sure; SNI is still very problematic due to so many people using old OSs/browsers. This is quite a frequent problem for us.

    Andrew Cranson supported this idea  · 
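
The two comments above turn on whether a visitor's browser sends a server_name (SNI) extension at all; clients that don't (Internet Explorer on Windows XP is the classic case) can only be matched to a certificate by destination IP. The following is an added example, not code from Plesk or from the commenter, that parses a TLS ClientHello record and reports the SNI host name, or None when the hello carries no SNI. The ClientHello bytes are constructed inline by `build_client_hello` (a sample, not a capture); the function names and the `sni_coverage` tally are assumptions for illustration. A practitioner could feed it the first client record of each connection from a pcap to measure how many visitors would actually break on an SNI-only deployment.

```python
import struct

RECORD_HANDSHAKE = 0x16          # TLS record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01    # handshake message type: ClientHello
SNI_EXTENSION_TYPE = 0x0000      # extension type: server_name (RFC 6066)


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.0-style ClientHello record (a constructed sample,
    not a real capture). With server_name set, a server_name extension is
    appended; without it the hello has no extensions block at all, which is
    what an SNI-less client such as IE on Windows XP sends."""
    body = b"\x03\x01"                              # client_version: TLS 1.0
    body += b"\x11" * 32                            # random (fixed bytes for the sample)
    body += b"\x00"                                 # session_id length 0
    suites = b"\x00\x2f\x00\x35"                    # TLS_RSA_WITH_AES_128/256_CBC_SHA
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                             # one compression method: null
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext   # extensions block
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([RECORD_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None
    if the hello carries no SNI. Raises ValueError for anything that is not a
    well-formed handshake record holding a complete ClientHello."""
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("record does not hold a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    hello = hs[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                                         # client_version + random
        sid_len = hello[pos]; pos += 1 + sid_len             # session_id
        suites_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + suites_len
        comp_len = hello[pos]; pos += 1 + comp_len           # compression_methods
        if pos == len(hello):
            return None                                      # no extensions block at all
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            data = hello[pos:pos + ext_len]; pos += ext_len
            if ext_type != SNI_EXTENSION_TYPE:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + name_len]
                if name_type == 0:                           # host_name
                    return name.decode("idna")
                p += 3 + name_len
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return None                                              # extensions present, no SNI


def sni_coverage(records):
    """Tally (with_sni, without_sni) over a sequence of first-client-record
    byte strings; records that are not ClientHellos are skipped."""
    with_sni = without_sni = 0
    for rec in records:
        try:
            host = extract_sni(rec)
        except ValueError:
            continue
        if host is None:
            without_sni += 1
        else:
            with_sni += 1
    return with_sni, without_sni


if __name__ == "__main__":
    sample = [build_client_hello("shop.example"), build_client_hello(), b"\x00"]
    print(extract_sni(sample[0]), extract_sni(sample[1]), sni_coverage(sample))
```

SSLv2-compatible hellos, which some very old clients still send, use a different record layout and are rejected here with ValueError rather than parsed; for the purpose of counting SNI-capable clients that is the right outcome, since such a client never carries SNI either.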
