Enhancing Security

When you share a single physical server between many users, you must consider all security aspects thoroughly. Although Plesk provides an acceptable security level, there are recommended ways to improve it. This chapter provides instructions on protecting the Plesk server and hosted domains from unauthorized access.

In this chapter:

Restricting Script Execution in the /tmp Directory

Configuring Site Isolation Settings

Protecting from Running Tasks on Behalf of root


Restricting Script Execution in the /tmp Directory

To secure the Plesk server, it is recommended to create /tmp as a separate partition and mount it with noexec and nosuid options. These options do the following:

  • noexec disables the executable file attribute within an entire file system, effectively preventing any files within the file system from being executed.
  • nosuid disables the SUID file attribute within an entire file system. This prevents SUID attacks on, for example, the /tmp file system.

To secure the /tmp partition of your Plesk server:

  • If /tmp is a separate partition on the server, you only need to edit /etc/fstab and add the noexec and nosuid options for /tmp. Then remount the partition.
  • If the /tmp directory resides on the / partition:
    1. Create a partition for /tmp, for example with a size of 512 MB:

      # mkdir /filesystems

      # dd if=/dev/zero of=/filesystems/tmp_fs bs=1M count=512

      # mkfs.ext3 /filesystems/tmp_fs

    2. Add the following line to /etc/fstab:

      /filesystems/tmp_fs /tmp ext3 noexec,nosuid,loop 1 1

    3. Move the current /tmp directory content to another location.
    4. Mount the new /tmp partition:

      # mount /tmp

    5. Move the content from the old /tmp directory to the new one.
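A verification step for the procedure above, added here and not part of the Plesk documentation: it checks that /tmp carries noexec and nosuid both in /etc/fstab (so the setting survives a reboot) and in the live mount table (/proc/mounts), because an fstab edit that was never remounted, or a manual remount that was never written to fstab, each leaves a gap. The file contents are passed in as text so the functions run on the constructed samples as well as on a real server.

```python
from typing import Dict, Optional, Set

# Mount options the procedure above requires on /tmp.
REQUIRED = {"noexec", "nosuid"}


def mount_options(table: str, mountpoint: str = "/tmp") -> Optional[Set[str]]:
    """Return the option set of MOUNTPOINT from an /etc/fstab or /proc/mounts table, or
    None if the table has no entry for it (as when /tmp is only a directory on /).

    Both files use whitespace-separated fields: device, mountpoint, type, options, ...
    """
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return set(fields[3].split(","))
    return None


def missing_options(table: str, mountpoint: str = "/tmp") -> Set[str]:
    """Required options the entry for MOUNTPOINT lacks; all of them if there is no entry."""
    opts = mount_options(table, mountpoint)
    return set(REQUIRED) if opts is None else REQUIRED - opts


def check_tmp(fstab: str, mounts: str) -> Dict[str, Set[str]]:
    """Report what is missing in the persisted (fstab) and live (mounts) configuration
    separately, so that either kind of gap shows up on its own."""
    return {"fstab": missing_options(fstab), "live": missing_options(mounts)}


# Constructed samples: /etc/fstab after step 2, and /proc/mounts before and after step 4.
FSTAB = "/dev/sda1 / ext4 defaults 1 1\n/filesystems/tmp_fs /tmp ext3 noexec,nosuid,loop 1 1\n"
MOUNTS_BEFORE = "/dev/sda1 / ext4 rw,relatime 0 0\n"
MOUNTS_AFTER = MOUNTS_BEFORE + "/dev/loop0 /tmp ext3 rw,nosuid,noexec,relatime 0 0\n"

if __name__ == "__main__":
    try:  # on a live Linux server, inspect the real files
        with open("/etc/fstab") as f, open("/proc/mounts") as m:
            print(check_tmp(f.read(), m.read()))
    except OSError:  # elsewhere, fall back to the constructed samples
        print(check_tmp(FSTAB, MOUNTS_AFTER))
```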

Configuring Site Isolation Settings

If you offer shared hosting services, one of the most important security aspects is site isolation. This means that users must not be able to access other users’ files and databases.

Customers' files are usually located in separate directories owned by the corresponding system users, so other customers cannot access them by SSH or FTP. The main issue with site isolation is that the server sometimes executes all scripts of the same type (for example, Perl scripts) on behalf of the same system user. This means, for example, that if a customer's Perl script creates a file in the /tmp directory, another customer's Perl script can access this file because the system executes both scripts on behalf of the same user.

For PHP scripts, you can solve the site isolation problem by running PHP as a FastCGI or CGI application. In this case, the system executes each user's PHP scripts on behalf of the corresponding system user and thus isolates scripts owned by different users. By contrast, if Plesk runs PHP as an Apache module, all PHP scripts are executed on behalf of the apache user. This weakens the site isolation.

Some other scripts, such as those written in Perl and Python, are always executed by Plesk on behalf of the same system user. So, in order to provide the best site isolation, you should either prohibit their execution on the server or manually configure the system to execute them securely. Refer to the corresponding documentation for instructions on configuring secure execution of such scripts.

By default, no server-wide site isolation settings are applied: for each subscription, its site isolation settings are defined by its service plan (if the subscription is synced with it) or its own settings (if the subscription is customized and locked).

Note: Customers can change their site isolation settings only if they have the permission Hosting Settings Management.

To define the server-wide site isolation settings:

  1. Open the file $PRODUCT_ROOT_D/admin/conf/site_isolation_settings.ini for editing, where $PRODUCT_ROOT_D is /usr/local/psa on RPM-based systems and /opt/psa on DEB-based systems.

    This configuration file specifies the list of allowed values for hosting settings:

    [hosting]
    ;php = on
    ;php_handler_type = fastcgi
    ;python = off
    ;perl = off
    ;fastcgi = any
    ;miva = off
    ;ssi = any
    ;ssl = on
    ;shell = /usr/local/psa/bin/chrootsh
    ;asp = any
    ;php_safe_mode = on

    By default, all lines are commented out with semicolons (;), so no server-wide settings apply.

  2. To define a server-wide setting, uncomment the corresponding line by removing the semicolon (;) and edit the line. For example, to prohibit executing Perl scripts on your server, remove the semicolon from the line ;perl = off.

    You can set the following values for the settings:

    • on and off for scripting options.
    • module, fastcgi, cgi, or fpm for php_handler_type.
    • A line from /etc/shells file for shell.
    • any for any option whose value you do not want to restrict (with one exception: if php_handler_type = any, the customer is restricted from changing PHP versions and handlers).

    In addition, there are the following restrictions on the use of these values:

    • If php is off, php_handler_type and php_safe_mode must be set to any.
    • If fastcgi is off, php_handler_type must not be set to fastcgi.

However, you can grant the permission to override the server-wide settings to certain subscriptions or service plans. To do this, select the option Setup of potentially insecure web scripting options that override provider's policy in the subscription or service plan settings, Permissions tab.

Note: You can grant the permission Setup of potentially insecure web scripting options that override provider's policy in a plan only after you grant the permission Hosting settings management.
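The following is an added example, not Plesk code: it parses a site_isolation_settings.ini file with the semantics described above (a line starting with ; sets nothing) and checks the allowed values and the two restrictions before the file is deployed. The SHELLS list stands in for the contents of /etc/shells and the sample INI is constructed for the demonstration.

```python
import configparser
from typing import Dict, List

# Options that take on/off (or any); php_handler_type and shell have their own value sets.
SCRIPTING = {"php", "python", "perl", "fastcgi", "miva", "ssi", "ssl", "asp", "php_safe_mode"}
HANDLERS = {"module", "fastcgi", "cgi", "fpm", "any"}
# Constructed stand-in for the contents of /etc/shells on the server.
SHELLS = ["/bin/sh", "/bin/bash", "/usr/local/psa/bin/chrootsh"]


def parse_settings(ini_text: str) -> Dict[str, str]:
    """Return the active [hosting] keys; lines starting with ';' are comments and set nothing."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return dict(cp["hosting"]) if cp.has_section("hosting") else {}


def validate(settings: Dict[str, str], shells=SHELLS) -> List[str]:
    """Return the rule violations found; an empty list means the settings are consistent."""
    problems = []
    for key, val in settings.items():
        if key in SCRIPTING and val not in {"on", "off", "any"}:
            problems.append(f"{key}: expected on, off or any, got {val!r}")
        elif key == "php_handler_type" and val not in HANDLERS:
            problems.append(f"php_handler_type: unknown handler {val!r}")
        elif key == "shell" and val != "any" and val not in shells:
            problems.append(f"shell: {val!r} is not listed in /etc/shells")
    # Restriction 1: with PHP off, the handler and safe mode must be left unrestricted.
    if settings.get("php") == "off":
        for dep in ("php_handler_type", "php_safe_mode"):
            if settings.get(dep, "any") != "any":
                problems.append(f"php is off, so {dep} must be set to any")
    # Restriction 2: a disabled FastCGI cannot be the forced PHP handler.
    if settings.get("fastcgi") == "off" and settings.get("php_handler_type") == "fastcgi":
        problems.append("fastcgi is off, so php_handler_type must not be fastcgi")
    return problems


# Constructed sample: Perl and Python prohibited, but FastCGI disabled while the PHP
# handler is still forced to fastcgi, which violates the second restriction.
SAMPLE_INI = """[hosting]
;php = on
php_handler_type = fastcgi
python = off
perl = off
fastcgi = off
;shell = /usr/local/psa/bin/chrootsh
"""

if __name__ == "__main__":
    for problem in validate(parse_settings(SAMPLE_INI)) or ["no problems found"]:
        print(problem)
```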


Protecting from Running Tasks on Behalf of root

By default, Plesk allows utilities or scripts to be run on behalf of root in two cases:

  • Scheduling tasks with the cron manager
  • Handling events with the Event Manager tool

This makes the Plesk server vulnerable to malicious software. To eliminate these vulnerabilities, create the following files and leave them empty:

  • $PRODUCT_ROOT_D/var/root.crontab.lock prevents users from running cron tasks and viewing the list of tasks scheduled on behalf of root.
  • $PRODUCT_ROOT_D/var/root.event.handler.lock prevents users from creating event handlers functioning on behalf of root.

The $PRODUCT_ROOT_D is /usr/local/psa on RPM-based systems or /opt/psa on DEB-based systems.