Restricting Administrative Access
summary: If the Plesk administrator password is compromised, a third party can access Plesk and damage the server and the hosted websites. You can enhance security and reduce the chances of unauthorized access to Plesk by restricting administrative access.
In this topic, you will learn how stop anyone from logging in to Plesk as administrator from one or more specific IP addresses, and also how to make it so that logging in to Plesk as administrator is only possible from one or more specific IP addresses.
In Plesk, you can either prevent administrative access from specific IP address or addresses, or restrict administrative access to specific IP address or addresses. Anyone trying to log in to Plesk as an administrator from a disallowed IP address will see an error message. Restricting administrative access to Plesk does not prevent resellers or customers from logging in to Plesk, even from disallowed IP addresses.
Note: Restricting administrative access from a specific IP address does not block incoming connections to the server. It does not prevent, for example, attempts to connect via SSH or RDP. Make sure that the Plesk administrator password does not match the server’s ‘root’ or ‘administrator’ user password.
The first option is more permissive. If you notice suspicious activity originating from a specific IP address (for example, by reviewing Fail2Ban logs), you can prevent anyone using that IP address from having administrative access to Plesk.
To prevent administrative access to Plesk from specific IP addresses:
- Log in to Plesk.
- Go to Tools & Settings > IP Access Restriction Management (under “Security”).
- Click Settings, select the “Allowed, excluding the networks in the list” radio button, and then click OK.
- Click Add Network and specify the IP address or addresses from
which administrative access to Plesk must be blocked:
- Individual IP addresses (for example, 192.168.1.110)
- Subnets of IP addresses (for example, 123.0.0.1/16 or 123.123.*.*)
- Click OK.
Now, administrative access to Plesk is possible from all IP addresses except for those that you have explicitly disallowed.
The second option is more restrictive. It minimizes the chances of unauthorized access to Plesk, but may make it difficult to access Plesk from an unusual location (for example, if you need to access Plesk while traveling). Limiting administrative access to specific IP addresses is also likely to disrupt your ability to manage Plesk via Plesk Mobile, as mobile phones usually do not have static IP addresses.
To limit administrative access to Plesk to specific IP addresses:
- Log in to Plesk.
- Go to Tools & Settings > IP Access Restriction Management (under “Security”).
- Click Settings, select the “Denied from the networks that are not listed” radio button, and then click OK.
- Click Add Network and specify the IP address or addresses from
which administrative access to Plesk must be allowed:
- Individual IP addresses (for example, 192.168.1.110)
- Subnets of IP addresses (for example, 123.0.0.1/16 or 123.123.*.*)
- Click OK.
Now, administrative access to Plesk is possible only from the IP address or addresses you have explicitly allowed.
When you limit administrative access to Plesk, you can accidentally disallow administrative access from your own IP address:
- By adding your own IP address to the list when preventing administrative access to Plesk from specific IP addresses.
- By forgetting to add your own IP address to the list when limiting administrative access to Plesk to specific IP addresses.
To prevent such mistakes, Plesk informs you that you will not be able to log in to Plesk with administrator’s rights from your IP address with the following error message:
If you have locked yourself out of Plesk, follow the steps in the following KB article to regain access.
If desired, you can edit or remove IP addresses you have added to restrict administrative access. To edit an IP address, click it, change the IP address value, and click OK. To remove an IP address, select its checkbox, click Remove, and then click Yes to confirm the removal.