Article overview

Help article

Plesk Tutorial Series 2: Securing your VPS

This is the second part of our Plesk Tutorial Series. If you're configuring a new VPS we recommend starting with part 1.

Automated bots continuously scan IPs for vulnerabilities. To prevent security issues on your VPS, configuring the security of your VPS is the first thing we do after the installation.

Given the large number of IPs used by bots, we cannot include all attacking IPs in our own firewall, nor do we receive reports of attempts to penetrate your VPS. As such, it's important to have solid security on your VPS.

Security measures

To secure your VPS we go through the following steps:

  • Change your SSH Port.
  • Fail2Ban brute force security.
  • Limit access to Plesk to specific IPs.
  • Anti-virus / malware security with ClamAV
  • Plesk Security Policy
  • Securing localhost & mail with SSL.
  • This is relatively complex material. If you use the steps below to secure an existing (instead of new) VPS, then always create a snapshot of your VPS first before you follow the steps below.That way you always have a snapshot to fall back on if it turns out that a change creates a problem.

Change your SSH port

The root user does not have SSH access to your VPS by default. Additionally, we recommend changing your SSH port. This is a form of 'security through obscurity'; by changing your SSH port, you make your VPS invisible to most of the attacking bots (if not all bots). An additional advantage is that your log files remain organized and you get a clearer picture when your VPS is actually attacked directly, instead of randomly by a bot.

 

Step 1

Connect to your VPS via the VPS console in your control panel or via SSH. Check your used ports with the command below.

netstat -tulpn | less

An overview as shown in the screenshot below appears. In this overview, the port numbers are the numbers in the row 'Local Address' behind the colon.

netstat output


 

Step 2

Choose a random port number between 0 and 65535 that is not shown in the overview (for example 47592) and press 'q' to stop netstat.


 

Step 3

Open the SSH configuration file with the command below. You can also use vim for this. 

nano /etc/ssh/sshd_config

 

Step 4

The configuration file opens, and you will see the code below, among other things.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp
#PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Uncomment or delete the # in front of '#Port 22' and change the number to the number you chose under step 2, for example:

port 47592

Save the file and close the file by pressing ctrl + x > y > enter in succession.


 

Step 5

Add the chosen port to your firewall with the command below. Replace 47592 with the port number you selected in step 2.

firewall-cmd --permanent --zone=public --add-port=47592/tcp

Firewalld manages iptables in Plesk. Commands for iptables that you might already be familiar with, such as 'systemctl status iptables' do not work.


 

Step 6

CentOS comes with SELinux, an extra Linux security feature to protect against misconfigurations. By default, SELinux doesn't accept SSH connections on the port you just configured. You add this port to SELinux using the command:

semanage port -a -t ssh_port_t-p tcp 47592

Replace 47592 by your chosen port number.


 

Stap 7

Restart your firewall configuration and SSH with the following commands:

firewall-cmd --reload
systemctl restart sshd

You can then check that SSH uses the new port with the command:

ss -tnlp | grep sshd
Fail2Ban bruteforce security

Bots try to enter automatically by performing brute force attacks on your VPS in different areas, such as SSH, Postfix (outgoing mail server), and Plesk. Fail2Ban offers good protection against this. Fail2Ban protects your VPS by banning IPs that try to abuse your VPS, for example in too many wrong password attempts, searching for exploits, etc. We therefore recommend Fail2Ban wholeheartedly.

 

Step 1

Log in to Plesk and navigate to 'Tools & Settings'> 'Updates and Upgrades'.

plesk tools and settings updates and upgrades


 

Step 2

Click on ‘Add/Remove Components’.

plesk add and remove components


 

Step 3

Select the dropdown icon for Fail2Ban and select 'Install'. Click on 'Continue' to install Fail2Ban.

plesk add fail2ban


 

Step 4

You will see a confirmation of the installation.

plesk added fail2ban

Now return to 'Tools & Settings'> 'Updates and Upgrades'. You will see that a new option has been added under 'Security' called 'IP Address Banning (Fail2Ban)'. Click here to configure Fail2Ban.

plesk ip address banning


 

Step 5

You enable Fail2Ban by ticking 'Enable intrusion detection'. By default, attacking IPs are banned from your VPS for ten minutes. We recommend setting this to one hour as in the screenshot below, but you are free to adjust this as you wish.

plesk fail2ban settings


 

Step 6

Switch to the 'Jails' tab. A jail can be viewed as a piece of additional configuration within the general configuration of Fail2Ban, in which the security of a service is specified. Select all jails and click on 'Switch On'.

plesk fail2ban jails


 

Step 7

Finally, click on 'Trusted IP Addresses'> 'Add Trusted IP' to protect your IP address from which you connect to your VPS. This way you prevent that if you make a mistake in your password, you accidentally ban yourself.

plesk fail2ban trusted ips

Enter your IP address and click on ‘OK’.

Allow only specific IP adresses access to Plesk

Our VPSs with Plesk standardly use 'iptables' as a firewall and are managed from 'firewalld'. In Firewalld, you can choose to allow specific IPs only to connect to port 8443. Port 8443 is the port you connect to when you use Plesk.

 

Step 1

Connect with your VPS via the VPS console in your control panel or via SSH. To start, close port 8443 with the command below (i.e. delete port 8443 from the list of open ports):

firewall-cmd --zone=public --remove-port=8443/tcp

 

Step 2

With the commands below, you create an exception for your own IP address so that only your own IP can connect to port 8443.

sudo firewall-cmd --permanent --zone=public --add-rich-rule='
rule family="ipv4"
source address="1.2.3.4"
port protocol="tcp" port="8443" accept'

Replace 1.2.3.4 with your actual IP address. You can repeat these steps to give more IPs access.


 

Step 3

Reload firewalld to process the changes.

sudo firwall-cmd --reload

 

Additional tips:

  • To modify or verify your configuration directly, you can use the following command:
    nano /etc/firewalld/zones/public.xml
    You will see the overview below.
    firewalld configuration
    You can undo the above rules by removing the part from <rule till </rule> and adding the following line:
     
    <port protocol="tcp" port="8443"/>
  • You can also use the steps in this section to close other ports. Do this only when you are very certain, for example if an IP attacks a specific port.
Anti-vius / Malware protection with ClamAV

ClamAV is a free, open source anti-virus program for the detection of trojans, viruses and malware on your VPS.

In our ClamAV tutorial for CentOS 7 we show you how to install ClamAV, ensure that ClamAV starts automatically, and ClamAV scans your VPS daily

Plesk security policy

Plesk offers the possibility to set how strict the FTP(S) and password protection is. We recommend being strict in this and not to allow unsafe connections. You adjust this as follows:

 

Step 1

Log in to Plesk and navigate to 'Tools & Settings'> 'Security Policy'.

plesk security policy


 

Step 2

Enhanced security mode must be enabled (green checkmark) to use this functionality. We recommend using the following settings:

  • Secure FTP: Allow only secure FTPS connections.
  • Password Strength: Strong

plesk security policy settings

Securing localhost / e-mail with Let's Encrypt or your own certificate

Your localhost and mail are automatically protected with a self-signed SSL certificate that uses TLS v1.2.

SSL is based on trust. Self-signed certificates are less suitable than Let's Encrypt, or your own SSL certificate, since there is no CA authority issuing the certificate. In the SSL system trust in a self-signed certificate is therefore more limited.

As such, we recommend using Let's Encrypt or your own SSL certificate. How you do this is explained in our article ‘Installing an SSL certificate in Plesk’. In this article we also explain how you secure your website. We get back to this in part 5 of this tutorial series, in which you upload your website and database.


 

You have set up solid security for your VPS to keep out pesky bots with the above steps! Click here to continue to Part 3: Updating your VPS.

 

Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.

If you want to discuss this article with other users, please leave a message under 'Comments'.

Do you have a good idea?

Give us your idea! If it's popular we'll add it to the wishlist!

Has this article been helpful?

Create an account or log in to leave a rating.

Comments

Create an account or log in to be able to leave a comment.

Are you stuck?

Ask one of our specialists to assist you

Contact us