Sometimes it begins with an email.
In 2014, an email sent to a promising, up-and-coming SaaS provider said:
“We have full control of your account. For a large fee, we will return all privileges and leave. Failure to pay these demands will result in the deletion of all of your information. Any attempt to remove our access will result in total deletion of your data.”
Code Spaces’ Amazon EC2 control panel had been hacked and the attackers had access to everything. The company found the unauthorized accounts and deleted them. However, the hackers had created backup access and began to systematically dismantle Code Spaces’ business. In less than 12 hours, every backup, snapshot, repository and volume had been erased from existence, and shortly thereafter, Code Spaces dissolved.
By their very nature, control panels have unfettered access to your entire system. And although some control panels, such as Plesk, are highly secure, that doesn’t mean you should take a back seat on your own security.
To help prevent the above scenario from happening to you, I put together a quick checklist. Although I describe how to get each of these steps done in Plesk, you can just as easily apply this checklist to your own environment. That being said, Plesk makes it much easier.
Restrict Admin Access
Studies have shown that when admin access is restricted based on role and usage, the risk of malware is greatly reduced. The first part of the process involves figuring out which users actually need admin rights and which do not. Your blog writers should probably have zero access to the system. Your devs should probably have access to databases and possibly the ability to install programming environments. By compartmentalizing administration activities and restricting roles, you make sure that if a user is compromised, the damage that can be caused is minimized.
Restricting admin access greatly reduces risk when a user account has been compromised. It also reduces the opportunity for malware to be installed on your server. Though it may add some inconvenience, the security gains alone justify the few added hoops your employees will have to endure.
Restrict Remote Access
Remote access is a good thing. Being able to administer your system from around the world comes in handy and can sometimes be necessary for your business’s survival. However, remote access needs to be restricted so that only you and those authorized by you can access the system. The easiest route is to restrict IPs. By adding only your and your colleagues’ IPs, you make it so only they can access the admin. However, if you are trying to connect from somewhere other than where those IPs are (office, home, etc.), you will be unable to access your system. In those cases, you should set up a VPN and whitelist the IPs of your VPN. When you need to access admin, you just need to connect your device to your VPN and then connect.
By restricting remote access you can help reduce the attack surface, while also helping to prevent brute force logins.
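To check that an IP restriction is actually holding, you can audit admin logins against the allowlist. The following is an added example, not Plesk's own code or log format: the `timestamp user source_ip result` record layout, the allowlist entries and the sample log are all constructed, using documentation-reserved address ranges.

```python
import ipaddress

# Assumed allowlist: office and home addresses plus the VPN's egress ranges.
# All values are constructed and use documentation-reserved ranges.
ALLOWLIST = ["203.0.113.10", "198.51.100.24", "192.0.2.0/28", "2001:db8:10::/64"]

# Constructed admin-login records: "timestamp user source_ip result".
SAMPLE_LOG = """\
2019-01-07T08:02:11Z admin 203.0.113.10 success
2019-01-07T09:15:40Z admin 192.0.2.5 success
2019-01-07T23:41:03Z admin 203.0.113.77 failure
2019-01-07T23:41:09Z admin 203.0.113.77 success
2019-01-08T02:10:55Z dev1 2001:db8:10::42 success
2019-01-08T02:30:00Z dev1 not-an-ip success
"""

def parse_allowlist(entries):
    """Turn single IPs and CIDR ranges into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_allowed(source, networks):
    """True only if source parses as an IP inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False  # unparseable source: treat as not allowed
    return any(addr.version == n.version and addr in n for n in networks)

def audit(log_text, allowlist):
    """Return every login attempt that came from outside the allowlist."""
    networks = parse_allowlist(allowlist)
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip records that do not match the assumed layout
        ts, user, source, result = parts
        if not is_allowed(source, networks):
            findings.append((ts, user, source, result))
    return findings

if __name__ == "__main__":
    for ts, user, source, result in audit(SAMPLE_LOG, ALLOWLIST):
        # A successful login from outside the allowlist means the restriction failed.
        flag = "INVESTIGATE" if result == "success" else "failed attempt"
        print(f"{ts} {user} from {source}: {result} ({flag})")
```

A successful login from an address outside the allowlist is the case to chase first, since it means the restriction is missing or was bypassed.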
Set Minimum Password Strength
For years, security experts have been saying, “Enough with passwords, we need something stronger.” And although I agree with this, we still live in an era of typed-out passwords. Therefore, it would behoove you to make sure everyone who has a password creates something far stronger than 123456. Seriously, we’ve been over this before. And honestly, while you are looking at passwords, add two-factor authentication.
- Minimum password strength
- Add Two Factor Authentication
The stronger the password, the harder it is to crack. Setting a minimum password strength ensures your employees create difficult passwords. By adding two-factor, you give your password a fighting chance.
Turn on Enhanced Security Mode
In Plesk, this is a default setting. Still, you should check to make sure it’s checked. Enhanced security protects information stored in the Plesk database. So any sensitive or personal information you place within Plesk will be protected. This is not to be confused with information you place in an application like WordPress.
This is a super-easy way to ensure Plesk passwords are encrypted and that sensitive data cannot be accessed using the API.
Using Secure FTP
FTP is still the fastest and most convenient way of uploading files.
Again, another easy way to increase the security of your server. Do it and enjoy.
Getting SSL Certificates
SSL ensures a secure connection between your audience and your site. It doesn’t mean your website is on lockdown. It doesn’t mean you have bulletproofed your server. It just means the connection is secured. That being said, you should use SSL to secure your connection. SSL also has helpful benefits in other areas, especially when it comes to your marketing efforts with search engines.
Having the S designation on your link (https as opposed to http) is almost standard. Also, there is no sense in locking down your site if the transmissions can be intercepted.
The Plesk firewall is enabled on all fresh installs. That being said, you should still give it a once over to make sure it’s blocking the traffic you want blocked and allowing the traffic you want to allow.
Plesk uses a default firewall with standard settings. It doesn’t hurt to get familiar with the firewall and the settings, and you may see something that needs to be changed. Plesk’s software firewall is good for most applications, but it is rarely the best. For sites that require lots of security, I would strongly suggest having a hardware firewall and some form of software firewall, such as Plesk’s firewall.
Updated: January 2019