Full Version: Ex Ensim now Plesk Question re FTP or SSH with Plesk?
Jonathan
I am just configuring my new Plesk server before putting any clients on.

I am in a bit of a dilemma, I am trying to get the balance right for security of the server and usability for my clients.

If I only allow FTP access with Plesk there is always a risk of someone getting the password, if I also allow chrooted access using FTP passwords to SSH I can also encourage users to start using SFTP for improved security, but then this leaves SSH open to hackers (I think, not sure how secure the chrooted environment is).

If I change the ssh port to another port then in the Plesk Control Panel for the domain user the ssh java based terminal does not work. :confused:

Your comments would be appreciated on how best to set up Plesk.

I have also removed the DrWeb Antivirus, and installed ClamAV, I am trying the Plesk Firewall, but I prefer APF although I am not sure if I have to remove the Plesk Firewall or just stop the service via the Plesk admin panel.

There are some bad header errors due to faulted installation when the server was re-imaged with Plesk, if I cannot get these errors solved I might also change this to Clamd.

Comments Please....
James Jhurani
Set their shell as nologin, sftp should still function fine, but also keep your sshd version updated. Frequently check your logs for ssh crackers, I see those darn things all the time. I had been on one server, where the guy was cracking password for a week, and the admin never noticed, or took actions to prevent it.

Also, if you do change the port, so they can sftp, have them download an sftp client, that way they aren't dependent on the java junk. I googled for sftp client, and found: http://www.bitvise.com/tunnelier.html?gcli...CFR1ESgodhWx-fg

Don't let complicating things for users a bit get in the way of security, I guarantee it will be more of a headache than it's worth in the long run.
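
Added example, not part of the original thread: one way to do the log check suggested in the post above, counting failed SSH password attempts per source address and flagging sources that are noisy or keep returning over several days. The log lines are constructed samples in the usual OpenSSH syslog format, and the thresholds and the `year` parameter are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the usual OpenSSH syslog format (not from the thread).
SAMPLE_LOG = """\
Mar  3 02:11:07 host sshd[2101]: Failed password for root from 203.0.113.9 port 40112 ssh2
Mar  3 02:11:09 host sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 40113 ssh2
Mar  4 02:30:41 host sshd[2290]: Failed password for invalid user test from 203.0.113.9 port 41877 ssh2
Mar  4 09:15:02 host sshd[2333]: Failed password for jonathan from 198.51.100.4 port 50222 ssh2
Mar  4 09:15:20 host sshd[2333]: Accepted password for jonathan from 198.51.100.4 port 50222 ssh2
Mar  5 03:02:13 host sshd[2511]: Failed password for root from 203.0.113.9 port 43001 ssh2
"""

# Matches OpenSSH "Failed password" entries for both existing and invalid users.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(log_text, year=2009):
    """Per source IP: failure count, usernames tried, and distinct days seen.
    Syslog timestamps carry no year, so `year` is an assumption supplied by the caller."""
    stats = defaultdict(lambda: {"count": 0, "users": set(), "days": set()})
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        stamp = " ".join(m["ts"].split())  # collapse the padded day ("Mar  3")
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        entry = stats[m["ip"]]
        entry["count"] += 1
        entry["users"].add(m["user"])
        entry["days"].add(when.date())
    return dict(stats)

def suspects(stats, min_failures=3, min_days=2):
    """Sources that are either noisy or persistent across several days."""
    return sorted(ip for ip, s in stats.items()
                  if s["count"] >= min_failures or len(s["days"]) >= min_days)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in suspects(stats):
        s = stats[ip]
        print(f"{ip}: {s['count']} failures over {len(s['days'])} day(s), "
              f"users tried: {', '.join(sorted(s['users']))}")
```

The single mistyped password from 198.51.100.4 followed by a successful login stays below both thresholds, while the source that returns on three consecutive days is reported.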
Jonathan
Yeah, thanks for your advice, I didn't realise that with 'nologin' they could still use sftp to login with FTP user and passwords.

I recommend all my customers to download the WinSCP3, I use it myself, and I think it is a really great client!

As for changing the ssh port again, I will leave that on port 22 for the moment, but I keep monitoring my logs, there are a few attempts each day, but nothing to worry about (at the moment) my biggest problem is people trying to access via smtp they are running scripts to make it look like coming from different IP addresses. (Don't know yet how to solve this problem)

revolution
QUOTE (faze)
set their shell as nologin, sftp should still function fine, but also keep your sshd version updated.

AFAIK, this is not correct. Giving a user a shell of /sbin/nologin is the same as /bin/false except that when they do try to login by ssh it tells them they don't have access rather than just refusing.

Here's what "man nologin" has to say about it:

QUOTE
NOLOGIN(8)                BSD System Manager’s Manual               NOLOGIN(8)

NAME
    nologin - politely refuse a login

SYNOPSIS
    nologin

DESCRIPTION
    nologin displays a message that an account is not available and exits non-zero.  It is intended as a replacement shell field
    for accounts that have been disabled.

    If the file /etc/nologin.txt exists, nologin displays its contents to the user instead of the default message.

SEE ALSO
    login(1)

HISTORY
    The nologin command appeared in 4.4BSD


So, you need to give at least chrooted shell access for sftp to work. sftp is invoked as a subsystem when someone is connected through ssh. (And, of course, your version of Plesk has to put sftp in a site's chroot, which the current version does by default.)