Securing the /tmp Partition

It is recommended to create /tmp as a separate partition and mount it with the noexec and nosuid options.

The noexec option disables the executable file attribute within an entire file system, effectively preventing any files within that file system from being executed.

The nosuid option disables the SUID file-attribute within an entire file system. This prevents SUID attacks on, say, the /tmp file system.

To secure the /tmp partition of your Parallels Plesk Panel server:

If /tmp is a separate partition on the server, you only need to edit /etc/fstab and add the noexec and nosuid options for /tmp. Then remount the partition.

If the /tmp directory resides on the / partition:

1. Create a new partition for /tmp, for example with size 512 MB:

   # mkdir /filesystems
   # dd if=/dev/zero of=/filesystems/tmp_fs bs=1M count=512
   # mkfs.ext3 /filesystems/tmp_fs

2. Add the following line to /etc/fstab:

   /filesystems/tmp_fs /tmp ext3 noexec,nosuid,loop 1 1

3. Move the current /tmp directory content to another location.

4. Mount the new /tmp partition:

   # mount /tmp

5. Move the content from the old /tmp directory to the new one.
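As an added example (not from the Plesk documentation), the following POSIX shell script verifies that /tmp is a separate mount carrying both noexec and nosuid. It parses mount-table text in /proc/mounts format; the sample tables below are constructed, and a loop-mounted tmp_fs is assumed to appear as /dev/loop0.

```shell
#!/bin/sh
# Added example, not part of the Plesk documentation: verify from a mount
# table (in /proc/mounts format) that /tmp is a separate mount carrying
# both the noexec and nosuid options. On a live server call
#   check_tmp_opts "$(cat /proc/mounts)"

# tmp_mount_opts TABLE -> prints the option field of the last /tmp entry
# (the kernel lists later mounts last, so this is the effective one).
tmp_mount_opts() {
    printf '%s\n' "$1" | awk '$2 == "/tmp" { opts = $4 } END { print opts }'
}

# has_opt OPTS NAME -> succeeds if NAME is one of the comma-separated OPTS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_tmp_opts TABLE -> succeeds only if /tmp is its own mount with
# noexec and nosuid; reports each missing protection on stdout.
check_tmp_opts() {
    opts=$(tmp_mount_opts "$1")
    if [ -z "$opts" ]; then
        echo "/tmp is not a separate mount: it still lives on /"
        return 1
    fi
    rc=0
    for want in noexec nosuid; do
        if ! has_opt "$opts" "$want"; then
            echo "/tmp is missing $want (mounted with: $opts)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample mount tables (an assumed /dev/loop0 for the loop mount).
SECURE_TABLE='/dev/sda1 / ext3 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec,relatime 0 0'
WEAK_TABLE='/dev/sda1 / ext3 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,relatime 0 0'
NOMOUNT_TABLE='/dev/sda1 / ext3 rw,relatime 0 0'

check_tmp_opts "$SECURE_TABLE" && echo "secure table: OK"
check_tmp_opts "$WEAK_TABLE" || echo "weak table: needs fixing"
```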

SELinux Policy for Your Parallels Plesk Panel Server

To configure SELinux you need to know the rules that should be added into the system policy.

SELinux logs all denial messages to the /var/log/audit/audit.log file, and these messages can be converted into policy rules with the /usr/bin/audit2allow utility:

/usr/bin/audit2allow < /var/log/audit/audit.log

The /var/log/messages.* files can also be examined for SELinux denial messages.


Plesk Firewall Ports

Make sure these ports are open so that all Parallels Plesk Panel services work behind a firewall:

* 20 for ftp-data;
* 21 for ftp;
* 22 for ssh;
* 25 for smtp;
* 53 for dns (TCP and UDP);
* 80 for http (web server and Parallels Plesk Panel updater);
* 106 for poppassd (for localhost only);
* 110 for pop3;
* 113 for auth;
* 143 for imap;
* 443 for https;
* 465 for smtps;
* 587 for mail message submission;
* 990 for ftps;
* 993 for imaps;
* 995 for pop3s;
* 3306 for mysql;
* 5224 for plesk-license-update (outgoing connections only);
* 5432 for postgres;
* 8443 for plesk-https;
* 8880 for plesk-http;
* 9080 for tomcat.

Protect Server Files by Default

One aspect of Apache which is occasionally misunderstood is the feature of default access. That is, unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can serve it to clients.

For instance, consider the following example:

1. # cd /; ln -s / public_html
2. Access http://localhost/~root/

This would allow clients to walk through the entire filesystem. To work around this, add the following block to your server’s configuration, and then grant access explicitly only to the directories you want to serve:

<Directory />
    Order Deny,Allow
    Deny from all
</Directory>

Protecting System Settings in Apache

To run a really tight ship, you’ll want to stop users from setting up .htaccess files which can override security features you’ve configured. Here’s one way to do it.

In the server configuration:

<Directory />
    AllowOverride None
</Directory>

This prevents the use of .htaccess files in all directories apart from those specifically enabled.
