Miscellaneous Items to Do on a New Plesk Server

In this blog entry I'll collect a few minor items where I feel that Plesk is not quite where it should be.

Before Anything Else: Fix SSH

Edit /etc/ssh/sshd_config and make the following changes (in the order of the parameters in the file):

  1. You may want to change the Port 22 to some other number to keep the script kiddies from filling your system log with their pathetic break-in attempts.
  2. Set Protocol 2 — we never want to use the old unsafe protocol version 1.
  3. Set LoginGraceTime 20s — 20 seconds should be enough for logging in, there's no need to wait any longer.
  4. Set MaxAuthTries 2 — 2 attempts should be enough for logging in, drop the connection after the second failure.
  5. Set ClientAliveInterval 60 — this keeps your connection open, even if you occasionally take a minute to do some planning or thinking, by sending a packet every 60 seconds.
  6. Set ClientAliveCountMax 3 — if three consecutive ClientAlive packets go unanswered, the connection can be dropped.
  7. Set MaxStartups 1 — one pending unauthenticated connection (login session) is enough at any one time. Allowing more connections would only help the crackers.
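The seven edits above as a script, added here as an example and not taken from the original post: set_sshd_option rewrites the first global line that sets a keyword (a commented-out default such as "#Port 22" counts) or inserts the setting before the first Match block, so the value does not silently end up inside a conditional block; get_sshd_option reads the effective value back the way sshd would. Function names are my own and the sample config in the test is constructed.

```shell
#!/bin/sh
# Idempotently set one sshd_config keyword. The first global line that sets the
# keyword (even if commented out, e.g. "#Port 22") is rewritten; otherwise the
# setting is inserted before the first "Match" block, so it stays global.
set_sshd_option() {
  file="$1"; key="$2"; value="$3"; tmp="${file}.tmp.$$"
  awk -v key="$key" -v value="$value" '
    BEGIN { done = 0 }
    {
      line = $0
      sub(/^[ \t]*#?[ \t]*/, "", line)        # drop indentation and comment marker
      split(line, f, /[ \t]+/)
      if (!done && f[1] == key) { print key " " value; done = 1; next }
      if (!done && f[1] == "Match") { print key " " value; done = 1 }
      print
    }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Apply items 2-7 from the list above; the optional second argument applies
# item 1 (a non-default port). Protocol 2 is the only protocol current OpenSSH
# speaks, so recent versions warn that the keyword is deprecated.
harden_sshd_config() {
  file="$1"; port="${2:-}"
  if [ -n "$port" ]; then set_sshd_option "$file" Port "$port"; fi
  set_sshd_option "$file" Protocol 2
  set_sshd_option "$file" LoginGraceTime 20s
  set_sshd_option "$file" MaxAuthTries 2
  set_sshd_option "$file" ClientAliveInterval 60
  set_sshd_option "$file" ClientAliveCountMax 3
  set_sshd_option "$file" MaxStartups 1
}

# Effective global value of a keyword as sshd reads it: first uncommented
# occurrence (exact-case match), ignoring anything inside Match blocks.
# Prints nothing if the keyword is not set globally.
get_sshd_option() {
  awk -v key="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $1 == "Match" { exit }
    $1 == key { print $2; exit }
  ' "$1"
}

# Syntax-check the file before restarting sshd; a typo here locks you out.
validate_sshd_config() { sshd -t -f "$1"; }
```

Run validate_sshd_config on the server before restarting sshd, and keep the existing session open until a second login on the new port works.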

To make logging in between well-known hosts easier, create a private/public key pair with

ssh-keygen -t rsa

Deploy the public key into the .ssh/authorized_keys file of the target host.

Set the Color of the Command Prompt

Add the following to /root/.bashrc

# yellow:
#export PS1="\[\e[1;33m\]\$? \A \h:\w # \[\e[0;37m\]"

# purple:
#export PS1="\[\e[1;35m\]\$? \A \h:\w # \[\e[0;37m\]"

# red:
#export PS1="\[\e[1;31m\]\$? \A \h:\w # \[\e[0;37m\]"

and uncomment one of the lines.

Hide the BIND version number

Add

     version "";

to the options clause in /var/lib/named/etc/named.conf. This avoids helping crackers scan for specific BIND versions that they might be able to exploit.

If you update Plesk, this may get overwritten.

Lenti