[PLUG] PLESK - was Joe Jobbed

Ronald Chmara ron at Opus1.COM
Sat Oct 6 22:25:50 UTC 2007


On Oct 5, 2007, at 9:58 PM, m0gely wrote:
> Ronald Chmara wrote:
>> Plesk is incompatible with secure servers, because it just about
>> *requires* one to run vulnerable software, in order for Plesk to keep
>> working right, and does not self-patch to more secure versions in a
>> timely manner.
> What is a secure server?

Well, an impossible goal, but one that can always be chased after...

> By your other post, it seems more that the level of security on a
> server is by the effort of the admin to keep it up to date in the
> context of security.

I highlighted binary updates, but yes, there is so much more. There's
iptables, log monitoring, change management (tripwire), password
rotations, weak password checking, service monitoring, disabling
unneeded binaries/services/accounts... it's a long list.

> Why does running Plesk not allow this?

These are *some* of the packages that have to be constantly monitored
and upgraded when using Plesk:
http://download1.swsoft.com/Plesk/Plesk8.2/Doc/plesk-8.2-unix-installation-guide/18518.htm

(They don't mention managing MySQL in that program list, for  
example... which *must* be running on a Plesk machine.)

Plesk simply loads too many fragile, explosive packages, and simply
cannot afford (business-wise) to keep rebuilding and updating all of
them, without having to do a nightly download/rebuild on *all* of the
machines it's installed on. So, when a zero-day on PostNuke comes
out, Plesk users have to get packages built and installed
immediately... which ain't gonna happen.

As a different, *much* simpler, example of what I think is
fundamentally wrong with Plesk, an admin-level db password is stored
on the hard drive.

....In plaintext.

This kind of architectural/security "no-no" is so jaw-dropping,
eye-popping, just plain *bad* enough that it can make experienced
admins weep.

(Of course, it's also helped me un-bonk some Plesk problems for
clients, so FYI, the Plesk MySQL master user is "admin", the pass is
'hidden' in /etc/psa/.psa.shadow )

> Security
> requires multi-facet, multi-level prevention, and sometimes running
> something that has a bad track record is mitigated by other counter
> measures.

I agree, and yet, the weakest link in the chain is where something
usually breaks... I usually hear this solution referred to as
"belt-and-suspenders" security, where *two* systems have to blow up at
the same time, for example, both a hardware firewall and iptables, or
Plesk and tripwire.

> SWsoft does provide means for keeping Plesk up to date.

Yes, but to keep all of Plesk's internal *packages* up to date is the  
challenge, especially with so many known "bad actors" in there.

> The level of effectiveness could be argued, but it's something.
> You're not wrong, I just think there's more to it.

You are right, I was trying to simplify a great deal, and may have  
over-simplified a tad.

-Ronabop
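As an added example, not part of Ronald's post or of Plesk's own tooling: a POSIX shell check for the failure mode he describes, an admin-level credential sitting on disk in plaintext. It cannot make the secret go away, but it at least verifies that such a file is owned by the expected account and carries no group or world permission bits, which is the minimum an admin should confirm after every Plesk upgrade. The path /etc/psa/.psa.shadow is the one the post names; the function names, the expected-owner parameter and the temporary file used for the demonstration are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post, not Plesk code): audit a
# plaintext credential file such as /etc/psa/.psa.shadow for exposure.
# Verdict: 0 = owner-only and correctly owned, 1 = present but exposed,
# 2 = absent. A one-line report is printed in every case.

# Print "<octal mode> <owner>" for a path. GNU/busybox stat (-c) is
# tried first, BSD/macOS stat (-f) as a fallback.
file_mode_owner() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%OLp %Su' "$1" 2>/dev/null
}

# check_secret_file PATH [EXPECTED_OWNER]   (EXPECTED_OWNER defaults to root)
check_secret_file() {
    path=$1
    expected_owner=${2:-root}

    if [ ! -e "$path" ]; then
        printf '%s: not present\n' "$path"
        return 2
    fi

    set -- $(file_mode_owner "$path")   # positional params are function-local
    mode=$1
    owner=$2
    if [ -z "$mode" ] || [ -z "$owner" ]; then
        printf '%s: could not read mode/owner\n' "$path"
        return 1
    fi

    problems=''
    # The last two octal digits are the group and other bits; anything
    # but "00" means someone besides the owner can read or write it.
    group_other=${mode#${mode%??}}
    if [ "$group_other" != "00" ]; then
        problems="$problems group/other-accessible(mode=$mode)"
    fi
    if [ "$owner" != "$expected_owner" ]; then
        problems="$problems owner=$owner(expected=$expected_owner)"
    fi

    if [ -z "$problems" ]; then
        printf '%s: ok (mode %s, owner %s)\n' "$path" "$mode" "$owner"
        return 0
    fi
    printf '%s: EXPOSED:%s\n' "$path" "$problems"
    return 1
}

# Stand-alone demonstration on a constructed temporary file: first with a
# typical careless mode (644), then tightened to 600. The current user
# stands in for root so the demo works without privileges.
demo() {
    tmp=$(mktemp) || return 1
    printf 'admin:not-a-real-password\n' > "$tmp"   # constructed content
    chmod 644 "$tmp"
    check_secret_file "$tmp" "$(id -un)"            # reported as EXPOSED
    chmod 600 "$tmp"
    check_secret_file "$tmp" "$(id -un)"            # reported ok
    rm -f "$tmp"
}
demo || :

# The real target from the post; absent on any non-Plesk host.
check_secret_file /etc/psa/.psa.shadow || :
```

On a Plesk host, run `check_secret_file /etc/psa/.psa.shadow` as root; anything other than an "ok" line with mode 600 (or tighter) and owner root means the MySQL admin password is readable by more than the superuser, and the fix is `chown root` plus `chmod 600` followed by a password rotation, since the old value must be assumed read. The check only covers filesystem exposure; it does nothing about the fact that the secret is stored in the clear to begin with.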


