How to ban root access via the SSH Terminal extension for the Plesk administrator

This article shows how to ban root or Administrator users from accessing Plesk. Plesk 18.0.38 and later versions include the SSH Terminal extension. The Plesk administrator can use this extension to log in to the SSH interface as the root user.

By default, Plesk runs utilities or scripts as the root user in the following scenarios:

1st Scenario:

If a Plesk administrator creates a scheduled task and chooses to run it as root, the task is executed as root.

2nd Scenario:

If a Plesk administrator sets up an event handler and chooses to run its command as root, the command runs as root when the event handler is triggered.

3rd Scenario:

The Plesk administrator and/or subscription owners use the SSH Terminal extension.

The following three procedures remove root access:

Procedure 1:

Lock files are created in the $PRODUCT_ROOT_D/var/ directory. This is the most reliable system-wide way to disable root access, covering scheduled tasks, event handlers and the SSH Terminal.

1. Connect to the server via SSH as the root user.

2. Create an empty file named root.crontab.lock in the $PRODUCT_ROOT_D/var/ directory. As a result, users are unable to create scheduled tasks, or view existing scheduled tasks, that are to be run as root.

3. Create an empty file named root.event_handler.lock in the $PRODUCT_ROOT_D/var/ directory. As a result, users are unable to create event handlers that run as root.

4. Once the previous two steps have been performed, SSH Terminal will not provide root access.

NOTE: $PRODUCT_ROOT_D is /usr/local/psa on RPM-based systems and /opt/psa on Debian-based systems.

Procedure 2:

This procedure uses panel.ini to disable root access in the SSH Terminal for the Plesk administrator only. It does not prevent root access in scheduled tasks and event handlers.

1. Log in to Plesk.

2. Go to the Extensions tab.

3. Select My Extensions.

4. Click Panel.ini Editor to open it.

5. Select the Editor option.

6. Add the following text at the end of the file:

[login]

systemAdmin = false

7. Restrict root access in panel.ini:

[ext-ssh-terminal]

rootAccessAllowed = false

8. Restrict access using the panel.ini blacklist. An extension that is added to the blacklist cannot be installed on the server:

[extensions]

blacklist = ext-panel-editor

9. Press the Save button.

Procedure 3:

This procedure uses panel.ini to disable the SSH Terminal extension for both the Plesk administrator and subscription owners. It does not limit root access in scheduled tasks or event handlers.

Use the panel.ini option. You won't be able to install the 'SSH Terminal' extension on a server if you add it to the blacklist:

[extensions]

blacklist = ext-ssh-terminal, ext-panel-editor
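
To check which of the three procedures is actually in effect on a server, a read-only audit such as the following can be run. This is an added example, not part of the original article or of Plesk's own tooling; the function names and the panel.ini location (<PRODUCT_ROOT_D>/admin/conf/panel.ini) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): read-only audit of the
# restrictions from Procedures 1-3. Assumption: panel.ini is located at
# <PRODUCT_ROOT_D>/admin/conf/panel.ini; the article does not give its path.

# ini_get FILE SECTION KEY: print KEY's value in [SECTION], whitespace removed.
ini_get() {
    ini_section=""; ini_value=""
    [ -r "$1" ] || return 0
    while IFS= read -r ini_line || [ -n "$ini_line" ]; do
        ini_line=$(printf '%s' "$ini_line" | tr -d ' \t\r')
        case $ini_line in
            ''|';'*|'#'*) ;;                      # blank line or comment
            '['*']') ini_section=${ini_line#\[}; ini_section=${ini_section%\]} ;;
            "$3="*) if [ "$ini_section" = "$2" ]; then ini_value=${ini_line#*=}; fi ;;
        esac
    done < "$1"
    printf '%s\n' "$ini_value"
}

# Procedure 1, steps 2-3: lock files in $PRODUCT_ROOT_D/var/.
tasks_locked()    { [ -e "$1/var/root.crontab.lock" ]; }
handlers_locked() { [ -e "$1/var/root.event_handler.lock" ]; }

# Procedure 3: ext-ssh-terminal is listed in the [extensions] blacklist.
terminal_blacklisted() {
    case ",$(ini_get "$1/admin/conf/panel.ini" extensions blacklist)," in
        *,ext-ssh-terminal,*) return 0 ;;
    esac
    return 1
}

# Root access in SSH Terminal is removed by Procedure 1 (both lock files),
# Procedure 2 (rootAccessAllowed = false) or Procedure 3 (blacklist).
terminal_root_blocked() {
    if tasks_locked "$1" && handlers_locked "$1"; then return 0; fi
    [ "$(ini_get "$1/admin/conf/panel.ini" ext-ssh-terminal rootAccessAllowed)" = "false" ] && return 0
    terminal_blacklisted "$1"
}

# audit ROOT: print one line per control; exit status = number of gaps.
audit() {
    gaps=0
    for check in tasks_locked handlers_locked terminal_root_blocked; do
        if "$check" "$1"; then echo "OK   $check"
        else echo "GAP  $check"; gaps=$((gaps + 1)); fi
    done
    return "$gaps"
}
```

Call `audit /usr/local/psa` on RPM-based systems or `audit /opt/psa` on Debian-based systems. A non-zero exit status means root execution is still possible through at least one of the three scenarios.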

Using these procedures, you can ban root or administrator users from accessing Plesk.