Software Tools to Prevent Attacks on Servers and Sites


As hackers find more sophisticated ways of accessing your data, security is becoming a day-to-day struggle for businesses. Since 2018, security breaches have increased by 11%, and in the first half of 2019 alone, 4.1 billion personal records were exposed. Losses due to data exfiltration, stolen IP, and ransomware are also accelerating. Although nearly two-thirds of business leaders recognize the increasing security risks, only a small percentage have enough server security and website security.

Being fully protected means having multiple layers of security in place, with each layer addressing a different type of threat and all of them combining to form an impenetrable barrier. This is a difficult task for sysadmins, because just uncovering and blocking individual threats isn’t enough. It’s also important to defend against complex threats and take preventative action all the time.

To effectively manage cybersecurity, businesses outsource and use free and premium security tools. Here we’re going to look at some of the field’s top tools and explain how they can help you enforce the seven key security layers every business needs to stay secure.

Network Firewalls


A firewall is a system that prevents unauthorized access to or from a private network. It’s basically like the door to a house: an outer layer of security that determines what can and cannot enter. Of course, you also need the door to be closed, sturdy, and under your control in order to protect you. Most computers come with inbuilt firewall software, typically enough to shield against viruses, malware, and other unwanted content.

However, default firewalls are generic and limited, and so enterprises regularly use hardware firewalls as well. While the default Plesk firewall provides basic server protection, extensions like Juggernaut further secure your server against today’s threats. Juggernaut features include an SPI firewall, brute-force protection, real-time connection tracking, intrusion detection, and dynamic blocklists. Such features give you extra control and allow you to prevent inappropriate communications. They also let you take a holistic view of your network, and even scan encrypted data for threats.

A firewall is considered the first line of defense in preventing attacks on servers. However, it’s not the only measure you should take.

Antivirus Software


If a firewall is the door to your house, your antivirus software is the door to your bedroom. Whereas a firewall prevents unwanted content and threats from getting in, antivirus software protects against threats already in your system. It does this by constantly monitoring files, looking for certain signatures to identify malware, and removing viruses and potential threats.

There’s no such thing as too much protection when it comes to antivirus software. The key is finding a tool that suits your needs while being easy to use, lightweight, and regularly updated. Premium antivirus by Dr. Web is an award-winning virus scanning and filtering software that protects mailboxes from many types of malware, including viruses, worms, and trojans.

More great options are the Plesk Premium Antivirus or Kaspersky Antivirus extensions. Both extensions scan server mail traffic in real-time. But only Kaspersky allows fine-tuning and filtering of specific file types from attachments. Then there’s ImunifyAV – the leading malware-scanning tool. It ensures you keep malicious code away through antivirus, security and domain monitoring, blacklist status check, and one-click malware removal.

Endpoint Detection and Response (EDR) Software


EDR is a technology that addresses the need for continuous checking of file signatures for signs of malignancy, and for rapid responsiveness to advanced threats.

Whether it’s a Mac, PC, or a server, a good EDR system can detect suspicious activity running on any endpoint. This is especially important as even if a hacker has entered your system, for the hack to have a serious impact they must be able to siphon information out of your network. EDR software prevents this from happening by essentially placing compromised devices in quarantine, so no intel can be sent/received.

EDR is an advanced step in server security and so it typically comes at a cost. Kaspersky EDR provides full endpoint protection, from automatic threat blocking to complex incident response. It’s particularly popular for its comprehensive visibility across corporate networks and capacity to discover, prioritize, investigate, and neutralize advanced threats.

Anti-Phishing Tools


Phishing is a way of finding and gathering personal information using deceptive emails and websites. Techniques typically involve persuading people to click on malicious links by suggesting they are important and/or safe. It happens mostly through messaging platforms like email and chat apps. Built-in spam filters block most generic phishing attempts sent out to thousands of people. However, targeted phishing attempts, which may target specific individuals or organizations, can be harder to block.

Phishing is a particularly tricky form of cyberattack to protect against because it can appear so real. Neutralizing such scams, which have tricked even the savviest of CEOs, requires special anti-phishing tools. Warden Anti-spam and Virus Protection is a paid extension designed for power users and service providers. Besides providing high-performance and simple antivirus tests, it also offers support for nearly 30 SpamAssassin plugins, and is therefore one of the most robust anti-virus and anti-spam tools around.

Encryption Tools


Encryption tools are software that uses cryptography to prevent unauthorized access to sensitive information. Encryption works by encoding data from “plaintext” into “ciphertext”. This process turns unencrypted information into an encrypted form that you need a key, typically a password, to decode, making it harder for outsiders to access.

There are two main types of encryption: software and hardware encryption. Software encryption is more selective and focuses on encrypting individual files and folders. Hardware encryption involves encrypting entire devices.

Linux users will be used to connecting to servers using SSH keys. SSH (Secure Shell) keys are access credentials used in the SSH protocol, a secure and widely used standard for strong authentication, secure connection, and encrypted file transfers. Using SSH keys is more convenient and secure than traditional passwords.

From Plesk 12.0 onwards, you can use SSH Keys Manager to effectively manage SSH keys from the Plesk UI.

Specific Server Security Tools


Some of the most popular Plesk extensions are those which improve your server’s security. Here are some of the most powerful ones which help combat server threats.

Sentinel Anti-malware

Sentinel Anti-malware is a scanner that combines the open-source principles from Linux Malware Detect and ClamAV. This extension especially serves power users and service providers who want to ensure they have protection from a variety of malware.

Kernelcare

This premium extension (free trial for 30 days) protects Linux servers against critical vulnerabilities, mainly by automatically installing security updates to running kernels. This avoids rebooting servers and planning scheduled downtime for your customers. It also ensures kernels are updated within hours of patch releases for uninterrupted security.

BitNinja

The BitNinja extension prevents 99% of malicious attacks. This can consequently reduce your server alerts and customer complaints by just as much. It provides protection against nine different aspects of attacks, including malicious port scans and infections. You can even set it up and start automatically protecting your server in as little as five minutes.

Cloudbric

Cloudbric provides award-winning enterprise WAF and DDoS protection. Firstly, it has a threat detection system for real-time security against hacking attempts, website defacement, DDoS attacks, and spambots. Secondly, you can activate it with one click and try it for two weeks for free, while also benefiting from Cloudbric’s free and expert technical/security support.

DDoS Protection by Variti

DDoS Protection by Variti protects sites from DDoS, one of the most popular online attacks, as well as other types of sophisticated bot attacks. It does this by analyzing real-time traffic and passing it through a distributed network of VARITI filtering nodes. This extension is ideal for companies that depend on online traffic protection for their business.

Atomic Secured Linux

The Atomic Secured Linux extension provides the same level of protection that typically comes with an expert security team. It can prevent, detect, and respond to today’s greatest cybersecurity challenges. In particular, it features host and kernel intrusion prevention systems, brute force protection, and automated malware removal.

(D)DoS Deflate Interface

(D)DoS Deflate Interface is a lightweight shell script that helps deflect DDoS attacks automatically. The script runs in the background, blocking incoming connections from IPs whose connections exceed the configured threshold. On top of that, it’s simple to install and operate.

Penetration Testing Software


Penetration testing software is the final line of defense in your security arsenal. Professional ethical hackers simulate a cyberattack (penetration testing), allowing enterprises to find weaknesses in corporate networks long before attackers do.

Rather than just software, penetration testing is often handled by human experts. Once your systems are in place, this added level of security helps you answer two questions in particular. First – does your security system have enough layers? And second – do those layers actually work?

In penetration testing, certain tests can, however, run autonomously. For example, Burp Suite’s vulnerability scanner autonomously crawls an enterprise’s web presence in search of common security holes, including cross-site scripting, SQL injections, and volatile content. Admins can schedule Burp scans and see the resulting analysis in the form of detailed visual maps, allowing for the ultimate control and protection of your business’s data.

How tight is your server security against attack? Do you use these tools or different ones? Let us know in the comments below!

Let’s Encrypt on Plesk: Your key to a free SSL certificate

The web is an endless battleground. The good guys are always trying to keep the bad guys from hacking, ransoming, and conning their way into our online lives. Our best weapon? Encryption. The web works on trust, and thanks to encryption, HTTPS provides exactly that. But if a website is going to use it, it first needs to get a free SSL certificate from a Certificate Authority (CA), such as Let’s Encrypt.

Let’s Encrypt – What is it?

Let’s Encrypt will only issue the certificate if you can exhibit control over your domain. You can do that by using a software client that uses the ACME (Automatic Certificate Management Environment) protocol. Having the free SSL certificate means your communications get end-to-end encryption.

So, when files pass between your web server and its users, they become unreadable to anyone who intercepts them. And moreover, nobody can tamper with them.

The Electronic Frontier Foundation developed Certbot, which has now become the best known and most widely used ACME client on the block. Certbot verifies the domain’s ownership, fetches certificates, and takes care of TLS/SSL configuration on web servers using Nginx and Apache.

What does a Certificate Authority do?

Certificate Authorities (CAs) vouch for the authenticity of a TLS/SSL certificate when they validate them using cryptography. Operating systems and browsers use a directory of trusted CAs to make sure that site certificates are bona fide.

This kind of authentication was something we had to pay for in the past. But now, Let’s Encrypt has broken tradition to offer automated creation of each free SSL certificate for the end user. The whole thing runs with funding from sponsors and donors.

How Let’s Encrypt does its thing

The ACME protocol that Let’s Encrypt uses defines how clients interact with its servers when asking for certificates and confirming domain ownership. At some point soon, it’ll be recognized as an official IETF standard.

Let’s Encrypt for HTTPS

Let’s Encrypt provides domain-validated free SSL certificates. This means that after a request for a free https certificate, Let’s Encrypt makes sure that it’s from someone who is truly in charge of that domain. It sends the client a one-of-a-kind token that it uses to create a key. The domain owner then needs to provide this via Web or DNS.

Let’s Encrypt for HTTP

In the case of HTTP, the process is a bit different. The client manufactures the key using the unique token and also an account token. Then the result goes in a file that the web server makes available. And the Let’s Encrypt servers get the file from this address. If the key matches, the client has established domain control, and they get a free SSL certificate.

The ACME protocol can outline a number of tests that a client can use to verify ownership of a domain. For HTTPS that approach resembles that for HTTP, but the client creates a certificate that is self-signed that includes the key. The DNS challenge searches a DNS TXT record for the key.
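The HTTP and DNS checks described above, written out as an added Python example (not code from the original article, Let’s Encrypt or Certbot). It follows RFC 8555 and RFC 7638, where what the page calls the account token is the thumbprint of the account public key; the key, the token and all function names are constructed for illustration.

```python
import base64
import hashlib
import json
import re

# RFC 8555 tokens use only the base64url alphabet (22 characters carry 128 bits).
# Rejecting anything else keeps "../" and similar out of the challenge file path.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")

# RFC 7638: only these members, in lexicographic order, feed the thumbprint.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint of the account public key (RFC 7638)."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """The string the client must publish: token + '.' + account thumbprint."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not base64url; refusing to build a path from it")
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def http01_file(token: str, account_jwk: dict) -> tuple:
    """(URL path, file body) the web server has to serve for the HTTP challenge."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)

def dns01_txt(token: str, account_jwk: dict) -> str:
    """Value of the _acme-challenge TXT record for the DNS challenge."""
    key_auth = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(key_auth).digest())

def server_accepts(fetched_body: str, token: str, account_jwk: dict) -> bool:
    """CA-side check: the fetched body (trailing whitespace ignored) must match."""
    return fetched_body.rstrip() == key_authorization(token, account_jwk)

# Constructed sample values (not a real key and not a token issued by any CA).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "kid": "demo",
               "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
OTHER_JWK = dict(ACCOUNT_JWK, x=b64url(b"\x03" * 32))
TOKEN = b64url(hashlib.sha256(b"constructed-token").digest())

if __name__ == "__main__":
    path, body = http01_file(TOKEN, ACCOUNT_JWK)
    print(path, body, dns01_txt(TOKEN, ACCOUNT_JWK), sep="\n")
```

Because the thumbprint of the account key is part of the published value, a file or TXT record copied from one ACME account does not validate for another.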

Let’s Encrypt Certbot Client

Certbot is by far the most widely used Let’s Encrypt client. It is bundled with most major Linux distributions and can automatically configure both Apache and Nginx. After it finishes installing, you can get a free SSL certificate and update your Apache configuration as below.

sudo certbot --apache -d www.example.com

Certbot will ask some questions, run a challenge, download certificates, update your Apache configuration, and reload the server.

After this, when you browse to https://www.example.com you will see a green lock which confirms both a valid certificate and an encrypted connection.

Each Let’s Encrypt free SSL certificate lasts for only 90 days, so you need to make sure that you set it to renew automatically.

This command will take care of renewing all a machine’s certificates: sudo certbot renew

If you put this command into a crontab so it runs every day, your certificates will always be renewed 30 days before expiration is due. Certbot will also reload the server after a successful renewal, so long as the initial creation of the certificate included the --apache or --nginx option.

More Let’s Encrypt-ACME Clients you should know of

The ACME protocol is open in nature and its documentation is very comprehensive, which has encouraged many other clients to develop.

You can find an up-to-date list of ACME clients here.

Certbot is one of the few clients to offer automatic web server configuration,  but the others do provide features that may be of interest.

  1. If you want to avoid Python and other Certbot dependencies (perhaps because you want to create certificates in a constrained environment), you can pick a client written in a language like Go or Node.js.
  2. Some clients are able to run without root privileges, which is good, because we consider running the smallest amount of privileged code good practice.
  3. Lots of clients are able to produce the DNS-based challenge automatically. They do this using the API of your DNS provider to create the relevant TXT record. This challenge also allows for harder to handle cases like encryption of web servers that are only accessible privately.
  4. You will find some clients integrated into web servers, reverse proxies, or load balancers. This makes configuration and deployment a breeze.

Lots of other clients can be used, and lots of other servers and services automate TLS/SSL setup thanks to Let’s Encrypt support.

How to make and update Let’s Encrypt free SSL certificates with Plesk

Plesk has a plugin that lets you handle Let’s Encrypt free SSL certificates.

To work with a Let’s Encrypt SSL certificate the domain name must work in a web browser, regardless of whether or not it has any content. The process only works for a valid domain.

Here is how to get a Let’s Encrypt free SSL certificate for your domain:

  1. Log in to Plesk.
  2. On the (left) sidebar, click Websites & Domains
  3. Click on the Let’s Encrypt symbol to pull up the Let’s Encrypt SSL Certificate page.
  4. Type a valid e-mail address in the box.
  5. Select the “Include www.(example.com) as an alternate domain name” check box so that the SSL certificate protects your domain with and without the www prefix.

5.1. Failure to check the box will mean that the certificate only relates to example.com. If you select the checkbox, it will be valid for www as well.

5.2. Click Install. When installation finishes successfully you will get a confirmation message.

5.3. If it doesn’t work, check that the domain name is valid. Also, check that the domain is:

  • spelled right
  • registered
  • set up with proper DNS records
  • accessible on the web

When you create or add a domain to the server, be sure to add the relevant DNS records (with an A record pointing to the server IP address as a minimum), and allow adequate time for the DNS changes to be disseminated.

  6. In the left sidebar, click Websites & Domains.
  7. Click Hosting Settings.
  8. Under Security, select the SSL support check box, and the Let’s Encrypt SSL certificate in the Certificate list box.

Plesk renews Let’s Encrypt certificates automatically

So you don’t need to do anything. Let’s Encrypt free SSL certificates are valid for 90 days by default. But Plesk renews certificates every month automatically, which is what the Let’s Encrypt developers recommend.

Doing this sooner enhances your site’s security, and it’s clear to you and the visitors to your site. Also, this gives you extra time to find a solution if a renewal doesn’t go through for whatever reason.

Manually renewing an SSL certificate in Plesk

You can also renew a certificate manually:

  1. Log in to Plesk.
  2. In the left sidebar, click Websites & Domains
  3. Click the Let’s Encrypt icon and select “Renew”.