You can work through this checklist in phases. The goal is to systematically eliminate vulnerabilities and harden every layer of your server.

Phase 1: Foundational Scanning & Vulnerability Assessment

Before making changes, you need to know your current security posture.

1.1. Vulnerability Scan with Ubuntu OVAL (OpenSCAP): 

This is a critical first step. Ubuntu provides official OVAL (Open Vulnerability and Assessment Language) data that you can use to scan your system for known vulnerabilities and missing security patches.

Action: Install and use OpenSCAP to generate an HTML report of all known vulnerabilities affecting your installed packages.

# Install OpenSCAP
sudo apt install libopenscap8 -y

# Download the OVAL data for your Ubuntu release (22.04 – Jammy)
wget https://security-metadata.canonical.com/oval/com.ubuntu.$(lsb_release -cs).usn.oval.xml.bz2
bunzip2 com.ubuntu.$(lsb_release -cs).usn.oval.xml.bz2

# Run the scan and generate an HTML report
oscap oval eval --report vulnerability-report.html com.ubuntu.$(lsb_release -cs).usn.oval.xml

Open vulnerability-report.html in a browser to see the results. This will show you which CVEs (Common Vulnerabilities and Exposures) your system is currently susceptible to.

1.2. Plesk Security Advisories & Malware Scan: 
Plesk has its own security dashboard. Use it to check for Plesk-specific updates and scan your websites for malware.

Action:

Log in to your Plesk panel. Go to “Security” or “Tools & Settings” > “Security Advisories” to check for critical updates.

Install a security extension. Go to “Extensions” and search for “ImunifyAV” (or the free “VirusTotal Website Check”). ImunifyAV is a powerful tool for scanning your web content for malware and is highly recommended for Plesk servers.

Phase 2: System-Level Hardening

This focuses on the Ubuntu operating system itself, independent of Plesk.

  • 2.1. Apply CIS Benchmarks with Ubuntu Security Guide (USG): For a “rock solid” configuration, you should aim to meet industry standards like the Center for Internet Security (CIS) benchmarks. If you have an Ubuntu Pro subscription (which is free for personal use on up to 5 machines), you can use the Ubuntu Security Guide (USG) to automate this hardening.
    • Action: If you have Ubuntu Pro attached, install and run USG to audit or remediate your system against a CIS Level 1 Server profile.

      # Install USG (requires Ubuntu Pro)
      sudo apt install usg
      # Audit the system against the CIS Level 1 benchmark
      sudo usg audit cis_level1_server
      # To apply the fixes (use with caution, review first!)
      # sudo usg fix cis_level1_server

      This tool will automatically configure hundreds of security settings, such as filesystem permissions, kernel parameters, and user account policies.
  • 2.2. Secure Shared Memory: This is a simple but effective hardening step to prevent certain types of attacks.
    • Action: Edit the /etc/fstab file and add a line to mount /dev/shm with noexec,nosuid options, preventing the execution of malicious code from shared memory.
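One way to confirm that step 2.2 took effect, as an added example that is not part of the original checklist. The fstab entry in the comment is the usual form of such a line, and the function and sample names are hypothetical.

```sh
#!/bin/sh
# Added example. An /etc/fstab entry that implements step 2.2:
#   tmpfs  /dev/shm  tmpfs  defaults,noexec,nosuid  0  0
# Apply it without a reboot:  sudo mount -o remount /dev/shm
# Check the live system:      missing_shm_opts   (reads /proc/self/mounts)

# missing_shm_opts [MOUNTS_FILE|-]
# Prints the required options the effective /dev/shm mount lacks.
# Empty output means compliant. Returns 2 if /dev/shm is not a mount.
missing_shm_opts() {
    mounts_file=${1:-/proc/self/mounts}
    # Field 2 is the mount point, field 4 the option list. The last
    # matching line is the mount currently visible at that path.
    opts=$(awk '$2 == "/dev/shm" { o = $4 } END { print o }' "$mounts_file")
    [ -n "$opts" ] || return 2
    missing=""
    for want in noexec nosuid; do
        # Compare whole comma-separated tokens, so "suid" or "exec"
        # never passes for "nosuid" or "noexec".
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
}

# Constructed sample in /proc/mounts format: /dev/shm without noexec.
sample_mounts() {
    cat <<'EOF'
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,mode=755 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,inode64 0 0
EOF
}

# Demo on the constructed sample; prints the missing option.
sample_mounts | missing_shm_opts -
```
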

Phase 3: Plesk-Specific Security Configuration

Plesk has a robust suite of built-in security tools that you must configure correctly.

  • 3.1. Web Application Firewall (ModSecurity): You’ve already touched on this. Ensure ModSecurity is enabled with an up-to-date rule set (like the OWASP Core Rule Set or Comodo rules).
    • Action: In Plesk, go to “Tools & Settings” > “Web Application Firewall (ModSecurity)”. Ensure it’s enabled for your domains with a comprehensive rule set.
  • 3.2. Fail2Ban Jails: You’ve set up Fail2Ban, which is excellent. In a Plesk environment, it’s crucial to ensure all relevant “jails” are active and configured correctly to protect not just SSH, but also FTP, mail services (Dovecot, Postfix), and your web applications.
    • Action: In Plesk, go to “Tools & Settings” > “IP Address Banning (Fail2Ban)”. Review the list of enabled jails (e.g., plesk-apache, plesk-dovecot, plesk-postfix, plesk-wordpress). Adjust their settings as needed.
  • 3.3. Plesk Firewall: The Plesk firewall is a front-end for iptables/nftables. While you have UFW, managing rules within Plesk can be more integrated.
    • Action: In Plesk, go to “Tools & Settings” > “Firewall”. Ensure it’s active and that you have rules only for necessary services (SSH on your custom port, HTTP, HTTPS, mail ports, etc.).
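The jail review in step 3.2 can also be checked from the command line. The following is an added example, not part of the original checklist: it compares the "Jail list:" line of `fail2ban-client status` output with the four jails named above. The function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: report required Fail2Ban jails that are not active.
# REQUIRED_JAILS holds the jail names listed in step 3.2; extend it to
# match the services you actually run.
REQUIRED_JAILS="plesk-apache plesk-dovecot plesk-postfix plesk-wordpress"

# missing_jails: reads `fail2ban-client status` output on stdin and
# prints each required jail absent from the jail list, one per line.
# Live use:  sudo fail2ban-client status | missing_jails
missing_jails() {
    # Keep only the text after "Jail list:" and drop blanks, leaving a
    # comma-separated list such as "plesk-apache,plesk-dovecot,ssh".
    active=$(sed -n 's/.*Jail list:[[:space:]]*//p' | tr -d ' \t')
    for jail in $REQUIRED_JAILS; do
        # Whole-token match: an active "plesk-apache-badbot" must not
        # count as "plesk-apache".
        case ",$active," in
            *",$jail,"*) ;;
            *) echo "$jail" ;;
        esac
    done
}

# Constructed sample of `fail2ban-client status` output.
sample_status() {
    printf 'Status\n'
    printf '|- Number of jail:\t3\n'
    printf '`- Jail list:\tplesk-apache, plesk-dovecot, ssh\n'
}

# Demo on the constructed sample; prints the two jails that are missing.
sample_status | missing_jails
```
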

Phase 4: Network & Web Application Protection

4.1. Cloudflare ServerShield: Since your server is public-facing, adding a CDN and Web Application Firewall (WAF) at the network edge is a game-changer. Plesk integrates directly with Cloudflare ServerShield.

  • Action: In Plesk, open a domain and select “ServerShield by Cloudflare”. Follow the wizard to enable it. This will proxy your traffic through Cloudflare, hiding your origin server IP and mitigating DDoS and other common web attacks.
  • Action: In Plesk, use the “Let’s Encrypt” extension to install free SSL certificates for all your domains. Go to “Tools & Settings” > “SSL/TLS Certificates” to review and enforce the use of modern TLS protocols only (disable SSLv3, TLSv1.0, TLSv1.1).
  • Action: On your Mac, install and run Sn1per against your server’s domain (otsglobal.org) to identify open ports, misconfigurations, and web application vulnerabilities. This provides an invaluable external audit.

      # Install Sn1per on your Mac/Kali machine, then run:
      sniper -t otsglobal.org -m aggressive -re

Summary: Your “Rock Solid” Action Plan

  1. Scan First: Use OpenSCAP to generate a vulnerability report. Install ImunifyAV from the Plesk extensions catalog.
  2. Harden the OS: If possible, use Ubuntu Security Guide (USG) to apply CIS benchmarks. If not, manually implement kernel and filesystem hardening from guides like  and .
  3. Harden Plesk: Configure ModSecurity with a robust rule set. Review and tune your Fail2Ban jails. Activate the Plesk firewall.
  4. Protect the Perimeter: Enable Cloudflare ServerShield for all domains. Ensure all sites use Let’s Encrypt with modern TLS.
  5. Audit Externally: Use a tool like Sn1per from an external machine to test your defenses from an outsider’s perspective.

By working through these steps, you will transform your server from a standard setup into a hardened, well-defended system.