Securing your DV server

  • Applies to: DV
    • Difficulty: Medium
    • Time Needed: 20
    • Tools Required: SSH, root access, vi knowledge
  • Applies to: DV 4.0
    • Difficulty: Medium
    • Time Needed: 20
    • Tools Required: SSH, root access, vi knowledge

Before you start

This article has the following dependencies:

  • Please be cautious when configuring your firewall in Plesk. Improper rules could prevent you or your site visitors from being able to access your server.
  • The IP address is used as an example in this article. To find your own IP address use a service such as or or check your router's info page.


The publishing of this information does not imply support of this article. This article is provided solely as a courtesy to our customers. Please take a moment to review the Statement of Support.


CloudTech Can Help!

If you’re having trouble with the steps in this article, additional assistance is available via CloudTech, our premium services division. Our expert engineers can tweak and tune your server for optimal performance. For more information on what CloudTech can do for you, please click here.

Securing SSH

By default, the SSH standard port number is 22. If you look at your logs, you might see a large number bad login attempts on that port. Changing this port number is a simple way to make your server more secure. To change the port number, login as root and run the following command:

vi /etc/ssh/sshd_config

Find the line that says:

Port 22

Change this line to another port number above 1024. Using a port number above 1024 prevents scans like nmap picking up ssh.

Next, we want to use the more secure SSH 2 protocol. On the line underneath the port number, set the protocol to 2.

Protocol 2

Save the sshd_config file and then restart sshd:

/etc/init.d/sshd restart

Now when you login via ssh, you will need to specify the custom port. In the example below, the custom port has been set to 3456.

ssh -p 3456 user@


For additional security, you should disable direct root access to your server following this article: Disabling SSH login for root user.

Use the built-in Plesk firewall

Although you could edit the firewall from the command-line, it is much easier using Plesk's firewall instead. Just navigate to Server > Firewall (this is located under Tools & Resources)Modules > Firewall. If you have a static IP address, you can create rules so that the server will only allow access from your IP address at your home and/or office. For the example above (custom SSH port 3456), the following two rules will only allow access from the IP

Use only SFTP (Secure FTP)

Secure FTP is more secure than FTP since it uses the SSH protocol. Shell access must be enabled for each Plesk user for each account. In the setup page, select /bin/bash(chrooted) under the Shell access to server with FTP user's credentials. This user will now be able to login over SFTP. Remember to change the port in your FTP client if you changed the default port as discussed above. If you are sure you don't want users to login over standard FTP, you can also block this port via the Firewall module in Plesk as detailed in the screenshots above.

The following rules would apply:
Deny incoming from all on ports 21/tcp, 21/udp

You can further secure your FTP server if you have a static IP by allowing access only from your IP. If your static IP is, your rules would be:

Allow incoming from
Deny incoming from all others

Disable ping requests

By default, your server can be pinged by anyone, meaning it is discoverable. You can improve security by changing your firewall to only allow known IP addresses to ping your server. If your static IP is, change the rules under Ping Service in Plesk's default Firewall rules:
Allow incoming from
Deny incoming from all others

These are just a few steps that will tighten the security of your server.