NIS2 Directive Compliance

The NIS2 Directive is EU-wide legislation on cybersecurity. NIS2 encourages the EU member states to introduce cybersecurity best practices and to counter the growing number of cyberattacks. NIS2 is an update to the previous Network and Information Security (NIS) Directive.

If you want to provide DNS hosting on the basis of Plesk and your prospective customers are essential or important entities (for example, companies in the energy, transport, or health sectors), you need to make your Plesk NIS2 compliant.

To make your Plesk NIS2 compliant:

  1. Turn on the NIS2 compatibility mode by adding the following lines to the panel.ini file:

    [actionLog]
    nis2compliant = true
    

    The mode makes it impossible to disable the logging of DNS- and authentication-related changes (for example, failed and successful logins) and prevents the complete removal of Action Log events.

  2. In the NIS2 compatibility mode, Plesk logs API requests that change its settings. However, Plesk can also log API requests that do not change data (for example, GET requests). To enable that, add the following lines to the panel.ini file:

    [actionLog]
    api.includeImmutable = true
    
  3. Make sure that your Plesk server has the correct time and date settings and they are synced with a single reference time source. We recommend that you use the NTP Timesync extension to control and manage time-related settings.

  4. Check that necessary accounts are protected by multi-factor authentication (MFA). We recommend that you use the Google Authenticator extension.

  5. Disable all connections via Plesk API by adding the following lines to the panel.ini file:

    [api]
    enabled = false
    

    This prevents Plesk from being managed without MFA (for example, the Plesk Mobile app can bypass MFA).

    If you need to provide access to Plesk API, we recommend that you do so only from specific IP addresses, for example:

    [api]
    allowedIPs = 192.0.2.1,192.0.2.100
    

    For more information, see Restricting Remote Access via Plesk API.

  6. Make sure that Plesk uses strong passwords. For details, see Setting Up the Password Strength Policy.

  7. Make sure that Fail2Ban is enabled and the ssh and plesk-panel preconfigured jails are active. This way Fail2Ban is configured to monitor system logs for brute-force attacks.

  8. Give your customers the ability to sign the DNS zone with DNSSEC. To do so, use the DNSSEC extension (it is free in Web Pro and Web Host editions).

  9. Make sure that the Log Browser extension version 1.7.0 or later is installed. The extension gives the Plesk administrator, resellers, and customers the ability to monitor DNS- and authentication-related events.

  10. To protect Plesk logs against unauthorized modification, send a copy of the logs to an external log server that is independent of Plesk.

    Note

    Plesk backs up Action Log records but does not overwrite them when a backup is restored. Action Log records are stored in separate files with the backup_action-log prefix (for example, backup_action-log_2403281045.tzst (.zip)). The Plesk administrator’s files contain all records, while the files of customers and resellers contain only the records pertinent to them. Learn how to extract Action Log files from a Plesk backup.
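The following shell audit checks a panel.ini for the settings from steps 1 and 5 (NIS2 compatibility mode on, API disabled or at least restricted to allowedIPs). It is an added example, not part of Plesk or this guide; the sample file contents are constructed, and the location of the real panel.ini on your server is an assumption you must supply.

```shell
# Added audit helper, not Plesk's own tooling: reads a panel.ini and reports whether
# the settings from steps 1 and 5 are present. The sample contents written below are
# constructed; the path of the real panel.ini is an assumption for your installation.

# ini_get FILE SECTION KEY -> prints the value of KEY in [SECTION], or nothing if unset.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[[:space:]]*[;#]/ { next }                          # skip comment lines
        /^[[:space:]]*\[/   { split($0, p, /[][]/); sec = p[2]; next }   # [section]
        sec == want_sec && index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            if (key == want_key) {
                val = $0; sub(/^[^=]*=/, "", val)
                sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# nis2_audit FILE -> prints one line per check; returns 0 only when every check passes.
nis2_audit() {
    rc=0
    v=$(ini_get "$1" actionLog nis2compliant)
    if [ "$v" = "true" ]; then echo "PASS [actionLog] nis2compliant = true"
    else echo "FAIL [actionLog] nis2compliant is not true (Action Log can be disabled)"; rc=1; fi
    v=$(ini_get "$1" api enabled)
    if [ "$v" = "false" ]; then echo "PASS [api] enabled = false"
    else
        ips=$(ini_get "$1" api allowedIPs)
        if [ -n "$ips" ]; then echo "WARN [api] enabled, restricted to: $ips"
        else echo "FAIL [api] enabled with no allowedIPs restriction (MFA can be bypassed)"; rc=1; fi
    fi
    return $rc
}

# write_sample_ini weak|hardened FILE -> constructed panel.ini fragments for the demo.
write_sample_ini() {
    if [ "$1" = "hardened" ]; then
        printf '%s\n' '[actionLog]' 'nis2compliant = true' 'api.includeImmutable = true' '[api]' 'enabled = false' > "$2"
    else
        printf '%s\n' '[actionLog]' 'nis2compliant = false' '[api]' 'enabled = true' > "$2"
    fi
}

demo=$(mktemp -d)
for mode in weak hardened; do
    write_sample_ini "$mode" "$demo/$mode.ini"; echo "== $mode panel.ini"
    nis2_audit "$demo/$mode.ini" || true
done
rm -rf "$demo"
```

On a live server, point nis2_audit at the real panel.ini instead of the constructed samples; a non-zero exit status marks a configuration that does not meet steps 1 and 5.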