How-to Protect server and separate accounts?
Re: How-to Protect server and separate accounts?
skurudo wrote: But user admin can use sudo and I see a security issue there, if we place all your sites under this account and enable ssh for this user (disabled by default)
I just checked; it seems that 'admin' is not in the sudo group by default. But I'm sure there are other risks associated with 'admin'.
Re: How-to Protect server and separate accounts?
Interesting Conversation here, will be watching this thread.
Will be happy to have Imperio and other Seniors look at this thread.
I already opened a bug/feature request to be able to change the "Admin" username after install. Security through obscurity is the best option... it will minimize brute-force and "guess" attacks, as the attacker will have to "guess" the username along with the password.
Also you might want to change the default VestaCP port:
But be cautious to have an ACCEPT rule in your firewall for the port you want, like 8083.
To replace the standard 8083:
sed -i 's/8083;/8088;/' /usr/local/vesta/nginx/conf/nginx.conf
service vesta restart
Re: How-to Protect server and separate accounts?
mehargags wrote: Will be happy to have Imperio and other Seniors look at this thread.
I would be curious to hear their opinion as well.
mehargags wrote: I already opened a bug/feature request to be able to change "Admin" username after install.
Actually I would see a 'disable/enable' option for admin as the better option. This way it does not get used at all for web projects.
mehargags wrote: Also you might want to change default VestaCP port: But be cautious to have an ACCEPT rule in your firewall for the port you want, like 8083. To replace the standard 8083:
sed -i 's/8083;/8088;/' /usr/local/vesta/nginx/conf/nginx.conf
service vesta restart
Thank you for the tip. And yes, it could be useful.
And I really was concerned about something else as well.
Here is the scenario: a hacker penetrates 'admin' via sloppy PHP code (or a known CMS hole).
What will this mean for the Linux system? And what will it mean for other VestaCP users?
Re: How-to Protect server and separate accounts?
I was wrong. :(((
'admin' = root
Now if a PHP script gets compromised, the hacker gets full root.
This is alarming.
If any developers read this please respond ASAP
/etc/sudoers
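The combination the post above warns about (admin in sudoers, a login shell usable over SSH, and sites hosted under admin) can be checked on a host. The script below is an added example, not VestaCP's own code; the web.conf path under /usr/local/vesta/data/users and its DOMAIN='...' line format are assumptions, and the sample files it audits are constructed.

```shell
#!/bin/sh
# Added audit example (not VestaCP's own code): checks the three conditions this
# thread worries about for the 'admin' account: a sudo grant, a login shell usable
# over SSH, and web domains hosted under it. File paths are parameters so it also
# runs on constructed copies; the web.conf path/DOMAIN='...' format is an assumption.

# 0 if $1 has a direct "user ALL=" grant in sudoers file $2 (/etc/sudoers.d not scanned).
user_in_sudoers() { grep -Eq "^[[:space:]]*$1[[:space:]]+ALL[[:space:]]*=" "$2" 2>/dev/null; }
# 0 if $1 is a member of the sudo or wheel group in group file $2.
user_in_sudo_group() { grep -E '^(sudo|wheel):' "$2" 2>/dev/null | grep -Eq "[:,]$1(,|\$)"; }
# Print the login shell of $1 from passwd file $2.
user_shell() { awk -F: -v u="$1" '$1 == u { print $7 }' "$2"; }
# 0 if shell $1 permits an interactive (SSH) login.
shell_allows_login() { case "$1" in */nologin|*/false|"") return 1 ;; *) return 0 ;; esac; }
# Print the number of DOMAIN= entries in a VestaCP-style web.conf ($1); 0 if missing.
count_web_domains() { n=$(grep -c "^DOMAIN=" "$1" 2>/dev/null); echo "${n:-0}"; }

# Print findings for user $1 ($2 sudoers, $3 group, $4 passwd, $5 web.conf);
# exit status is the number of risky findings.
audit_user() {
    risks=0
    if user_in_sudoers "$1" "$2" || user_in_sudo_group "$1" "$3"; then
        echo "[!] $1 can use sudo"; risks=$((risks + 1))
    fi
    if shell_allows_login "$(user_shell "$1" "$4")"; then
        echo "[!] $1 has a login shell, so SSH access is possible"; risks=$((risks + 1))
    fi
    n=$(count_web_domains "$5")
    if [ "$n" -gt 0 ]; then
        echo "[!] $n web domain(s) under $1: a PHP compromise inherits sudo"; risks=$((risks + 1))
    fi
    return "$risks"
}

# Constructed sample files reproducing the default-install situation the thread describes.
make_sample() {
    printf 'root ALL=(ALL:ALL) ALL\nadmin ALL=(ALL:ALL) ALL\n' > "$1/sudoers"
    printf 'sudo:x:27:\n' > "$1/group"
    printf 'admin:x:1001:1001::/home/admin:/bin/bash\n' > "$1/passwd"
    printf "DOMAIN='example.test' IP='192.0.2.10'\n" > "$1/web.conf"
}

# Run with --demo to audit the sample; point audit_user at /etc/sudoers, /etc/group,
# /etc/passwd and /usr/local/vesta/data/users/admin/web.conf to audit a live host.
if [ "${1-}" = "--demo" ]; then
    d=$(mktemp -d) && make_sample "$d"
    audit_user admin "$d/sudoers" "$d/group" "$d/passwd" "$d/web.conf"; rm -rf "$d"
fi
```

Reading /etc/sudoers requires root, so run the live audit with sudo; an empty output and exit status 0 means none of the three conditions holds.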
Re: How-to Protect server and separate accounts?
Hello there, what were we talking about on the first page?
Sites on the admin account: it's not a good idea. I think it's better to create a new user for sites. If possible, one user = one site.
skurudo wrote: But user admin can use sudo and I see a security issue there
Doesn't it ring a bell?
Re: How-to Protect server and separate accounts?
skurudo wrote: Hello there, what were we talking about on the first page?
Yes, you are correct: 'admin' is sudo with ssh enabled by default. (unfortunately)
And it's totally not obvious for new VestaCP users.
"Admin" should be disabled for WEB by default.
And this should be written on the forehead → "Please don't use the admin account" :)
Re: How-to Protect server and separate accounts?
Post your idea on bug tracker? I vote for it :)
https://bugs.vestacp.com/
Re: How-to Protect server and separate accounts?
skurudo wrote: Post your idea on bug tracker? I vote for it :)
https://bugs.vestacp.com/
Hey skurudo,
Yes, submitted as 'idea'... thanks...
https://bugs.vestacp.com/responses/admin-account-lock
Technically, changing ownership of the files (from 'admin') with chown, without moving them to another directory, should work as well?
Re: How-to Protect server and separate accounts?
Can we have an update on this issue please? Is this being changed, and what should new users do in the meantime?
I'd normally disable remote SSH access to root - this makes it sound like, if I'm on Vesta, I effectively can't because by design there is an admin account that has the same privileges as root that must have remote SSH? Is there not a workaround?
Also it looks very similar to this issue (Change default admin user - viewtopic.php?f=10&t=6820) and this related bug which is "under consideration" (Change Default "Admin" Username - https://bugs.vestacp.com/responses/chan ... n-username)
Re: How-to Protect server and separate accounts?
Thanks for the bump... I had raised this request many months back.
Security through obscurity is a good practice; the ability to change the default "admin" to something else decreases the chances of brute-force "guesswork" attacks. Waiting to hear from @Imperio and other dev members.