Vesta Control Panel - Forum

I have another idea for the super user permission. A new pool can be added for Vesta PHP-FPM and separate user can be created for phpmyadmin

dpeca wrote: Sun May 27, 2018 4:10 pm If your idea is to run phpmyadmin via php-fpm, to avoid apache, then it's pretty easy to install separate php-fpm, trust me... mostly one apt-get/yum command...

I don't use Apache it's Nginx + php-fpm setup

Let me explain why I did that and why it is not so bad Idea. If you run phpmyadmin on vhosts it is accessible on port 80 and 443. Now I am running it on Vesta Nginx server so it is only accessible on port 8083 on which I can set firewall rule to allow only specific ip addresses to access it.

Stesh wrote: Fri May 25, 2018 2:25 am Very very bad idea. In case of hacking PhpMyAdmin, the whole server will be hacked

Why do you think so. PhpMyAdmin will be running as vesta default user admin which does not have root access. It have same access as if you were running it from virtual host on admin user

It is impossible if you want to have it on multiple domains since it uses domain from each web domain

I just made instruction how to run PhpMyAdmin from vesta service for Nginx + Php-FMP on Centos 7 . For apache you'll need additional changes but it is possible to get done

This will make PHP my admin run with PHP from vesta and be available on port 8083.

This guide is for setup with Nginx + PHP-FPM tested on Centos 7

First we make new temp directory for PHPMyAdmin to avoid permission issue.

mkdir /tmp/phpMyAdmin
chmod 777 /tmp/phpMyAdmin

Then we add set this ...

vikhyat wrote: Tue Apr 10, 2018 8:57 am Another solution, use SSH key on root user.
All our servers which were using SSH keys on root user were not hacked. And setting up SSH keys is easy too.

I was using key on SSH and got hacked

First of all, there was no reports about hacks on 0.9.8-20.
Please update your servers as soon as possible.


For those who are interested in technical details here is how authentication model looked like in previous releases:
- PHP script /api/index.php receives user password via POST request ...

But what for those installations which were not affected. How many users are going to read forum and update their configs? Many of us did not reinstall systems completely. Just cleared the virus and got the servers runnign.

I just think it might a be a good ide to implemnt some differential scripts ...

The most thing that I am concerned about the future is that updating Vesta wont enable access logs since config files are not getting update. Only way to enable them is by manually editing config files by user. So every Vesta installaton which is currenly running will still not make access logs and ...