Tut: Change VestaCP port through SSH Command line
- Support team
- Posts: 1096
- Joined: Sat Sep 06, 2014 9:58 pm
- Os: Debian 8x
- Web: apache + nginx
Tut: Change VestaCP port through SSH Command line
Amidst the crisis, I wanted to share the fastest, easiest SSH command line to change your VestaCP port. I'm changing it here to 8383; you can replace 8383 with any other (uncommon) port number if you want.
Code:
sed -i 's/8083;/8383;/' /usr/local/vesta/nginx/conf/nginx.conf
/usr/local/vesta/bin/v-add-firewall-rule ACCEPT 0.0.0.0/0 8383 TCP gVestaCP
Block 8083 in the firewall (if you want):
Code:
sed -i -e '/8083/ s/ACCEPT/DROP/' /usr/local/vesta/data/firewall/rules.conf
Double check that it shows DROP for 8083:
Code:
nano /usr/local/vesta/data/firewall/rules.conf
Restart Fail2Ban to monitor the changed port (thanks @nsuro for the tip):
Code:
systemctl restart fail2ban.service
v-update-firewall
systemctl restart vesta
Check iptables; it should now show the new port:
Code:
iptables -L -nv | grep 8383
like this:
Code:
....
0 0 fail2ban-VESTA tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8383
....
If you are still not able to log in at your custom port, stop the firewall:
Code:
/usr/local/vesta/bin/v-stop-firewall
then log in to your panel and restart the firewall from within your WebUI.
Note: Seasoned admins may want to restrict access to the WebUI to only their known IP... so replace ACCEPT 0.0.0.0/0 with your IP.
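The same two edits the tutorial makes (move the panel's nginx listen port, flip the old port's ACCEPT rule to DROP), written up as an added example with the checks an admin wants before touching /usr/local/vesta. This is editor-added code, not the tutorial author's commands or anything shipped by VestaCP. It assumes two things the page does not state: that nginx.conf has exactly one "listen <port>;" line for the panel, and that rules.conf uses VestaCP's KEY='value' line layout with ACTION='...' and PORT='...' fields. The sample files at the bottom are constructed for the demo. Matching on PORT='8083' rather than a bare /8083/ avoids turning an unrelated rule to DROP just because a rule number, IP or date happens to contain 8083, and the listen pattern will not rewrite some other "8083;" in the file.

```shell
#!/bin/sh
# Added example (not from the VestaCP forum post or the project): apply the
# tutorial's port change to the two config files with sanity checks first.
# Run it against copies; pass the real paths only when the dry run looks right.
#
# Assumptions (not stated on the page): nginx.conf has exactly one
# "listen <port>;" line for the panel, and rules.conf uses the KEY='value'
# layout with ACTION='...' and PORT='...' fields.

# Print the port the panel's nginx currently listens on.
vesta_panel_port() {
    sed -n 's/^[[:space:]]*listen[[:space:]]*\([0-9][0-9]*\);.*/\1/p' "$1" | head -n 1
}

# Exit 0 if the rules file already has a rule for the given port. Matching on
# PORT='n' avoids the false hits a bare /8083/ pattern would give on rule
# numbers, IPs or dates.
vesta_rule_exists() {
    grep -q "PORT='$2'" "$1"
}

# Move the panel from old_port to new_port:
#   1. refuse if nginx is not on old_port or new_port already has a rule
#   2. keep .bak copies, then rewrite the listen line
#   3. flip the old port's ACCEPT rule to DROP (what the tutorial's sed does)
# Usage: vesta_set_panel_port nginx.conf rules.conf 8083 8383
vesta_set_panel_port() {
    nginx_conf=$1; rules_conf=$2; old_port=$3; new_port=$4
    if [ "$(vesta_panel_port "$nginx_conf")" != "$old_port" ]; then
        echo "refusing: $nginx_conf does not listen on $old_port" >&2
        return 1
    fi
    if vesta_rule_exists "$rules_conf" "$new_port"; then
        echo "refusing: $rules_conf already has a rule for port $new_port" >&2
        return 1
    fi
    cp "$nginx_conf" "$nginx_conf.bak"
    cp "$rules_conf" "$rules_conf.bak"
    sed "s/^\([[:space:]]*listen[[:space:]]*\)$old_port;/\1$new_port;/" "$nginx_conf" > "$nginx_conf.tmp" \
        && mv "$nginx_conf.tmp" "$nginx_conf"
    sed "/PORT='$old_port'/ s/ACTION='ACCEPT'/ACTION='DROP'/" "$rules_conf" > "$rules_conf.tmp" \
        && mv "$rules_conf.tmp" "$rules_conf"
    echo "panel moved to $new_port; next: v-add-firewall-rule ACCEPT <your-ip-or-0.0.0.0/0> $new_port TCP VestaCP; v-update-firewall; systemctl restart vesta"
}

# Demo on constructed copies (safe to run anywhere).
demo_dir=$(mktemp -d)
cat > "$demo_dir/nginx.conf" <<'EOF'
server {
    listen          8083;
    server_name     _;
}
EOF
cat > "$demo_dir/rules.conf" <<'EOF'
RULE='1' ACTION='ACCEPT' PROTOCOL='ICMP' PORT='0' IP='0.0.0.0/0' COMMENT='' SUSPENDED='no' TIME='10:35:41' DATE='2018-04-09'
RULE='2' ACTION='ACCEPT' PROTOCOL='TCP' PORT='22' IP='0.0.0.0/0' COMMENT='SSH' SUSPENDED='no' TIME='10:35:41' DATE='2018-04-09'
RULE='3' ACTION='ACCEPT' PROTOCOL='TCP' PORT='8083' IP='0.0.0.0/0' COMMENT='VESTA' SUSPENDED='no' TIME='10:35:41' DATE='2018-04-09'
EOF
vesta_set_panel_port "$demo_dir/nginx.conf" "$demo_dir/rules.conf" 8083 8383
grep -n -e listen -e PORT "$demo_dir/nginx.conf" "$demo_dir/rules.conf"
```

The function deliberately stops short of calling v-add-firewall-rule, v-update-firewall and the service restarts: those touch the live firewall, so the last line tells you what to run once the file diff (the .bak copies are there for that) looks right. Calling it a second time with the same arguments fails the first check, which is the point of the guard.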
Re: Tut: Change VestaCP port through SSH Command line
Awesome!! Thank you!
Re: Tut: Change VestaCP port through SSH Command line
I might be wrong, but I just wanted to point out that I believe fail2ban might not work correctly for the panel after changing from the default port. Looks like the port used for setting up the vesta fail2ban chain is set in v-add-firewall-chain.
Code:
# Action #
#----------------------------------------------------------#
# Checking known chains
case $chain in
    SSH) port=22; protocol=TCP ;;
    FTP) port=21; protocol=TCP ;;
    MAIL) port='25,465,587,2525,110,995,143,993'; protocol=TCP ;;
    DNS) port=53; protocol=UDP ;;
    WEB) port='80,443'; protocol=TCP ;;
    DB) port='3306,5432'; protocol=TCP ;;
    VESTA) port=8083; protocol=TCP ;;
    *) check_args '2' "$#" 'CHAIN PORT' ;;
esac
iptables shows the original port, not the new one.
Code:
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-VESTA tcp -- anywhere anywhere tcp dpt:8083
Probably not the best idea, editing bin files, but changing the VESTA port in v-add-firewall-chain to the new port and restarting fail2ban does look like it temporarily gets fail2ban working again.
Also want to sneak in a thanks to everyone working on vestacp, you guys rock!
Re: Tut: Change VestaCP port through SSH Command line
I'm going to make a suggestion. Perhaps the vesta admin port should be kept in
$VESTA/conf/vesta.conf
Then this value could be used to generate the nginx.conf, the firewall conf, etc.
Perhaps also, if this is implemented, the vesta admin port could be semi-randomly generated at install.
And maybe a script too in bin/v-change-vesta-admin-port.
Re: Tut: Change VestaCP port through SSH Command line
Another solution: use an SSH key on the root user.
All our servers which were using SSH keys on the root user were not hacked. And setting up SSH keys is easy too.
Re: Tut: Change VestaCP port through SSH Command line
After doing this tutorial I screwed up the panel.
How can I revert back to normal without taking backups?
I just managed to fix this.
- Support team
Re: Tut: Change VestaCP port through SSH Command line
@nsuro
Fail2ban doesn't monitor ports; it merely reads auth logs and counts the retries done there to ban the suspected IPs.
You can alter that file, but I don't think that would make any difference. Maybe the devs can suggest the best settings here.
@plutocrat
Yes, please suggest this on Git or http://bugs.vestacp.com/
In fact, I had suggested PORT selection and "admin" name selection as variables while we install VestaCP, on the very first screen that asks for the FQDN, or they could be passed as arguments to the advanced install script. Let's see if the Vesta dev team can implement that anytime soon.
Re: Tut: Change VestaCP port through SSH Command line
You are right.
nsuro wrote: ↑Mon Apr 09, 2018 11:57 pm
I might be wrong, but I just wanted to point out that I believe fail2ban might not work correctly for the panel after changing from the default port. Looks like the port used for setting up the vesta fail2ban chain is set in v-add-firewall-chain.
iptables shows the original port, not the new one.
Probably not the best idea, editing bin files, but changing the VESTA port in v-add-firewall-chain to the new port and restarting fail2ban does look like it temporarily gets fail2ban working again.
From a glance at the fail2ban config files one could assume it bans the IP completely if action is taken, as there are simply no ports specified.
Yet the jails get set up by v-add-firewall-chain, as you pointed out, and therefore a ban action would result in the offending IP only being blocked from accessing 8083 instead of the new port.
Sadly the ports are hardcoded in that script, so the only way to change this is to add or change the port there too. Keep in mind that these files might get replaced with any upcoming update, reversing any changes.
Re: Tut: Change VestaCP port through SSH Command line
So I just had some time to confirm this, and yes, if the port is not changed it does not ban you.
Yes, I think those are all great suggestions; a place to set the port would be great! Looks like the vesta config is not generated like the other sites' configs, so I'm not sure how big of a change it would take. Maybe, like plutocrat suggested, a new script. I will file a bug this afternoon if no one else has done it by then. I think a simple solution for now would be to block all ports on failed logins for the panel.
@mehargags
You are correct, it does not monitor ports. But in this case it does not blanket-ban the user on all ports when it detects failed logins from the panel. /etc/fail2ban/action.d/vesta.conf calls v-add-firewall-chain and creates a jail on fail2ban start that has a port attached to it. Then when there is a ban it calls v-add-firewall-ban, which adds the user's IP to that jail that has that port set, blocking the user on only that port.
/etc/fail2ban/action.d/vesta.conf
Code:
[Definition]
actionstart = /usr/local/vesta/bin/v-add-firewall-chain <name>
actionstop = /usr/local/vesta/bin/v-delete-firewall-chain <name>
actioncheck = iptables -n -L INPUT | grep -q 'fail2ban-<name>[ \t]'
actionban = /usr/local/vesta/bin/v-add-firewall-ban <ip> <name>
actionunban = /usr/local/vesta/bin/v-delete-firewall-ban <ip> <name>
./v-add-firewall-chain
Code:
....
# Adding chain
$iptables -N fail2ban-$chain 2>/dev/null
if [ $? -eq 0 ]; then
    $iptables -A fail2ban-$chain -j RETURN

    # Adding multiport module
    if [[ "$port" =~ ,|-|: ]] ; then
        port_str="-m multiport --dports $port"
    else
        port_str="--dport $port"
    fi

    $iptables -I INPUT -p $protocol $port_str -j fail2ban-$chain
fi
....
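The failure mode nsuro describes in this post and the earlier one (v-add-firewall-chain hardcodes port=8083 for the VESTA chain, so after the port change a ban lands on a port nobody uses any more), plus the caveat in the reply above that a Vesta update can put the hardcoded value back, as an added example. This is editor-added code, not nsuro's, the thread's or VestaCP's. It reads the port the fail2ban-VESTA jump actually matches out of "iptables -L INPUT -n" output and compares it to the panel port, and it does the same edit to v-add-firewall-chain that nsuro did by hand, but through a pattern that only touches the "VESTA) port=N;" case line. Assumed, not stated on the page: one fail2ban-VESTA line in INPUT with a single "dpt:N" match (no multiport for VESTA), and the case-line layout shown in the snippet above. The iptables output and script line at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from VestaCP: check that the
# fail2ban-VESTA chain is watching the port the panel listens on, and patch the
# hardcoded port in v-add-firewall-chain the way nsuro did by hand.
# Assumptions: one fail2ban-VESTA line in INPUT with a single "dpt:N", and a
# "VESTA) port=N;" case line in v-add-firewall-chain (as quoted in the thread).

# Port that the fail2ban-VESTA jump in INPUT matches on (empty if no such rule).
# Reads iptables output on stdin; works on both "-L -n" and "-L -nv" layouts.
vesta_chain_port() {
    awk '$0 ~ /fail2ban-VESTA/ { for (i = 1; i <= NF; i++) if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $i; exit } }'
}

# Port hardcoded in the VESTA case of v-add-firewall-chain.
vesta_script_port() {
    sed -n 's/^[[:space:]]*VESTA)[[:space:]]*port=\([0-9][0-9]*\);.*/\1/p' "$1" | head -n 1
}

# Rewrite that hardcoded port: file old_port new_port. Any Vesta update that
# replaces bin/v-add-firewall-chain silently undoes this, so re-run the check
# below after every update.
vesta_patch_chain_script() {
    sed "s/^\([[:space:]]*VESTA)[[:space:]]*port=\)$2;/\1$3;/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# 0 if the fail2ban-VESTA chain port equals the panel port, 1 otherwise.
# Usage: iptables -L INPUT -n | vesta_fail2ban_check 8383
vesta_fail2ban_check() {
    chain_port=$(vesta_chain_port)
    if [ "$chain_port" = "$1" ]; then
        echo "ok: fail2ban-VESTA matches dpt:$chain_port"
        return 0
    fi
    echo "MISMATCH: panel on $1 but fail2ban-VESTA matches dpt:${chain_port:-<none>}; bans will not cover the panel" >&2
    return 1
}

# Demo on constructed data: a box right after the tutorial, before
# v-add-firewall-chain has been touched (chain still on 8083, panel on 8383).
sample_iptables='Chain INPUT (policy DROP)
target     prot opt source               destination
fail2ban-VESTA  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8083
fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
vesta      all  --  0.0.0.0/0            0.0.0.0/0'
printf '%s\n' "$sample_iptables" | vesta_fail2ban_check 8383 || true

# Constructed stand-in for the case line in v-add-firewall-chain.
script=$(mktemp)
printf '    VESTA) port=8083; protocol=TCP ;;\n' > "$script"
vesta_patch_chain_script "$script" 8083 8383
echo "v-add-firewall-chain case line now uses port $(vesta_script_port "$script")"
```

On a live box the check is "iptables -L INPUT -n | vesta_fail2ban_check 8383" after "systemctl restart fail2ban.service"; the chain is only rebuilt on fail2ban start, so patching the script without the restart still leaves the old dpt:8083 jump in place.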
- Support team
Re: Tut: Change VestaCP port through SSH Command line
nsuro
So can you write a "sed" statement as in my tutorial above... and then we can test this on our servers. If all is good, I will include that in my tutorial above.
Thanks a lot for your keen eyes and contribution... above all your love for Vesta.