Vesta Control Panel - Forum

Tut: Change VestaCP port through SSH Command line

General questions about VestaCP
15 posts
mehargags
Support team
Posts: 1096
Joined: Sat Sep 06, 2014 9:58 pm

Os: Debian 8x
Web: apache + nginx
Tut: Change VestaCP port through SSH Command line

Post by mehargags » Mon Apr 09, 2018 3:39 am

Amidst the crisis, I wanted to share the fastest, easiest SSH command line to change your VestaCP port. I'm changing it here to 8383; you can replace 8383 with any other (uncommon) port number if you want.

Code: Select all

sed -i 's/8083;/8383;/' /usr/local/vesta/nginx/conf/nginx.conf
/usr/local/vesta/bin/v-add-firewall-rule ACCEPT 0.0.0.0/0 8383 TCP gVestaCP

Block 8083 in Firewall (if you want)

Code: Select all

sed -i -e '/8083/ s/ACCEPT/DROP/' /usr/local/vesta/data/firewall/rules.conf

Double check if it shows DROP for 8083

Code: Select all

nano /usr/local/vesta/data/firewall/rules.conf

Restart Fail2Ban to monitor changed port (Thanks @nsuro for the tip)

Code: Select all

systemctl restart fail2ban.service
v-update-firewall
systemctl restart vesta

Check iptables; it should now show the new port.

Code: Select all

iptables -L -nv | grep 8383

like this

Code: Select all

....
    0     0 fail2ban-VESTA  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8383
....

If you are still not able to login at your custom port, stop firewall

Code: Select all

/usr/local/vesta/bin/v-stop-firewall

then login to your panel and restart firewall from within your WebUI

Note: Seasoned admins may want to restrict access to WebUI for only their known IP... so replace ACCEPT 0.0.0.0/0 with your IP

arktex54
Posts: 11
Joined: Wed Apr 05, 2017 5:45 pm

Re: Tut: Change VestaCP port through SSH Command line

Post by arktex54 » Mon Apr 09, 2018 5:08 pm

Awesome!! Thank you!

nsuro
Posts: 3
Joined: Mon Apr 09, 2018 11:33 pm

Os: Debian 8x
Web: nginx + php-fpm
Re: Tut: Change VestaCP port through SSH Command line

Post by nsuro » Mon Apr 09, 2018 11:57 pm

I might be wrong but I just wanted to point out that I believe fail2ban might not work correctly for the panel after changing from the default port. Looks like the port used for setting up the vesta fail2ban chain is set in v-add-firewall-chain.

Code: Select all

#                       Action                             #
#----------------------------------------------------------#

# Checking known chains
case $chain in
    SSH)        port=22; protocol=TCP ;;
    FTP)        port=21; protocol=TCP  ;;
    MAIL)       port='25,465,587,2525,110,995,143,993'; protocol=TCP  ;;
    DNS)        port=53; protocol=UDP  ;;
    WEB)        port='80,443'; protocol=TCP  ;;
    DB)         port='3306,5432'; protocol=TCP  ;;
    VESTA)      port=8083; protocol=TCP  ;;
    *)          check_args '2' "$#" 'CHAIN PORT' ;;
esac

iptables shows original port not the new one.

Code: Select all

Chain INPUT (policy DROP)
target     prot opt source               destination         
fail2ban-VESTA  tcp  --  anywhere             anywhere             tcp dpt:8083

Probably not the best editing bin files but changing the VESTA port in v-add-firewall-chain to the new port and restarting fail2ban does look like it temporarily gets fail2ban working again.

Also want to sneak in a thanks to everyone working on vestacp, you guys rock!

plutocrat
Posts: 232
Joined: Fri Jan 27, 2017 9:16 am

Os: Ubuntu 17x
Web: apache + nginx
Re: Tut: Change VestaCP port through SSH Command line

Post by plutocrat » Tue Apr 10, 2018 3:49 am

I'm going to make a suggestion. Perhaps the vesta admin port should be kept in
$VESTA/conf/vesta.conf

Then this value could be used to generate the nginx.conf, the firewall conf etc.

Perhaps, also, if this is implemented, the vesta admin port could be semi-randomly generated at install.

and maybe a script too in bin/v-change-vesta-admin-port

vikhyat
Posts: 91
Joined: Wed Sep 14, 2016 5:39 pm

Re: Tut: Change VestaCP port through SSH Command line

Post by vikhyat » Tue Apr 10, 2018 8:57 am

Another solution, use SSH key on root user.
All our servers which were using SSH keys on root user were not hacked. And setting up SSH keys is easy too.

perryoo11
Posts: 1
Joined: Wed Aug 09, 2017 7:03 pm

Re: Tut: Change VestaCP port through SSH Command line

Post by perryoo11 » Tue Apr 10, 2018 9:27 am

After doing this tutorial I screwed up the panel.
How can I reverse back to normal without taking backups?


I just managed to fix this.

mehargags
Support team
Posts: 1096
Joined: Sat Sep 06, 2014 9:58 pm

Os: Debian 8x
Web: apache + nginx
Re: Tut: Change VestaCP port through SSH Command line

Post by mehargags » Tue Apr 10, 2018 11:37 am

@nsuro
Fail2ban doesn't monitor ports, it merely reads auth logs and counts the retries done there to ban the suspected IPs.
You can alter that file, but I don't think that would make any difference. Maybe the devs can suggest best settings here.

@plutocrat
Yes please suggest this on Git or http://bugs.vestacp.com/

In fact, I had suggested PORT selection and "admin" name selection as variable while we install VestaCP, the very first screen that asks for FQDN, or can be passed as an argument to the Advanced install script. Let's see if Vesta Dev team can implement that anytime soon.

Falzo
Posts: 60
Joined: Mon Mar 28, 2016 8:49 am

Re: Tut: Change VestaCP port through SSH Command line

Post by Falzo » Tue Apr 10, 2018 12:01 pm

nsuro wrote (Mon Apr 09, 2018 11:57 pm):
I might be wrong but I just wanted to point out that I believe fail2ban might not work correctly for the panel after changing from the default port. Looks like the port used for setting up the vesta fail2ban chain is set in v-add-firewall-chain.

Code: Select all

#                       Action                             #
#----------------------------------------------------------#

# Checking known chains
case $chain in
    SSH)        port=22; protocol=TCP ;;
    FTP)        port=21; protocol=TCP  ;;
    MAIL)       port='25,465,587,2525,110,995,143,993'; protocol=TCP  ;;
    DNS)        port=53; protocol=UDP  ;;
    WEB)        port='80,443'; protocol=TCP  ;;
    DB)         port='3306,5432'; protocol=TCP  ;;
    VESTA)      port=8083; protocol=TCP  ;;
    *)          check_args '2' "$#" 'CHAIN PORT' ;;
esac

iptables shows original port not the new one.

Code: Select all

Chain INPUT (policy DROP)
target     prot opt source               destination         
fail2ban-VESTA  tcp  --  anywhere             anywhere             tcp dpt:8083

Probably not the best editing bin files but changing the VESTA port in v-add-firewall-chain to the new port and restarting fail2ban does look like it temporarily gets fail2ban working again.

Also want to sneak in a thanks to everyone working on vestacp, you guys rock!

you are right.

from a glance at the fail2ban config files one could assume it bans the IP completely if action is taken, as there are simply no ports specified.
yet the Jails get set up by v-add-firewall-chain as you pointed out and therefore a ban-action would result in having the offending IP only be blocked for accessing 8083 instead of the new port.

sadly the ports are hardcoded in that script so the only way to change is to add or change the port there too. keep in mind that these files might get replaced with any upcoming update, reversing any changes.

nsuro
Posts: 3
Joined: Mon Apr 09, 2018 11:33 pm

Os: Debian 8x
Web: nginx + php-fpm
Re: Tut: Change VestaCP port through SSH Command line

Post by nsuro » Tue Apr 10, 2018 2:04 pm

So I just had some time to confirm this and yes if the port is not changed it does not ban you.
Yes I think those are all great suggestions, a place to set the port would be great! Looks like the vesta config is not generated like the other sites configs so I'm not sure how big of a change it would take. Maybe like plutocrat suggested a new script. I will file a bug this afternoon if no one else has done it by then. I think a simple solution for now would be to block all ports on failed logins for the panel.

@mehargags
"Fail2ban doesn't monitor ports, it merely reads auth logs and counts the retries done there to ban the suspected IPs.
You can alter that file, but I don't think that would make any difference. Maybe the devs can suggest best settings here."

You are correct it does not monitor ports. But in this case it does not blanket ban the user on all ports when it detects failed logins from the panel. /etc/fail2ban/action.d/vesta.conf calls v-add-firewall-chain and creates a jail on fail2ban start that has a port attached to it. Then when there is a ban it calls v-add-firewall-ban that adds the user's IP to that jail that has that port set, blocking user on only that port.

/etc/fail2ban/action.d/vesta.conf

Code: Select all

[Definition]
actionstart = /usr/local/vesta/bin/v-add-firewall-chain <name>
actionstop = /usr/local/vesta/bin/v-delete-firewall-chain <name>
actioncheck = iptables -n -L INPUT | grep -q 'fail2ban-<name>[ \t]'
actionban = /usr/local/vesta/bin/v-add-firewall-ban <ip> <name>
actionunban = /usr/local/vesta/bin/v-delete-firewall-ban <ip> <name>

./v-add-firewall-chain

Code: Select all

....
# Adding chain
$iptables -N fail2ban-$chain 2>/dev/null
if [ $? -eq 0 ]; then
    $iptables -A fail2ban-$chain -j RETURN

    # Adding multiport module
    if [[ "$port" =~ ,|-|: ]] ; then
        port_str="-m multiport --dports $port"
    else
        port_str="--dport $port"
    fi
    $iptables -I INPUT -p $protocol $port_str -j fail2ban-$chain
fi
....
Top
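
A consistency check for the mismatch discussed in the posts above, as an added example that is not part of any forum post or of VestaCP itself: it compares the port nginx listens on, the VESTA port hardcoded in v-add-firewall-chain, and the port on the fail2ban-VESTA rule. The function names and the inline sample lines are constructed for illustration, and the `listen <port>;` layout of nginx.conf is an assumption.

```shell
#!/bin/sh
# Added example (not VestaCP code): confirm that nginx, the hardcoded VESTA
# chain port and the live fail2ban-VESTA rule all agree on the panel port.

# Panel port from nginx.conf; assumes a "listen <port>;" directive.
nginx_panel_port() {
    sed -nE 's/^[[:space:]]*listen[[:space:]]+([0-9]+).*/\1/p' "$1" | head -n 1
}

# Port hardcoded in v-add-firewall-chain: "VESTA)  port=8083; protocol=TCP ;;"
chain_script_port() {
    sed -nE 's/^[[:space:]]*VESTA\)[[:space:]]*port=([0-9]+);.*/\1/p' "$1" | head -n 1
}

# Port matched by the fail2ban-VESTA jump rule in saved iptables output.
fail2ban_rule_port() {
    sed -nE '/fail2ban-VESTA/ s/.*dpt:([0-9]+).*/\1/p' "$1" | head -n 1
}

# Usage: check_panel_port NGINX_CONF CHAIN_SCRIPT IPTABLES_OUTPUT_FILE
# Returns 0 when all three agree, 1 on a mismatch, 2 if nginx has no port.
check_panel_port() {
    want=$(nginx_panel_port "$1")
    [ -n "$want" ] || { echo "no listen port found in $1"; return 2; }
    status=0
    chain=$(chain_script_port "$2")
    rule=$(fail2ban_rule_port "$3")
    if [ "$chain" != "$want" ]; then
        echo "MISMATCH: chain script has VESTA port ${chain:-none}, panel is on $want"
        status=1
    fi
    if [ "$rule" != "$want" ]; then
        echo "MISMATCH: fail2ban-VESTA rule covers ${rule:-none}, panel is on $want"
        status=1
    fi
    [ "$status" -ne 0 ] || echo "OK: all three use port $want"
    return "$status"
}

# Constructed sample: the state after the tutorial's sed, before the chain fix.
demo_dir=$(mktemp -d)
printf '    listen          8383;\n' > "$demo_dir/nginx.conf"
printf '    VESTA)      port=8083; protocol=TCP  ;;\n' > "$demo_dir/v-add-firewall-chain"
printf 'fail2ban-VESTA  tcp  --  anywhere  anywhere  tcp dpt:8083\n' > "$demo_dir/iptables.txt"
check_panel_port "$demo_dir/nginx.conf" "$demo_dir/v-add-firewall-chain" "$demo_dir/iptables.txt" \
    || echo "check exited with status $?"
rm -rf "$demo_dir"
```

On a server, pass /usr/local/vesta/nginx/conf/nginx.conf, /usr/local/vesta/bin/v-add-firewall-chain and a file holding the output of `iptables -n -L INPUT`; rerun it after any panel update, since the thread notes that updates may replace the edited script.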

mehargags
Support team
Posts: 1096
Joined: Sat Sep 06, 2014 9:58 pm

Os: Debian 8x
Web: apache + nginx
Re: Tut: Change VestaCP port through SSH Command line

Post by mehargags » Tue Apr 10, 2018 5:04 pm

nsuro
so can you write a "sed" statement as in my Tutorial above... and then we can test this on our servers. If all is good, I will include that in my tutorial above.

Thanks a lot for your keen eyes and contribution... above all your love for Vesta.