Page 1 of 1

Hardening Vesta & Server

Posted: Tue Apr 11, 2017 10:29 am
by soldx
First at all, I am new working with servers and with Vesta.

I have a VPS with CentOS 6.8 & Vesta 0.9.8.
My big concern is about the security. (Mode paranoid)
  • -Default ports
    -Default URLs
    -Change weak config
I appreciate a lot if anybody can give me some suggestions or guides for start to work with that.


Re: Hardening Vesta & Server

Posted: Tue Apr 11, 2017 12:43 pm
by peterbrinck
I have changed a few default ports, like for SSH.
That's not directly for security, but it prevents a lot bots to try access your server.

And for SSL you can go with CloudFlare. It's free and provides SSL for all your domains, just add SSL support to your domains in Vesta and create a certificate, and you're good to go!

Other than that, Vesta already comes with a lot of security instances, like Fail2Ban.
The rest is pretty much normal server configuration and security.

DigitalOceans has a lot of good tutorials and guides on security: ... =tutorials

Re: Hardening Vesta & Server

Posted: Wed Apr 12, 2017 8:40 am
by soldx
Hi Peterbrinck!
Thanks for your suggestions. I will take a look at the Digitalocean link.

If anybody have any other suggestions I will take in consideration and of course appreciate a lot!


Re: Hardening Vesta & Server

Posted: Wed Apr 26, 2017 7:16 am
by skurudo
You can add also additional password for VestaCP / phpmyadmin / pgadmin

Re: Hardening Vesta & Server

Posted: Wed May 24, 2017 11:23 am
by rhyker2u
See viewtopic.php?f=14&t=14386#p60357 for adding an aditional layer to phpmyadmin/adminer. What I also tend to do after every default VestaCP setup -- where I don't include FTP server, as I use SFTP -- is indeed change SSH port 22 in /etc/sshd/sshd_config to something in the 1000s range. As well as the 8083 port to something else in /usr/local/vesta/nginx/conf/nginx.conf as perfectly outlined in this post: viewtopic.php?t=5126 ... and don't forget to change to the matching ports in https://X.X.X.X:8083/list/firewall/ prior to restarting any service.

CloudFlare's Flexible SSL is indeed great (especially when using a lot of subdomains). Been using that for 3+ years. However VestaCP supports Let's Encrypt out of the box now, which allows to enable Full SSL (or strict) in CloudFlare. Making the route between Cloudflare and the server secure too. note: do disable CloudFlare's DNS and HTTP proxy temporarily when you setup LetsEncrypt through VestaCP when applying for the certificates.

Anyway, I found this topic through the search, as I for one would like to have 2FA security too as a default feature on the VestaCP backend. Just to feel a little saver. Is that something that's on the feature list skurudo? Or is that something we can easily do ourselves? And if so, how? :o)

Re: Hardening Vesta & Server

Posted: Fri Nov 23, 2018 1:14 pm
by beli
also consider:

* using .htaccess files for pre-authing with basic auth for phpmyadmin, roundcube, vesta-cp gui etc.
* using portknocking (knockd) to open/close services like sshd, vesta-cp gui, etc.
* doing file alteration checks by hashing critical system files with tripwire, aide, samhain
* using rkhunter to check for common rootkits (also has basic support for file alteration checks)