[Req] Two-Factor Authentication + Recaptcha For VestaCP

Posted: Tue Sep 11, 2018 8:05 pm
by xorro
Well, it's been a long time and people are using VestaCP more and more, but when we search the internet, people are sometimes afraid to use it just because of the lack of security on the control panel login. I know we can use VestaCP fail2ban and ngx_http_limit_req_module to secure some stuff, but that is not the proper solution for brute-forcing, because if someone is attacking my server they might be using tons of proxies, and when ngx_http_limit_req_module hits the limits mentioned in the configuration, users will start seeing a 503 error. But what if the server operator is away for a while or is on vacation? Using ngx_http_limit_req_module and fail2ban will be a temporary solution and needs someone to monitor the server and keep changing the limit in the config file so websites can stay up all the time. Well, I hope you guys will understand there are many possibilities. I am also not saying that Two-Factor or Captcha is the final solution to stop these attacks, but at least it makes it much harder for hackers/attackers to get into the admin panel.

I have seen feature-adding submissions on the bug reporting system, but they have been left dead, and I never heard of these solutions coming out. This is 2018 and we are still waiting for one of the best free VPS control panel creators to add both of these in VestaCP so we can recommend it to others, and even if they have any concern about security they do not get a chance to deny the respect for this control panel.

Re: [Req] Two-Factor Authentication + Recaptcha For VestaCP

Posted: Thu Sep 13, 2018 4:19 am
by maman
Yes, I agree with you. But that is not the solution, which is too annoying. A better idea is to make the Vesta admin panel accessible only from localhost, and you can access it via an SSH tunnel. That is much safer than waiting for the VestaCP team to release a bug fix (which will take way way way way way 100x too long for them to release). And my suggestion: do not use VestaCP with the default settings. Because from my experience modifying VestaCP to my own needs, VestaCP has too many small bugs (non security related). Maybe this is because they support multiple OSes. In order to fulfill that, you need to make separate source code for each OS. Each OS needs some modification, so it's hard to maintain multiple OS source code without making some mistakes (bugs), especially when there's a major OS update and some code needs to be modified again. Unlike cPanel, which only focuses on one OS (CentOS), so it's easier to maintain. Maybe the VestaCP team should separate each OS development into a specialized team below the lead team, so it's easier to maintain. Just my 2 cents.
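
The localhost-only setup suggested in the post above depends on the panel port never listening on a public address. As an added example (not part of the thread and not VestaCP code), this POSIX shell check classifies listeners from `ss -Hltn` output; port 8083, the sample listings, the tunnel host and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: confirm the panel port is reachable only via loopback,
# which is what the SSH-tunnel setup relies on.
# ASSUMPTION: 8083 is the panel port; override with PANEL_PORT.
# Tunnel from a workstation (constructed host): ssh -L 8083:127.0.0.1:8083 admin@server.example
PANEL_PORT="${PANEL_PORT:-8083}"

# Constructed samples in `ss -Hltn` format (not captured from a real host).
SAMPLE_EXPOSED='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:8083 0.0.0.0:*
LISTEN 0 511 [::]:8083 [::]:*'
SAMPLE_TUNNEL_ONLY='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 127.0.0.1:8083 0.0.0.0:*
LISTEN 0 511 [::1]:8083 [::]:*'

# Read `ss -Hltn` lines on stdin; for each listener on port $1 print
# "loopback <addr>" or "exposed <addr>".
classify_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")            # port is the text after the last colon
            if (part[n] != port) next
            host = substr($4, 1, length($4) - length(part[n]) - 1)
            if (host ~ /^127\./ || host == "[::1]" || host ~ /^\[::ffff:127\./)
                print "loopback", $4
            else
                print "exposed", $4
        }'
}

# Exit status: 0 = loopback only, 1 = listening on a non-loopback address,
# 2 = nothing listening on the port (panel down or wrong port number).
check_loopback_only() {
    cl_out=$(classify_listeners "$1")
    [ -n "$cl_out" ] || { echo "port $1: no listener"; return 2; }
    if printf '%s\n' "$cl_out" | grep -q '^exposed '; then
        printf '%s\n' "$cl_out" | grep '^exposed ' | sed "s/^/port $1: /"
        return 1
    fi
    echo "port $1: loopback only"
    return 0
}

# Demo on the constructed samples; on a live host: ss -Hltn | check_loopback_only "$PANEL_PORT"
for sample in "$SAMPLE_EXPOSED" "$SAMPLE_TUNNEL_ONLY"; do
    printf '%s\n' "$sample" | check_loopback_only "$PANEL_PORT" || true
done
```

A non-zero exit status makes the check usable from cron or a monitoring agent, so a panel or OS update that rebinds the port to a public address is noticed.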

Re: [Req] Two-Factor Authentication + Recaptcha For VestaCP

Posted: Sun Sep 23, 2018 6:19 pm
by maxpostal

Is there any news about that idea?

Re: [Req] Two-Factor Authentication + Recaptcha For VestaCP

Posted: Thu Sep 12, 2019 10:40 pm
by xorro
It's been a year but no news, because the current VestaCP setup already has too many bugs that need to be fixed and updated, so I think the developers do not have time to add new features. Or maybe they do not even have time to fix current bugs.