how to secure VPS

[Huanana]

HI guys,
I have a VPS with Ubuntu 18 and Vesta panel running on it. I'm a newbie so can you please help me?
And the goal was to secure my VPS and here is what I wanted to do:

Disable IPv6
via editing grub parameters in /etc/default/grub
I don't use IPv6 so as my VPS hoster so can this configuration affect any service on VPS ?

Put ssh to nonstandard port

Add basic http authentication to phpmyadmin
Add to apache2 config file /etc/phpmyadmin/apache.conf these lines

Code: Select all

AuthType Basic
AuthName "Restricted Access"
AuthUserFile /usr/share/phpmyadmin/passwd
Require valid-user

And it works fine.

Add basic http authentication to Vesta
I added to /usr/local/vesta/nginx/conf/nginx.conf file these lines

Code: Select all

 auth_basic "Restricted";
 auth_basic_user_file /etc/nginx/.htpasswd;
expires max;
index index.php;
}

and created htpasswd.
From authentication perspective it works fine but Vesta and other sites are working extremely slow. And I can't find anything specific in logs.
For example with this configuration I need 30 seconds to move from USER menu to WEB menu inside Vesta.
When I'm disabling it all sites work as they should.
Any ideas how to implement http auth but not broke other sites and Vesta's performance?

Next to in I'd like to secure MySQL
by adding password to root%localhost and interface configuration. Instead of using 0.0.0.0/0 I added bind-address = 127.0.0.1 to my.cnf

But as a result backup process don't work as it should, looks like I broke it. Vesta create a lot of folders every 10 minutes until free space will end in /backup folder.

Code: Select all

ls -lah /backup
drwx------  5 root  root  4.0K Mar 27 19:15 tmp.5Vg0vTSI1n
drwx------  8 root  root  4.0K Mar 27 18:40 tmp.Sgr4ZfbM1B
drwx------  8 root  root  4.0K Mar 27 18:50 tmp.T3VpJdwJTz
drwx------  8 root  root  4.0K Mar 27 19:00 tmp.fXcXGATI56
drwx------  8 root  root  4.0K Mar 27 19:10 tmp.hvwohvHQMd

du -h -d1 /backup
4.0G    ./tmp.fXcXGATI56
4.0G    ./tmp.hvwohvHQMd
4.0G    ./tmp.Sgr4ZfbM1B
4.0G     ./tmp.5Vg0vTSI1n
4.0G    ./tmp.T3VpJdwJTz

Looks like it can't complete backup process because of some reasons and there are only such folders inside /backup/tmp.* folder
db dns mail pam vesta web
and there are no
cron user_dir
folders.


Looks like here is the answer to my question

Code: Select all

2021-03-27T19:00:03.943416Z 46 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2021-03-27T19:00:09.877277Z 47 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2021-03-27T19:05:02.979728Z 81 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2021-03-27T19:10:03.009843Z 119 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2021-03-27T19:10:22.250889Z 122 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2021-03-27T19:15:03.593465Z 163 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2021-03-27T19:20:03.774285Z 201 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2021-03-27T19:20:07.150538Z 202 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2021-03-27T19:25:02.475571Z 236 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2021-03-27T19:30:03.487948Z 272 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2021-03-27T19:30:07.456764Z 273 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2021-03-27T19:35:02.893016Z 308 [Note] Access denied for user 'root'@'localhost' (using password: YES)

and I deleted interface binding and a password on the root%localhost user.
But still no luck, Vesta is trying to create backups but instead archives it generates folders. And I'm constantly deleting these . tmp.* folders because there is not much space on VPS.



Thanks in advance.

[Huanana]

I added password from /usr/local/vesta/conf/mysql.conf to root%localhost user and now backup process works fine.
And there are no issues in these logs
/var/log/vesta/system.log
/var/log/vesta/backup.log


So now I have to add basic http authentication to Vesta panel and avoid performance issues I described in previous message.

[eris]

Don't use VestaCP..

[Huanana]

Is this Vesta's official forum? =) It's hard to believe because you are telling that I shouldn't use it.

So the main question is how to enable basic http auth for Vesta and do not affect it's performance like I described earlier.

[eris]

https://github.com/serghey-rodin/vesta/issues/2045 (Hasn't been Published so far)
https://cve.mitre.org/cgi-bin/cvename.c ... 2021-28379 or https://www.exploit-db.com/exploits/49659
https://www.exploit-db.com/exploits/49674
https://www.exploit-db.com/exploits/49662
https://www.exploit-db.com/exploits/49220
https://www.exploit-db.com/exploits/49219

https://www.exploit-db.com/exploits/49667
(Also aplies to VestaCP)

And even I have missed a lot ...

Maybe read this:
https://github.com/serghey-rodin/vesta/issues/2006

I don't care if you like keeping to run VestaCP but it hasn't been updated for over 1,5 years.With the amount has been found lately and the complete lack information for the last 1,5 year please consider the use of VestaCP... And there has been found all ready a new one that has been published at all.

[Huanana]

oh, a huge amount of issues....
Can you suggest other Panel please? MyVesta?

[eris]

MyVesta stays close to VestaCP but only supports Debian OS.

HestiaCP has more features and other improvements. Only supports Debian / Ubuntu OS

[Huanana]

Thanks!