We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
How-to Protect server and separate accounts?
Re: How-to Protect server and separate accounts?
uscreator wrote: Technically changing ownership of the files (from 'admin') without moving them to another directory should work as well?

Technically, yes. Admin is not for the site holder only; it's important for the control panel too.
chown
Re: How-to Protect server and separate accounts?
Again, can we please have an update on the status of this?
Two things particularly worry me:
1) There was in May/June a serious vulnerability where it was possible for an attacker to take control of the Admin account and thereby essentially gain root access - https://www.htbridge.com/advisory/HTB23261 - yes, that specific vulnerability was patched, but it worries me that it'd take just one slip-up like this and the whole server is compromised at virtually root level.
2) Comments on this bug request suggest that by default the admin login is vulnerable to brute force - https://bugs.vestacp.com/responses/chan ... n-username
That issue has been active for 7 months now.
So - is this being worked on, yes or no, and is this something that users can currently fix themselves, if so how?
Re: How-to Protect server and separate accounts?
skurudo wrote: One domain = one user account
and account isolation with open_basedir
Templates - basedir / hosting for Apache2 and hosting for Nginx
Need security changes in ->
/usr/local/vesta/data/templates/web/apache2/basedir.stpl
/usr/local/vesta/data/templates/web/apache2/basedir.tpl
/usr/local/vesta/data/templates/web/apache2/hosting.tpl
/usr/local/vesta/data/templates/web/apache2/hosting.stpl
viewtopic.php?f=11&t=6747&p=21644&hilit ... dir#p21644
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp

hello sku,
I'm using the hosting template; do I need to add the code below?
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
Also, what is this for, and is it enabled? It's located outside the directory block, before the mod_ruid part:
php_admin_value open_basedir %home%/%user%/web:%home%/%user%/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube
Below is the default hosting.tpl:
<VirtualHost %ip%:%web_port%>
    ServerName %domain_idn%
    %alias_string%
    ServerAdmin %email%
    DocumentRoot %docroot%
    ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
    Alias /vstats/ %home%/%user%/web/%domain%/stats/
    Alias /error/ %home%/%user%/web/%domain%/document_errors/
    #SuexecUserGroup %user% %group%
    CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
    CustomLog /var/log/%web_system%/domains/%domain%.log combined
    ErrorLog /var/log/%web_system%/domains/%domain%.error.log
    <Directory %docroot%>
        AllowOverride All
        Options +Includes -Indexes +ExecCGI
        php_admin_value upload_tmp_dir %home%/%user%/tmp
        php_admin_value upload_max_filesize 10M
        php_admin_value max_execution_time 20
        php_admin_value post_max_size 8M
        php_admin_value memory_limit 32M
        php_admin_flag mysql.allow_persistent off
        php_admin_flag safe_mode off
        php_admin_value session.save_path %home%/%user%/tmp
        php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f %email%'
    </Directory>
    <Directory %home%/%user%/web/%domain%/stats>
        AllowOverride All
    </Directory>
    php_admin_value open_basedir %home%/%user%/web:%home%/%user%/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube
    <IfModule mod_ruid2.c>
        RMode config
        RUidGid %user% %group%
        RGroups apache
    </IfModule>
    <IfModule itk.c>
        AssignUserID %user% %group%
    </IfModule>
    IncludeOptional %home%/%user%/conf/web/%web_system%.%domain%.conf*
</VirtualHost>
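As an added check, not code from the thread or from Vesta itself: a Python script that renders the two open_basedir lines quoted above with constructed placeholder values (a hypothetical account "alice") and lists the allowed paths that fall outside that account's home, which is what separates the per-account basedir template from the shared default.

```python
import os

# Constructed sample values standing in for Vesta's template placeholders
# (hypothetical account "alice"; real substitution is done by Vesta's own scripts).
SAMPLE_VARS = {
    "%docroot%": "/home/alice/web/example.com/public_html",
    "%home%": "/home",
    "%user%": "alice",
}

# The two open_basedir lines quoted in the thread, kept as templates.
BASEDIR_TPL_LINE = "php_admin_value open_basedir %docroot%:%home%/%user%/tmp"
HOSTING_TPL_LINE = ("php_admin_value open_basedir %home%/%user%/web:%home%/%user%/tmp:/bin:/usr/bin:"
                    "/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:"
                    "/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube")

def render(template, values=SAMPLE_VARS):
    """Substitute Vesta-style %placeholders% the way a rendered vhost config would have them."""
    for key, val in values.items():
        template = template.replace(key, val)
    return template

def open_basedir_paths(config_text):
    """Collect the path list of every php_admin_value open_basedir directive in the text."""
    found = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "php_admin_value" and parts[1] == "open_basedir":
            found.append(parts[2].split(":"))
    return found

def outside_home(paths, home):
    """Entries not below the account's home: PHP in this vhost may read files there."""
    home = os.path.normpath(home)
    return [p for p in paths if os.path.commonpath([os.path.normpath(p), home]) != home]

def audit(template, values=SAMPLE_VARS):
    """Render a template and return open_basedir entries that leave the account's home (deduplicated)."""
    home = values["%home%"] + "/" + values["%user%"]
    leaks = []
    for paths in open_basedir_paths(render(template, values)):
        for p in outside_home(paths, home):
            if p not in leaks:
                leaks.append(p)
    return leaks

if __name__ == "__main__":
    for name, tpl in (("basedir", BASEDIR_TPL_LINE), ("hosting", HOSTING_TPL_LINE)):
        print(name, "allows outside home:", audit(tpl) or "nothing")
```

Passing an already rendered vhost file to audit() works as well, since render() leaves text without placeholders unchanged; a non-empty result lists the shared directories that account's PHP can still reach.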