Ubuntu install DB Firewall ports open
On a new Ubuntu install I notice the firewall ports for the DB are open (3306, 5432). I don't need to remotely connect to MySQL; am I safe to disable this rule?
Re: Ubuntu install DB Firewall ports open
I think this should be disabled by default. If you're techy enough to know what you're doing, then you can turn it on. But most people are not techy, so they install VestaCP without knowing their database is open to the internet. And also techy people are likely to choose bad database passwords, which means they are at increased risk of getting hacked.
Golden rule of security: if you're not using it, turn it off.
I notice too that database users are created with two accounts. One allows them to connect from localhost, which is expected. The other allows them to connect from ANY HOST. Once again, these accounts shouldn't be enabled by default, just the localhost ones. And once again, if you're techy enough to know that you need to connect to a database from a remote host, you're going to be able to enable this yourself, and you'd likely restrict it to a known IP or IP range rather than allow ALL. But anyway, if you've already disabled the firewall rule, then this is less of an issue.
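An audit of the two conditions raised in this thread (database ports listening beyond loopback, and database accounts allowed from any host), as an added example that is not part of the original posts or VestaCP's own code. The sample `ss` and `mysql.user` output is constructed, and the function names are hypothetical.

```python
import ipaddress

DB_PORTS = {3306: "MySQL", 5432: "PostgreSQL"}

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 151 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 151 [::]:3306 [::]:*
"""

# Constructed sample of: mysql -N -B -e "SELECT user, host FROM mysql.user"
SAMPLE_USERS = """\
root\tlocalhost
admin_wp\tlocalhost
admin_wp\t%
admin_shop\tlocalhost
admin_shop\t10.0.0.%
"""

def exposed_db_listeners(ss_output):
    """Return (service, local address) for DB ports bound beyond loopback."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in DB_PORTS:
            continue
        # Drop IPv6 brackets and any %interface suffix; "*" means all addresses.
        host = addr.strip("[]").split("%")[0].replace("*", "0.0.0.0")
        if not ipaddress.ip_address(host).is_loopback:
            found.append((DB_PORTS[int(port)], fields[3]))
    return found

def remote_capable_accounts(user_rows):
    """Return (user, host, is_any_host) for accounts not limited to local hosts."""
    local = {"localhost", "127.0.0.1", "::1"}
    rows = (l.split("\t", 1) for l in user_rows.splitlines() if l.strip())
    return [(u, h, h == "%") for u, h in rows if h not in local]

if __name__ == "__main__":
    print("Listeners reachable off-host:", exposed_db_listeners(SAMPLE_SS))
    print("Accounts usable remotely:", remote_capable_accounts(SAMPLE_USERS))
```

On a real server, feed the functions the live output of the two commands named in the comments instead of the samples.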