Vesta Control Panel - Forum

Community Forum


How-to Protect server and separate accounts?

Questions regarding the Web Server
Apache + Nginx, Nginx + PHP5-FPM
uscreator
Posts: 43
Joined: Mon Oct 20, 2014 5:05 pm

Re: How-to Protect server and separate accounts?

Post by uscreator » Thu Feb 19, 2015 7:03 pm

skurudo wrote:
But user admin can use sudo and I see a security issue there, if we place all your sites under this account and enable ssh for this user (disabled by default)

I just checked; it seems that 'admin' is not in the sudo group by default. But I'm sure there are other risks associated with 'admin'.

mehargags
Support team
Posts: 1096
Joined: Sat Sep 06, 2014 9:58 pm

Os: Debian 8x
Web: apache + nginx
Re: How-to Protect server and separate accounts?

Post by mehargags » Fri Feb 20, 2015 12:54 pm

Interesting conversation here, will be watching this thread.
Will be happy to have Imperio and other Seniors look at this thread.

I already opened a bug/feature request to be able to change the "Admin" username after install. Security through obscurity is the best option... it will minimize brute-force and "guess" attacks, as the attacker will have to "guess" the username along with the password.

Also you might want to change the default VestaCP port.
But be cautious to have an ACCEPT rule in your firewall for the port you want, like 8083, to replace the standard 8083:

    sed -i 's/8083;/8088;/' /usr/local/vesta/nginx/conf/nginx.conf
    service vesta restart

uscreator
Posts: 43
Joined: Mon Oct 20, 2014 5:05 pm

Re: How-to Protect server and separate accounts?

Post by uscreator » Fri Feb 20, 2015 2:21 pm

mehargags wrote:
Will be happy to have Imperio and other Seniors look at this thread.

I would be curious to hear their opinion as well.

mehargags wrote:
I already opened a bug/feature request to be able to change "Admin" username after install.

Actually, I would see a 'disable/enable' option for admin as the better option. This way it does not get used at all for web projects.

mehargags wrote:
Also you might want to change default VestaCP port:
But be cautious to have an ACCEPT rule in your firewall for the port you want, like 8083
to replace the standard 8083
    sed -i 's/8083;/8088;/' /usr/local/vesta/nginx/conf/nginx.conf
    service vesta restart

Thank you for the tip. And yes, it could be useful.

And I really was concerned about something else as well.

Here is the scenario: a hacker penetrates 'admin' through sloppy PHP code (or a known CMS hole).
What will this mean for the Linux system? And what will it mean for other VestaCP users?

uscreator
Posts: 43
Joined: Mon Oct 20, 2014 5:05 pm

Re: How-to Protect server and separate accounts?

Post by uscreator » Fri Feb 20, 2015 5:01 pm

I was wrong. :(((
'admin' = root

Now if a PHP script gets compromised, the hacker gets full root.
This is alarming.
If any developers read this, please respond ASAP.

/etc/sudoers (screenshot)
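
As an added example that is not part of the thread and not VestaCP's own code, a small POSIX shell audit for exactly the condition described above: an account that holds sudo rights while serving web sites from its home directory. The sudoers file, group file, home directory and sample domains used below are constructed for the demo; point the functions at the real paths to audit a live server.

```shell
#!/bin/sh
# Added audit helper, not VestaCP's own code. It checks the thread's
# concern: an account that holds sudo AND serves web sites from its
# $HOME/web. Paths are parameters so it runs against a constructed copy
# rather than the live /etc/sudoers; the sample names below are made up.

# Print uncommented sudoers lines granting rights to $1, either directly
# or via the sudo/wheel groups when $1 is a member in $3 (/etc/group
# format). Returns 0 if any grant was found, 1 otherwise.
sudo_grants_for_user() {
    user="$1"; sudoers="$2"; groupfile="$3"
    grants=$(grep -E "^[[:space:]]*${user}[[:space:]]" "$sudoers" || true)
    for g in sudo wheel; do
        if grep -qE "^${g}:.*[:,]${user}(,|\$)" "$groupfile" 2>/dev/null; then
            grants="$grants
$(grep -E "^[[:space:]]*%${g}[[:space:]]" "$sudoers" || true)"
        fi
    done
    grants=$(printf '%s\n' "$grants" | sed '/^[[:space:]]*$/d')
    [ -n "$grants" ] || return 1
    printf '%s\n' "$grants"
}

# Count the web domain directories under $1/web (VestaCP's layout).
web_domains_under() {
    n=0
    for d in "$1"/web/*/; do [ -d "$d" ] && n=$((n + 1)); done
    echo "$n"
}

# RISK (return 1) when the account both has sudo and serves sites: a
# compromised PHP script running as that account is one step from root.
audit_account() {
    has_sudo=0
    sudo_grants_for_user "$1" "$3" "$4" >/dev/null && has_sudo=1
    sites=$(web_domains_under "$2")
    if [ "$has_sudo" -eq 1 ] && [ "$sites" -gt 0 ]; then
        echo "RISK: $1 has sudo and serves $sites web domain(s)"; return 1
    fi
    echo "OK: $1 sudo=$has_sudo web domains=$sites"
}

# Constructed sample layout (not a real server) used by the demo below.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/home/admin/web/example.com" "$SAMPLE/home/site1/web/site1.test"
printf 'root ALL=(ALL) ALL\nadmin ALL=(ALL) ALL\n%%sudo ALL=(ALL:ALL) ALL\n' > "$SAMPLE/sudoers"
printf 'sudo:x:27:bob\n' > "$SAMPLE/group"
audit_account admin "$SAMPLE/home/admin" "$SAMPLE/sudoers" "$SAMPLE/group"
audit_account site1 "$SAMPLE/home/site1" "$SAMPLE/sudoers" "$SAMPLE/group"
```

On a real server the first call reports RISK, which is the situation this post describes; moving the sites to a dedicated non-sudo user turns it into OK.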

skurudo
VestaCP Team
Posts: 8099
Joined: Fri Dec 26, 2014 2:23 pm

Re: How-to Protect server and separate accounts?

Post by skurudo » Tue Feb 24, 2015 7:44 pm

Hello there, what were we talking about on the first page?
Sites on the admin account: it's not a good idea. I think it's better to create a new user for sites. If possible, one user = one site.
But user admin can use sudo and I see a security issue there.
Doesn't it ring a bell?

uscreator
Posts: 43
Joined: Mon Oct 20, 2014 5:05 pm

Re: How-to Protect server and separate accounts?

Post by uscreator » Tue Feb 24, 2015 8:54 pm

skurudo wrote:
Hello there, what were we talking about on the first page?

Yes, you are correct: 'admin' is sudo with ssh enabled by default (unfortunately).
And it's totally not obvious for new VestaCP users.
"Admin" should be disabled for WEB by default.
And this should be written on the forehead → "Please don't use the admin account" :)

skurudo
VestaCP Team
Posts: 8099
Joined: Fri Dec 26, 2014 2:23 pm

Re: How-to Protect server and separate accounts?

Post by skurudo » Sat Feb 28, 2015 12:28 pm

Post your idea on bug tracker? I vote for it :)
https://bugs.vestacp.com/

uscreator
Posts: 43
Joined: Mon Oct 20, 2014 5:05 pm

Re: How-to Protect server and separate accounts?

Post by uscreator » Sat Feb 28, 2015 2:54 pm

skurudo wrote:
Post your idea on bug tracker? I vote for it :)
https://bugs.vestacp.com/

Hey skurudo,

Yes, submitted as 'idea'... thanks...
https://bugs.vestacp.com/responses/admin-account-lock
Technically, changing ownership of the files (from 'admin') without moving them to another directory should work as well?
chown

alanms
Posts: 15
Joined: Sun Aug 16, 2015 12:03 pm

Re: How-to Protect server and separate accounts?

Post by alanms » Sun Aug 16, 2015 11:04 pm

Can we have an update on this issue please? Is this being changed, and what should new users do in the meantime?

I'd normally disable remote SSH access to root - this makes it sound like, if I'm on Vesta, I effectively can't because by design there is an admin account that has the same privileges as root that must have remote SSH? Is there not a workaround?

Also it looks very similar to this issue (Change default admin user - viewtopic.php?f=10&t=6820) and this related bug which is "under consideration" (Change Default "Admin" Username - https://bugs.vestacp.com/responses/chan ... n-username)

mehargags
Support team
Posts: 1096
Joined: Sat Sep 06, 2014 9:58 pm

Os: Debian 8x
Web: apache + nginx
Re: How-to Protect server and separate accounts?

Post by mehargags » Mon Aug 17, 2015 7:13 pm

Thanks for the bump... I had raised this request many months back.

Security through obscurity is a good practice; the ability to change the default "admin" to something else decreases the chances of brute-force "guesswork" attacks. Waiting to hear from @Imperio and other dev members.