We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
Serious concerns with security
Hello Vesta Team,
After several fresh installs over the years of my Vestacp on CentOS7, I think I am becoming an expert at installing this system properly with no errors and the latest stable versions of PHP, MariaDB and others... maybe I will do a guide on this one day :P However, I still have several concerns about the security of the server.
VestaCP being a platform to facilitate the management of servers, I think the DEV team should take the security issue very seriously. I have made a scan of my website with detectify and was surprised to see so many security concerns.
Some of the issues are related to other websites; however, the main security points are Cross-Site Scripting (XSS),
which I have been trying to sort out but have never succeeded. The information is all over the place and there is no guide on how to implement it for all domains.
I did try to install ModSecurity and OWASP, but there is no proper step-by-step guide adaptable to Vestacp configs.
What would you advise about server security?
Re: Serious concerns with security
What software is your website running? If you pointed detectify at your website running as a domain on Vestacp, then it seems most of the issues will be to do with the configuration of that software (e.g. WordPress, Joomla, etc.).
The one which does leap out as a VestaCP security issue is the exposed phpMyAdmin interface. I always change the default URL of that, and put Apache Basic Auth on phpMyAdmin myself, which goes a long way to mitigating the risk. (And in fact, just changing the URL would stop detectify from finding it.)
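The two mitigations from the reply above (non-default path plus Apache Basic Auth in front of phpMyAdmin) as an added Apache 2.4 config example; this is not from the post or from the Vesta project. It assumes the CentOS 7 package layout (phpMyAdmin under /usr/share/phpMyAdmin, the snippet living in /etc/httpd/conf.d/phpMyAdmin.conf) and a placeholder path segment and htpasswd file you would replace.

```apache
# Added example, not Vesta's own configuration.
# Assumed paths: /usr/share/phpMyAdmin (CentOS 7 package default) and
# /etc/httpd/conf.d/phpMyAdmin.conf for this snippet.

# --- Weak default: well-known path, nothing but the phpMyAdmin login ---
# Alias /phpmyadmin /usr/share/phpMyAdmin
# <Directory /usr/share/phpMyAdmin>
#     Require all granted
# </Directory>

# --- Hardened: unguessable path + Basic Auth before phpMyAdmin is reached ---
# Scanners probe the known defaults (/phpmyadmin, /pma, ...), so a renamed
# alias already removes the finding; Basic Auth covers the case where the
# path leaks anyway. The segment below is a placeholder: choose your own.
Alias /db-CHANGE-ME-a7f3 /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin>
    AuthType Basic
    AuthName "Restricted"
    # Placeholder file; create it with: htpasswd -c /etc/httpd/.pma_htpasswd <user>
    AuthUserFile /etc/httpd/.pma_htpasswd
    Require valid-user
</Directory>

# Basic Auth sends the credential base64-encoded, not encrypted, so keep the
# vhost HTTPS-only or redirect plain HTTP before this alias is reachable.
```

Before reloading, confirm no other file still maps the old default path (e.g. `grep -ri phpmyadmin /etc/httpd/conf.d/`), otherwise the rename is cosmetic; then `apachectl configtest && systemctl reload httpd`.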
Re: Serious concerns with security
Please check:
https://github.com/serghey-rodin/vesta/issues/2045
Or https://github.com/myvesta/vesta/blob/m ... 1-feb-2021
With multiple security issues that haven't been patched...
Re: Serious concerns with security
Everything reported is patched in myVesta fork.
Patches are ready to be applied to official Vesta, Serghey should do that.