HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Installation/Configuration (http://www.howtoforge.com/forums/forumdisplay.php?f=27)
-   -   BUG or Not? Control Panel Log In -- Any Domain (http://www.howtoforge.com/forums/showthread.php?t=38823)

gwiz 4th September 2009 07:57

BUG or Not? Control Panel Log In -- Any Domain
 
Set up ISPConfig3 using 1 of my 20 registered domain names through GoDaddy.

None of the other 19 domain names are installed on my tester server for ISPConfig3.

Question Is:

In playing around I discovered I could log into Control Panel with any 1 of my other domains?

AS ADMINISTRATOR


So ISPConfig3 is not really using "example.com" for install, but the IP the name resolves too?

Another dumb question I know - It will be the last I promise :D

Shameless Plug: Have Domains For Sale -- See http://www.gwizit.com/?page_id=60

till 4th September 2009 09:51

Why shall this be a bug. It is normal and intended that you can log in with any domain or IP on the server as long as you use port 8080.

gwiz 4th September 2009 18:57

re
 
Quote:

Originally Posted by till (Post 203269)
Why shall this be a bug. It is normal and intended that you can log in with any domain or IP on the server as long as you use port 8080.

Yup - that seems right.

But as I stated - The other 19 domains are not on the server.

Why bother with "domain name" setup.

Just use IP and everyone can be a number.

till 4th September 2009 19:04

But if the other domains are not pointing to the IP of the server in DNS, then no requests for these domains can be answered from this server. You should check the dns setup of your domains.

gwiz 5th September 2009 11:07

OK Then
 
I guess it's a Non-Issue then!

But it seems to me having ISP configured to only allow "ADMIN" access through a designated "DOMAIN" name rather than the IP would be added security.

Lets say you have a seller/client that's a little mischievous, and likes cracking passwords.

And he/she realizes they can log in as ADMIN if they crack your password.

Already have 2 out of the 3 steps needed since "admin" user name can't be changed (or can it?) and if they have an account through you - their domain resolves to your server - correct.

So - Rather than using their log in name - They decide to crack your password and log in as ADMIN - Could create havoc if you didn't notice or realize someone could gain access so easily.

So why not add one more safety feature, and make ADMIN LOG IN resolve to the actual 'domain name" rather than IP -- Gives the crackers one more challenge, in having to figure out the domain name & password to the admin control panel.


All times are GMT +2. The time now is 22:44.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.