How to add security to ispconfig login ?

[yoplait]

Hi there,

I have a debian with ISPconfig 3.0.1.6 installed.
I can imagine that a cracker who has the ispconfig access could do anything he wants on the server. Do you have tips to add more security to this web login ? I'm searching for something more friendly than a .htaccess (or maybe you think that's THE solution ?).

Thanks you for your advise.

[till]

The ispconfig login is already secured against brute force attacks and uses salted password, just use a safe password.

[yoplait]

I have good passwords, but as I can hear about you : There's nothing to do to add more security ?

I think about the script-kiddies which try some files, etc... If everybody tell me that they don't do anything more to protect the ispconfig interface, I can trust you. But, in my case, a friend of mine (co-"admin") is afraid about the security of this such software and I don't know if he's right or not and how ton convince him !

[bluebirdnet]

Quote:

Originally Posted by yoplait

I have good passwords, but as I can hear about you : There's nothing to do to add more security ?

I think about the script-kiddies which try some files, etc... If everybody tell me that they don't do anything more to protect the ispconfig interface, I can trust you. But, in my case, a friend of mine (co-"admin") is afraid about the security of this such software and I don't know if he's right or not and how ton convince him !

Its not going to be any safer with a commercial software, in fact with commercial software you dont know the code, with open source you do!

Just make sure you use Strong passwords.

[yoplait]

The comparaison was not done with commercial softwares, but now, it's more understood from me... It seems that nobody seems to put an htaccess on the ispconfig interface...

Thanks !

[N9XCR]

I'm with you yoplait. After a recent experience with my current web host (and my reason for moving to a colo solution), I would love to see a hosting control panel that takes an online banking security approach to panel security. I had a VERY STRONG password, yet the offenders still managed to get in somehow. They sure didn't get the password from malware on my computer or anything like that.

Chris

[till]

So, which exact problem do you have with ISPConfig security? If you find a way to login to ispconfig without knowing the correct password, let me know and we will fix it. But I'am not aware of such a problem and there has be no such problem reported in ISPConfig till now.

[yoplait]

Hum ... just to be exact, I don't critiquize anything about ispconfig security ... I'm really not an expert in this domain : It was just for information .

[damir]

You can always use ssl to encrypt the https traffic and as suggested use strong passwords.

[yoplait]

already done .