Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 3 > General
Reload this Page ISPconfig 3 - Password protect control panel as an extra layer of security
Register FAQ Members List Social Groups Calendar Search Today's Posts Mark Forums Read

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
Page 2 of 2 1 2
 
Thread Tools Display Modes
  #11  
Old 11th April 2012, 10:12
orasis orasis is offline
Member
  
Join Date: Mar 2007
Posts: 82
Thanks: 3
Thanked 1 Time in 1 Post
Default
Quote:
Originally Posted by till View Post
ISPConfig uses already a good protection which includes also a brute force attack protection and blocking for the ispconfig login. So if you use the same username and password for the htaccess protection then you use for the ispconfig login you removed the brute force attack prevention of ispconfig.
I use different passwords on each, what caused me to do this were 3 things. It started from the phpmyadmin being exposed and I wanted to protect that first (now locked every user out of it ). 2 is, that the actual server admin login area is exposed, it is a common area for users and admins and I consider this a little ..(!) (or I am completely paranoid), maybe the server admin should use a secret address, and 3, the fact that I cannot change the default "admin" username (which is the default and known already to possible attacks) or create/delete server admins, maybe in order to change their default ID. I can create clients but not admins, is that right ?

Quote:
Originally Posted by till View Post
The symlink is a alternative approach to access ispconfig trough the default vhost of the server. Removing the symlink was only relevant for you as you added a additional password protection into the ispconfig vhost and the password protection could have been bypassed when the symlink is there. Removing the symlink is not required for any default install, it was just required for your setup.
Thanks for this explanation, I currently don't know "when" or from "where" the symlink could be used to access the control panel and bypass the authentication I added. Some info on this would be greatly appreciated.
__________________
Web Design // www.orasisdesign.com
Reply With Quote
Sponsored Links
  #12  
Old 11th April 2012, 10:16
till till is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,911
Thanks: 693
Thanked 4,198 Times in 3,213 Posts
Default
Quote:
the fact that I cannot change the default "admin" username (which is the default and known already to possible attacks) or create/delete server admins, maybe in order to change their default ID.
Of course you can change the default server admin name and you can add additional admin users as well in ispconfig. See System > CP user.

Quote:
I can create clients but not admins, is that right ?
Thats wrong.

Quote:
Thanks for this explanation, I currently don't know "when" or from "where" the symlink could be used to access the control panel and bypass the authentication I added. Some info on this would be greatly appreciated.
I mentioned that above but will explain it a bit more in detail: the symlink can be used to access ispconfig trough the default vhost. The default vhost is named default and it can be found in thefolder where all vhost files are. The default vhost is used when you access the server by IP address and no website is defined for that IP yet.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #13  
Old 11th April 2012, 10:31
orasis orasis is offline
Member
  
Join Date: Mar 2007
Posts: 82
Thanks: 3
Thanked 1 Time in 1 Post
Default
Quote:
Originally Posted by till View Post
The default vhost is used when you access the server by IP address and no website is defined for that IP yet.
This means that the address https://192.168.0.100:8080/ would not ask for password if I hadn't removed the symlink ?

You indeed are right about creating more admins I missed this I am sorry for myself... Does another admin need to be demoted first and then deleted ? cause logging in with a new admin account I created, still cannot see the delete icon next to the other admin.

great support by the way.
__________________
Web Design // www.orasisdesign.com
Reply With Quote
  #14  
Old 11th April 2012, 10:42
till till is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,911
Thanks: 693
Thanked 4,198 Times in 3,213 Posts
Default
Quote:
This means that the address https://192.168.0.100:8080/ would not ask for password if I hadn't removed the symlink ?
No. All request on port 8080 ask for apassword with and without symlink. The symlink is for the additional access with /ispconfig on the IP address. This is required in some setups where routers use port 8080 for their own webbased access.

Quote:
You indeed are right about creating more admins I missed this I am sorry for myself... Does another admin need to be demoted first and then deleted ? cause logging in with a new admin account I created, still cannot see the delete icon next to the other admin.
Dont delete the default admin, just change its username.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #15  
Old 11th April 2012, 10:55
orasis orasis is offline
Member
  
Join Date: Mar 2007
Posts: 82
Thanks: 3
Thanked 1 Time in 1 Post
Default
Quote:
Originally Posted by till View Post
The symlink is for the additional access with /ispconfig on the IP address.
Trying:
http://192.168.0.100/ispconfig
or
https://192.168.0.100:8080/ispconfig
shows the default apache Not Found page.
But trying:
https://192.168.0.100/ispconfig (without :8080) brings up a site, in particular the last one I created on server and the site says Page Not found
Last question! ---> in case I want to recreate the symlink, what is the command please ? (thanks)

Quote:
Originally Posted by till View Post
Dont delete the default admin, just change its username.
Right! I am very happy ! after all my friend !
__________________
Web Design // www.orasisdesign.com
Reply With Quote
  #16  
Old 11th April 2012, 11:21
till till is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,911
Thanks: 693
Thanked 4,198 Times in 3,213 Posts
Default
Quote:
Last question! ---> in case I want to recreate the symlink, what is the command please ? (thanks)
Code:
ln -s /usr/local/ispconfig/interface/web /var/www/ispconfig
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
The Following User Says Thank You to till For This Useful Post:
orasis (11th April 2012)
  #17  
Old 11th April 2012, 11:54
orasis orasis is offline
Member
  
Join Date: Mar 2007
Posts: 82
Thanks: 3
Thanked 1 Time in 1 Post
 
Default
thanks till for everything
and keep it up !
__________________
Web Design // www.orasisdesign.com
Reply With Quote
Reply
Page 2 of 2 1 2

Bookmarks

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
strange fail2ban behaviour > doesn't ban specific IP Djamu Server Operation 2 13th January 2012 02:29
disable security constrain in ispconfig 3 control panel to enable the multisites qiubosu Installation/Configuration 3 10th December 2010 23:04
Unable to install ISPConfig bdonecker Installation/Configuration 21 26th May 2009 08:20
How to install BFD (Brute Force Detection) domino Tips/Tricks/Mods 9 31st March 2006 22:40
Webmin docs missing namit Server Operation 11 5th January 2006 09:51


All times are GMT +2. The time now is 22:13.

Contact Us - HowtoForge - Linux Howtos and Tutorials - Archive - Top

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.