HowtoForge Forums > ISPConfig 3 > General
#1  orasis (Senior Member), 10th April 2012, 23:43
ISPConfig 3 - Password protect control panel as an extra layer of security

I have successfully password protected the control panel of ISPConfig 3 (as an extra layer of security), but this caused all the sites on the same server to ask for the same password, so I temporarily removed it.

I would like to know if there is a wiser solution for this.

What I did was the following:

Code:
cd /usr/local/ispconfig/server
htdigest -c .ispconfig_pw ispconfig username
then

Code:
gedit /etc/apache2/apache2.conf
added this to the end of the file:

Code:
##### htdigest authentication
<Location />
    AuthType Digest
    AuthName "ispconfig"
    AuthDigestDomain http://my-ispconfig-server.com/

    AuthDigestProvider file
    AuthUserFile /usr/local/ispconfig/server/.ispconfig_pw
    Require valid-user
</Location>
Cheers and thanks in advance.
#2  till (Super Moderator), 11th April 2012, 08:29

You added password protection for the whole server and not for ISPConfig only. If you want to protect a single vhost, add the protection inside that vhost and not globally in apache2.conf.

Vhost conf files are in the folder /etc/apache2/sites-available/.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3  orasis (Senior Member), 11th April 2012, 08:50

Thanks for the answer, but in this location I don't see the address of the server, only the sites created on the server.

Please help.
Cheers
#4  till (Super Moderator), 11th April 2012, 08:59

The ISPConfig control panel has its own vhost file called ispconfig.vhost, which runs under its own port (8080). Add the protection to that file and ensure that the symlink /var/www/ispconfig is deleted in case it exists on your server.
#5  orasis (Senior Member), 11th April 2012, 09:08

Yes, I am in that file and I have no success yet, as it behaves the same way.

Quote:
Originally Posted by till
ensure that the symlink /var/www/ispconfig is deleted in case it exists on your server.
Please explain this part; where should I check for this?

cheers
#6  till (Super Moderator), 11th April 2012, 09:15

Quote:
yes I am in that file and I have no success yet, as it behaves the same way.
Ensure that you added the directives to protect the control panel inside the vhost definition; the Location directive should not be added. It might be necessary to wrap them in a Directory directive, but I am not 100% sure about that.

Quote:
please explain this part; where should I check for this?
ls -la /var/www/ispconfig

if it exists, run:

rm /var/www/ispconfig
#7  orasis (Senior Member), 11th April 2012, 09:33

I can say it works, but I would like to make sure everything is done right.
I moved the code, as you said, inside the VirtualHost definition so it looks like this:

Code:
######################################################
# This virtual host contains the configuration
# for the ISPConfig controlpanel
######################################################

Listen 8080
NameVirtualHost *:8080

<VirtualHost _default_:8080>
  ServerAdmin webmaster@localhost
  
  <IfModule mod_fcgid.c>
    DocumentRoot /var/www/ispconfig/
    SuexecUserGroup ispconfig ispconfig
    <Directory /var/www/ispconfig/>
      Options Indexes FollowSymLinks MultiViews +ExecCGI
      AllowOverride AuthConfig Indexes Limit Options FileInfo
      AddHandler fcgid-script .php
      FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
      Order allow,deny
      Allow from all
    </Directory>
  </IfModule>
  
  <IfModule mod_php5.c>
    DocumentRoot /usr/local/ispconfig/interface/web/
    AddType application/x-httpd-php .php
    <Directory /usr/local/ispconfig/interface/web>
      # php_admin_value open_basedir "/usr/local/ispconfig/interface:/usr/share:/tmp"
      Options FollowSymLinks
      AllowOverride None
      Order allow,deny
      Allow from all
      php_value magic_quotes_gpc        0
    </Directory>
  </IfModule>
  
  # ErrorLog /var/log/apache2/error.log
  # CustomLog /var/log/apache2/access.log combined
  ServerSignature Off
  
  <IfModule mod_security2.c>
    SecRuleEngine Off
  </IfModule>

  # SSL Configuration
  SSLEngine On
  SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key



################################################################
# htdigest authentication
<Location />
    AuthType Digest
    AuthName "ispconfig"
    AuthDigestDomain https://my-server.com:8080/

    AuthDigestProvider file
    AuthUserFile /home/my-profile/.ispconfig_pw
    Require valid-user
</Location>
################################################################



</VirtualHost>

<Directory /var/www/php-cgi-scripts>
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

<Directory /var/www/php-fcgi-scripts>
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>
Quote:
Originally Posted by till
the Location directive should not be added.
If I remove the <Location /></Location> I get an error when I reload Apache:

Code:
Syntax error on line 71 of /etc/apache2/sites-enabled/000-ispconfig.vhost:
AuthType not allowed here
   ...fail!
Quote:
Originally Posted by till
It might be necessary to wrap them in a Directory directive, but I am not 100% sure about that.
If you think I have to do this, please tell me (and how).

Quote:
Originally Posted by till
ls -la /var/www/ispconfig
It returns:

Code:
lrwxrwxrwx 1 root root 34 2012-01-09 20:15 /var/www/ispconfig -> /usr/local/ispconfig/interface/web
Remove safely?

Thanks for all this help.
#8  till (Super Moderator), 11th April 2012, 09:50

Quote:
If you think I have to do this, please tell me (and how).
The error that you got says that it's necessary to wrap them in a Directory directive. Add:

<Directory /usr/local/ispconfig/interface/web>
AuthType Digest
AuthName "ispconfig"
AuthDigestDomain https://my-server.com:8080/

AuthDigestProvider file
AuthUserFile /home/my-profile/.ispconfig_pw
Require valid-user
</Directory>

Quote:
Remove safely?
Yes.
#9  orasis (Senior Member), 11th April 2012, 10:30

Quote:
Originally Posted by till
<Directory /usr/local/ispconfig/interface/web>
AuthType Digest
AuthName "ispconfig"
AuthDigestDomain https://my-server.com:8080/

AuthDigestProvider file
AuthUserFile /home/my-profile/.ispconfig_pw
Require valid-user
</Directory>
This works great.

So I deleted the symlink /var/www/ispconfig, and if I do ls -la /var/www/ispconfig now it returns this:

Code:
ls: cannot access /var/www/ispconfig: No such file or directory
I suppose this is the right response. A question, to understand this better: was this symlink added during the ISPConfig 3 installation, or how? This is ISPConfig 3.0.4.4 (after some updates from previous versions) on Ubuntu 10.04, following your tutorial: http://www.howtoforge.com/perfect-se...nx-ispconfig-3
What could have been caused if I hadn't removed it? I wouldn't have known about this!

A couple more questions/comments, if you don't mind:

I mean, now I have protected it with a password, which for my needs right now is all I wanted; I did a similar thing for phpMyAdmin. Though after that only I am able to access the control panel and phpMyAdmin. So are you thinking of adding something like this, or similar, as a feature in ISPConfig 3 so that it uses the username and password of each account? Or it could be done much more wisely, I guess. As an example of phpMyAdmin protection, cPanel forwards you to phpMyAdmin only (I think) when you are logged in to cPanel (or is it a hack the hosts do?). I don't agree when I see hosts exposing the /cpanel URL on every website, like www.anotherwebsite.com/cpanel.

Given that Digest is better than Basic authentication (when there is no SSL, as I've read), why is it not the default in ISPConfig or other control panels out there when, for example, creating a directory password protection?

In any case, what I wanted to do is done fine, and I have to thank you for this help here and congratulate you for this amazing work you have done with ISPConfig (especially version 3).
#10  till (Super Moderator), 11th April 2012, 10:39

Quote:
So are you thinking of adding something like this, or similar, as a feature in ISPConfig 3 so that it uses the username and password of each account?
ISPConfig already uses good protection, which includes brute force attack protection and blocking for the ISPConfig login. So if you use the same username and password for the htaccess protection that you use for the ISPConfig login, you remove the brute force attack prevention of ISPConfig.

Quote:
What could have been caused if I hadn't removed it? I wouldn't have known about this!
The symlink is an alternative approach to access ISPConfig through the default vhost of the server. Removing the symlink was only relevant for you because you added an additional password protection into the ISPConfig vhost, and the password protection could have been bypassed while the symlink was there. Removing the symlink is not required for any default install; it was just required for your setup.

Last edited by till; 11th April 2012 at 10:46.
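An added audit helper (not ISPConfig's own code, nor anything posted in this thread) that checks the three points settled above: the digest directives sit inside the <Directory /usr/local/ispconfig/interface/web> block rather than bare in the vhost (post #8), the realm in the htdigest file matches AuthName, and the /var/www/ispconfig symlink that would let a visitor reach the panel through the default vhost without the extra password is gone (post #10). Paths are the thread's; the fixture files it writes are constructed and the hash values and password are placeholders.

```shell
# Paths follow the thread; every file written below is a constructed fixture.
ISPC_DIR='/usr/local/ispconfig/interface/web'
# Print the lines inside each <Directory ISPC_DIR> block of a vhost file.
directory_block() {
  awk -v dir="$ISPC_DIR" '
    $0 ~ ("<Directory[ \t]+" dir "/?>") { in_dir = 1; next }
    /<\/Directory>/ { in_dir = 0 }
    in_dir { print }' "$1"
}
# 0 when that block carries AuthType Digest and Require valid-user, else 1.
auth_block_ok() {
  blk=$(directory_block "$1")
  printf '%s\n' "$blk" | grep -Eq '^[[:space:]]*AuthType[[:space:]]+Digest' &&
    printf '%s\n' "$blk" | grep -Eq '^[[:space:]]*Require[[:space:]]+valid-user'
}
# Realm named by AuthName inside the block (quotes stripped); empty if absent.
vhost_realm() {
  directory_block "$1" | awk '$1 == "AuthName" { gsub(/"/, "", $2); print $2; exit }'
}
# 0 when every user:realm:hash line of the htdigest file uses that realm.
realm_matches() {
  realm=$(vhost_realm "$1")
  [ -n "$realm" ] || return 1
  awk -F: -v r="$realm" 'BEGIN { bad = 0 } $2 != r { bad = 1 } END { exit bad }' "$2"
}
# 0 when no ispconfig entry (symlink or directory) exists under the www dir.
symlink_removed() {
  [ ! -e "$1/ispconfig" ] && [ ! -L "$1/ispconfig" ]
}
# ---- constructed fixtures mirroring the thread's two layouts ----
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/good.vhost" <<'EOF'
<Directory /usr/local/ispconfig/interface/web>
  AuthType Digest
  AuthName "ispconfig"
  Require valid-user
</Directory>
EOF
# Directives left bare, the layout that produced "AuthType not allowed here".
cat > "$SAMPLE/bad.vhost" <<'EOF'
AuthType Digest
AuthName "ispconfig"
Require valid-user
EOF
# htdigest stores user:realm:md5(user:realm:password); realm must equal AuthName.
h() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }
printf 'username:ispconfig:%s\n' "$(h 'username:ispconfig:pw')" > "$SAMPLE/ok_pw"
printf 'username:other:%s\n' "$(h 'username:other:pw')" > "$SAMPLE/wrong_pw"
mkdir "$SAMPLE/www" && ln -s "$ISPC_DIR" "$SAMPLE/www/ispconfig"
```

On a live server, point the functions at /etc/apache2/sites-enabled/000-ispconfig.vhost, the AuthUserFile path and /var/www instead of the fixtures.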