How-to two-factor authentication for ISPConfig control panel access?

Discussion in 'Installation/Configuration' started by Masters of Media, May 22, 2021.

  1. Masters of Media

    Masters of Media New Member HowtoForge Supporter

    Is it possible to secure the ISPConfig Control Panel access with two-factor authentication and, if so, how can this be achieved?
    Thanks in advance,
    Erik van Doorne
     
    Gwyneth Llewelyn likes this.
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    No, not at this time.

    I did see a post on the internet (not this forum) once about setting up 2fa right in nginx, which could possibly be an option. I've never tried, nor looked for an equivalent apache setup.
     
    Last edited: May 23, 2021
  3. Masters of Media

    Masters of Media New Member HowtoForge Supporter

    Thanks Jesse.
     
  4. ispcomm

    ispcomm Member

    I second this.
    Especially the admin account needs to be protected. I'd also suggest implementing fido2/webauthn as login method instead of passwords, also for the admin account.
    Perhaps not a simple task, and I'd be willing to participate in a bounty for this feature.
     
    Gwyneth Llewelyn and Steini86 like this.
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

  6. GraceFisher

    GraceFisher New Member

    Thanks Jesse
     
  7. brainsys

    brainsys Member

    Not 2FA but two step using .htaccess/.passwd authentication does have some advantages. Besides requiring the cracker to have two correct combinations - htaccess authentication doesn't (as ISPConfig does) require a SQL lookup so reducing load if a brute force attack eludes fail2ban.

    You could do a pseudo-2FA htaccess authentication by having a cron job that alternates the authentication files.

    And, of course don't have Admin as your ISPConfig username especially if 1234 is your password :)
     
    Chris_UK likes this.
  8. Steini86

    Steini86 Active Member

    As long as it does not break the api it's fine ;-)
    In the beginning I had the admin panel only available via VPN. However, I did not want to have an account for every user...
    I would appreciate 2FA for the admin panel. In my naive view it looks rather easy: Make a DB field to store the secret (if you want to have that in the same database as the password? oO) and implement one of these examples: https://github.com/topics/totp?l=php but as always, the devil is in the details.
    Anyway, I have secured my SSH account with totp which takes like 8 minutes (https://ubuntu.com/tutorials/configure-ssh-2fa#1-overview) and secured the ISPC admin panel by other means. Would be a nice feature, though.
     
    Gwyneth Llewelyn likes this.
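    The TOTP scheme Steini86 sketches above (a stored secret plus one of the standard TOTP implementations), worked through as an added example. This is not ISPConfig code and not from the linked PHP projects; it is a stand-alone Python implementation of RFC 4226 HOTP and RFC 6238 TOTP with the two pieces a login form actually needs on the verifying side: a small acceptance window for clock skew, and replay protection so a code that was already used cannot be submitted again. The `last_counter` argument stands in for a value the panel would keep next to the secret in the database (an assumption about how it would be stored, not a description of ISPConfig's schema); the `RFC_TEST_SECRET` is the published RFC test key and is used only for the self-check.

    ```python
    import base64
    import hashlib
    import hmac
    import secrets
    import struct
    import time
    from urllib.parse import quote

    # Test key published in RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
    # Used only for the self-check at the bottom; a real deployment generates a fresh secret per user.
    RFC_TEST_SECRET = b"12345678901234567890"


    def new_secret(num_bytes: int = 20) -> str:
        """Random base32 secret (160 bits by default), the form authenticator apps expect to enrol."""
        return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


    def secret_to_key(secret_b32: str) -> bytes:
        """Decode the stored base32 secret back into the raw HMAC key."""
        return base64.b32decode(secret_b32)


    def provisioning_uri(secret_b32: str, account: str, issuer: str = "ISPConfig") -> str:
        """otpauth:// URI to render as a QR code so the user can enrol an authenticator app.
        (Issuer/account naming is an assumption for this example.)"""
        return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
                f"?secret={secret_b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


    def hotp(key: bytes, counter: int, digits: int = 6) -> str:
        """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
        mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
        offset = mac[-1] & 0x0F
        code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(code % (10 ** digits)).zfill(digits)


    def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
        """RFC 6238: HOTP where the counter is the number of `step`-second intervals since the Unix epoch."""
        return hotp(key, at // step, digits)


    def verify_totp(key: bytes, code: str, at: int, last_counter: int,
                    step: int = 30, digits: int = 6, window: int = 1):
        """Check a submitted code against the current time step and +/- `window` neighbours.

        Returns (accepted, counter_to_store). A counter at or below `last_counter` is never
        accepted again, which is what stops a captured code from being replayed inside its window.
        The caller persists the returned counter alongside the secret after a successful login.
        """
        # Reject malformed input before comparing; compare_digest needs same-type ASCII strings.
        if len(code) != digits or not code.isdigit():
            return False, last_counter
        now_counter = at // step
        for delta in range(-window, window + 1):
            counter = now_counter + delta
            if counter <= last_counter:
                continue  # already consumed, or older than something already consumed: replay
            if hmac.compare_digest(hotp(key, counter, digits), code):
                return True, counter
        return False, last_counter


    if __name__ == "__main__":
        # Enrolment: generate a secret, show the URI the panel would turn into a QR code.
        secret = new_secret()
        print(provisioning_uri(secret, "admin@example.invalid"))
        # Login: compute the current code (what the app shows) and verify it once, then see the replay fail.
        key = secret_to_key(secret)
        now = int(time.time())
        code = totp(key, now)
        ok, counter = verify_totp(key, code, now, last_counter=0)
        print("first use accepted:", ok)
        ok_again, _ = verify_totp(key, code, now, last_counter=counter)
        print("replay accepted:", ok_again)
    ```

    The window of one step on each side is the usual compromise between tolerating a phone whose clock is a few seconds off and keeping the number of valid codes small; widening it also widens the replay exposure unless the stored counter is updated on every success as above.
    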
  9. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    ahrasis likes this.
  10. Chris_UK and ahrasis like this.
  11. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Seems easy. I guess one just needs to test it and if all worked out, pull request it to ISPConfig git to make it available for everyone with option to turn it off or on in the panel as some may not want it.
     
    Chris_UK likes this.
  12. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    Admin : password is safe though right?
     