ISPconfig 3 - Password protect control panel as an extra layer of security

Discussion in 'General' started by orasis, Apr 10, 2012.

  1. orasis

    orasis Member

    I have successfully password protected the control panel of ispconfig 3 (as an extra layer of security) but this caused all the sites on the same server to ask for the same password so I temporarily removed it.

    I would like to know if there is a wiser solution to this.

    What I did was the following:

    Code:
    cd /usr/local/ispconfig/server
    htdigest -c .ispconfig_pw ispconfig username
    then

    Code:
    gedit /etc/apache2/apache2.conf
    added this to the end of the file:

    Code:
    ##### htdigest authentication
    <Location />
              AuthType Digest
              AuthName "ispconfig"
              AuthDigestDomain http://my-ispconfig-server.com/
    
              AuthDigestProvider file
              AuthUserFile /usr/local/ispconfig/server/.ispconfig_pw
              Require valid-user
    </Location>
    cheers and thanks in advance
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You added a password protection for the whole server and not for ispconfig only. If you want to protect a single vhost, then add the protection inside this vhost and not globally in apache2.conf

    Vhost conf files are in the folder /etc/apache2/sites-available/
     
  3. orasis

    orasis Member

    thanks for the answer, but in this location I don't see the address of the server, but only of the sites created on the server.

    Please help
    cheers
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The ispconfig controlpanel has its own vhost file called ispconfig.vhost which runs under its own port (8080). Add the protection to that file and ensure that the symlink /var/www/ispconfig is deleted in case that it exists on your server.
     
  5. orasis

    orasis Member

    yes I am in that file and I have no success yet as it behaves the same way.

    please explain this part, where should I check for this ?

    cheers
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Ensure that you added the directives to protect the control panel inside the vhost definition; the Location directive should not be added. It might be necessary that you wrap them in a Directory directive, but not 100% sure about that.

    ls -la /var/www/ispconfig

    if it exists, run:

    rm /var/www/ispconfig
     
  7. orasis

    orasis Member

    I can say it works but would like to make sure everything is done right.
    I moved the code as you said inside the VirtualHost definition so it looks like this:

    Code:
    ######################################################
    # This virtual host contains the configuration
    # for the ISPConfig controlpanel
    ######################################################
    
    Listen 8080
    NameVirtualHost *:8080
    
    <VirtualHost _default_:8080>
      ServerAdmin webmaster@localhost
      
      <IfModule mod_fcgid.c>
        DocumentRoot /var/www/ispconfig/
        SuexecUserGroup ispconfig ispconfig
        <Directory /var/www/ispconfig/>
          Options Indexes FollowSymLinks MultiViews +ExecCGI
          AllowOverride AuthConfig Indexes Limit Options FileInfo
          AddHandler fcgid-script .php
          FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
          Order allow,deny
          Allow from all
        </Directory>
      </IfModule>
      
      <IfModule mod_php5.c>
        DocumentRoot /usr/local/ispconfig/interface/web/
        AddType application/x-httpd-php .php
        <Directory /usr/local/ispconfig/interface/web>
          # php_admin_value open_basedir "/usr/local/ispconfig/interface:/usr/share:/tmp"
          Options FollowSymLinks
          AllowOverride None
          Order allow,deny
          Allow from all
          php_value magic_quotes_gpc        0
        </Directory>
      </IfModule>
      
      # ErrorLog /var/log/apache2/error.log
      # CustomLog /var/log/apache2/access.log combined
      ServerSignature Off
      
      <IfModule mod_security2.c>
        SecRuleEngine Off
      </IfModule>
    
      # SSL Configuration
      SSLEngine On
      SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
      SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
    
    
    
    ################################################################
    # htdigest authentication
    <Location />
              AuthType Digest
              AuthName "ispconfig"
              AuthDigestDomain https://my-server.com:8080/
    
              AuthDigestProvider file
              AuthUserFile /home/my-profile/.ispconfig_pw
              Require valid-user
    </Location>
    ################################################################
    
    
    
    </VirtualHost>
    
    <Directory /var/www/php-cgi-scripts>
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    
    <Directory /var/www/php-fcgi-scripts>
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    If I remove the <Location /></Location> I get an error when I reload apache:

    Code:
    Syntax error on line 71 of /etc/apache2/sites-enabled/000-ispconfig.vhost:
    AuthType not allowed here
       ...fail!
    If you think I got to do this please tell me (and how).

    it returns:

    Code:
    lrwxrwxrwx 1 root root 34 2012-01-09 20:15 /var/www/ispconfig -> /usr/local/ispconfig/interface/web
    remove safely ?

    thanks for all this help
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    The error that you got says that it's necessary to wrap them into a Directory directive. Add

    <Directory /usr/local/ispconfig/interface/web>
    AuthType Digest
    AuthName "ispconfig"
    AuthDigestDomain https://my-server.com:8080/

    AuthDigestProvider file
    AuthUserFile /home/my-profile/.ispconfig_pw
    Require valid-user
    </Directory>

    Yes.
     
  9. orasis

    orasis Member

    This works great

    So I deleted the symlink /var/www/ispconfig and if I do: ls -la /var/www/ispconfig now it returns this:

    Code:
    ls: cannot access /var/www/ispconfig: No such file or directory
    I suppose this is the right response. A question to understand this better: was this symlink added during ISPConfig 3 installation, or how? This is ISPConfig 3.0.4.4 (after some updates from previous versions) on Ubuntu 10.04 following your tutorial: http://www.howtoforge.com/perfect-server-ubuntu-10.04-lucid-lynx-ispconfig-3
    What could have happened if I hadn't removed it? Because I wouldn't have known this!

    A couple of more questions/comments if you don't mind:

    I mean, now I protected it with a password, which for my needs right now is all I wanted; I did a similar thing for phpMyAdmin. Though after that only I am able to access the control panel and phpMyAdmin. So are you thinking of adding something like this or similar as a feature in ISPConfig 3, so that it uses the username and password of each account? Or it could be done much more wisely, I guess. Example about phpMyAdmin protection: cPanel forwards you to phpMyAdmin only (I think) when logged in to cPanel (or is it a hack they do on hosts?). I don't agree when I see hosts exposing the /cpanel URL on every website like www.anotherwebsite.com/cpanel

    Since Digest is better than Basic authentication (when there is no SSL, as I've read), why is it not the default in ISPConfig or other control panels out there when, for example, creating a directory password protection?

    In any case, what I wanted to do is done fine, and I have to thank you for this help here, and congratulate you for the amazing work you have done with ISPConfig (especially version 3). :D
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig already uses good protection which also includes brute force attack protection and blocking for the ISPConfig login. So if you use the same username and password for the htaccess protection that you use for the ISPConfig login, you have removed the brute force attack prevention of ISPConfig.

    The symlink is an alternative approach to access ISPConfig through the default vhost of the server. Removing the symlink was only relevant for you as you added an additional password protection into the ISPConfig vhost, and the password protection could have been bypassed when the symlink is there. Removing the symlink is not required for any default install; it was just required for your setup.
     
    Last edited: Apr 11, 2012
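The three checks till's advice in posts 6, 8 and 10 amounts to, collected in an added script that is not part of this thread (a hypothetical helper; it takes the paths from the thread as parameters so it can be run against constructed sample files): the auth directives wrapped in a Directory container with the full digest setup, the htdigest file kept private, and the /var/www/ispconfig symlink gone.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the setup till describes above.
# All paths are parameters, so it also runs against constructed files.

# (1) The htdigest file must exist and must not be readable by "other":
#     it holds the HA1 hashes that Digest auth verifies against.
check_digest_file() {
    f=$1
    [ -f "$f" ] || { echo "digest file $f is missing" >&2; return 1; }
    perms=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$perms" in
        *[4567]) echo "digest file $f is world-readable (mode $perms)" >&2; return 1 ;;
    esac
}

# (2) AuthType must sit inside a <Directory>/<Location>/<Files> container; placed
#     directly under <VirtualHost> Apache fails with "AuthType not allowed here".
#     The container for the interface web root must then carry the full digest setup.
check_vhost_auth() {
    vhost=$1
    awk 'BEGIN { d = 0; bad = 0 }
         tolower($1) ~ /^<(directory|location|files)/ { d++ }
         tolower($1) ~ /^<\/(directory|location|files)/ { d-- }
         tolower($1) == "authtype" && d == 0 { bad = 1 }
         END { exit bad }' "$vhost" ||
        { echo "AuthType outside a container in $vhost" >&2; return 1; }
    block=$(awk '/^[[:space:]]*<Directory \/usr\/local\/ispconfig\/interface\/web/ { in_block = 1 }
                 in_block { print }
                 /^[[:space:]]*<\/Directory>/ { in_block = 0 }' "$vhost")
    for directive in 'AuthType[[:space:]]+Digest' 'AuthDigestProvider[[:space:]]+file' \
                     'AuthUserFile[[:space:]]+' 'Require[[:space:]]+valid-user'; do
        printf '%s\n' "$block" | grep -Eq "^[[:space:]]*$directive" ||
            { echo "interface web root lacks: $directive" >&2; return 1; }
    done
}

# (3) Nothing may remain at /var/www/ispconfig: with the symlink in place the panel
#     is also reachable through the default vhost, outside the protected block.
check_symlink_gone() {
    if [ -e "$1" ] || [ -L "$1" ]; then
        echo "$1 still exists; remove it with: rm $1" >&2; return 1
    fi
}

# Usage: check_ispconfig_auth <vhost file> <htdigest file> <symlink path>; 0 = all good
check_ispconfig_auth() {
    check_digest_file "$2" && check_vhost_auth "$1" && check_symlink_gone "$3"
}
```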
  11. orasis

    orasis Member

    I use different passwords on each; what caused me to do this were 3 things. It started from phpMyAdmin being exposed and I wanted to protect that first (now I have locked every user out of it :) ). 2 is that the actual server admin login area is exposed; it is a common area for users and admins and I consider this a little ..(!) (or I am completely paranoid); maybe the server admin should use a secret address. And 3, the fact that I cannot change the default "admin" username (which is the default and already known to possible attackers) or create/delete server admins, maybe in order to change their default ID. I can create clients but not admins, is that right?

    Thanks for this explanation. I currently don't know "when" or from "where" the symlink could be used to access the control panel and bypass the authentication I added. Some info on this would be greatly appreciated.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Of course you can change the default server admin name and you can add additional admin users as well in ispconfig. See System > CP user.

    That's wrong.

    I mentioned that above but will explain it a bit more in detail: the symlink can be used to access ISPConfig through the default vhost. The default vhost is named default and it can be found in the folder where all vhost files are. The default vhost is used when you access the server by IP address and no website is defined for that IP yet.
     
  13. orasis

    orasis Member

    This means that the address https://192.168.0.100:8080/ would not ask for a password if I hadn't removed the symlink?

    You are indeed right about creating more admins :( I missed this, I am sorry... Does another admin need to be demoted first and then deleted? Because logging in with a new admin account I created, I still cannot see the delete icon next to the other admin.

    great support by the way.
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    No. All requests on port 8080 ask for a password with and without the symlink. The symlink is for the additional access with /ispconfig on the IP address. This is required in some setups where routers use port 8080 for their own web-based access.

    Don't delete the default admin, just change its username.
     
  15. orasis

    orasis Member

    Trying:
    http://192.168.0.100/ispconfig
    or
    https://192.168.0.100:8080/ispconfig
    shows the default Apache Not Found page.
    But trying:
    https://192.168.0.100/ispconfig (without :8080) brings up a site, in particular the last one I created on the server, and the site says Page Not Found :)
    Last question! ---> in case I want to recreate the symlink, what is the command please? (thanks)

    Right! I am very happy! After all, my friend!
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Code:
    ln -s /usr/local/ispconfig/interface/web /var/www/ispconfig
     
  17. orasis

    orasis Member

    thanks till for everything :)
    and keep it up !
     
