2FA - Two Factor Authentication: remember device?

I heavily use 2FA, for all available accounts. Because usually it only asks me for the One-Time-Password one per device within about 14 days. Usual 2FA remember the device/browser for quite a time. It’s good to have 2FA in HestiaCP, but it asks me every time I log in. This is unusual. Did I configure something wrong or can’t HestiaCP remember devices? I also missed the activation code for configuring the 2FA in the beginning. I could only configure it via QR-Code and mobile phone.
Best, mandrael

Currently, hestia doesnt remember a device, also the feature doesnt exist and isnt planed to implement right now due to missing time and ressources.

The last one we should fix as it can be painfull if you enable it and then don’t scan the code

1 Like
1 Like

Perhaps we can initiate a funding? Any idea how much this would cost to implement? It’s a really good feature, but without this usual “remember for e.g. 14 days (with cookie)” I doubt many people want to bother entering an OTP everytime.
Btw. there is a classic and a new login (username and password seperated). Is the new login style more secure? I mean in HestiaCP it’s always admin for the main admin anyway, isn’t it?

Perhaps adding country whitelisting and a good password is security enough. I just found this awesome Hestia feature:

So for example

v-add-firewall-ipset country-de 'http://ipverse.net/ipblocks/data/countries/de.zone'

whitelists Germany. I tested it with a VPN and it seems to work well.

Best, mandrael

It has been merged for ever 2 year.

Yes, sure, but it has to do with login security. Combined with fail2ban it’s comparable with cpHulk. I searched, but didn‘t find what it exactly does. If I add the country-rules (v-add-firewall-ipset country-at) I can only access the web panel of Hestia from Austria (vpn with other country: webpage can‘t be found).
Can the ssh login also be restricted via „ipset country whitelisting“? I have a custom port, but I see no port options with v-add-firewall-ipset. Thanks for your help.

You can also customize your lists. So you can tune countries for login and also countries not to serve web or email

There is an option to allow ipsets:

(1234 as example where SSH runs)
But I’d like to only allow Austrian IPs and disallow the rest like it works with the control panel currently. Can I do that?

Another way to bypass this problem is to use a password manager like KeePass and use the AutoType capability to automatically send user + pass + OTP every time you need to login to a Hestia Server. Here is a quick proof of concept:

You could start from here Auto-Type - KeePass and then here Placeholders - KeePass to see how to configure OTP placeholder.

I use AutoType alsmost everywhere. Even for other purposes, like for example to autofill order details (like name, email, address, etc) in shops I use often.

1 Like