I heavily use 2FA, for all available accounts. Because usually it only asks me for the One-Time-Password once per device within about 14 days. Usual 2FA remembers the device/browser for quite a time. It’s good to have 2FA in HestiaCP, but it asks me every time I log in. This is unusual. Did I configure something wrong or can’t HestiaCP remember devices? I also missed the activation code for configuring the 2FA in the beginning. I could only configure it via QR code and mobile phone.
Currently, hestia doesn’t remember a device; the feature doesn’t exist and isn’t planned to be implemented right now due to missing time and resources.
The last one we should fix, as it can be painful if you enable it and then don’t scan the code.
Perhaps we can initiate a funding? Any idea how much this would cost to implement? It’s a really good feature, but without this usual “remember for e.g. 14 days (with cookie)” I doubt many people want to bother entering an OTP every time.
Btw. there is a classic and a new login (username and password separated). Is the new login style more secure? I mean in HestiaCP it’s always admin for the main admin anyway, isn’t it?
Perhaps adding country whitelisting and a good password is security enough. I just found this awesome Hestia feature:
So for example
v-add-firewall-ipset country-de 'http://ipverse.net/ipblocks/data/countries/de.zone'
whitelists Germany. I tested it with a VPN and it seems to work well.
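The zone list in the command above is fetched from a third party over plain http and fed straight into a firewall set. As an added example (not HestiaCP’s own code, and not from any poster here), a POSIX shell check that validates each entry of such a .zone file before it is loaded, so a corrupt or tampered download cannot put garbage into the set. The zone text is constructed for the example, and the `add <set> <entry>` output format of `ipset restore` is assumed.

```shell
#!/bin/sh
# Added example, not HestiaCP code: sanity-check a country .zone list before
# loading it into an ipset. Zone content below is constructed for the example.
set -f   # no globbing while addresses are split on dots

ZONE_SAMPLE='# constructed sample of a .zone file
10.0.0.0/8
192.168.1.0/24
203.0.113.0/25
not-an-address
256.1.1.0/24
10.0.0.0/33
198.51.100.7'

# valid_cidr ENTRY -> 0 if ENTRY is an IPv4 address or a.b.c.d/0-32, else 1
valid_cidr() {
  case "$1" in
    */*) ip=${1%%/*}; prefix=${1#*/} ;;
    *)   ip=$1;       prefix=32 ;;
  esac
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  case "$ip" in ''|*[!0-9.]*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# zone_to_ipset SETNAME: read zone text on stdin and print one
# "add SETNAME ENTRY" line (ipset restore format, assumed) per valid entry.
# Comments and blank lines are skipped; rejected entries go to stderr.
zone_to_ipset() {
  set_name=$1
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    if valid_cidr "$line"; then
      printf 'add %s %s\n' "$set_name" "$line"
    else
      printf 'rejected entry: %s\n' "$line" >&2
    fi
  done
}

# Usage (pipe the output into `ipset restore` only after reviewing stderr):
#   printf '%s\n' "$ZONE_SAMPLE" | zone_to_ipset country-de
```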
It has been merged for over 2 years.
Yes, sure, but it has to do with login security. Combined with fail2ban it’s comparable with cpHulk. I searched, but didn’t find what it exactly does. If I add the country rules (v-add-firewall-ipset country-at) I can only access the web panel of Hestia from Austria (VPN with other country: webpage can’t be found).
Can the SSH login also be restricted via “ipset country whitelisting”? I have a custom port, but I see no port options with v-add-firewall-ipset. Thanks for your help.
You can also customize your lists. So you can tune countries for login and also countries not to serve web or email.
There is an option to allow ipsets:
(1234 as example where SSH runs)
But I’d like to only allow Austrian IPs and disallow the rest like it works with the control panel currently. Can I do that?
Another way to bypass this problem is to use a password manager like KeePass and use the AutoType capability to automatically send user + pass + OTP every time you need to log in to a Hestia server. Here is a quick proof of concept:
I use AutoType almost everywhere. Even for other purposes, like for example to autofill order details (like name, email, address, etc.) in shops I use often.