Feature suggestions, brainstorming and discussion

Copying from my own notes, below is a list of features and improvements which I would like to see in Hestia CP (please feel free to add your own):

  1. use Cloudflare for DNS (can we edit Bind zone files locally, but update CF over PHP API? what about Letsencrypt?)
  2. offer a restricted shell (e.g. rssh or GNU rush) which allows rsync & git
  3. improve firewall (ipset lists, hashlimit, fail2ban etc)
  4. monitoring software & log viewer
  5. add WHMCS module (use VestaCP’s one)
  6. use AppArmor for more of the exposed apps (Exim, Bind, Nginx, Apache)
  7. securely add apt keys and repos during installation see
    https://github.com/hestiacp/hestiacp/issues/695
  8. create a Wiki (on Github)
  9. create a new article on Wikipedia about HestiaCP
  10. Backup (borg+borgmatic, rsnapshot)
  11. Security improvement: Replace PHP crypt() with password_hash() and MD5 with a stronger hashing algo (like BCRYPT) (see https://github.com/hestiacp/hestiacp/issues/895). But would replacing MD5 break the ability to migrate between CPs?
  12. Antivirus scan of the base system (e.g. rkhunter) and user files (e.g. using inotify-tools’ inotifywait with ClamAV’s clamscan & Sophos Free sweep)
  13. Migration scripts from other CPs to HestiaCP. User Skamasle at Github has migration scripts from cPanel, DirectAdmin and CWP to Vesta (see https://github.com/Skamasle)

Note: I’m posting here so we can first discuss / brainstorm. Once we have discussed them here, we can move to opening some issues at Github.

Creating article about your own business, products or services is discouraged by Wikipedia.

Well, HestiaCP is FOSS and IMHO definitely deserves to be listed in Wikipedia (note: which unfortunately has a very strong US-centric bias in certain categories), along with other CPs:


considering that other comparable CPs like Webmin, ISPconfig, Kloxo, Ajenti etc and of course the 3 big commercial ones (cPanel, Plesk and Directadmin) all have their own page in Wikipedia.

2 Likes
  1. use Cloudflare for DNS (can we edit Bind zone files locally, but update CF over PHP API? what about Letsencrypt?)

See https://github.com/hestiacp/hestiacp/issues/607

  1. offer a restricted shell (e.g. rssh or GNU rush) which allows rsync & git

RSSH has been part of Hestia

Maybe we should consider adding GNU rush for Debian 10 / Ubuntu 20.04
Please create an issue for it

  1. improve firewall (ipset lists, hashlimit, fail2ban etc)
    Ipset list has been added in 1.2.0
    However, development power is limited…

  2. use rspamd instead of amavis

  3. add WHMCS module (see Vesta’s one)
    See http://vestacp.com/docs/#how-to-install-whmcs-module
    Probably will work fine for Hestia as the api is almost the same. Please try and if not maybe you could help and fix bugs…

  4. use AppArmor for more of the exposed apps (Exim, Bind, Nginx, Apache)
    apparmor-utils is installed on Ubuntu don’t know why it is missing in Debian

  5. securely add apt keys and repos during installation see
    https://github.com/hestiacp/hestiacp/issues/695

No comments about it…

  1. create a Wiki (on Github)
    We are currently working on the improvement on the website and http://docs.hestiacp.com

  2. create a new article on Wikipedia about HestiaCP
    Go ahead…

  3. Backup (borg+borgmatic, rsnapshot)
    However, development power is limited…

If you can/want to make improvements please go ahead; you may always create a pull request for any improvements…

Currently we are working on the release of 1.2.0, fixing the last bugs/issues. After that Website, Documentation and many more are on the waiting list.

1 Like

RSSH has been part of Hestia

I already know that, but rssh isn’t available for Debian 10 or Ubuntu 20.04 anymore.

Please create an issue for it; we need to sort it out

1 Like

@eris I posted in the forum first, so we could simply discuss / brainstorm some features which I put in my own notebook about HestiaCP.

Once we have discussed these points here, I can create some issues at Github.

Thanks, K.

Please try the WHMCS module of Vesta. I think it works fine, however I don’t have WHMCS set up…

A log viewer would be great, I mean logs like nginx, apache, exim and so on

I added monitoring and log-viewer as #4 (instead of replacing SpamAssassin with rspamd, which I think would be of benefit mainly for busy HestiaCP servers with thousands of e-mails per day).

  1. Security improvement: Replace PHP crypt() with password_hash() and MD5 with a stronger hashing algo (like BCRYPT) (see https://github.com/hestiacp/hestiacp/issues/895)
  2. Antivirus scan of the base system (e.g. rkhunter) and user files (e.g. using inotify-tools’ inotifywait with ClamAV’s clamscan & Sophos Free sweep)
  3. Migration scripts from other CPs, e.g. user Skamasle at Github has migration scripts from cPanel, DirectAdmin and CWP to Vesta (https://github.com/Skamasle)
1 Like

Consider the pros/cons of disabling the following 6 PHP functions (as MyVesta does):

exec,system,passthru,shell_exec,proc_open,popen

See thread: Some interesting features for the next versions

Is it really necessary to use 4096 RSA keys? Does it impact performance / TLS negotiation time? Does it improve security?

# fgrep 4096 /usr/local/hestia/bin/*
/usr/local/hestia/bin/v-add-letsencrypt-user:    openssl genrsa -out $KEY 4096 >/dev/null 2>&1
/usr/local/hestia/bin/v-generate-ssl-cert:KEY_SIZE=4096

Based on a quick check around, popular sites are still using 2048 bit RSA keys (e.g. Github, Google, Facebook).

Try to be more specific in AppArmor confinement:

Replace line 1479 of install/hst-install-debian.sh:
echo "/home/** rwm," >> /etc/apparmor.d/local/usr.sbin.named 2> /dev/null
with
echo "/home/*/conf/dns/* r," >> /etc/apparmor.d/local/usr.sbin.named 2> /dev/null

and use aa-enforce instead of aa-complain.
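
The AppArmor suggestion above, as an added example that is not part of the thread or of Hestia's installer: a POSIX sh audit that flags /home rules using the recursive `**` glob or granting more than read, plus the in-place swap to the narrower rule. The function names and the sample file are constructed for illustration, and only plain "PATH PERMS," rules are assumed.

```shell
#!/bin/sh
# Added example, not Hestia's installer code. Assumes simple "PATH PERMS," rules
# with no qualifiers, as written by the echo lines quoted in the post.

# List rules under /home that use the recursive "**" glob or grant anything
# beyond read (w = write, m = mmap with PROT_EXEC).
broad_home_rules() {
    awk '$1 ~ /^#/ { next }
         NF >= 2 && $1 ~ /^\/home\// {
             perms = $2; sub(/,$/, "", perms)
             if (index($1, "**") || perms ~ /[^r]/) print $1, $2
         }' "$1"
}

# Swap the broad rule for the narrow one proposed in the post, in place.
tighten_named_rule() {
    tmp=$(mktemp) || return 1
    sed 's|^\([[:space:]]*\)/home/\*\* rwm,[[:space:]]*$|\1/home/*/conf/dns/* r,|' \
        "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps owner and mode of $1
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample override file (stand-in for local/usr.sbin.named).
write_sample() {
    printf '%s\n' '# local additions' '/home/** rwm,' '/var/log/named/* rw,' > "$1"
}

sample=$(mktemp)
write_sample "$sample"
echo "before: $(broad_home_rules "$sample")"
tighten_named_rule "$sample"
echo "after:  $(broad_home_rules "$sample")"
rm -f "$sample"
```

In AppArmor globbing a single `*` does not cross a `/`, so the narrow rule only covers files directly inside each user's conf/dns directory. On a live system the profile has to be reloaded (for example with `apparmor_parser -r`) before aa-enforce picks up the change.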