Hestia Control Panel has Insecure Default URLs

Hi people.

I have recently installed Hestia Control Panel and have begun to explore its possibilities. What I found first is a series of situations that can reduce the security and performance of a server.

By default Hestia has insecure URLs; for example, the route for the admin panel is your_server_ip:8083 and for phpMyAdmin it is your_server_ip/phpmyadmin, which is a very, very bad idea.

To reduce the danger of a brute-force attack, and to reduce the load on the server from all the malicious traffic of robots and suspicious users, it should be possible to change the routes and the administration port to something else, like “your_server_ip / RaND0mTh1nG /route”.

In order not to expose the technology and programs used on the server, the administration panel should be accessed on the same ports 80/443 used for HTTP / HTTPS traffic and served on a custom or randomly generated route.

So, in order to make as strong an installation as possible, I need help with:

How to rename the admin default route from “/” to “/randomthing/”?
How to rename the phpMyAdmin default route from “/phpmyadmin” to “/randomthing/phpmyadmin”?
How to change the default port for the admin panel from “8083” to “80” and set the admin port for SSL to “443”?

Thanks for any help.

How to rename the admin default route from “/” to “/randomthing/”?

Currently not supported

How to rename the phpMyAdmin default route from “/phpmyadmin” to “/randomthing/phpmyadmin”?

Does random_string for phpmyadmin work?

Please note that phpMyAdmin Single Sign On is a 1.4.0 feature and not available yet!

How to change the default port for the admin panel from “8083” to “80” and set the admin port for SSL to “443”?

Currently not supported without a custom template.
8083 is an SSL-only port and can’t be moved to port 80. Also, for Hestia we run a custom nginx version that can’t be run next to the normal nginx. A solution might be:

https://gist.github.com/jaapmarcus/25b513629139af4ff45915fa154675b9

You can also change it to something random… For example port 1234 or something else…

If you really don’t want to have anybody on your admin panel, add your own IP to the firewall and block all other traffic on port 8083 (default port), or use iplist and allow only safe countries…


You can:

  • Option A:
    • Close all unnecessary ports.
    • Close SSH ports.
    • Connect via local shell or KVM console.
  • Option B:
    • Use port knocking
  • Option C:
    • Ban everything that attempts to connect to your server, and then
    • Use fail2ban to whitelist your IP / dyndns.
  • Option D:
    • Set very hard rules for fail2ban
    • Set a whitelisting jail in fail2ban so you can access (unless fail2ban fails and you have to enter via KVM)
  • Option E:
    • Use VPN connection or SSH tunnel to connect to the server
  • Option F:
    • Disable port 8083 and don’t use the API and the panel BUT you may use the CLI.

For example, you can set a fail2ban jail to ban every attempt to log into HestiaCP on port 8083. You can also set a jail that adds you to ignoreip once you have successfully connected to the server via IMAP, so you may log in with an established IMAP connection.
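The jail logic described above (ban after repeated failed panel logins, with a whitelist that exempts your own address) as an added example, not code from HestiaCP or fail2ban. It assumes a constructed “<timestamp> <user> <ip> failed to login” log layout; the real Hestia auth log may differ, so the regex would need adjusting.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines in an ASSUMED layout; the real Hestia auth log may differ.
SAMPLE_LOG = """\
2024-03-01 10:00:01 admin 203.0.113.7 failed to login
2024-03-01 10:00:03 admin 203.0.113.7 failed to login
2024-03-01 10:00:05 admin 203.0.113.7 failed to login
2024-03-01 10:00:06 admin 203.0.113.7 failed to login
2024-03-01 10:00:08 admin 203.0.113.7 failed to login
2024-03-01 10:02:00 admin 198.51.100.4 failed to login
2024-03-01 10:02:30 admin 198.51.100.4 failed to login
2024-03-01 10:02:31 admin 198.51.100.4 failed to login
2024-03-01 10:02:32 admin 198.51.100.4 failed to login
2024-03-01 10:02:33 admin 198.51.100.4 failed to login
2024-03-01 10:05:00 admin 192.0.2.9 failed to login
2024-03-01 10:20:00 admin 192.0.2.9 failed to login
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) failed to login")


def candidates_to_ban(log_text, ignoreip=(), maxretry=5, findtime=600):
    """IPs with >= maxretry failures inside any findtime-second window, minus ignoreip.

    Mirrors fail2ban's maxretry/findtime/ignoreip semantics for a panel-login jail.
    """
    allow = [ip_network(n, strict=False) for n in ignoreip]
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that are not login failures are ignored
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        failures[m.group(3)].append(ts)
    banned = set()
    for ip, times in failures.items():
        if any(ip_address(ip) in net for net in allow):
            continue  # whitelisted (the "ignoreip" jail from the post)
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return sorted(banned)
```

Note that 192.0.2.9 is never banned with the defaults: its two failures are 15 minutes apart, outside the 600-second findtime, which is exactly why the window matters when tuning “very hard rules”.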

