How add ReCAPTCHA to hestia login?

How do I add Google ReCAPTCHA or similar to the Hestia login?

I was hacked somehow. SSH access is open only to the local area network. In the journalctl logs I see the hacker's actions in the control panel.

Or how can I improve the protection?

There is a ZERO chance to acquire more protection through ReCAPTCHA. What it does is simply detect the activity of a user trying to log in and command him to do something. That's it. It prevents bots, automated scripts, etc., which will be prevented from making a call to the panel scripts.

So you need to move the area of troubleshooting somewhere else. First, identify how your server was hacked.

The chances are lower that a hacker entered the system using the Hestia panel. Check the other scripts on the system to identify and remove them.

You could install CSF for additional security and configure many things to stop a hacker making attempts in different ways and track him.

You could use Cloudflare to prevent a hacker through their free DNS + proxy system and IP firewall and use it to proxy the inbound traffic.

You could not only change the port to access Hestia but also enter your router IP in the iptables through CSF or Hestia and block access by any hacker on that port. This solution will make Hestia 100% secure but will not help if there are other vulnerable scripts that allow a hacker to gain root access.

Alternatively, you could turn off the Hestia service and accept the disadvantage of losing all the activities Hestia performs. Then you will have to manually configure and execute these activities when you need them to be executed.


@Deepak is right…

By default Hestia has some “security” checks:

  1. Post requests are checked for a mandatory CSRF token; unless you can guess the token, you need to refresh the login page to fetch the token.
  2. Post requests are blocked outside hostname.com or the IP for new installs. Can be enabled in settings for older servers.
  3. By default 2 seconds of delay is added after a failed attempt + after 15 min after each failed attempt… See https://github.com/hestiacp/hestiacp/blob/376f7406ea34525495b91a9808a2c8a24a396845/web/login/index.php#L139-L143
  4. If you really want to add additional security you can add 2FA verification to it, so it becomes “impossible” to guess the random 6 char string in 60 seconds, as it also bans you after 7 failed attempts…
  5. If you want more security, disable login for the admin user after you have created a new user with admin permissions. So “hackers” not only need to guess the password, they also need to guess the username. Also disable the login attempts for each extra user.
  6. If you then want more security, use iptables and allow traffic from your own IP, or use ipset and only allow connections from your country. Currently it only logs failed attempts from my IP when I make an error with the 2FA code.

If somebody is able to bypass 1 + 2 + 3 with a reasonably strong password (8 chars containing upper and lower case letters and numbers; these requirements are enforced by Hestia), call me.

Also, our generated passwords are currently 16 chars…

To be honest for VestaCP currently the weakest spot is not the login but the password reset function.
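Point 6 above and the earlier suggestion of putting only your own/router IP in iptables for the panel port, as an added example that is not part of this thread or of Hestia's own code. It assumes the panel listens on port 8083 (Hestia's default) and uses constructed sample networks; the rules are only printed unless RUN=1, so they can be reviewed before they go in front of the login page.

```shell
#!/bin/sh
# Added example (not Hestia's code): allow the panel port only from an
# allowlist of networks, log every other attempt, then drop it.
# Assumptions: PANEL_PORT is where the panel listens (Hestia default 8083);
# ADMIN_CIDRS below are constructed sample networks, replace with your own.
PANEL_PORT="${PANEL_PORT:-8083}"
ADMIN_CIDRS="${ADMIN_CIDRS:-203.0.113.10/32 192.168.1.0/24}"

# Print the rules for one port and the allowed networks, one rule per line.
# Allowed sources are accepted first; everything else is rate-limited into
# the kernel log (so probes and accidental lock-outs stay visible) and dropped.
panel_rules() {
    port="$1"
    shift
    for cidr in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$cidr"
    done
    printf -- '-A INPUT -p tcp --dport %s -m limit --limit 5/min -j LOG --log-prefix hestia-panel-denied:\n' "$port"
    printf -- '-A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Refuse to build a ruleset with no allowed source: that would lock everyone
# out of the panel, including the administrator.
panel_ruleset() {
    if [ "$#" -lt 2 ]; then
        echo "panel_ruleset: need a port and at least one CIDR" >&2
        return 1
    fi
    panel_rules "$@"
}

# Apply each rule with iptables when RUN=1, otherwise only show the command.
apply_panel_rules() {
    # shellcheck disable=SC2086
    panel_ruleset "$PANEL_PORT" $ADMIN_CIDRS | while IFS= read -r rule; do
        if [ "${RUN:-0}" = "1" ]; then
            # shellcheck disable=SC2086
            iptables $rule
        else
            echo "iptables $rule"
        fi
    done
}

apply_panel_rules
```

Check the printed rules for the address you are connecting from before running with RUN=1, and keep a second session open while you test.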


Eris, how about creating an optional activation and deactivation of the password reset function from the CLI -> hestia.conf as an option that could only be executed by sudo root? This would not allow something like the hijacking of the webmail subdomain vulnerability patched earlier.

The issue @eris wrote about has already been fixed in Hestia; there is no additional validation or security function needed.

@Deepak We already have an option in the UI to disable it.

Only for a strange reason the check doesn't go through the /reset/ path…

We have changed the forgot password procedure…

  1. You need to enter both username and email to generate a new key
  2. The key is valid for only 15 min instead of always
  3. The key is hashed in user.conf
  4. F2B monitors false entries…

Oh my god, Eris! Thank you for pointing this out. Then I need to have this feature poured in my shell framework to deactivate it everywhere. I still have not visited so many areas. You guys have done such a lot of work! Just amazing.

I am so pleased to move to Hestia… No doubt that this is the best panel and the best group of developers…

Made a quick pull request

Please check

Mainly the security tab has some new options regarding security

