Documentation or recommendations for securing root user (CentOS 8).

Perhaps this is outside of the scope of what ApisCP should cover -

Include documentation on how best to secure root user access to the server that hosts the ApisCP install.

When logging in as root I noticed the little message that “there have been 84,000 failed login attempts since your last login”. I decided to disable root login access to the server as a temporary fix.

I would like to enable ssh-key login only for root, but allow other accounts password login. I am not sure if this is a possibility or not, yet - but I thought that it would be convenient if there were some “best practices” or guidelines in the documentation about securing the root user. I created another user account and added it to the sudo user group; however, I found that I was unable to cd into some directories, and so I’m not sure what to do from there.

ApisCP comes secured out of the box. Those should be picked up by Rampart, which is a wrapper around fail2ban.

cpcmd rampart:get-jail-entries recidive

If you see IPs in there, then it’s banning repeat offenders. You can also refer to /var/log/fail2ban.log to see how/if it’s detecting. If it’s a hot IP expect things to cool down over the next couple days. Here’s an active ban list from one of my servers,

Oh, super! Neat. I expected that ApisCP had it covered… But it was hard to tell based on that message. Thanks for explaining.

Only other thing to consider is restricting SSH logins to public key-only. This would disable the web terminal in the panel and require all logins to use public key.

cpcmd scope:set system.sshd-pubkey-only true

A sufficiently long password, while not the best option because it requires user intervention each login, is OK.

I was actually laughing about that one, thanks for that.

I may consider enabling public key only… I don’t know why it feels convenient having the Terminal right there in the browser. Maybe it’s not? I shall contemplate this.
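Added example (not part of the thread, and not ApisCP or fail2ban code): a short Python script for the /var/log/fail2ban.log check suggested in the reply above, tallying Ban/Unban events per jail to show which IPs are still banned and which were banned more than once. The log lines are constructed in fail2ban's usual layout with documentation-range IPs; `summarize` and `report` are hypothetical helper names.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in fail2ban's usual log layout (RFC 5737 example IPs).
SAMPLE_LOG = """\
2024-05-01 03:12:44,101 fail2ban.filter  [912]: INFO    [sshd] Found 192.0.2.10 - 2024-05-01 03:12:43
2024-05-01 03:12:50,377 fail2ban.actions [912]: NOTICE  [sshd] Ban 192.0.2.10
2024-05-01 03:22:50,512 fail2ban.actions [912]: NOTICE  [sshd] Unban 192.0.2.10
2024-05-01 04:01:09,220 fail2ban.actions [912]: NOTICE  [sshd] Ban 192.0.2.10
2024-05-01 04:01:10,004 fail2ban.actions [912]: NOTICE  [recidive] Ban 192.0.2.10
2024-05-01 04:30:00,000 fail2ban.actions [912]: NOTICE  [sshd] Ban 198.51.100.7
2024-05-01 04:31:00,000 fail2ban.actions [912]: WARNING [sshd] 198.51.100.7 already banned
2024-05-01 04:40:00,000 fail2ban.actions [912]: NOTICE  [sshd] Unban 198.51.100.7
"""

# Only action lines change ban state; "Found" and "already banned" are skipped.
EVENT = re.compile(
    r"fail2ban\.actions\s*\[\d+\]:\s+NOTICE\s+\[(?P<jail>[^\]]+)\]\s+"
    r"(?P<verb>Ban|Unban|Restore Ban)\s+(?P<ip>\S+)"
)

def summarize(lines):
    """Return (bans, active): Ban events per jail/IP and IPs still banned."""
    bans = defaultdict(Counter)
    active = defaultdict(set)
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        jail, verb, ip = m.group("jail", "verb", "ip")
        if verb == "Unban":
            active[jail].discard(ip)
        else:
            active[jail].add(ip)      # "Restore Ban" re-applies a ban after restart
            if verb == "Ban":
                bans[jail][ip] += 1   # count only fresh bans
    return bans, active

def report(lines):
    """Per-jail totals, IPs still banned, and IPs banned more than once."""
    bans, active = summarize(lines)
    return {
        jail: {"bans": sum(bans[jail].values()),
               "active": sorted(active[jail]),
               "repeat": sorted(ip for ip, n in bans[jail].items() if n > 1)}
        for jail in sorted(set(bans) | set(active))
    }

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for jail, stats in report(src).items():
        print(jail, stats)
```

Run with no argument it reads the embedded sample; pass a log path as the first argument to read a real file.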