VestaCP additional protection

Discussion in 'Questions and Answers' started by vRozenSch00n, Nov 7, 2015.

  1. vRozenSch00n

    vRozenSch00n Active Member

    256
    80
    May 17, 2013
    Hi everybody,


    I'm a little paranoid about my VestaCP installation where my control panel can be accessed through its IP, so I took some steps to harden it a little.


    First, I check the server's hosts file /etc/hosts to ensure i have the right fqdn (xxx.xxx.xxx.xxx vcp.mydomain.com  vcp)


    Then I added a line to /etc/resolv.conf (search vcp.mydomain.com)


    Generate a Basic Auth file (htpasswd -c -d /etc/nginx/htpasswd myusername)


    Replaced the Nginx configuration as follows: 


    #Replace vcp nginx configuration
    rm -f /usr/local/vesta/nginx/conf/nginx.conf
    vi /usr/local/vesta/nginx/conf/nginx.conf
    auser admin;
    worker_processes 1;
    error_log /usr/local/vesta/log/nginx-error.log;
    pid /var/run/vesta-nginx.pid;

    events {
    worker_connections 128;
    use epoll;
    }

    http {
    # Main settings
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    client_header_timeout 1m;
    client_body_timeout 1m;
    client_header_buffer_size 2k;
    client_body_buffer_size 256k;
    client_max_body_size 100m;
    large_client_header_buffers 4 8k;
    send_timeout 30;
    keepalive_timeout 60 60;
    reset_timedout_connection on;
    server_tokens off;
    server_name_in_redirect off;
    server_names_hash_max_size 512;
    server_names_hash_bucket_size 512;


    # Log format
    log_format main '$remote_addr - $remote_user [$time_local] $request '
    '"$status" $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"';
    log_format bytes '$body_bytes_sent';
    access_log /dev/null main;


    # SSL PCI Compliance
    ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;
    ssl_session_cache shared:SSL:10m;
    ssl_prefer_server_ciphers on;


    # Mime settings
    include /usr/local/vesta/nginx/conf/mime.types;
    default_type application/octet-stream;


    # Compression
    gzip on;
    gzip_comp_level 9;
    gzip_min_length 512;
    gzip_buffers 8 64k;
    gzip_types text/plain text/css text/javascript
    application/x-javascript;
    gzip_proxied any;


    # Proxy settings
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_header Set-Cookie;
    proxy_connect_timeout 90;
    proxy_send_timeout 90;
    proxy_read_timeout 90;
    proxy_buffers 32 4k;


    # Error pages
    error_page 403 /error/403.html;
    error_page 404 /error/404.html;
    error_page 502 503 504 /error/50x.html;

    # Vhost
    server {
    listen 443;
    if ($http_host = "xxx.xxx.xxx.xxx") {
    return 403;
    }
    deny all;
    allow 127.0.0.1;
    satisfy all;

    rewrite ^ https://vcp.mydomain.com:8083? permanent;
    ssl on;
    ssl_certificate /usr/local/vesta/ssl/certificate.crt;
    ssl_certificate_key /usr/local/vesta/ssl/certificate.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    }
    server {
    if ($http_host = "xxx.xxx.xxx.xxx:8083") {
    return 403;
    }
    listen 8083;
    server_name vcp.mydomain.com;
    root /usr/local/vesta/web;
    charset utf-8;
    ssl on;
    ssl_certificate /usr/local/vesta/ssl/certificate.crt;
    ssl_certificate_key /usr/local/vesta/ssl/certificate.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    error_page 404 /error/404/index.html;
    error_page 403 /error/index.html;
    error_page 500 /error/index.html;

    location / {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/htpasswd;
    expires max;
    index index.php;
    }

    location /error/ {
    expires max;
    index index.html;
    }

    location /rrd/ {
    expires off;
    internal;
    }

    location /backup/ {
    root /;
    internal;
    }

    location ~ \.php$ {
    include /usr/local/vesta/nginx/conf/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME /usr/local/vesta/web/$fastcgi_script_name;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_pass unix:/var/run/vesta-php.sock;
    fastcgi_intercept_errors on;
    break;
    }
    }
    }



    Last I restart the Nginx (/etc/init.d/vesta restart)


    In my desktop I added to my hosts file (xxx.xxx.xxx.xxx  vcp.mydomain.com)


    So I can access my control panel using https://vcp.mydomain.com


    My question: Is my setting correct? Is there any way I can harden it more?