How to safeguard Network Security for ISPConfig 3

Network security is a crucial aspect of any network infrastructure. Since ISPConfig 3 is one of the most in-demand applications today, we’ve decided to write a tutorial explaining how to safeguard the network security of ISPConfig. Using SSL only secures the communication; the web stack is still exposed to the internet and can be attacked. That’s why we recommend using an SSH tunnel to access ISPConfig.
This tutorial was tested on Debian 8 Jessie.
Note: If you need guidance on installing ISPConfig 3 using an automated script on Debian 8 Jessie, please follow the tutorial.

Using SSL Certificate

The ISPConfig control panel login runs over HTTP by default; ISPConfig is installed without SSL/HTTPS. Our first task is therefore to enable SSL encryption (HTTPS) for the ISPConfig vhost with a proper SSL certificate, to safeguard the network security of ISPConfig 3. Let’s make a separate directory for the SSL certificate:

 mkdir /usr/local/ispconfig/interface/ssl
cd /usr/local/ispconfig/interface/ssl 

Now we will create the SSL certificate files:

 openssl genrsa -des3 -out ispserver.key 4096
openssl req -new -key ispserver.key -out ispserver.csr
openssl x509 -req -days 3650 -in ispserver.csr -signkey ispserver.key -out ispserver.crt
openssl rsa -in ispserver.key -out ispserver.key.insecure
mv ispserver.key ispserver.key.secure
mv ispserver.key.insecure ispserver.key 

The next step is to enable mod_ssl for apache2.

 a2enmod ssl 

Let’s edit the ISPConfig vhost file, look for the  tags and uncomment/modify these lines:

 SSLEngine On
SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key 

As a last step, we’ll restart the Apache server.

 /etc/init.d/apache2 restart 

We can now access the ISPConfig 3 interface over SSL using the HTTPS protocol.

Updating ISPConfig 3

Even though our ISPConfig 3 now runs over HTTPS/SSL, its network security still needs to be safeguarded further. To do so, we need to update ISPConfig from time to time. A very easy-to-use script, “ispconfig_update.sh”, is installed along with ISPConfig 3. So, let’s run this script to start the update procedure.

Please note that before updating you should take a backup of your ISPConfig and its database.

 Select update method (stable,git) [stable]: 

After executing the script, the first question asks whether you want to update through the ‘stable’ or the ‘git’ method. Always use the “stable” option for a production server and “git” for a development server.

Please note that if your ISPConfig 3 is already up to date, you should see the following:

 There are no updates available for ISPConfig 3.0.5.4p8 

Otherwise you should receive this as the second question:

 Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]: 

You should choose “yes” here. This will create a backup of the ISPConfig scripts (/usr/local/ispconfig), the /etc directory and the ISPConfig MySQL database in the directory /var/backup/.

 Reconfigure Permissions in master database? (yes,no) [no]: 
 Reconfigure Services? (yes,no) [yes]: 

Choosing “yes” would be the better option. If you have modified your ISPConfig manually, it might be better to select “no”. In that case, however, new ISPConfig features or functions may not work until you adjust the configuration files manually. Therefore, it’s always a good decision to choose “yes” here. Next step: selecting the ISPConfig port:

 ISPConfig Port [8080]: 

As you can see, port 8080 is the default port. If you wish to change it, enter your desired port number; otherwise press ‘enter’ and proceed with the update.

 Create new ISPConfig SSL certificate (yes,no) [no]: 

Choose “yes” ONLY if your existing SSL certificate has expired and you want to renew it. Otherwise choose “no” and proceed with the update.

 Reconfigure Crontab? (yes,no) [yes]: 

The final step is reconfiguring the crontab. You may select ‘yes’ and press ‘enter’.

Hide ISPConfig behind the firewall

The advantage of protecting a network service behind the firewall is that it cannot be accessed from the internet and so is not available to be attacked. To hide ISPConfig from external threats we will follow two simple procedures:
1. Configure iptables for ISPConfig.
2. Use SSH Tunnel to Access ISPConfig.

1. Configure iptables for ISPConfig

Port 8080 is closed by default on VPSs provided by Rackhansa. Please refer to this article to learn how your VPS is protected by Rackhansa.
Use the following commands to check that port 8080 for ISPConfig is really blocked by your firewall:

 iptables -n -L -v
ip6tables -n -L -v 
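
Reading the listing by eye is error-prone because rule order and the chain policy both matter. The following shell function is an added example, not part of the original tutorial: it walks the INPUT chain of an iptables -n -L INPUT -v listing in order and reports the verdict for a port. The function name, the constructed sample listings and the simplified rule model are assumptions of this example.

```shell
# Usage (as root): iptables -n -L INPUT -v | input_verdict 8080
# Prints whether a new TCP connection from the network to the port is
# "blocked", "exposed" or "unknown". Simplified model (assumption): IPv4
# listing only; source-limited rules, port ranges, multiport matches and
# user-defined chains are reported as "unknown" rather than guessed.
input_verdict() {
    awk -v port="$1" '
    /^Chain / {                       # "Chain INPUT (policy DROP 0 packets, 0 bytes)"
        in_input = ($2 == "INPUT")
        if (in_input) { policy = $4; sub(/\)/, "", policy) }
        next
    }
    !in_input || decided || $1 == "pkts" || NF < 9 { next }
    {
        target = $3; proto = $4; iface = $6; src = $8; rest = ""
        for (i = 10; i <= NF; i++) rest = rest " " $i
        if (proto != "tcp" && proto != "all") next
        if (iface == "lo") next                         # loopback only (tunnel path)
        if (rest ~ /state / && rest !~ /NEW/) next      # established traffic only
        if (rest ~ / dpt:/ && rest !~ (" dpt:" port "( |$)")) next
        if (target == "LOG") next                       # non-terminating target
        if (src != "0.0.0.0/0" || rest ~ /dpts:|multiport/) verdict = "unknown"
        else if (target == "ACCEPT") verdict = "exposed"
        else if (target == "DROP" || target == "REJECT") verdict = "blocked"
        else verdict = "unknown"                        # jump to another chain
        decided = 1
    }
    END {
        if (!decided) verdict = (policy == "ACCEPT") ? "exposed" : (policy == "" ? "unknown" : "blocked")
        print verdict
    }'
}
# Constructed sample listings (not from a real host).
sample_blocked() { cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  340 41000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   10   600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
EOF
}
sample_exposed() { cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   10   600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
EOF
}
```

The loopback ACCEPT rule is skipped on purpose: the SSH tunnel reaches ISPConfig over lo, so that rule has to stay while traffic arriving on other interfaces is dropped.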

2. Use SSH Tunnel to Access ISPConfig

We will use an SSH tunnel for ISPConfig 3 so that the whole transmission is truly encrypted. The first thing to do is add a new user for tunneling on the server:

 useradd -m tunnuser
passwd tunnuser 

Then open the tunnel from your local machine:

 ssh -fCN tunnuser@www.your-domain.com  -L 8080:localhost:8080 

-f : Requests ssh to go to background just before command execution. This is useful if ssh is going to ask for passwords or passphrases but the user wants it in the background.
-N : Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).
-C : Requests compression of all data (including stdin, stdout, stderr, and data for forwarded X11, TCP and UNIX-domain connections).
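8080:localhost:8080 means that local port 8080 is forwarded through the tunnel to localhost:8080 as seen from the server, so the remote port 8080 becomes reachable at localhost:8080 on your own machine.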
You can now access the ISPConfig Web Interface at http://localhost:8080/
Please read this post to achieve better protection for SSH.
