BUG or Not? Control Panel Log In -- Any Domain

Discussion in 'Installation/Configuration' started by gwiz, Sep 4, 2009.

  1. gwiz

    gwiz New Member

    Set up ISPConfig3 using 1 of my 20 registered domain names through GoDaddy.

    None of the other 19 domain names are installed on my tester server for ISPConfig3.

    Question Is:

    In playing around I discovered I could log into Control Panel with any 1 of my other domains?

    AS ADMINISTRATOR


    So ISPConfig3 is not really using "example.com" for install, but the IP the name resolves too?

    Another dumb question I know - It will be the last I promise :D

    Shameless Plug: Have Domains For Sale -- See http://www.gwizit.com/?page_id=60
     
    Last edited: Sep 4, 2009
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Why shall this be a bug. It is normal and intended that you can log in with any domain or IP on the server as long as you use port 8080.
     
  3. gwiz

    gwiz New Member

    re

    Yup - that seems right.

    But as I stated - The other 19 domains are not on the server.

    Why bother with "domain name" setup.

    Just use IP and everyone can be a number.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    But if the other domains are not pointing to the IP of the server in DNS, then no requests for these domains can be answered from this server. You should check the dns setup of your domains.
     
  5. gwiz

    gwiz New Member

    OK Then

    I guess it's a Non-Issue then!

    But it seems to me having ISP configured to only allow "ADMIN" access through a designated "DOMAIN" name rather than the IP would be added security.

    Lets say you have a seller/client that's a little mischievous, and likes cracking passwords.

    And he/she realizes they can log in as ADMIN if they crack your password.

    Already have 2 out of the 3 steps needed since "admin" user name can't be changed (or can it?) and if they have an account through you - their domain resolves to your server - correct.

    So - Rather than using their log in name - They decide to crack your password and log in as ADMIN - Could create havoc if you didn't notice or realize someone could gain access so easily.

    So why not add one more safety feature, and make ADMIN LOG IN resolve to the actual 'domain name" rather than IP -- Gives the crackers one more challenge, in having to figure out the domain name & password to the admin control panel.
     

Share This Page