Duplicate ID after adding new CP User & admin_allow_new_admin failed

Discussion in 'ISPConfig 3 Priority Support' started by peterpetr, Jan 20, 2022.

  1. peterpetr

    peterpetr Member

    I am running the latest ISPconfig on Ubuntu 20.04 with PHP 7.4, NGINX and MariaDb (all installed using your tutorial www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/).
    It seems everything is working except for the following:

    #1. Logged in as "admin" CP User, I went to System > CP Users I clicked the [Add new user] button and added a new CP user with Type = admin, Module = all checked. Then, when I viewed CP Users, I see my new CP User (with a unique name) but the User ID column shows "0" for both my "admin" Username and also for my "newAdmin". It seems to me that each CP User should have a unique User ID number, not "0" for both. Note that I also created a new Client (using the Client tab) and it shows under CP Users with User ID = 1.

    #2. When I login using my new CP User ("newAdmin" that has all the same rights as "admin"), I get an error message when clicking on this CP User's Group tab:
    • Check for security permission: admin_allow_new_admin failed.
    How can this be fixed?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's correct and required for admin users.

    That's intended as well, the only user that is able to do such tasks is the main admin. Additional admins that you add have lower privileges and can't perform some of the admin functions for security reasons.
  3. peterpetr

    peterpetr Member

    Thank you for clarifying in your response.
    My reason for creating another CP User with full "admin" rights is to possibly disable the main "admin" (user name). My concern is that a brute force attack on my ISPconfig installation might be successful.

    Other than a very good password, do you advise any other security measures to keep my "admin" user from being compromised?

    Thank you.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    You can just change the name of the main admin under System > CP users, there is no need to create another admin.
  5. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Failed logins are logged to /var/log/ispconfig/auth.log, you can add a fail2ban rule to monitor failures and block. You could even add multiple rules if you like, with very strict limits for 'admin' and your real admin name, and relaxed limits for other logins.

    Two factor auth will be added, but is not available yet.

    Other options that come to mind are to add custom code to limit your admin logins from specific ip addrs (not currently a feature, but that wouldn't be hard to implement), and to use mod_security, which would require custom rules for implementing your logic (rate limit failures, ip restrictions, etc.). If you have a small, defined set of users, you could restrict access (eg. by source ip) in firewall rules. As you're using nginx, I came across an article once about setting up 2FA at the nginx level, independent of the app that was being accessed, which might be an option.

Share This Page