Good morning, we use ispconfig on many of our servers, but only as standalone instances. On each of these we've restricted access to the admin interface on our firewall and also with iptables. We're giving some thought to using a clustered setup for our DNS and/or mail, and we want to open the interface to give users access to manage their own DNS and the like. One of the potential problems with that is that somebody could potentially brute force the admin login and then get access to everything. Sure, we can use fail2ban to reduce the likelihood of this, but is there any way to eliminate the option entirely? Either say that the admin user can only log in from a certain IP, or can only log in to a certain server in the cluster, and then we'd restrict access to that server?
You cannot brute force the ispconfig admin login, as ispconfig blocks IPs after some failed login attempts automatically. Fail2ban is not required for that. The ispconfig login is a normal apache vhost, so you can use all kinds of restrictions that are available for apache vhosts as additional protection.
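To make the two controls discussed above concrete (automatic lockout of an IP after repeated failed logins, plus the original poster's wish that the admin account only be usable from certain addresses), here is a small illustrative login gate written as an added example. It is not ISPConfig's code and does not describe how ISPConfig implements its lockout; the thresholds, the class name LoginGuard, and the sample addresses are all assumptions chosen for the demonstration.

```python
"""Illustrative login gate: per-IP lockout after repeated failures, plus a
per-account source-IP allowlist. Added example, not ISPConfig's own code."""
import ipaddress
from collections import defaultdict, deque


class LoginGuard:
    def __init__(self, max_failures=5, window=600, lockout=900, allowlists=None):
        self.max_failures = max_failures   # failures within `window` seconds that trip a lockout
        self.window = window               # seconds over which failures are counted
        self.lockout = lockout             # seconds an IP stays blocked once tripped
        # account name -> networks it may log in from; accounts absent here may log in from anywhere
        self.allowlists = {
            user: [ipaddress.ip_network(n) for n in nets]
            for user, nets in (allowlists or {}).items()
        }
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._blocked_until = {}              # ip -> time at which the lockout expires

    def _prune(self, ip, now):
        """Drop failures older than the counting window."""
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, ip, now):
        """True while an IP is inside its lockout period; clears state once it expires."""
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]
            self._failures[ip].clear()
            return False
        return True

    def source_allowed(self, user, ip):
        """Accounts with an allowlist may only log in from one of the listed networks."""
        nets = self.allowlists.get(user)
        if nets is None:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    def _record_failure(self, ip, now):
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_failures:
            self._blocked_until[ip] = now + self.lockout

    def attempt(self, user, ip, password_ok, now):
        """Evaluate one login attempt; `password_ok` is the credential check result
        supplied by the caller. Returns one of: ok, blocked, denied_source,
        bad_password, locked_out."""
        if self.is_blocked(ip, now):
            return "blocked"
        if not self.source_allowed(user, ip):
            # Probing a restricted account from the wrong network counts as a failure
            # too, so it contributes to the per-IP lockout.
            self._record_failure(ip, now)
            return "denied_source"
        if password_ok:
            self._failures[ip].clear()
            return "ok"
        self._record_failure(ip, now)
        return "locked_out" if ip in self._blocked_until else "bad_password"


def demo():
    """Run a constructed sequence of attempts (sample data, not real traffic)."""
    guard = LoginGuard(max_failures=3, window=600, lockout=900,
                       allowlists={"admin": ["203.0.113.0/24"]})
    attempts = [
        ("admin",   "198.51.100.7", True,  1000),  # right password, wrong network
        ("admin",   "203.0.113.5",  True,  1000),  # right password, allowed network
        ("client1", "198.51.100.9", False, 1000),
        ("client1", "198.51.100.9", False, 1001),
        ("client1", "198.51.100.9", False, 1002),  # third failure trips the lockout
        ("client1", "198.51.100.9", True,  1003),  # correct password, still blocked
        ("client1", "198.51.100.9", True,  1902),  # lockout expired
    ]
    return [guard.attempt(*a) for a in attempts]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The allowlist only covers the accounts you name, so ordinary client accounts remain usable from anywhere while the admin account is refused from any address outside the listed networks, and a refused attempt still counts toward the source IP's lockout.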
What we want is to make the login interface generally available, just not have the option to log in as admin on the public interface. I'm not aware of how to do that via apache. What method does ispconfig use to block brute force attempts other than fail2ban?