Server Security (1) Bt Panel Defense

This article is part of the Server Security Series column on this site.

0. Preface

Some time ago, I used social engineering and related methods to accidentally get into the backend of a scammer's website and obtained the real IP of his server. I then successfully used the same password to log in over SSH, obtained the login username of the Bt panel, and used the same password again to log in and generate an SSH private key.
Later, he changed the Bt password, and in a fit of rage I logged in to SSH and executed:

```bash
rm -rf /www/*
```

That is, all the data under the Bt panel was deleted.
After this incident, I paid more attention to the security configuration of my own server. After all, the Tencent Cloud plug-in is installed in the Bt panel, and its API Key and Secret Key are directly visible there. Hence this series.

1. Login configuration

Tutorial for installing and cracking Bt version 7.7.0:
https://blog.tsinbei.com/archives/7/
A port scanner such as Ping Tools run against the server IP will quickly find the login port of the Bt panel. So the login section needs the following configuration:

  1. Modify the panel port
  2. Set up security entrance
  3. Enable panel SSL
  4. Enable Basic Auth
  5. Configure login alerts
  6. Use multi-user login

1.1. Modify the panel port

The default panel port is 8888, which is so distinctive that it is very easy to find by scanning.

Note: Some users report that five-digit ports cause problems in some plug-ins, so prefer a four-digit port!

Recommended port: the last two digits of your birth year followed by the month, for example 1912 for December 1999.

[Screenshot: Set port]

1.2. Set up the security entrance

The security entrance can be set to anything, and in fact it can be left unset. For better security, however, it is recommended that you set one here.

Recommended entry: your name in Pinyin or English plus a few digits; for example, chenrui might use chenrui147 or cherry258.

[Screenshot: Set secure entry]

In addition, set the unauthenticated response status, for example to 401 Unauthorized, so that the panel is not recognized as a Bt panel.

[Screenshot: Set unauthenticated response status]

1.3. Enable panel SSL

Before enabling panel SSL, you need to bind a domain name.

Note: It is recommended to use an uncommon domain name. For example, Tencent's domain name is Tencent.com, but the Beijing server panel uses the domain name bj.qcloud.com.

Using a self-signed certificate makes access more troublesome, since the certificate has to be installed on the client, but it also improves security: without the certificate installed, the panel cannot be accessed. For convenience, I copied the website's certificate into the "self-signed certificate" field instead. Using Let's Encrypt automatically adds a website entry, which is also not recommended.

[Screenshot: Set SSL certificate]

1.4. Enable Basic Auth

Basic Auth is effectively an additional layer of password. The password here should not be the same as the panel password; the author suggests something like birth year plus a specific date.

[Screenshot: Configure Basic Auth]

1.5. Configure login alerts

If you mainly use QQ or WeChat, it is recommended to use the email channel and push to a QQ mailbox; if you use corporate WeChat or DingTalk, it is recommended to push via the WebHook API.

If you use a mailbox, it is recommended to create your own mailbox with the Bt Post Office Manager, and you must add it to the whitelist in the web version of QQ mailbox, otherwise the alerts may be classified as spam!

[Screenshot: Configure mail]

[Screenshot: Enable login alert]

Note: The local loopback address and your public IP should be whitelisted.

[Screenshot: Set IP whitelist]

1.6. Use multi-user login

If SSH is cracked, the current Bt username can be read from the command line, which raises the probability of the panel being cracked as well.

Therefore, it is recommended to make the default username and password extremely complex: upper- and lower-case letters, digits and special symbols, more than 20 characters, ideally too complex to remember yourself.
Then install the "Multi-User Management" plug-in from the software store and configure a username and password there.

[Screenshot: Add multiple users]

2. phpMyAdmin configuration

If phpMyAdmin is reachable from the public network, it is also easy to crack. Therefore, the following configuration is required:

  1. Disable HTTP access
  2. Change the port and enable HTTPS access
  3. Enable password access

2.1. Disable HTTP access

After configuring panel SSL as above, you can configure HTTPS login for phpMyAdmin and disable HTTP access.
You can keep the default HTTP port and then remove that port from the firewall, so it cannot be reached from the external network.

[Screenshot: Use default port]

2.2. Enable HTTPS access

Just set an HTTPS port.
Note: Remember to open this port in the firewall.

[Screenshot: Enable HTTPS access]

2.3. Set password access

This is similar to the panel's Basic Auth, and the same password complexity applies.

[Screenshot: Password access]

3. Summary

After completing the above configuration, open the required ports in the firewall.
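As an added check (not part of the original article), the following shell function compares the TCP ports the server actually listens on with the ports you intend to expose through the Bt firewall, which is the quickest way to confirm that the panel really moved off 8888 and that phpMyAdmin's HTTP port is not still listening publicly. It assumes `ss -Hltn` output as input, an allowlist of 22, 80, 443, the article's example panel port 1912 and a hypothetical phpMyAdmin HTTPS port 8443; the sample lines are constructed.

```bash
#!/bin/sh
# Added example (not from the article): compare the TCP ports the server is
# listening on with the ports you intend to expose through the Bt firewall.
# Input is the output of `ss -Hltn` (one LISTEN line per socket, local
# address in column 4). Ports bound only to loopback are ignored.

# Assumed allowlist: SSH, the two web ports, the article's example panel
# port 1912, and a hypothetical phpMyAdmin HTTPS port 8443.
ALLOWED_PORTS="22 80 443 1912 8443"

# unexpected_ports SS_OUTPUT
# Prints every non-loopback listening port that is not in ALLOWED_PORTS,
# one per line, numerically sorted, without duplicates.
unexpected_ports() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" && NF >= 4 {
            port = $4; sub(/.*:/, "", port)          # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)      # text before the last colon
            if (host == "127.0.0.1" || host == "[::1]") next
            if (!(port in ok)) print port
        }' | sort -n | uniq
}

# Constructed sample: the default panel port 8888 and a phpMyAdmin HTTP port
# (sample value 888) are still listening after the panel moved to 1912.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:1912 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8888 0.0.0.0:*
LISTEN 0 128 0.0.0.0:888 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*'

# A listening port that the firewall already drops is still reported here:
# this check finds services that would be exposed if a firewall rule were
# missing, so confirm the firewall's own rule list as well.
echo "Listening ports not in the allowlist:"
unexpected_ports "$SAMPLE"     # prints 888 and 8888
# On the server itself: unexpected_ports "$(ss -Hltn)"
```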

Server security is very important, so do not run scripts from unknown sources on the server! There is a precedent on the Bt forum of a server being backdoored after running a crack script.

All source code and scripts given in this blog have been tested; please use them with confidence!

https://blog.tsinbei.com/en/archives/125/

Author: Hsukqi Lee
Posted on: 2022-02-03
Edited on: 2022-07-28
Licensed under: CC BY-NC-ND 4.0
