Control Web Panel

Developers => Suggestions => Topic started by: n8v8r on February 05, 2018, 11:54:43 AM

Title: add 2-Step Verification (TOTP) for root (and perhaps end user) panel
Post by: n8v8r on February 05, 2018, 11:54:43 AM
As discussed here http://forum.centos-webpanel.com/centos-webpanel/(security)-disable-root-login-change-linux-privileges/msg15330/#msg15330
I would tend to reckon that such added security value would not only benefit the user but also raise the attraction of CWP for potential clients.

Why not integrate https://www.freeipa.org with CWP? FreeIPA ships with a trove of security features, among them TOTP. It has full CentOS support through Red Hat Identity Management https://access.redhat.com/products/identity-management#getstarted

Title: Re: add 2-Step Verification (TOTP) for root (and perhaps end user) panel
Post by: n8v8r on February 09, 2018, 07:09:16 PM
Looking at the headers from the CWP (Apache) server, with its exposure to the internet, I am baffled that there are apparently not even basic security headers in place, such as:

x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 1; mode=block

Neither is any CSP (Content Security Policy) deployed...

That leaves the CWP server open to a variety of attacks, e.g. cross-site scripting and CSS Exfil, and just deploying TLS is no cure for those.

I really would prefer that my server is not exposed in such a way by proxy of the CWP server. Whilst being in the position to harden any other services on the server, the CWP server is beyond such measures, unless one starts to mess with its code and risks unintended consequences and instability.
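The check behind the post above, as an added example that is neither CWP's code nor the poster's: it takes a raw HTTP response (for instance the output of `curl -sI` against the panel URL), parses the header block, and reports which of the listed hardening headers are missing or carry a weak value, treating Content-Security-Policy as weak when it leaves scripts unrestricted. The three sample responses are constructed for the example; the header names and expected values are the ones listed in the post.

```python
"""Audit an HTTP response for the security headers named in the post plus CSP.

Added example, not code from CWP or from the forum post. Feed it a raw
response captured with e.g. `curl -sI https://<panel-host>/` (the samples
below are constructed, not real CWP output).
"""
from __future__ import annotations


def csp_is_strong(value: str) -> bool:
    """Minimal CSP sanity check for the XSS concern raised in the post.

    The policy must constrain scripts (script-src, or default-src as the
    fallback) and must not allow every origin or inline scripts for them;
    such a policy provides no real protection against injected markup.
    """
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    script = directives.get("script-src", directives.get("default-src"))
    if script is None:
        return False
    return "*" not in script and "'unsafe-inline'" not in script


# One predicate per header so several safe spellings are accepted
# (e.g. DENY as well as SAMEORIGIN for X-Frame-Options).
REQUIRED = {
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-download-options": lambda v: v.lower() == "noopen",
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-permitted-cross-domain-policies": lambda v: v.lower() == "none",
    # "0" disables the legacy XSS auditor, which modern guidance also accepts.
    "x-xss-protection": lambda v: v.replace(" ", "").lower() in ("1;mode=block", "0"),
    "content-security-policy": csp_is_strong,
}


def parse_headers(raw: str) -> dict[str, str]:
    """Parse the head of a raw HTTP/1.x response into a lowercase-keyed dict.

    Header names are case-insensitive, so keys are normalised; the status
    line is skipped and parsing stops at the blank line before the body.
    """
    headers: dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # lines[0] is the status line
        if line == "":
            break
        if ":" not in line:
            continue  # tolerate stray non-header lines in captured output
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw: str) -> dict[str, list[str]]:
    """Return {'missing': [...], 'weak': [...]} in REQUIRED's order."""
    headers = parse_headers(raw)
    missing = [h for h in REQUIRED if h not in headers]
    weak = [h for h, ok in REQUIRED.items() if h in headers and not ok(headers[h])]
    return {"missing": missing, "weak": weak}


# Constructed samples: a bare Apache-style response, a hardened one, and one
# where the headers exist but with values that do not help.
SAMPLE_BARE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 05 Feb 2018 11:54:43 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n<html></html>"
)

SAMPLE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Download-Options: noopen\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'\r\n"
    "\r\n"
)

SAMPLE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Download-Options: noopen\r\n"
    "X-Frame-Options: ALLOW-FROM https://example.com\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "X-XSS-Protection: 1\r\n"
    "Content-Security-Policy: default-src * 'unsafe-inline'\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, sample in (("bare", SAMPLE_BARE), ("hardened", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK)):
        print(label, audit(sample))
```

Run it against a captured response rather than the samples to audit a real panel; on an Apache front end the missing headers would normally be supplied with mod_headers `Header always set` directives, which is exactly the kind of change the post notes cannot be applied to CWP's own server without touching its code.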