Topic: Two-Factor Authentication (2FA) - Google Authenticator for CWP and CWP PRO !


Offline
*
How will I enable 2FA for admin (root)?

Offline
*
I too am interested in a 2FA option for admin. I realize it is available for the user panel. A bit surprised not for the admin, which I would have thought to be a higher priority.

Thanks for all you do, I am very new to the CWP world, but really appreciating what I see so far.

Offline
*
Is this still not possible for the CWP admin panel?

Offline
****
If you truly want to secure your CWP Admin interface, do the following.

Set up DDNS somewhere (No-ip is a good free version)

edit /etc/csf/csf.dyndns   and add your ddns hostname there
edit /etc/csf/csf.conf
find DYNDNS and set it to a value of 600 (10 minutes):  DYNDNS = "600"
find DYNDNS_IGNORE = "0"  and change it to 1

On TCP_IN and TCP6_IN, remove port 2086,2087,2030,2031.

then restart csf.  csf -r

You can still log in to CWP as long as you match your dyndns, as it allows you through the firewall on all ports.
Google Hangouts:  rcschaff82@gmail.com
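
A way to check that a csf.conf actually reflects the steps in the post above. This is an added example, not part of the thread and not CWP or CSF code; the function names are hypothetical, and it assumes csf.conf's `NAME = "value"` syntax. It goes slightly beyond the post by also catching the admin ports when they are covered by a `lo:hi` range.

```shell
# Added example: audit a csf.conf for the lockdown described in the post above.
# Usage: audit_csf_conf /etc/csf/csf.conf   (returns 0 only with no findings)
ADMIN_PORTS="2030 2031 2086 2087"   # the ports the post removes from TCP_IN/TCP6_IN

# Print the value of NAME = "value" (csf.conf syntax); the last assignment wins.
csf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$1" | tail -n 1
}

# Succeed when port $1 is covered by comma-separated list $2 (entries may be lo:hi).
port_listed() {
    old_ifs=$IFS; IFS=','
    for entry in $2; do
        lo=${entry%%:*}; hi=${entry##*:}
        case "$lo:$hi" in :*|*:|*[!0-9:]*) continue ;; esac
        if [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs; return 1
}

audit_csf_conf() {
    conf=$1; findings=0
    dyndns=$(csf_get "$conf" DYNDNS)
    case "$dyndns" in ''|0|*[!0-9]*)
        echo "DYNDNS is '$dyndns': hostnames in csf.dyndns are not being refreshed"
        findings=$((findings + 1)) ;;
    esac
    if [ "$(csf_get "$conf" DYNDNS_IGNORE)" != "1" ]; then
        echo "DYNDNS_IGNORE is not 1"; findings=$((findings + 1))
    fi
    for list in TCP_IN TCP6_IN; do
        value=$(csf_get "$conf" "$list")
        for port in $ADMIN_PORTS; do
            if port_listed "$port" "$value"; then
                echo "$list still opens port $port to all sources"; findings=$((findings + 1))
            fi
        done
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample input (not from a real server): the state before the change.
sample_conf() {
    cat <<'EOF'
TCP_IN = "20,21,22,80,443,2030,2031,2086,2087"
TCP6_IN = "22,80,443,2000:2050"
DYNDNS = "0"
DYNDNS_IGNORE = "0"
EOF
}
```

Run `sample_conf > /tmp/csf.sample; audit_csf_conf /tmp/csf.sample` to see the findings for the constructed "before" state.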

Offline
*
If you truly want to secure your CWP Admin interface, do the following.

Set up DDNS somewhere (No-ip is a good free version)

edit /etc/csf/csf.dyndns   and add your ddns hostname there
edit /etc/csf/csf.conf
find DYNDNS and set it to a value of 600 (10 minutes):  DYNDNS = "600"
find DYNDNS_IGNORE = "0"  and change it to 1

On TCP_IN and TCP6_IN, remove port 2086,2087,2030,2031.

then restart csf.  csf -r

You can still log in to CWP as long as you match your dyndns, as it allows you through the firewall on all ports.

I've done all of the above EXCEPT remove ports 2086, 2087, 2030, and 2031 (playing it cautious). The system is giving me "Not Found" when I go to HTTPS://<hostname>/login/index.php

Any quick advice?

Offline
****
Use https://hostname:2031

It's possible the proxy gets broken.

You can also add your hostname's IP to the /etc/csf/csf.allow, but I believe that will open up the system to the possibility of brute force attacks again.

Offline
*
Use https://hostname:2031

It's possible the proxy gets broken.

Pardon my ignorance but isn't port 2031 supposed to be closed? Isn't that the idea for using DynDNS?

Offline
****
2031 is closed to all traffic not "ALLOWED" through the firewall.  By having a DDNS address in the allow list, you are bypassing the firewall.

Ports 443 and 80 are run by different software than all of the other ports.  Therefore, if you don't add the port on the end of the URL, that software doesn't know how to route them to cwpsrv.

Offline
*
Noted with thanks!