Using Ubuntu 18.04: On VestaCP installation, how to get result (https://subdomain.domain.tld:8083) instead of (https://123.312.321.23:8083) [closed]

I’m trying to install VestaCP on Ubuntu 18.04 but keep getting the following result after successful installation:

https://123.231.312.23:8083 instead of:

https://subdomain.domain.tld:8083

What do I have to do get this result: https://subdomain.domain.tld:8083?

I set hostname to server1: $ sudo hostnamectl set-hostname server1

then edit host file: $ sudo nano /etc/hosts

IP_address subdomain.domain.tld subdomain 

After all is done,I get hostname and FQDN as shown below, which is as it should be:

$   hostname server1 $   hostname -f server1.domain.tld 

But then, the result after successful installation: https://123.231.312.23:8083

What am I doing wrong?

Major security and usability flaw in Linux (root privileges and sudoers, folder access restriction, Ubuntu Linux)

Alright, let me give you the context. I am a business owner with strong technical background, say a programmer, though not an advanced system administrator. I’ve bought a VPS server where I want to host several applications and webpages. One of the apps consists of backend, admin frontend and user frontend, another one is just backend and frontend. So 5 different programmers develop those apps. From time to time, as the development takes its place, those programmers need to install and upgrade some packages, modify system configs and so on, i.e. they need ssh access and some root privileges.

And here is the tricky part. It is obvious that I don’t want them to see and gain access to the folders they are not supposed to see, i.e. the devs of the first app shouldn’t have access to the folders of the second app and vice versa. Moreover the backend dev of the first app shouldn’t have access to the frontend folders of the same app and the same goes for the second app. Also I would like to restrict access for them to certain commands like visudo or reboot, so they wouldn’t be able to lock me out of my own server or reboot it without my consent.

Now, if I give them sudo privileges for them to be able to run administrative tasks needed for their development – then they have access to everything and it becomes practically impossible to restrict access for them to certain folders and commands. On the other hand if I DON’T give them sudo privileges, then it becomes a huge pain for me to every time install packages and give them access to certain files and commands they need to continue development. There are over 1500 commands and the corresponding number of system files in Linux they could potentially need access to, so it’s very VERY unconvenient for me to spend so much time to administer the VPS, especially getting the fact that I’m not a very advanced system administrator and I don’t have much time because I need to run my business.

There are already numerous posts and threads on the Internet where people try to find solutions to somewhat close problems like these: One, Two, Three, Four, Five, Six, Seven, Eight, Nine, and they still have no reasonable solutions to them, only those that involve some supercomplex activities and anyway not giving a needed result.

So from my point of view as a business owner it should be something like this: there is a root user who can do everything. He can create admins and define access rights for them, for example in that very sudoers file. Then it’s his decision whether to give access to an admin to the sudoers file itself and any of the folders and commands of his choice. For example an admin could be able to run any command in the system except “reboot” and “visudo” and he can access all files and folders except /etc/sudoers and say /var/www/private_folder even WITH sudo privileges invoked (meaning he can’t even copy those files, overwrite them, chmod and chown them and so on, i.e. access them with any command).

That would immediately make the whole system administration A LOT more easier and logical, eliminating the need for complex solutions like chroot jails, separate bash environments, splitting servers into virtual machines, using containers and so on. And it’s so simple, a matter of a couple of conditions in the code, if I understand it correctly from a developer’s perspective. Also, I want to be in control of my VPS, not having to trust any other third person believing he/she won’t steal my information and/or destroy my whole system either by making a mistake or intentionally and basically it can be considered as a serious security vulnerability from a certain point of view.

This seems so obvious and logical for me, that I was really discouraged and embarrassed that it’s really isn’t like that in Linux. Maybe 20 years ago when Linux was created it was enough to have only a root and sudoers and the rest of users to accomplish tasks they had at that time, but today everything goes a bit different way already and that archaic approach is not usable anymore.

Of course I realize I can understand something wrong and there is a strong reason why it has to be as it is, then please let me know why is it so and what is a correct and easy way of solving my problem described above without a need to build a behemoth on my VPS or manually administering it all the time by myself. After all it should be user-friendly, right? Now it’s not.

On the other hand if there is no such a solution, then I would really be willing to even pay someone who could implement some kind of a patch or a package that will allow to solve this problem.

GUI for LAMP stack with ubuntu on WSL2 for website development

Currently I am using WAMPserver on Windows, I'm very happy with it, but Drupal requires Drush and Composer for website maintenance and updates, all the literature is written for linux.

So I am looking into using WSL2 with ubuntu – and I am looking for a tool similar to WAMPserver for ubuntu

What I particularly appreciate in WAMPserver is that everything comes pre-installed and pre-configured, and the program takes care of creating new vhosts, etc. as needed, no need to do anything in the…

GUI for LAMP stack with ubuntu on WSL2 for website development

Is a firewall enough of a security measure for an Ubuntu server that hosts a website?

I recently got a VPS with Ubuntu on it, and I’d like to start creating a very basic website. However, I don’t know what steps I should take to secure this server.

I’m new with Ubuntu, new with security and new with creating websites (the website will probably be just HTML, CSS, Django/Python and some database).

My biggest concern is that some hacker could try to use it as a zombie and I won’t know. Or that robots could try to log in and sneak at whatever data I’ll store on that machine and I won’t know. Or who knows what else.

I found the firewall information page on the Ubuntu website, but will that be enough ?

P.S.: If it’s impossible to give an answer, I’d also appreciate a book/website recommendation for Ubuntu and security complete beginners

How to protect my ubuntu linux computer from screen capture programs or keystroke loggers?

I have a Ubuntu home PC. I often use this system to enter passwords to various websites. Some sites also offer a graphical on screen keyboard to protect from keyloggers. However, I suspect that even the on screen keyboard is not safe from malicious software which records the computer screen. I want my passwords to be safe from such programs. Of course, I do ensure that I don’t install insecure programs but I would like to have an additional layer of security.

Updating Ubuntu

How can I make sure in the terminal that my Ubuntu updates are from the real source?

I am asking because I know that one download was fake. It was rkhunter. The update was malware. Done from Bangkok. I think it was DNS hijacking.

How does a TPM inform me that someone has tampered with the BIOS under Linux / Ubuntu?

I read guides on how to set up a TPM but none of them tells me how a TPM actually works in practice (under Linux/Ubuntu which I use).

My understanding is that a TPM can inform me whether any of the components which load before the main operating system (Bios, bootloader, firmware) have changed in any way since the TPM was activated.

But how exactly would I know whether something has actually changed? If someone (an attacker) has tampered with with the BIOS or some firmware component, will the next boot process simply not complete? If that is correct, will the system boot successfully again, if I manage to put the BIOS back into the state that is known to the TPM?

Master – Master setup on Postgresql 10 + Ubuntu 18.04 + Pgpool II

Does anybody have experience in configuring Pgpool II with Postgresql 10 on Ubuntu 18.04?

I am trying to setup Master – Master setup on Postgresql 10 + Ubuntu. I am trying to use Pgpool II

I will have two or more mater DB servers running on different IPs and my objective is synced with each other.

I am looking for an open-source solution/s Your thoughts, suggestion and experiences are kindly welcome. Cheers

Fully-secured screen lock in Ubuntu with encryption

I have Ubuntu 19.10 with full disk encryption. The encryption is effective as long as the system is turned off or restarted. Otherwise the data is unencrypted behind a locked screen which may not be very secured.

I wish to protect against:

  1. mechanisms that bypass screen lock (I have disabled SysRq, but there might be other ways too)
  2. cold boot attacks
  3. attacks through DMA, network, WiFi/Ethernet, physical ports, etc

What’s the best way to proceed? Can I have a home encryption on top of full disk encryption, and set the screen lock such that the same password will unlock and decrypt the home drive (I don’t want to enter two passwords)?

Is there any secure screen lock (no bug, no vulnerability against X11 crashes, etc)?

The OS + encryption should be able to protect the system 100 percent (except for cold boot attacks which mostly aren’t practical: the data rapidly deteriorates).

Thanks!

Ubuntu Server SSH configuration file help

This is my sshd_config file settings I can connect to my server with my pc using public key but I can also connect from another pc with the password of sudo user account. How can make the login possible only with public key in SSH and SFTP? Thanks a lot

# This is the sshd server system-wide configuration file.  See # sshd_config(5) for more information.  # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin  # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented.  Uncommented options override the # default value.  #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress ::  #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key  # Ciphers and keying #RekeyLimit default none  # Logging #SyslogFacility AUTH #LogLevel INFO  # Authentication:  LoginGraceTime 1m PermitRootLogin without-password #StrictModes yes MaxAuthTries 3 #MaxSessions 10  PubkeyAuthentication yes  # Expect .ssh/authorized_keys2 to be disregarded by default in future. #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2  #AuthorizedPrincipalsFile none  #AuthorizedKeysCommand none #AuthorizedKeysCommandUser nobody  # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes  # To disable tunneled clear text passwords, change to no here! PasswordAuthentication no PermitEmptyPasswords no  # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no  # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no  # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no  # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication.  Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM no  #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes PrintMotd no #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none #VersionAddendum none  # no default banner path #Banner none  # Allow client to pass locale environment variables AcceptEnv LANG LC_*  # override default of no subsystems Subsystem   sftp    /usr/lib/openssh/sftp-server  # Example of overriding settings on a per-user basis #Match User anoncvs #   X11Forwarding no #   AllowTcpForwarding no #   PermitTTY no #   ForceCommand cvs server