TheWormsUnited you're right politics has no business here. I will hold back in this regard in the future.
We all want the same thing, that aaPanel gets better and spreads more

    aaPanel_Jose Glad to hear that we are currently merging the firewall and Fail2ban so that there is only one tab left.

      a month later

      With good reason I also have attack problems in some VPS, I suspected it and changed the panel, How good that they separate from bt.cn.

      4 months later

      Dear all . I am a new user to private VPS and found aaPanel to install. I came across this thread by CQT who posts some very valid points. Now I am happy with the service of aaPanel. BUT.... I had to block the whole of China IP due to massive attacks on ssh port 22 ( f2ban was reporting 50,000+ attempts in 48hrs)

      Basically has the link to a new install of aaPanel opening up your server IP address being 'smeared' hence attacked been proved or not?

      Do I just accept this is the 'game' of server admin ... this is a 2nd hand IP address and is now exposed anyway.

      CQT / gacott did u continue with aaPanel ?

        a month later

        @cib3r can you tell us what setting you put on your f2ban?

        thank you

        4 days later

        CQT
        106.12.0.0 - 106.13.255.255 this seems to be China's search engine Baidu crawler robot.

          5 months later

          cib3r BUT.... I had to block the whole of China IP due to massive attacks on ssh port 22 ( f2ban was reporting 50,000+ attempts in 48hrs)

          I don't think this is a problem of aaPanel or because aaPanel is made in China. I have CyberPanel and attacks coming from China are usually massive. Change the SSH port to something else. This helped to block out the server-side attacks to zero.

          CyberPanel also supports CSF and that's so robust and keeps website safe.

            Yes my aapanel username and password was changed
            and the web scripts i have hosted was stolen from my ubuntu
            and i remote the connections where came from and from china

            same network as aapanel

            wireshark is the best network app for track any hacking

            aapanel its free open source what do you expect about this nothing in this world its free without any
            trade

            if was a paid software they will have more security and not hacking but its free and open source
            we do not know what is behind

            track your PCS using wireshark

            aapanel they are controlling your server and still what you have hosted

              aaPanel_Captain

              as your software its open source so give me the full source code to install as my own
              and not install from your servers

              installing from url links and from your server i do not know what comes inside my server
              my aapanel was changed my username and password was changed and
              i was stoped to add more websites i just have 5 websites running and to add more gived me errors
              my username and password was changed and i m just the only person on here who has access to the aapanel

              no one else

              i trace using wireshark and you are remote controlled to aapanel servers you guys are still people information and stilling people websites and information as credit card and have access to databases

                  Vereato

                  i will contact interpol police and net police for investigation

                  good luck

                    I'll just leave it here

                    Vereato i always use the same credentials for all my PCs its the same password and username

                      4 months later

                      Hello, I am new to aaPanel. I came to this panel because I was looking at a free solution, alternative to cpanel/plesk and after using webmin/virtualmin, cyber panel, centos web admin, I had to find something more stable. I immediately loved aaPanel. But then, I faced the same problems as discussed in this thread. Many friends of mine who are pentesters faced the same issues even though they have not used aaPanel. Though I confirm that after minutes of fresh installations I got massively attacked by China, USA and Russian and some European IPs. I can see that still the problem discussed here hasn't been solved, to the point that somehow our server IPs are leaked or scraped. Below I will explain the solution I followed and solved my problems. 1- I changed the default ports. 2- I changed the admin URI of my website software and created firewall rules to drop connections on the default admin URI. 3- I DID NOT enable Postfix on the webserver, let the experts deal with it. I use Zoho Mail for all my customers and never have to deal with excessive server load cause of postfix, or mail deliverability or sent messages going to customer's spam folder. 4- Enabled Cloudflare and applied the same firewall rules as on my server's firewall. 5- Now except from the usual users (100 customers online), I see on my logs some (limited no) of the attack bots are just browsing the website and aaPanel's load is 1-5% and cpu load 0.5-3%.

                      I read that there is a problem with the node list of the installer script. So, I did a little experiment. I installed a new VPS test server. I modified the installer script and removed all node references of the bt.cn domain and I left only the US based node.aapanel.com. After the installation my logs are crystal clear. No attacks, no strange visitors or bots. I wish I knew why isn't this a default setting, as I see in the previous posts since 2020 that bt.cn would be replaced at some point completely from the system!

                        aaP-aris Please, may you explain me wich files and procedure did you followed to do it so?

                        I get Hacked this week and OVH totally banned me because they considered it was mi making DDos attacks and sending phishing mails from my system.

                        This is the first time I experience a situation like this and it happend casually with aapanel after 20 days of usage.

                        Also, which firewall and antivirus do you recommend to me to install on Centos 7 and set it on fulltime realltime supervisor. I don't want to perform manually system analysis to all my clients.

                        May you share also your firewall settings to block all this identifyed hackers from Russia and China? Or at least to allow only access to the domain from a specific country?

                        Thank you very much.

                            aaP_ptakx I edited the installer script as I mentioned already. The installer script is this: http://www.aapanel.com/script/install_6.0_en.sh

                            Line 146: nodes=(http://node.aapanel.com http://128.1.164.196 http://45.76.53.20 http://dg2.bt.cn http://dg1.bt.cn http://123.129.198.197 http://125.88.182.172:5880 http://119.188.210.21:5880 http://120.206.184.160 http://113.107.111.78);
                            Replaced it with nodes=(http://node.aapanel.com http://128.1.164.196);

                            Line 184: NODE_URL='http://download.bt.cn';
                            Replaced it with NODE_URL='http://node.aapanel.com';

                            Line 219: curl -Ss --connect-timeout 3 -m 60 http://download.bt.cn/install/yumRepo_select.sh|bash
                            Replaced it with curl -Ss --connect-timeout 3 -m 60 http://note.aapanel.com/install/yumRepo_select.sh|bash

                            Line 224: getBtTime=$(curl -sS --connect-timeout 3 -m 60 http://www.bt.cn/api/index/get_time)
                            Replaced it with my own implementation of unix timestamp api, but you can leave it as is.

                            Line 670: isHosts=$(cat /etc/hosts|grep 'www.bt.cn')
                            Replaced it with isHosts=$(cat /etc/hosts|grep 'node.aapanel.com')

                            Line 673: echo "103.224.251.67 www.bt.cn" >> /etc/hosts
                            Replaced it with echo "104.21.79.196 node.aapanel.com" >> /etc/hosts

                            Line 677: sed -i "/bt.cn/d" /etc/hosts
                            Replaced it with sed -i "/node.aapanel.com/d" /etc/hosts

                            I used iptables, fail2ban and the free version of NGINX Firewall, as well as Cloudflare. I cannot share my firewall rules because they are paid, but Clouflare FREE as a proxy should do the work for you too with minimum settings.

                            For example if you use Wordpress you should definitely change admin url, and block the old URIs from your server's firewall as well from your Cloudflare Firewall. (Edit) Also, you should protect your new admin login URI, from failed logins or throttle/reject/ban the failed login tries to avoid brute force attacks [this is implemented via various plugins and/or firewall settings].

                            I did not install Mail Server such as Postfix, most attacks come from there.

                            From the Security tab you can change the SSH port. You must change the default ports from any service you can.

                            I enabled aaPanel login notifications, as well as 2FA like Google Authentication.