aaPanel_Jose I like this
Hacking attacks with and through aaPanel
aaPanel_Jose Glad to hear that. We are currently merging the firewall and Fail2ban so that there is only one tab left.
With good reason: I also have attack problems on some VPS. I suspected it and changed the panel. How good that they separated from bt.cn.
Dear all. I am a new user of a private VPS and found aaPanel to install. I came across this thread by CQT, who posts some very valid points. Now I am happy with the service of aaPanel. BUT... I had to block the whole of China's IP space due to massive attacks on SSH port 22 (f2ban was reporting 50,000+ attempts in 48 hrs).
Basically, has the link between a new install of aaPanel and your server IP address being 'smeared' (and hence attacked) been proved or not?
Do I just accept that this is the 'game' of server admin... this is a second-hand IP address and is exposed anyway now.
CQT / gacott, did you continue with aaPanel?
- Edited
my fail2ban log
anti-cc
ssh
cib3r BUT... I had to block the whole of China's IP space due to massive attacks on SSH port 22 (f2ban was reporting 50,000+ attempts in 48 hrs)
I don't think this is a problem of aaPanel or because aaPanel is made in China. I have CyberPanel and attacks coming from China are usually massive. Change the SSH port to something else. This helped reduce the server-side attacks to zero.
CyberPanel also supports CSF, which is so robust and keeps websites safe.
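The signal fail2ban's ssh jail acts on, shown as an added example that is not part of any post in this thread: count failed password attempts per source IP from sshd log lines (on CentOS 7 they are in /var/log/secure) and list the sources above a threshold. The log lines are constructed, and the threshold of 3 and the function names are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): count failed SSH logins per source IP
# from sshd log lines and list the sources that exceed a threshold, the same
# signal fail2ban's sshd jail keys on. The log lines below are constructed.

AUTH_LOG_SAMPLE='Dec  4 12:01:10 vps sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Dec  4 12:01:12 vps sshd[2101]: Failed password for root from 203.0.113.5 port 51240 ssh2
Dec  4 12:01:15 vps sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51251 ssh2
Dec  4 12:01:20 vps sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 40010 ssh2
Dec  4 12:02:00 vps sshd[2110]: Accepted publickey for deploy from 192.0.2.10 port 33001 ssh2'

# failed_logins_per_ip LOGTEXT: print "count ip" lines, highest count first
failed_logins_per_ip() {
    printf '%s\n' "$1" \
        | grep 'sshd\[[0-9]*\]: Failed password for' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# offenders LOGTEXT [MAX]: IPs with at least MAX failures (default 3)
offenders() {
    failed_logins_per_ip "$1" | awk -v max="${2:-3}" '$1 >= max {print $2}'
}

# Apply the threshold to the sample; on a real host feed it the auth log instead:
#   offenders "$(cat /var/log/secure)" 5
offenders "$AUTH_LOG_SAMPLE" 3
```

The "Accepted publickey" line is deliberately left unmatched so that a successful key login never counts against its source; only the "Failed password" events are tallied, which is also why moving SSH off port 22 (as suggested above) shrinks this list so quickly.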
Yes, my aaPanel username and password were changed
and the web scripts I have hosted were stolen from my Ubuntu
and I traced where the remote connections came from, and it was from China,
the same network as aaPanel.
Wireshark is the best network app for tracking any hacking.
aaPanel is free open source; what do you expect about this? Nothing in this world is free without any trade.
If it was paid software they would have more security and no hacking, but it's free and open source.
We do not know what is behind it.
Track your PCs using Wireshark.
aaPanel, they are controlling your server and stealing what you have hosted.
Vereato Our code is open source; you can review the code at any time.
As your software is open source, give me the full source code to install on my own
and not install from your servers.
Installing from URL links and from your server, I do not know what comes inside my server.
My aaPanel was changed: my username and password were changed, and I was stopped from adding more websites. I just have 5 websites running and adding more gave me errors.
My username and password were changed and I'm the only person here who has access to the aaPanel, no one else.
I traced using Wireshark and you are remote controlled to aaPanel servers. You guys are stealing people's information and stealing people's websites and information such as credit cards, and have access to databases.
I'll just leave it here
Vereato I always use the same credentials for all my PCs; it's the same password and username.
Hello, I am new to aaPanel. I came to this panel because I was looking for a free solution, an alternative to cPanel/Plesk, and after using Webmin/Virtualmin, CyberPanel and CentOS web admin, I had to find something more stable. I immediately loved aaPanel. But then I faced the same problems as discussed in this thread. Many friends of mine who are pentesters faced the same issues even though they have not used aaPanel. Though I confirm that minutes after fresh installations I got massively attacked by Chinese, US, Russian and some European IPs. I can see that the problem discussed here still hasn't been solved, to the point that somehow our server IPs are leaked or scraped. Below I will explain the solution I followed that solved my problems.
1- I changed the default ports.
2- I changed the admin URI of my website software and created firewall rules to drop connections on the default admin URI.
3- I DID NOT enable Postfix on the webserver; let the experts deal with it. I use Zoho Mail for all my customers and never have to deal with excessive server load because of Postfix, or mail deliverability, or sent messages going to customers' spam folders.
4- I enabled Cloudflare and applied the same firewall rules as on my server's firewall.
5- Now, except for the usual users (100 customers online), I see in my logs that a limited number of the attack bots are just browsing the website, and aaPanel's load is 1-5% and CPU load 0.5-3%.
- Edited
I read that there is a problem with the node list of the installer script. So, I did a little experiment. I installed a new VPS test server. I modified the installer script, removed all node references to the bt.cn domain and left only the US-based node.aapanel.com. After the installation my logs are crystal clear. No attacks, no strange visitors or bots. I wish I knew why this isn't a default setting, as I see in the previous posts since 2020 that bt.cn would be replaced completely from the system at some point!
aaP-aris Please, could you explain which files and procedure you followed to do it?
I got hacked this week and OVH totally banned me because they considered it was me making DDoS attacks and sending phishing mails from my system.
This is the first time I have experienced a situation like this, and it happened casually with aaPanel after 20 days of usage.
Also, which firewall and antivirus do you recommend I install on CentOS 7 and set as a full-time, real-time supervisor? I don't want to perform manual system analysis for all my clients.
Could you also share your firewall settings to block all these identified hackers from Russia and China? Or at least to allow access to the domain only from a specific country?
Thank you very much.
- Edited
aaP_ptakx I edited the installer script as I mentioned already. The installer script is this: http://www.aapanel.com/script/install_6.0_en.sh
Line 146: nodes=(http://node.aapanel.com http://128.1.164.196 http://45.76.53.20 http://dg2.bt.cn http://dg1.bt.cn http://123.129.198.197 http://125.88.182.172:5880 http://119.188.210.21:5880 http://120.206.184.160 http://113.107.111.78);
Replaced it with nodes=(http://node.aapanel.com http://128.1.164.196);
Line 184: NODE_URL='http://download.bt.cn';
Replaced it with NODE_URL='http://node.aapanel.com';
Line 219: curl -Ss --connect-timeout 3 -m 60 http://download.bt.cn/install/yumRepo_select.sh|bash
Replaced it with curl -Ss --connect-timeout 3 -m 60 http://note.aapanel.com/install/yumRepo_select.sh|bash
Line 224: getBtTime=$(curl -sS --connect-timeout 3 -m 60 http://www.bt.cn/api/index/get_time)
Replaced it with my own implementation of unix timestamp api, but you can leave it as is.
Line 670: isHosts=$(cat /etc/hosts|grep 'www.bt.cn')
Replaced it with isHosts=$(cat /etc/hosts|grep 'node.aapanel.com')
Line 673: echo "103.224.251.67 www.bt.cn" >> /etc/hosts
Replaced it with echo "104.21.79.196 node.aapanel.com" >> /etc/hosts
Line 677: sed -i "/bt.cn/d" /etc/hosts
Replaced it with sed -i "/node.aapanel.com/d" /etc/hosts
I used iptables, fail2ban and the free version of NGINX Firewall, as well as Cloudflare. I cannot share my firewall rules because they are paid, but Cloudflare FREE as a proxy should do the work for you too with minimum settings.
For example, if you use WordPress you should definitely change the admin URL, and block the old URIs from your server's firewall as well as from your Cloudflare Firewall. (Edit) Also, you should protect your new admin login URI from failed logins, or throttle/reject/ban the failed login tries to avoid brute force attacks [this is implemented via various plugins and/or firewall settings].
I did not install a mail server such as Postfix; most attacks come from there.
From the Security tab you can change the SSH port. You must change the default ports of any service you can.
I enabled aaPanel login notifications, as well as 2FA like Google Authenticator.
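The installer edits listed above, applied as a script: this is an added example, not the poster's own commands and not anything shipped by aaPanel. It rewrites a locally saved copy of the installer with sed and then counts any remaining bt.cn references, so the two fetches the poster left in place (the yumRepo_select.sh curl|bash and the get_time call) show up for review instead of being missed. The function names are mine; the node host and IP values are the ones quoted in the post and are not verified here.

```shell
#!/bin/sh
# Added example (not the poster's exact edits, nor aaPanel's own tooling):
# patch a locally saved copy of the installer so its download nodes point only
# at the aapanel.com node, then report whatever still references bt.cn.
# Host and IP values are taken from the post above, not verified here.

# patch_installer FILE: rewrite the node list, NODE_URL and /etc/hosts pin in place
patch_installer() {
    f="$1"
    # keep a pristine copy so the change can be reviewed with diff
    cp "$f" "$f.orig"
    # "Line 146": collapse the nodes array to the aapanel.com node and its IP
    sed -i 's|nodes=(.*);|nodes=(http://node.aapanel.com http://128.1.164.196);|' "$f"
    # "Line 184": point NODE_URL away from download.bt.cn
    sed -i "s|NODE_URL='http://download.bt.cn';|NODE_URL='http://node.aapanel.com';|" "$f"
    # "Lines 670-677": the /etc/hosts pin for www.bt.cn
    sed -i "s|grep 'www.bt.cn'|grep 'node.aapanel.com'|" "$f"
    sed -i 's|echo "103.224.251.67 www.bt.cn" >> /etc/hosts|echo "104.21.79.196 node.aapanel.com" >> /etc/hosts|' "$f"
    sed -i 's|sed -i "/bt.cn/d" /etc/hosts|sed -i "/node.aapanel.com/d" /etc/hosts|' "$f"
}

# remaining_bt_refs FILE: number of lines still mentioning bt.cn; anything left
# (the curl|bash of yumRepo_select.sh, the get_time call) must be reviewed by hand
remaining_bt_refs() {
    grep -c 'bt\.cn' "$1" || true
}

# Usage on a downloaded copy (the script name is the one linked in the post):
#   patch_installer ./install_6.0_en.sh
#   diff ./install_6.0_en.sh.orig ./install_6.0_en.sh
#   grep -n 'bt\.cn' ./install_6.0_en.sh
```

Review the diff and the remaining grep hits before running the patched installer; a count of zero from remaining_bt_refs means every download the script performs now goes to the host you chose, while a non-zero count points at the lines that still pull code from elsewhere.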
The IP DBs from https://www.ipdeny.com/ are not outdated and were updated on Sat Dec 4 12:05:34 UTC 2021.
How may I import those file lists into the list or into CentOS 7 iptables?
https://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
and https://www.ipdeny.com/ipv6/ipaddresses/blocks/ipv6-all-zones.tar.gz
- Edited
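One answer to the import question, as an added example (mine, not from the thread or from ipdeny): the zone files in the linked archives are one CIDR per line, so the cleanest way into CentOS 7 iptables is an ipset of type hash:net, loaded with ipset restore and matched by a single iptables rule, rather than one iptables rule per prefix. The set name, the function names and the zone content used in the check are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): turn ipdeny.com country zone files into
# an ipset and drop traffic from it with one iptables rule on CentOS 7.
# Set name and the sample zone content are constructed for illustration.

# zone_to_ipset_restore SETNAME FILE...: emit "ipset restore" input for one or
# more zone files, skipping blank lines and comments. -exist makes the load
# idempotent, so re-running after a zone refresh just updates the set.
zone_to_ipset_restore() {
    set_name="$1"; shift
    printf 'create %s hash:net family inet hashsize 4096 maxelem 262144 -exist\n' "$set_name"
    for zone_file in "$@"; do
        grep -Ev '^[[:space:]]*(#|$)' "$zone_file" \
            | awk -v s="$set_name" '{print "add " s " " $1 " -exist"}'
    done
}

# count_entries FILE: number of prefixes a zone file contributes
count_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | wc -l | tr -d ' '
}

# Apply (needs root and the ipset package: yum install ipset ipset-service),
# using the cn.zone file from the all-zones.tar.gz archive linked above:
#   zone_to_ipset_restore blocklist_cn cn.zone | ipset restore
#   iptables -I INPUT -m set --match-set blocklist_cn src -j DROP
#   ipset save > /etc/sysconfig/ipset && iptables-save > /etc/sysconfig/iptables
# For the IPv6 archive use "family inet6" in the create line and ip6tables.
```

Load the set before inserting the rule, and persist both: the iptables rule refers to the set by name, so on reboot ipset-service must restore the set before iptables-services restores the rule, otherwise the rule fails to load.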
Unfortunately, my very first instance of aaPanel could not afford more attacks. I get frequent Error 502 Bad Gateway from Cloudflare. Many customers are calling to report those incidents because they cannot browse the website normally. Even Cloudflare cannot throttle those bots any more. I see many bots bypass the Cloudflare JS Challenge easily and end up overloading my server. Every time I create new Cloudflare firewall rules the bots get more clever and change their attack methods too. I can see that they are using proxy pools, as every request they make is from a different IP and country, and as a result Cloudflare cannot assume it's suspicious. I get more than 5-6K requests per hour (only from bots). And today, as a result, I lost the customer. As I can see from aaPanel's admins, they don't care about these incidents, as they have not changed the installation script (the bad nodes) since last year, which everybody has been talking about!
I suggest you move to another panel, a panel whose developers care about security! I am really disappointed because I really liked the panel, but it's like I got infected with those bots because of a repository your panel uses to install and update itself!