Unfortunately, my very first instance of aaPanel could not take any more attacks. I get frequent 502 Bad Gateway errors from Cloudflare. Many customers are calling to report those incidents because they cannot browse the website normally. Even Cloudflare cannot throttle those bots any more. I see many bots bypass the Cloudflare JS Challenge easily and end up overloading my server. Every time I create new Cloudflare firewall rules, the bots get cleverer and change their attack methods too. I can see that they are using proxy pools, as every request they make is from a different IP and country, and as a result Cloudflare cannot assume it's suspicious. I get more than 5-6K requests per hour (only from bots). And today, as a result, I lost the customer. As I can see from aaPanel's admins, they don't care about these incidents, as they have not changed the installation script (the bad nodes) since last year, which everybody is talking about!

I suggest you move to another panel, a panel whose developers care about security! I am really disappointed because I really liked the panel, but it's like I got infected with those bots because of a repository your panel uses to install and update itself!

    aaP-aris
    Hello, regarding the script node problem you mentioned, do the following:

    1. Delete nodes other than node.aapanel.com
    2. Delete the time synchronization script connected to bt.cn

    Clearly you did not read my previous posts (#111-#112 & #114) in this thread, as I not only did what you say, but I wrote instructions for the other users on how to do that! The problem is not that I need to modify the installer script, but that you have not already done that for a year now (after so many discussions) to protect your users!!! We should not have to discuss the basics of security.

    Today the authorities stepped in to collect data about the attacks; they've already been informed about the cause of the attacks and we'll see what will come of it! My customer will formally file a complaint and a lawsuit against those responsible.

    As I can see now in the installer script for Debian, all bt.cn links are now in comments and only node.aapanel.com is used, so maybe each subsequent installation may now be safer (?)

    Okay, try explaining that to your customer who's been attacked and lost a lot of profit because of disappointed customers who could not even browse the e-shop website!
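The two posts above talk about removing the bt.cn nodes and the bt.cn time-sync call from the installer, and about the newer Debian installer keeping those links only in comments. The script below is an added example (not aaPanel's installer, nor code posted by anyone in this thread) of the check a practitioner would run on a downloaded install/update script before executing it: list every host it would contact, flag those outside an allow-list, and separately report hosts that survive only on commented-out lines. Only node.aapanel.com and bt.cn come from the thread; the sample installer contents, the URL paths and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not aaPanel's installer or any code from this thread.
# Audit an install/update script for download or time-sync hosts outside an
# allow-list before executing it. node.aapanel.com and bt.cn are named in the
# thread; the sample script and URL paths below are constructed.

ALLOWED_HOSTS="node.aapanel.com"

# Read script text on stdin; print each distinct host found in an http(s) URL.
url_hosts() {
    grep -oE 'https?://[A-Za-z0-9.-]+' \
        | sed -e 's#^https://##' -e 's#^http://##' \
        | sort -u
}

is_allowed() {
    for a in $ALLOWED_HOSTS; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# Hosts referenced on lines that will actually execute (comment lines are
# skipped) and that are not on the allow-list, one per line.
unexpected_active_hosts() {
    grep -v '^[[:space:]]*#' "$1" | url_hosts | while read -r h; do
        is_allowed "$h" || echo "$h"
    done
}

# Hosts that survive only on commented-out lines: harmless today, but worth
# knowing about, because a later update can uncomment them.
commented_only_hosts() {
    active=$(grep -v '^[[:space:]]*#' "$1" | url_hosts)
    grep '^[[:space:]]*#' "$1" | url_hosts | while read -r h; do
        printf '%s\n' "$active" | grep -qxF "$h" || echo "$h"
    done
}

# Print a report; exit status 1 when an unexpected host would be contacted.
audit_installer() {
    bad=$(unexpected_active_hosts "$1")
    echo "== active hosts not on allow-list =="
    printf '%s\n' "$bad"
    echo "== hosts only in comments =="
    commented_only_hosts "$1"
    [ -z "$bad" ]
}

# Constructed sample in the shape of a panel installer (hypothetical paths);
# writes it to a temp file and prints the path.
write_sample_installer() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#!/bin/bash
download_Url=http://node.aapanel.com
#download_Url=http://download.bt.cn
wget -O panel.tar.gz $download_Url/install/src/panel.tar.gz
curl -sS http://www.bt.cn/api/time >/dev/null   # hypothetical time-sync call
EOF
    echo "$f"
}

# Usage on a real download: audit_installer ./install.sh || echo "do not run"
```

Run `audit_installer` against the script you fetched, not against a copy from the panel's own update mechanism, and treat any host in the first section as a reason to stop; the second section tells you which leftovers to keep an eye on after the next update.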

      aaP-aris

      You are right, it is a big problem. I watch the logs in Cloudflare and I see unwanted and unexpected traffic from bots, mainly from China, Singapore, Russia and other countries, searching for the phpMyAdmin URL, searching for files, etc. With some rules I try to avoid them (to reduce them), but of course the spam does not stop there, because spam is also going directly to the IP (unbound domains, etc.; I have set a default site and I see all the traffic and IPs...). Fail2Ban is full of IPs and I have all ports disabled (and enabled for my proxy IP for restricted, safe access) except 443.

        Maybe we should find an alternative panel for better security, or wait for a big update...

          Jimmy Why wait for an update of software that was not built with fundamental security?

            aaP-aris

            So, what free and open source panel do you suggest as an alternative?

              Jimmy Bots are very smart nowadays. They can bypass JS challenges. This says a lot. You should see my Cloudflare dashboard. One minute after I block some countries, the next minute I get requests from countries not seen before in the logs.

              Jimmy I will return to FASTPANEL, which is a perfect free alternative, but it lacks some GUI tools that aaPanel has (which is what caught my attention). You can use them via the CLI though.

                aaP-aris

                Oh yes. I finally found one! I also use FastPanel, and I agree that it is a perfect alternative with quick ticket support and more stability. Some features are lacking, but it is very good on speed, uses different accounts for sites, has very low memory use, and above all Apache + Nginx is perfect (the backend goes very fast). In general FastPanel has logic but needs a better deployment; some parts are a little mysterious.

                CQT Suggestion! Connect the system firewall and GeoIP under one tab. Write the config in such a way that both get the DB from one source (folder) and can access it at the same time. Furthermore, the IP and the entire IP range are queried, which can then be blocked using a button, but the user can decide for himself whether only the individual IP is blocked or the entire network of the IP operator. Then integrate the NGINX firewall into the whole, because on the one hand it is very confusing, and I also think that everything does not work together so harmoniously.

                Which is the full procedure to integrate them all?

                Thank you very much

                To make a unified response: our panel is open source, GitHub address: https://github.com/aaPanel/BaoTa
                In addition, I read most of the responses; some of this is targeted scanning, such as phpMyAdmin's use of port 888 and Redis's use of port 6379. If you do not use phpMyAdmin or Redis, you can remove these ports in the panel's security settings. If you do use phpMyAdmin or Redis, I don't recommend keeping the default ports; you can change them to other ports that are not used by other services. In addition, the services on the panel are accessed via localhost|127.0.0.1 by default, except for the ports that are needed on the panel, such as 8888, 80 and 443.
                We attach great importance to user feedback on security-related issues, because we ourselves are a company that does security operations and maintenance, and if our products are questioned, all our employees feel bad about it!
                Also, if you encounter security-related information during use, you can email our team directly, any one of us! My email address is: power@aapanel.com
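The reply above says that phpMyAdmin on 888 and Redis on 6379 are what the scanners look for, that unused ports should be removed, and that services other than 8888, 80 and 443 are expected to listen on localhost only. The script below is an added example (not aaPanel's code and not posted by anyone in this thread) of how to verify that claim on a host: it reads listening TCP sockets in the column layout printed by `ss -tlnH` (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port), ignores loopback-bound sockets, and prints every externally reachable port that is not on the allow-list. The allow-list comes from the reply; the sample `ss` lines, the loopback rule and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not aaPanel's code. Flag listening TCP sockets bound to a
# non-loopback address whose port is not on the allow-list named in the reply
# (80, 443, 8888). Input follows the column layout of `ss -tlnH`; the sample
# lines below are constructed, not captured from a real host.

ALLOWED_PORTS="80 443 8888"

port_allowed() {
    for p in $ALLOWED_PORTS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# Loopback only: IPv4 127/8, IPv6 ::1, or the 'localhost' name ss prints
# when run with -r. Anything else (0.0.0.0, [::], *, a public IP) is exposed.
is_loopback() {
    case "$1" in
        127.*|'[::1]'|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# Read ss output on stdin; print each externally reachable, non-allow-listed
# port once, numerically sorted. A header line (State ...) is skipped because
# its first column is not LISTEN.
exposed_ports() {
    awk '$1 == "LISTEN" {print $4}' | while read -r laddr; do
        port=${laddr##*:}
        addr=${laddr%:*}
        is_loopback "$addr" && continue
        port_allowed "$port" && continue
        echo "$port"
    done | sort -n -u
}

# Constructed sample of `ss -tlnH` output: panel on 8888, web on 80/443,
# MySQL on loopback only, phpMyAdmin (888) and Redis (6379) on all interfaces.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 511  0.0.0.0:80       0.0.0.0:*
LISTEN 0 511  0.0.0.0:443      0.0.0.0:*
LISTEN 0 128  0.0.0.0:8888     0.0.0.0:*
LISTEN 0 511  0.0.0.0:888      0.0.0.0:*
LISTEN 0 511  0.0.0.0:6379     0.0.0.0:*
LISTEN 0 80   127.0.0.1:3306   0.0.0.0:*
LISTEN 0 511  [::]:443         [::]:*
LISTEN 0 511  [::1]:6379       [::]:*
EOF
}

# On a real host:  ss -tlnH | exposed_ports
# Against the constructed sample this prints 888 and 6379: the two ports the
# reply names, both bound to 0.0.0.0 here.
```

A non-empty result means the panel's "localhost by default" statement does not hold for that service on that host, either because it was reconfigured to bind to all interfaces or because the host firewall is the only thing in front of it; in that case bind the service to 127.0.0.1 (or remove it) rather than relying on a moved port, since the scanners in this thread are enumerating whole ranges, not just the defaults.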

                  Jimmy Maybe we should find an alternative panel for better security or wait a big update...

                  Cyberpanel is much better. They hired Rack911 to help tighten the security. Keep in mind, they were not badly off in terms of security. https://rack911labs.ca/research/security-analysis-of-alternative-control-panels/

                  aaPanel should follow suit.

                  aapanel_power We attach great importance to user feedback on security-related issues, because we ourselves are a company that does security operations and maintenance, and if our products are questioned, all our employees will feel bad about it!

                  You need an independent third-party company to conduct a security audit of aaPanel. There will always be smart asses out there, and that's why an independent audit is important.

                    I personally am sorry for speaking harshly, but I do that (I mean, say sorry) because I am human and also a developer and I know how hard it is to maintain something, especially open source, but I am a perfectionist, and you should be too, because your software is serving a big share of people. Also, you have to understand that your words should follow your actions if you want them to have actual meaning. After a year of comments in this thread I did not see any action on this matter. There is a vulnerability here. Once your users install the panel using the bt.cn node, instantly their cover is blown and they are suddenly exposed to the world and easily exploitable with automated payloads; this is serious stuff. Thank you!