aaPanel_Jose Hey man,

Not the default panel port, ssh port is still standard but ssh pass is very strong.

    TheWormsUnited I have had all of these IPs for years, probably 5 years at this point now, we have around 500 of them. These same IPs were running a different panel, no issues. So we have some issues with the panel here. Hopefully the next update will solve these.

      CQT Yep, we are seeing many of those same IPs. So, more proof it's panel issues. So good we are all working on this together. :-)

        CQT This just fixes one issue though, on the server side, from a provider side (OVH) these are still coming at the IP. We need to find the source more so then block the bad guys.

          I / We and my employees are in the process of working something out, but it still takes a little time.

          As we can see, the firewall and geoip must still be worked on, before aapanel is installed, a proxy must be set up to run the installation. so the ips can no longer be stretched.

          Furthermore, not all countries blockages are accepted by the sys-firewall, there are some problems that have to be fixed beforehand.

          @aaPanel_Jose:

          Suggestion! Connect the sys firewall and geoip under one tab. Write Config in such a way that both get the DB from one source (folder) and can access it at the same time. Furthermore, the IP and the entire IP range are queried, which can then be blocked using a button, but which the user can decide for himself whether only the individual IP (Geoip is blocked or the entire network of the IP operator). Then integrate the NGINX firewall into the whole. Because on the one hand it is very confusing, and I also think that everything does not work together so harmoniously.

          A good approach can be found here: https://gist.github.com/Pandry/21fc0e30abbfd0579ec69c491b99a446

          as I said, just an approach!

          In addition, the purchased DB from https://www.ipdeny.com/ are outdated and have not been maintained since 2014.

            CQT
            I checked the installation script, it just visits a url on aapanel, then aapanel gets the client ip and records it

            I tried to enable HTTPS for the requested URL. Can you help me see if there are any attacks after normal installation?

            In addition, you only need to allow server access, *.aapanel.com *.bt.cn, all functions of the panel can work

                aaPanel_Jose What are we still getting from *.bt.cn? There is no way to move that stuff off of them and onto somewhere else?

                    gacott
                    The domain name of our software download node is download.bt.cn, and there are other nodes in

                    /www/server/panel/data/node.json

                    • CQT replied to this.

                        aaPanel_Jose hello two minutes after the installation the attacks started, not with the ips from node.json, but from the same network operator. We left out the proxy and firewall to see if anything changes and nothing changes. So we can assume that the download requests at the node will be used to track and record the IPS. you have to make sure that the node from bt.cn can no longer be used, we are already trying to load the stuff from the node, but are currently facing problems with it, we had to host the whole thing ourselves, so one clean installation would be possible! So everything that is necessary from the node must be cleaned on another server and first. otherwise aaPanel cannot become what you / your want to achieve. It would also be an absolute risk since all server clients would be contaminated by customers.

                            aaPanel_Jose the api to the node is a problem, as long as you cannot pull the download without the api, you are dependent on the node and as long as the ips can be tracked.

                            the user who creates here via the db: INSERT INTO users (id, username,password, login_ip,login_time, phone,email) VALUES
                            (1, 'admin', '21232f297a57a5a743894a0e4a801fc3', '192.168.0.10', '2016-12-10 15:12:56', 0, '287962566@qq.com');

                            Many of the attacks come from the same, namely from Guangdong Communication Co.Ltd. ASN 9808

                            All attacks are conducted via our own proxy servers or others, but ultimately from the regions of BT.CN and Shenzhen Tencent Computer Systems Company Limited ASN 45090

                            backlinks like libList.conf :: "help": "http://www.bt.cn/bbs",
                            it is very helpful to prepare such attacks, because they alone provide enough information about which ip the panel is installed on.

                                CQT Great info, this is what I was getting at and thought something like this was going on. IMO, if we (as a community) want to see this become a successful panel, we need to disengage this from bt. Also, yeah I think this very well may be how they are getting in.

                                CQT the user who creates here via the db: INSERT INTO users (id, username,password, login_ip,login_time, phone,email) VALUES
                                (1, 'admin', '21232f297a57a5a743894a0e4a801fc3', '192.168.0.10', '2016-12-10 15:12:56', 0, '[287962566@qq.com](mailto:287962566@qq.com)');

                                      still waiting for response! I have use aapanel on several VPS and everything is OK! Aso I use the Chinese Version BT Panel. ..

                                      Baidu is NO1 SE company in China so I think someone is using their IP as bridge to attacke

                                      or maybe it's Baidu's spider ? try to ban the Baidu's spider in the robots.txt

                                        waikey It would be a SUPER aggressive spider. Blocking in robots.txt will do nothing, these are attacks on ports.

                                          waikey We don't want to come to China and data protection now, it doesn't matter which company comes from. China has never been a country that values data protection. That's why I don't put everyone under general suspicion, but I trust state-owned companies like my ex-wife. Not directly related to aaPanel, but to NO1 SE. Everyone knows that everything and that is spied on and I also know a little bit about the politics of China. According to this sentence, I would be a dead man in China.

                                              aapanel_user WTF are you talking about? I'm trying to help make a better panel, HERE! Why are you talking about forking it? Is there something wrong about contributing to this project? Do I have to fork and start my own to contribute?

                                                CQT you clearly dont know what you are talking about. I lived and visit China several times per year so your affirmations are not accurate at all. I am sorry thats not correct.

                                                China offers several business and services, we cannot state and talk about politics on a webhosting control panel forum, makes no sense at all. Let's keep it to the topic.

                                                • CQT replied to this.

                                                    TheWormsUnited you're right politics has no business here. I will hold back in this regard in the future.
                                                    We all want the same thing, that aaPanel gets better and spreads more