ZPanel hosting control panel - your opinion?

littleguy

Working as a freelancer, I am looking to offer clients web hosting that they can manage themselves if needed.

Found ZPanel http://www.zpanelcp.com/ - which seems perfect for my needs.

What are your guys opinion on ZPanel as opposed to more popular panels such as Webmin, cPanel etc?

ghoulnet

I installed it recently to see how it performed and it feels like it's just been slapped together without much thought.

Installing is very straight forward, but I wouldn't let any clients loose with it in it's current state.

jhadley

Don't use that. I found this late last night - you can get a Plesk 11 (I know it's Plesk but v11 in "Service Provider" mode is actually really nice!) licence for under 2 euros a month: https://www.netsys-online.de/

Bought mine yesterday, came through in a few hours and working fine.

littleguy

@ghoulnet said: I wouldn't let any clients loose with it in it's current state.

What do you mean?

@jhadley said: Plesk 11

Will check it for sure. Tried Webmin but thought it was a bit too bloated for my needs. It also made my server idle at 0.10 load just because it keeps running background processes all the time. I really just need a super-simple admin, mostly for myself. Client isolation isn't critical (but nice to have!) as I maintain all the applications of each client.

eastonch

Isnt zPanel the one where the devs are crazy on WHT and act like kids?

Victor

It's alright, I use it myself, not much issues.

joepie91

It has some serious security issues in its current state.

littleguy

@joepie91 said: It has some serious security issues in its current state.

Links to issues? Since I will only run private clients I can protect the login page behind standard http auth so most automated/probe attacks should be impossible.

connercg

The biggest issue I have wtih ZPanel X is not being able to run Ajaxplorer. I use eXtplorer instead, and...

WebSec to provide a full security audit of ZPanelX

forums.zpanelcp.com/showthread.php?7724-WebSec-to-provide-a-full-security-audit-of-ZPanelX

littleguy

@connercg said: not being able to run Ajaxplorer.

You mean it's not available as a core plugin?

@connercg said: WebSec to provide a full security audit of ZPanelX

Is it done yet? The post is almost four months old..

connercg

@littleguy

You mean it's not available as a core plugin?

I've not seen it as a core plugin, and I'm surprised no one has made it so.

Is it done yet? The post is almost four months old..

They released 10.0.0.0 and there have been bug reports about permission issues with WWW not reading or executing files uploaded via FTP. there were a couple issues wit the Dovecot as well, 10.0.0.1 is in BETA with the new installer right now, (been BETA for a couple months already) and I suspect that's why the Websec post is a few months old now, they'll probably update to resubmit 10.0.0.1.

They did say in the forums they expected an update after the initial release to address bugs and issues as 'X' aka 10.0.0.0 was a rewrite.

I only remember one security issue coming up and a hotfix was put in place quickly. I believe it's still in the announcements section.

littleguy

@connercg said: 10.0.0.1 is in BETA

I've been playing around with it and so far stuff seems to work well. Now I just pray Dovecot is setup correctly, that's usually the most PITA to get working.

I haven't quite understood how ZPanel runs Apache, is it mod_php? How does it handle multiple users?

joepie91

@littleguy said: Links to issues? Since I will only run private clients I can protect the login page behind standard http auth so most automated/probe attacks should be impossible.

I've found and reported several issues myself, and those have been mostly fixed (two arbitrary code execution vulnerabilities and an SQL injection vulnerability), but some security issues remain (one of which can be exploited by reseller and up) - and I don't doubt that undiscovered issues exist, as the code style is very inconsistent (meaning it's easy for developers to overlook something). Seriously, in a security sense, you do not want to use ZPanel in its current state for anything serious.

@connercg said: WebSec to provide a full security audit of ZPanelX

WebSec missed a considerable amount of vulnerabilities - quite obvious ones, too.

@littleguy said: I haven't quite understood how ZPanel runs Apache, is it mod_php? How does it handle multiple users?

Apache + mod_php is used, all processes run under the same user, Suhosin and open_basedir restrictions are used to prevent users from escalating their access to other users. Seems to work pretty well.

connercg

@littleguy said: I haven't quite understood how ZPanel runs Apache, is it mod_php? How does it handle multiple users?

I haven't had the need to run the particulars down yet -- I suspect they are using mod_php, it would explain the permission issues between Apache and the FTP User.

connercg

@joepie91

There may be some issues, but it would almost certainly be better than Kloxo at this point in time.

joepie91

@connercg said: There may be some issues, but it would almost certainly be better than Kloxo at this point in time.

Why is that?

jkr1711

Not too bad for the price; just wish they'd get some sort of Nginx/Lighttpd support

connercg

@joepie91 said: Why is that?

There is minimal development with Kloxo for several months now, and they are only supporting PHP 5.2.x at the moment. You can upgrade to 5.3 but there is no official support for it. Additionally, scripts are moving to 5.3 so more things will begin not to work on Kloxo. It's irrelevant to me as long as the packages are secure and it support current scripting. their codebase seems secure for the time being, but PHP 5.2 will become a larger issue in the future.

littleguy

@joepie91 said: Suhosin and open_basedir restrictions are used to prevent users from escalating their access to other users.

This is pretty awesome. My biggest gripe with Webmin that it didn't give you this kind of security without running FCGI, which completely breaks APC caching. (each fcgi child has own cache)

@jkr1711 said: Not too bad for the price; just wish they'd get some sort of Nginx/Lighttpd support

I'm thinking about amending this by running Squid in accelerator mode on top of Apache to increase the speed of static assets.

kalam

No one has mentioned ISPConfig 3 yet. I've looked at it, but never tried it myself yet. Can anyone that has used it chime in on the pros/cons?

joepie91

@connercg said: There is minimal development with Kloxo for several months now, and they are only supporting PHP 5.2.x at the moment. You can upgrade to 5.3 but there is no official support for it. Additionally, scripts are moving to 5.3 so more things will begin not to work on Kloxo. It's irrelevant to me as long as the packages are secure and it support current scripting. their codebase seems secure for the time being, but PHP 5.2 will become a larger issue in the future.

I don't really see how that is worse than several arbitrary code execution vulnerabilities and an SQLi that allows you administrator access without any kind of authentication...

@littleguy said: This is pretty awesome. My biggest gripe with Webmin that it didn't give you this kind of security without running FCGI, which completely breaks APC caching. (each fcgi child has own cache)

Another thing to be aware of regarding FastCGI is that if you want to have a different cache per user, it will incur quite some RAM overhead. From the top of my head, it's 1-2MB per user.

@kalam said: No one has mentioned ISPConfig 3 yet. I've looked at it, but never tried it myself yet. Can anyone that has used it chime in on the pros/cons?

I've used an older version of ISPConfig a long time ago, found the interface quite painful to work with - but that may have changed.

Torquemada

@jhadley said: Don't use that. I found this late last night - you can get a Plesk 11 (I know it's Plesk but v11 in "Service Provider" mode is actually really nice!) licence for under 2 euros a month: https://www.netsys-online.de/

Bought mine yesterday, came through in a few hours and working fine.

Can you confirm for me that it's Plesk 11 that you purchaced?

I'm only seing Plesk 9.5 and 10

Thanks

littleguy

@joepie91 said: Another thing to be aware of regarding FastCGI is that if you want to have a different cache per user

The overhead is actually your apc.shm_size size. So if it's set to 128MB you are looking at that times the number of your users in worst-case.

Also depending on the configuration the APC cache can also be per thread (worker), which immediately kills your server since standard config can happely spawn hundreds of threads.

Zero

@Torquemada said: I'm only seing Plesk 9.5 and 10

I've bought a Plesk v10 license (from another reseller) and then installed Plesk v11 and everything was fine.

jhadley

@Torquemada said: Can you confirm for me that it's Plesk 11 that you purchaced?

Plesk 10 licences are good for Plesk 11.

SonicVPS

Wait for joepie91's release, I believe he is recoding it from scratch.

HalfEatenPie

@SonicVPS said: Wait for joepie91's release, I believe he is recoding it from scratch.

No, he's just re-writing portions of it and closing the security vulnerabilities.

joepie91

@HalfEatenPie said: No, he's just re-writing portions of it and closing the security vulnerabilities.

Well, no, I'm actually rewriting the core from scratch, I'm just leaving the UI intact :)

Jeffrey

For some reason, I've always viewed the development of ZPanel and the actual control panel to be a complete mess and a joke.

littleguy

@Jeffrey said: For some reason, I've always viewed the development of ZPanel and the actual control panel to be a complete mess and a joke.

Care to elaborate? From my tests it seems to work perfectly fine and do what it says on the tin.

risharde

I'd like to know more about zpanel vs kloxo vs panel w.r.t security and facts hopefully as well