VestaCP vs CentOS Web Panel vs... ?
Hi,
I've been running VestaCP on 2 VPS boxes since 2016 or something.
Despite all the security breaches in Vesta, I was never under attack (lucky maybe); everything is updated and running well, but I'm open to changes of course.
So, for those who have experience with these two control panels (or others, free for 1 or 2 domains without an email server), what is your opinion?
Sorry for the bad English.
Comments
VestaCP, never had any issue so far.
$7
what?
Virtualmin and lately CyberPanel is interesting.
CyberPanel all the way, only missing Softaculous tho
Personally, I find Virtualmin/Webmin utterly confusing and overly complex, especially compared to cPanel. For my own servers, I use Centoswebpanel, where at all possible. For the 'enforced' debian installs, I'm going to give VestaCP/Froxlor a try, primarily 'cos I don't have time/inclination to mess about setting up ISPConfig.
Prerequisites: easy DNS, able to rip out fail2ban in favour of csf, easy Let's Encrypt. To name a few.
That's always the fun question. Do you go with the one who just learned something about vulnerabilities or the one who hasn't yet? Is one because they're bad and the other because they're good, or is one a more highly sought target than the other because it has higher adoption?
Someone smarter than me can actually answer some of those questions, but usually not all of them. For example I've not seen anyone dive into the code of CentOS Web Panel to see how secure it is, and I don't know if its lack of inbound attacks is evidence of better coding practices or evidence of low adoption.
Vesta works but you do need to be able to self support as most hosting providers don't offer it. CentOS web panel is even more obscure in that regard. Given all the merging / acquisitions of the software hosting providers use we probably need to start working on getting familiar with these other options vs having cPanel dictate terms to us.
I'm migrating from VestaCP to ISPmanager atm.. not free indeed, but I've got a cheap license from a previous thread. Able to select PHP version and web server (Apache/nginx), easy and also fun to explore..
I just did a cursory glance over at CyberPanel, but does it automatically secure your server and does all the "hard work" (more or less like cPanel) or does it let you set up your server freely (like Virtualmin)?
There's little doubt that cPanel is a more polished (commercial) product than (free) Webmin/Virtualmin.
At the same time, the last time I checked, cPanel was both invasive and effectively required CentOS, whereas Webmin/Virtualmin is non-invasive and works on a number of Linux distributions.
It ultimately depends on what you want or are looking for.
Yes, apples and pears.
Re: Webmin. Manually pointing to SSL certs; the DNS chore etc.
CWP is much better in that respect and the free version isn't too crippled (I have one full licence). For daily management, an integrated solution saves much time.
Webmin does have an easy LVM interface though, once the physical partitions have been laid out.
True, maybe it was my fault for not specifying what the usage/scenario will be:
What I don't need:
Not sure how intertwined it is with the OS. I just started using it and testing a couple of weeks ago.
I did see firewall setup and things like that in the webUI.
@cyberpersons Should be able to provide a better answer.
I am using fastpanel for some WordPress sites.. so far so good...
Installed on Debian 9.
The default installation of CyberPanel comes with firewalld and only necessary ports open. The latest version also has basic csf functionality (enabling csf will disable firewalld).
If you don't require some services you can also disable them: https://docs.cyberpanel.net/doku.php?id=manage-services
On the control panel side it is written in Python (Django) so SQL injection does not work on Django. Django templates also escape HTML to prevent Cross Site Scripting. OS Command injection is also not possible. But no system is 100% secure; rest assured it is updated regularly.
For your websites you can use open_basedir protection to box them: https://docs.cyberpanel.net/doku.php?id=open_basedir-protection
I really like it so far, however, there are a few things that I still do not like.
Other than that I highly recommend it and it is being updated quite regularly
I'm being sweeping here, but does that mean that a minimal OS install + OS update + CyberPanel install and you're good to go? No other server hardening steps needed?
Bash.
+1 for CyberPanel. Use it for our free hosting. A few issues now and then but nothing contacting @cyberpersons won't fix.
He is extremely responsive and goes the extra mile to assist resolving the issue.
CyberPanel already has an SSL feature with LetsEncrypt. You can add a certificate when needed. There is also a hostname and mailserver SSL by LetsEncrypt.
You will always need to keep on top of your own security. No control panel will do that for you.
You can harden via the panel if needed but it is not automated.
I know, but you would have to go to edit website and then re-issue SSL (for end-users); as SSL is already on the launcher, it would be easier for end-users.
Very true. For the end user it is a headache.
We manually have to add SSL to client sites once a week unless they send a support ticket requesting it sooner. No one on free hosting comes with a paid certificate lol.
@cyberpersons can automated SSL for endusers be looked into as a feature request?
Yes, I will automate the SSL process in next release but Manage SSL will still be there just in case.
Being a control panel n00b here: but aren't cPanel and DirectAdmin designed to be somewhat like that, that is, the server is automatically hardened as you install and update them?
Another one bites the dust:
No VestaCP for SYS Storage, then. I had chosen to NOT install nginx!
You are most vulnerable when you think you are automatically secured by a panel software. As widely said, security is a never-ending process. If you want to operate and self administer a Linux server, you should definitely learn the basic security practices and ensure they are in place without just relying on automated panel setting.
If you don't need mailbox management then Centmin Mod. Nice tool, a bit complicated as there is a ton of unstructured documentation, but damn it's fast!
@claudiof This is a bit dated but might help with setting up Virtualmin https://www.lowendtalk.com/discussion/18133/virtualmin-security-guide-part-one-22-images Google or someone here might have more modern answers.
I like Virtualmin mostly for the backup and restore tool
No, I would not agree with that.
For me, cPanel and DirectAdmin are marketed and presented in a way you could be forgiven for thinking they will handle all of your security issues out of the box (plug and play) but that is in fact not the case at all.
cPanel makes it extremely easy to confine most of a server's security within the panel but it does not do this automatically as mentioned in my earlier post.
Extra security measures, for example changing your MySQL port, removing password login, or even changing your SSH port (which should preferably be done as soon as your server is live rather than waiting for the panel to install and then changing it via the panel), are not automatically applied features of any panel. You still have to manually configure them.
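Added example, not part of the thread: a short script that checks whether the SSH measures named in the comment above (password login removed, SSH port changed) are actually in effect in an `sshd_config`. The function names and both sample configs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): check an sshd_config for the SSH
# settings named above. Only the global section is read: lines after the
# first "Match" apply conditionally, and "Include" files are not followed.

# sshd_values KEYWORD < config : print every global value set for KEYWORD
sshd_values() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        NF == 0 || $1 ~ /^#/ { next }      # blank lines and comments
        { sub(/[ \t]*=[ \t]*/, " ") }      # "Keyword=value" is also legal
        tolower($1) == "match" { exit }    # end of the global section
        tolower($1) == want { print tolower($2) }
    '
}

# audit_sshd < config : one finding per line, returns 1 if any is WARN
audit_sshd() {
    local cfg pw ports rc=0
    cfg=$(cat)
    # sshd keeps the FIRST value it reads for a keyword; the default is "yes".
    pw=$(printf '%s\n' "$cfg" | sshd_values PasswordAuthentication | head -n 1)
    # Port may be repeated (sshd listens on all of them); the default is 22.
    ports=$(printf '%s\n' "$cfg" | sshd_values Port | tr '\n' ' ')
    ports=${ports:-"22 "}
    if [ "${pw:-yes}" = "no" ]; then
        echo "OK   password login disabled"
    else
        echo "WARN password login enabled"; rc=1
    fi
    case " $ports" in
        *" 22 "*) echo "WARN sshd listens on the default port 22"; rc=1 ;;
        *)        echo "OK   sshd listens on: ${ports% }" ;;
    esac
    return "$rc"
}

# Constructed sample: the first PasswordAuthentication wins, so the later
# "no" lines change nothing and password login stays enabled.
SAMPLE_WEAK='PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no'

# Constructed sample with both settings changed.
SAMPLE_HARDENED='Port 2222
PasswordAuthentication no'

printf '%s\n' "$SAMPLE_WEAK" | audit_sshd || true
```

On a live server, `sshd -T` prints the effective configuration with `Include` files resolved and is the authoritative check.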
CyberPanel, worth your conversion, at least a try.