
Comments
In other words, it's yet another reminder that quality control in modern software often feels like a "joke"—what a shock.
@Chunkserve – I truly respect providers who have the resources and determination to develop their own control panels and provisioning systems. Wishing you success and as few flaws as possible in the journey ahead. It's a big task, but the long-term control and reliability it brings are worth it.
Unfortunately, your own software is also not given any guarantees for security. Software development is not as easy as it might seem. You need a large budget, high-level developers, high-security experts, and high-level testers, among other things. And even if you follow these guidelines, you are not guaranteed to be free from problems. There are many cases of security breaches even in state-of-the-art systems.
However, there is one positive aspect to self-development software. Usually, hackers do not target them because they are too difficult to use compared to the potential revenue.
Making your own panel is not in the budget for many providers, and frankly is overkill. As @rustelekom mentioned, you can unknowingly write your own security holes or bugs into your new panel that established panels have already patched out from their years of experience and bug reports. I commend the initiative and effort to go your own way and fully agree that commercial software is both expensive and mediocre (if not rubbish) nowadays, but please don't get into a false sense of security either that hackers won't be able to hack your custom code. It's not always safer or better to reinvent the wheel.
Frankly no software in the world is safe from stuff like zero-day exploits. Not even Debian, and if you use Windows on any machine (PC or server), you're already waiting to be 0-day'd in due time. Just make sure you enforce good practice like following all the recommended practices (that includes hashing passwords, I still can't believe people store plaintext passwords to this day).
I imagine it'd be cheaper to hire pentesters or contract out a security audit to review your systems and correct deficiencies than to develop a full blown panel. But I'm not a software developer or IT guy so I can very well be talking out of my ass too.
Made a mental note to buy some more servers from @Chunkserve when I can because they're taking customer data security seriously and that should be rewarded 👍
how about
Virtfuuuuuuuuuuuuuuuuuuuuuuusion
But we are not talking about the log in password to the panel, but the root password of the installed VPS - I am not sure why you would want to store the root password of the VPS in the panel at all, but if you need to do that (for whatever reason), storing a hashed password will likely not work for what you would want to achieve.
Also, as a user, best practice would be to change the root password of a freshly installed VPS anyway (not via the panel).
Not the best - users should rely on SSH public keys instead. In such a case there would be no need for a root password (from a control panel perspective) at all.
And what if it also gets hacked? What else is here?
vmware?
or proxcp
So Virtualizor stores newly provisioned servers' passwords in the database??
That's in VirtFusion's case.. in Virtualizor and other panels, despite using SSH keys, you need to enter a root password when installing. Best practice is to go with a random pass and change it later in the terminal, not from the panel.
Technically speaking, VirtFusion does so as well, in the email log. Thus I highly recommend enforcing a policy of password reset on first login for all providers seeing this.
Btw, Skhron enables this policy for all templates. And the best option is to just use SSH public keys.
Okay, I could not even imagine that Virtualizor does so. In that case you are correct, but what I meant is that if done properly, SSH keys are the best option.
Thing is, I would just send out an email with the password and ask in the email to change the password immediately, or at least not save the initial password in the database (not sure if Virtualizor does that, never used it).
I would say it's more secure to uninstall both sshd and qemu-guest-agent and then turn off the public virtual network interface. I have done it on several of my VPS and it has greatly reduced the risk of security compromise.
Doesn't work. Most humans are lazy (I hope I am wrong but here we are). I prefer doing passwd -e root as it actually enforces a password change policy. Below is a snippet from man passwd:
No you're not wrong, Hetzner does this by default: they ask you after SSH login to change the password, it's forced.
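The provisioning-side version of the policy discussed above (random root password, forced change on first login, SSH keys preferred), written here as an added illustration and not code from any panel or poster in this thread. It assumes a Linux guest with shadow-utils passwd/chage and, for the cloud-init path, a cloud-init release that accepts the chpasswd "users" list and a users entry for root.

```shell
#!/bin/sh
# Random root password that must be changed on first login, so a copy kept
# in a panel database or sent by e-mail is single-use. Added example;
# assumes shadow-utils (passwd -e / chage) and a recent cloud-init.

# 24-char alphanumeric password from the kernel CSPRNG (not shell $RANDOM).
gen_root_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# Emit cloud-init user-data that sets the password and expires it at once.
# $1 = password, $2 = optional SSH public key; when a key is supplied,
# password SSH logins are switched off so the password only works on console.
render_user_data() {
    pw="$1"; key="${2:-}"
    printf '#cloud-config\n'
    printf 'chpasswd:\n  expire: true\n  users:\n'
    printf '    - name: root\n      password: "%s"\n      type: text\n' "$pw"
    if [ -n "$key" ]; then
        printf 'ssh_pwauth: false\n'
        printf 'users:\n  - name: root\n    ssh_authorized_keys:\n      - "%s"\n' "$key"
    fi
}

# Same policy applied to an already-running guest (must run as root).
# passwd -e marks the password expired; chage -d 0 is the equivalent where
# the -e flag is not available.
expire_root_now() {
    passwd -e root 2>/dev/null || chage -d 0 root
}

# Returns 0 when root's password is flagged as needing a change
# (shadow-utils "chage -l" wording; assumption for other implementations).
root_password_expired() {
    chage -l root | grep -q 'password must be changed'
}
```

Pipe the output of render_user_data into the image's user-data and the guest boots with a password that is unusable a second time; expire_root_now covers templates that were already provisioned with a stored password.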
uninstall sshd?
everyone should use rsh anyways
Any other providers using Virtualizor and are impacted by this?
rsh is a security risk, it enables remote execution of code just like ssh
I have a couple of services which use this panel.. will tag them here, so they can be aware of this problem. Not saying they are impacted tho..
@naranjatech
@hostdare
@LiteServer
@Chunkserve
Waiting for new database
We use it for legacy VMs. We moved to VirtFusion for new VPS plans earlier this year, but are not migrating customers from old Virtualizor nodes to new VirtFusion nodes since there is no real sane way to do it and it'd probably take a month to complete.
Rotated API keys and checked things on our master Virtualizor panel. Seems fine but will await further announcements by Virtualizor or the attacker or Colocrossing to give a better idea of how this was achieved. Seems like only Colocrossing was impacted thus far.
Kinda cringe bro.
Who the hell uses naranja?
It appears that they are starting to delete VMs, as per their telegram channel?
No idea, but a dumb ass witch hunt also doesn't work. But it's LET.
I'd say most companies offering VMs for longer than 2 or 3 years are using Virtualizor. VirtFusion is great but (imo) it's only become a real contender in the last two years. Before then the market share was mostly Virtualizor, since those using Solus are few and far between and there are not a ton of great options for Proxmox end-user front ends.
What?!