ZPANEL review needed by lowend users for april 2014 only

24

Comments

  • Sh*tpanel

  • W1V_Lee said: I have to admit I did think that.

    Doubt no further, because http://lowendtalk.com/discussion/comment/317747/#Comment_317747

  • Well, where is the proof, people, that zpanel is safe? So far zpanel seems not good, though there is no actual proof it is not good as of April 2014. Until someone proves zpanel is good it is not a panel anyone should use... which is sad, as I said before I do like zpanel quite a lot : (

  • Or maybe he is just a nice guy who knows stuff about zpanel and doesn't mind helping?
    Stop the nonsense hating for a moment and bring real facts if you can: Are there known exploits for zpanel as of April 2014? No, there aren't. If you know any you are encouraged to post them publicly here and then we will see how fast the developers react. Otherwise you are just making a lot of noise for nothing.

    About what happened in the past: I don't know these stories and can't take sides on this matter, but seriously who didn't make mistakes in the past? We shouldn't trust anyone if we keep on judging people because of past mistakes.

    I currently use zpanel and ajenti V for my private websites. Both are working great so far and RAM consumption is similar (ajenti is slightly lighter). zpanel is much easier to use and has some great out of the box features. I would absolutely recommend it for private use.

  • Maounique Host Rep, Veteran

    I hate zPanel with a reason. It is the main cause of hijacked sites, spam, outgoing DoS and phishing.
    I do not care what version it is, people say, hey, was just zPanel with a couple of blogs, then I point them to some security issues with it and usually they understand. If it happens again, then there is the door. But even if it happens once, why do we have to clean up just because the user doesn't want to understand? If it was insecure once and devs didn't want to hear about it, then, unless all the devs changed, it will remain insecure as long as they are there at least.
    There are free, easy to use, as well as feature-loaded panels out there, why should we have to lose time and money with this one? Users are free to use it, fine, but it is not free for hosts to clean up the mess. This is why I hate it, it is an uphill battle here where I have little chance to win.
    Understand?

    Thanked by 1GIANT_CRAB
  • @Maounique said:
    I hate zPanel with a reason. It is the main cause of hijacked sites, spam, outgoing DoS and phishing.
    I do not care what version it is, people say, hey, was just zPanel with a couple of blogs, then I point them to some security issues with it and usually they understand. If it happens again, then there is the door. But even if it happens once, why do we have to clean up just because the user doesn't want to understand? If it was insecure once and devs didn't want to hear about it, then, unless all the devs changed, it will remain insecure as long as they are there at least.
    There are free, easy to use, as well as feature-loaded panels out there, why should we have to lose time and money with this one? Users are free to use it, fine, but it is not free for hosts to clean up the mess. This is why I hate it, it is an uphill battle here where I have little chance to win.
    Understand?

    Sorry, but if I'd have to stop using all the software that has had an exploit at some point (including paid software like cpanel, whcms, etc.), I wouldn't be using any software at all. I understand what you are trying to say and the frustration that it can bring to have an exploited customer, but people make mistakes (I bet you made some also, didn't you? ;) ) and most of the time they deserve a second chance in my opinion. I don't know any of the "they didn't want to know about the exploit I reported omg"-drama, but as far as I can tell the exploits have to be fixed by now, as there are no known exploits at this time. Yes, there are alternatives, but concurrence is always a good thing and I think zpanel is exceptionally easy to use and feature packed. I may be proven wrong in the future, but for now I don't see any reason not to use it for personal website management.

    Anyway, I respect your opinion and understand it perfectly, even though I don't agree. ;)

  • Maounique Host Rep, Veteran
    edited April 2014

    DarioX said: as there are no known exploit at this time.

    The issue is right there.
    What if there are known exploits, just not known by the general public? What if the admins deleted threads about exploits, what if they refused to look at issues signaled in PMs, what if some people got frustrated by that and are selling those exploits to criminals?

    There are no known exploits... Is it because they have not been discovered yet or because the admins did all possible to stop them from becoming known? After a while you get better on PR and spinning the facts than on programming, that is the most dangerous situation.

    The facts remain, out of all known hacking cases, zPanel has the lion's share. This is not my opinion, it is a fact I have to deal with. Never heard of hacked Virtualmin in our range, never heard of hacked cPanel, never heard of hacked VestaCP. Perhaps they are having issues too, nothing is perfect, and the cause for many unsolved hacking cases could be one of those panels, but statistics don't lie, there is a problem with zPanel. Much bigger than in other panels, as such it is subpar at least.

    Thanked by 1GIANT_CRAB
  • so still confusing, I messaged the ops on zpanel to prove their panel is up to scratch, don't know if they will post here though. Basically I won't use zpanel until I see proof it is good. I do not see a result coming from this thread as to yes or no, opinions are too mixed : ( that also includes the poll, mixed as well lol!

  • I see, ok, well if zpanel don't reply I guess that's zpanel for April 2014 as no, it is not a good panel and is still a security issue and is not recommended unless anyone can show recent proof that it is good

  • @GIANT_CRAB said:
    Anyone else thinks that active8 is one of those lousy zPanel devs too?

    Problems with reading? I told you earlier I'm not a developer or even someone from their team, just a happy zpanel user!

  • Because I helped someone you think I'm from the zpanel team?
    Get a life

  • @sz1hosting said:
    I see, ok, well if zpanel don't reply I guess that's zpanel for April 2014 as no, it is not a good panel and is still a security issue and is not recommended unless anyone can show recent proof that it is good

    and what do you think their reply would be able to prove?

  • was looking for a reply showing testing of zpanel brute force etc and if the file manager is easily hackable and ftp, they were the loopholes last time and as far as I know they are

  • If you want your site to be hacked then use zpanel.

  • Lee Veteran
    edited April 2014

    I can't say if it has improved or not, I have not been back to Zpanel since I got banned for posting on their forums about an exploit I found which they would not comment on. They did fix it eventually though.

    I like Zpanel in terms of its ease of use however free or otherwise it needs to be secure, also as important is that it needs a team of developers who are open, honest and ready to accept feedback from the very people that can tell them what issues the panel may have and benefit from that feedback.

    For whatever reason the folks over there don't like that kind of feedback and as a result it makes it hard to be able to trust them.

    Thanked by 1Maounique
  • Maounique Host Rep, Veteran

    sz1hosting said: was looking for a reply showing testing of zpanel brute force etc

    Brute force has nothing to do with exploits, usually. You just test passwords or stuff. Sure, it should not be possible, after a few attempts you should be banned temporarily, but an exploit is a different thing. For example, you can send a specially cooked request to the panel and it will return the admin password from the database. That is an example of an exploit. It could also return all the database in a file to download, or will give you full admin access even without knowing the password, or you will be able to upload files there and execute them, etc.
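
Added example, not part of the thread or of any panel's code: the temporary ban after a few failed logins that the comment above describes, replayed over constructed login events. The thresholds, the `LoginThrottle` class and the sample addresses are assumptions; as the comment notes, this only limits password guessing and does nothing against a request that exploits a bug in the panel.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed threshold for "a few attempts"
WINDOW_SECONDS = 300    # failures are counted inside this sliding window
BAN_SECONDS = 900       # length of the temporary ban

# Constructed sample events: (unix_time, source_ip, login_succeeded)
SAMPLE_EVENTS = (
    [(1000 + 10 * i, "203.0.113.7", False) for i in range(8)]        # guessing run
    + [(1005, "198.51.100.4", False), (1020, "198.51.100.4", True)]  # one typo, then ok
    + [(2070, "203.0.113.7", False)]                                 # after the ban expired
)


class LoginThrottle:
    """Temporary per-source ban after repeated failed logins (hypothetical helper)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, ban=BAN_SECONDS):
        self.max_failures, self.window, self.ban = max_failures, window, ban
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned_until = {}               # ip -> time at which the ban ends

    def is_banned(self, ip, now):
        return self.banned_until.get(ip, 0) > now

    def record(self, ip, now, success):
        """Process one attempt; return 'rejected', 'ok', 'failed' or 'banned'."""
        if self.is_banned(ip, now):
            return "rejected"                # refused before any password check
        if success:
            self.failures.pop(ip, None)      # a good login clears the counter
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.banned_until[ip] = now + self.ban
            recent.clear()
            return "banned"
        return "failed"


def replay(events):
    """Feed events in time order through a fresh throttle; return (ip, outcome) pairs."""
    throttle = LoginThrottle()
    return [(ip, throttle.record(ip, t, ok)) for t, ip, ok in sorted(events)]
```
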

  • oh I see, ok, well it seems zpanel is doing ok then lol. I feel like this thread will never end, if possible can an admin of lowendtalk give the final opinion and close the thread?

  • Lee Veteran
    edited April 2014

    It's not really the role of an admin to summarize a thread for you. You appear to be a provider of hosting services which is a bit odd that you need to be asking about things like brute force.

    It's up to you to take or leave the comments made on this thread and formulate your own way forward. However if you feel that based on what you have read here that Zpanel is doing ok then either you have not read the thread correctly. Or are choosing to ignore the comments because you don't want to hear them and all you really wanted was someone to tell you it's ok to use Zpanel.

  • I would appreciate it if you don't close this thread. I have been using zpanel for a couple months now without knowing the security risk. Anyways, thanks to this thread I have moved on to ajenti v. It's really nice.

    Thanked by 1Maounique
  • edan Member

    @JMackey said:
    I would appreciate it if you don't close this thread. I have been using zpanel for a couple months now without knowing the security risk. Anyways, thanks to this thread I have moved on to ajenti v. It's really nice.

    The security risk for the latest version is still unknown, many members here judge based on the old version (has been fixed now) and not the latest version.

  • Maounique Host Rep, Veteran
    edited April 2014

    edan said: many members here judge based on the old version

    You and many others are missing the point.
    The issue is not that it was insecure in the past, the issue is that admins and programmers did not WANT to patch the issues people were POSTING for them. It is unlikely that changed, they probably still try to hide exploits from the general public and make it possible for criminals to act undercover. Not every user (and especially not a zPanel typical one) will take time to analyze the traffic from the server to see if it is hijacked or not. Most find out from the host and some even contest that, say it is not possible, they only had zpanel, didn't even move the sites, we are the thieves for suspending the spam/phishing/DoS/mining box.
    It is the attitude of developers which is the problem and that generates the coding problems, you must go to the root cause, otherwise holes will keep popping up and people will say from time to time, I know it was insecure, but is it secure now since most public exploits have been fixed?

    Thanked by 2Lee GIANT_CRAB
  • edan Member

    Maounique said: The issue is not that it was insecure in the past, the issue is that admins and programmers did not WANT to patch the issues people were POSTING for them.

    And that happened in the past, didn't it? So once someone does a wrong thing then surely forever he will make similar mistakes over and over again? :)

    Maounique said: but is it secure now since most public exploits have been fixed?

    For known issues yes, but there must be a hole somewhere, but there is no perfect product, right..

    OK I am out of this topic :) there was a similar incident https://gist.github.com/uppfinnarn/9956023 (off topic)

  • sz1hosting Member
    edited April 2014

    @W1V_Lee I was asking about brute force etc as I thought it was relevant to this thread though maybe I was mistaken. I run my hosting companies with other people. Those people, my friends, do know a lot more about security than me but I would say I do have some knowledge of security involving servers and websites, so maybe I do not know everything but I try my best : )
    From the replies on this thread I am inclined to say zpanel is not recommended and I would not let any users using a vps from me use zpanel after the replies I have had here. Yet again no proof of recent problems, though no one on zpanel has even bothered to come forward to say hey! Here is some proof we are as secure as cpanel blah blah etc

    Until there is proof zpanel is secure IT IS NOT SECURE APRIL 2014

    Thanked by 1Lee
  • Lee Veteran

    edan said: And that happened in the past, didn't it? So once someone does a wrong thing then surely forever he will make similar mistakes over and over again? :)

    If someone makes a mistake in the past and does nothing to demonstrate they have learnt from that mistake then yes it's not unfair to presume they are still making the mistake.

    Show me where they learnt from the past and are more open to accepting feedback and are patching the issues people are telling them about. I have looked and there is no evidence I can see.

    You want to believe that a past mistake is not a current mistake but you have no evidence to back that up do you?

  • jvnadr Member
    edited April 2014

    Maounique said: It is unlikely that changed, they probably still try to hide exploits from the general public

    Mao, (as you may remember an older post of mine) I used to use zpanel since what happened here and in their forums (because of a post of mine) in June.

    I now don't use zpanel anymore, just in a couple of boxes for testing and monitoring in non - critical or dummy projects.

    But I often go to their forums and read posts and updates. They seem to have changed their behavior a lot and a couple of their developer staff members that mostly had the behavior you mentioned are not active anymore because of their attitude. There are some new developers there that seem to be willing not only to help, but to check any hole or problem users find. A couple of times, some security holes have been patched almost immediately.

    I am not a coder or developer (and I don't have any relationship with zpanel or the devs), on the other hand you are an expert and you know a lot more things than me. Maybe there are a lot of security problems there and your experience says that you see a lot of compromised vps's out there wearing zpanel.
    If that daily experience is what leads you to discourage users from this panel, you are absolutely right. But, if it is more a thing of the previous behavior of the devs and not some issues with the current version of the panel, maybe you could observe them for a bit, to see (as I think I saw) a change in their perspective.

    As for security, some weeks ago I had a hacked vps of mine with ispconfig installed as panel, no root access, csf installed, ssh port changed etc. The two boxes that are wearing zpanel (the test ones) have never been compromised. Of course, maybe this is just luck. :-)

    Thanked by 1Maounique
  • edan Member

    W1V_Lee said: Show me where they learnt from the past and are more open to accepting feedback and are patching the issues people are telling them about. I have looked and there is no evidence I can see.

    They are on Github so there are many records, example https://github.com/zpanel/zpanelx/pulls?direction=desc&page=1&sort=created&state=closed :)

    Thanked by 1Lee
  • So how can someone or zpanel prove it is safe to use in april 2014? that is the question we all want to know, though it seems the answer is do not use zpanel sadly surely someone can test it?

  • @sz1hosting said:
    So how can someone or zpanel prove it is safe to use in april 2014? that is the question we all want to know, though it seems the answer is do not use zpanel sadly surely someone can test it?

    It's NOT safe to use. I had a friend use it about a month ago and his server started sending out spam emails - and yes he used a secure password.

  • linuxthefish said: and yes he used a secure password

    That says nothing. A lot of vps's are compromised daily. Using a secure password is not security for a box. There are a lot of things you have to do and even so, you are not completely secured. Maybe it was zpanel, maybe not. Did he search and find the exploit? How was he hacked?
