ZPANEL review needed by lowend users for april 2014 only - Page 3

  • @jvnadr said:
    That says nothing. A lot of vps's are compromised daily. Using a secure password is not security to a box. There are a lot of things you have to do and even so, you are not completely secured. Maybe it was zpanel, maybe not. Did he search and find the exploit? How was he hacked?

    Open mail relay, it's not in the default config but when you change a few options such as forwarding it gets enabled. He posted a thread in the zpanel forums, I'll try and find it.

  • @sz1hosting said:
    So how can someone or zpanel prove it is safe to use in april 2014? that is the question we all want to know, though it seems the answer is do not use zpanel sadly surely someone can test it?

    No disrespect, but what exactly are you expecting from us? There is currently no known exploit for zpanel and the devs seem to have changed their attitude lately. Many think zpanel is still a security risk, others don't.

    Just try it out yourself. Nobody can predict the future, even the admins can't.

    Thanked by 2: netomx, edan
  • netomx Moderator, Veteran

    @sz1hosting said:
    So how can someone or zpanel prove it is safe to use in april 2014? that is the question we all want to know, though it seems the answer is do not use zpanel sadly surely someone can test it?

    Let me tell you: yes, it is very safe in April 2014. There, I just wrote what you wanted to read. Go on and install it.

    @active8 , are you @zerocool? Was the only guy defending zpanel like crazy

  • sz1hosting Member
    edited April 2014

    linuxthefish said: a month ago

    damn, i do not use zpanel and will not use it any time soon, which is sad but security comes 1st anyways webuzo is really nice : )

  • been running fine and smooth for me ... guess just people trolling about zpanel

  • If you want something safe, turn off your computer. Zpanel is a pretty sweet panel with its features. However, they obviously do not roll out patches as needed and leave it up to the user to make fixes until a long term supported version is released. And some bugs they won't be open about. You have to check the forums daily along with their bug reporting site. These are my observations as a past user.

    You've been offered a few other recommendations and I'd like to add Webuzo to the mix. It does everything Zpanel can do out of the box (no mods to download) and a lot more. It will also auto-update itself to newest version if you don't stop the cron. No need to open console/putty to update Webuzo, it can be done via the panel.

    TLDR: Zpanel as a free panel has come a long way but certainly doesn't have the most positive past. I recommend using an alternative until the recent version proves itself.

  • Lee Veteran
    edited April 2014

    @doughnet said:
    been running fine and smooth for me ... guess just people trolling about zpanel

    Just because it works for you does not mean your panel has not been compromised and you don't know it. But if you are happy then all good.

    Equally, just because you have no issues does not somehow mean everyone else is trolling.

    Thanked by 1: GIANT_CRAB
  • Me_B Member
    edited April 2014

    Well I'm from Zpanel team and discovered this thread.

    None of those bashing zpanel didn't disclose a problem. Even joepie91 all he tried to prove is that any one able to get into zpanel core will gain control over server. Agree over that BUT you must find a bug and any control panel will need root access to manage settings.

    We care over security and I'm using it in production before helping the team and I can say they care for security.

    We patched flaws those last months and those were due to ROUNDCUBE outdated/buggy shipping and having issues and another due to pchart that was vulnerable.

    http://forums.zpanelcp.com/Thread-Pcharts-Urgent-Vulnerability-Fix

    and it was reported here by a user and patch was issued 2 days later... UK1 saw it..

    A lot recommend Kloxo here funny, if you knew the bug that blow out over 100.000 websites and main developer suicide... BUT no kloxo is fixed but can't be the case for zpanel.

    We are happy and open for security issues reports and once the last regarding pchart was reported by user that was thanked by the team and never BANNED like some here were telling. And I won't agree my self over banning users reporting issues. BUT trolling you get banned for sure. Even UK1 here got a serious warning as he was bashing out security without any serious facts.

    The project is open source on GitHub. We might have flaws in the future as Zpanel is not just a panel but it installs a lot of third party software, and we saw that.

    sz1hosting asked a direct question, do you have facts?

    joepie91 was challenged didn't even throw roundcube flaw or pchart. All he did is using a basic SQL injection to gain access over Tgates server, notice it was not zpanel core targeted.

    I had my self customers hacked but each time I traced it to Wordpress f*** plugins/issues but no one will bash it.

    There were also Zpanel hacked in the past.

    So would be great if you can help over security with FACTS. What we can improve to secure Zpanel, this is open for every one as long there is mutual respect.

    I'm concerned over security too, but there is everyday flaws even in Cpanel or Plesk.

    Cpanel is not open source like plesk, in last flaws I was able to fix myself zpanel before the patch official release using only the public infos on forum.

    For Cpanel lovers seem you don't read the discussions here:

    http://lowendtalk.com/discussion/25147/whmcs-hacked#latest

    OOoops what a scoop! No let's be serious.

    And last security recommendation: servers must be run by experienced admins! Not rookies not even understand basic file editions in linux. You must know how to sandbox the risk and make it harder for the hacker if he gets in. As any software will be hacked, you can have the flaw in panel or underlying software it uses like postfix or apache or this week we got a red flag over OpenSSL. Reduce permissions and add layers. Security is not absolute!

    I think that zpanel have a bright future and you might expect nginx support in future and a lot of other gems...

    This said positive suggestions are welcome and I will be eager to forward them to developers. For bashing you can roll on too as Zpanel will survive that.

    Thanked by 1: TheRedFox
  • GaNi Member

    @Me_B

    You find a developer's death over his project funny? You know why there's still love for kloxo than zPanel? It's your freaking attitude, fix it.

    Thanked by 1: Lee
  • Me_B Member
    edited April 2014

    @GaNi said:
    Me_B

    You find a developer's death over his project funny? You know why there's still love for kloxo than zPanel? It's your freaking attitude, fix it.

    For kloxo I never said developer death WAS FUNNY you are twisting my words I reminded that kloxo got a big flaw that was a big mess. And I'm sorry it ended up so badly. So don't twist my words here. I just pointed kloxo had flaws and now you say it's secure, that brings at least hope for me and for Zpanel team. I found funny that you back a project and recommend it while it had a major issue in the past. Those are my words and I reminded the death of the developer.

    http://www.theregister.co.uk/2009/06/09/lxlabs_funder_death/

    This story IS SHOCKING, should never have happened that way and feel sorry for Kloxo developer death. But it's your double words over security. Kloxo can be but Zpanel can't! This was my argument.

    And this is not about Kloxo VS Zpanel. Or if zpanel is more secure. If Kloxo fits for your needs it's good for you. Same over ISP Config, you should always pick the software that does it the right way and indeed is "secure".

    Easy to say. "My freaking attitude" was to help everybody and I was not part of the team in last clash. And I care over security. If you just want to continue bashing roll on as I said before. We fixed flaws thanks to users who gave us notices in the forum.

    And you are welcome if you want to advise over security. It's easy to confuse here a panel is secure or not due to team attitude. Some might be arrogant but you don't have any idea the questions/ trolling we got.

    Check the support forum and see what I handle there like other members of the team:

    http://forums.zpanelcp.com/Forum-General-Support-Questions

    Or Newbie section:

    http://forums.zpanelcp.com/Forum-Newbie

    In short words you don't love the team that's your problem and I can't patch that buddy. All I can say on my side I'm open and eager to fix any flaws reported and help escalating it.

  • sz1hosting Member
    edited April 2014

    @Me_B thank you for commenting and explaining about zpanel so in conclusion zpanel is up to date and i would now recommend people to use it if they are very experienced in security and know how to secure their projects when using zpanel.
    This thread was in no way at all bashing zpanel and no one was providing proof of very recent problems except linuxthefish who said his friend's zpanel was hacked a month ago which was concerning. It is nice to know you guys are willing to explain things and ensure people zpanel is safe and you guys are doing everything you can to ensure the security is up to date. I admit i did make a few threads without evidence saying zpanel security is not good with no evidence it was just because it has had bad press in the past so it made me think omg it's not a safe panel. I think people should try zpanel again and see how it goes as they have been very active lately and need some good press, i will install zpanel for testing purposes on a kvm soon and stay with it as zpanel is a really nice panel and i want to use it.

    There is 1 suggestion i can make which is vital to zpanel's future = security updates need to be applied to the panel itself not in a github update so when there is a security update there should be a new version or update for zpanel within the panel itself or even auto update. Maybe this has already been done i am not sure but that is the only thing i would like to see everything else is perfect i am a previous zpanel user and would like to go back to zpanel on some of my personal projects asap.

  • Maounique Host Rep, Veteran

    A month ago we still had 2-3 cases a week that could be traced to zpanel usage. However, there are fewer now. They might have changed something.

  • oh sounds promising :)

    sz1hosting said: security updates need to be applied to the panel itself not in a github update so when there is a security update there should be a new version or update for zpanel within the panel itself or even auto update.

    Once this is done zpanel will be as secure as any other panel no panel is uncrackable by the way everyone.

  • ZEROF Member

    I can agree and disagree with you people. For me good admin will protect his site with his own knowledge. You can use any of these panels but if you don't know anything about security and basic coding don't be sure about your security.

  • Maounique Host Rep, Veteran
    edited April 2014

    ZEROF said: but if you don't know anything about security and basic coding don't be sure about your security.

    You can never be sure about security. No matter what you know, there will be 0days because you cannot possibly review all the code you run. Even if you could you can still overlook some issues or very intelligent timed exploits or other, even more intelligent attacks will happen one day.
    Security is gambling that when an exploit has been found, you will patch it soon enough before you get hacked or that you do not have a good hacker after you. Also, if one of those things happen, that you have good disaster recovery policies in place and you bet they will work fast enough and the leak is not so severe.

  • I'm glad that someone from Zpanel commented to this thread
    For all these people who have questions about security, i hope that their questions are answered now

  • Lee Veteran

    All I seen was someone with very poor grammar and written English come along and rant a bit. Not sure how that would satisfy anyone but the least conscious.

  • This is the only issue that needs to be rectified as far as i can tell

    sz1hosting said: security updates need to be applied to the panel itself not in a github update so when there is a security update there should be a new version or update for zpanel within the panel itself or even auto update.

  • Me_B Member

    @Maounique said:
    Security is gambling that when an exploit has been found, you will patch it soon enough before you get hacked or that you do not have a good hacker after you. Also, if one of those things happen, that you have good disaster recovery policies in place and you bet they will work fast enough and the leak is not so severe.

    We lack security reports and would be great if you send us reports, that would help us improve security for your customers too.

    Last weeks we got a report a user had zpanel hacked, so I checked it myself and got his server access to check logs/files. It was a bot who hacked his server 9 months ago using a flaw in 10.0.2. But since he patched it but the server remained under bot control until they started using.

    So would be really happy if you keep us informed for any problems your users might face due to Zpanel.

    @sz1hosting

    Auto updating is no magic, check most of zpanel users don't update their OS already while it's easy to set an apt-get/yum update cron running daily that would do the job! Should we add that to Zpanel setup? I might submit that, but it's far from solving everything.

    I see daily users upgrading 10.0.2 release that was over 9 months old. While since we issued many hotfixes 10.1.0 THEN 10.1.1...

    We have users running zpanel on Centos/ubuntu/ windows for official support but many jumping on debian, some kicking it on freeBSD, OSX and latest request is getting it working on Raspberry Pi!

    So again over auto update we first improved install/upgrade script, and we could slowly move to auto-update and it require a lot of work. We have security mailing list. We have news section in control panel informing over issues, we have discussed in staff section sending emails to all forum subscribers to push for more updates or require registrations. So still thinking what is the best process and how to do it. So easy to say auto-update but getting it working is another round.

    So if you care over security you will update manually... don't be so lazy. Any server require minimum maintenance.

    We have made even the install too easy so too many newbies are using it and this is far more dangerous than any flaw we have in the panel.... Adding some questions over linux in install could deter them :D and require they dig more over linux.

    That said zpanel is currently in maintenance mode until we get the next XI release that would see a big change as we move from custom framework to Laravel. This requires to rewrite the WHOLE panel. This is not easy. Hope that would help more developers jumping in the project but this whole dev is currently relying on 2 core developers. It's a long way, and if you want features like that you can help implementing it instead of harassing support like you did in the forum. It won't work that way. We do our best to bring more features and we do that for Free! And I'm currently helping to thank a bit the great job that Zpanel team already did.

    So again everybody help is welcome and we need that. Either for security advice or development. We are doing our best for supporting users for free and you can see in the forum, when users get stuck to we offer more than once to login on his server to check the whole mess, that so many time is not caused by zpanel and for free.

    Does free mean also, you could accept insecure products because they are free. NO! But I show here good will for moving on and getting things fixed if they are wrong. And don't forget the project is open source and you can fork it and fix it.

  • Nice reply : )
    RE:
    Auto updating is no magic, check most of zpanel users don't update their OS already while it's easy to set an apt-get/yum update cron running daily that would do the job! Should we add that to Zpanel setup? I might submit that, but it's far from solving everything.

    Me_B said: So if you care over security you will update manually... don't be so lazy. Any server require minimum maintenance.

    This is the point people are lazy and they want auto updates and this is the only problem i see with zpanel this is not something that is recommended it is a must, i know zpanel is free so i do feel like i am asking a lot but this will surely make zpanel better and you saying there are only 2 core devs is not good more people should help zpanel out instead of complaining, myself i am not a vastly experienced coder in some aspects, but if i can help i will.

  • Me_B Member
    edited April 2014

    @W1V_Lee said:
    All I seen was someone with very poor grammar and written English come along and rant a bit. Not sure how that would satisfy anyone but the least conscious.

    Do you have facts beside that? If you say zpanel is insecure due to my poor english, that would flag so many projects as insecure. I'm doing my best to write quickly & providing all my raw thoughts. English is not my first language but my third, so doing my best. If you wish to correct my posts and repost them you are welcome.

    That said do you have any facts over security or advice? Beside you don't love Zpanel Team and be sure we are not hiring Top models in support staff so you love us.

    In all this thread no one come by with facts beside @Maounique reporting customers got hit over Zpanel.

    And remind you this thread is over Zpanel secure or not? Back your claims?
    I can detail a lot of security features implemented in Zpanel but do you have any bugs or improvement to offer/report/blame? Or just trash the project because joepie91 clashed with a staff member that was "arrogant" to understand his request.

    We are no more in objective facts here we are in sentimental area and I can't do any thing over that.

  • Maounique Host Rep, Veteran

    Me_B said: We have made even the install too easy so too many newbies are using it and this is far more dangerous than any flaw we have in the panel...

    That is a fair point in a serious post. Suddenly I have hope :)
    Unfortunately, it is not my job to inform you about hacked installations, also I have no right to disclose or even look at customer's data, let alone let a third party dig it, even in the event of hacking (we simply suspend and inform the user). If they say zPanel then it is pretty clear, however, I will ask which version from now on, at least this I can tell you then :)

  • Me_B Member

    @sz1hosting said:
    Nice reply : )
    RE:
    Auto updating is no magic, check most of zpanel users don't update their OS already while it's easy to set an apt-get/yum update cron running daily that would do the job! Should we add that to Zpanel setup? I might submit that, but it's far from solving everything.

    You are WRONG admins can't be lazy they are smart and will write some bash script to automate routine tasks. And keep always servers under watch. Don't tell me how a server might be run the proper way.

  • Me_B Member

    @Maounique said:
    Unfortunately, it is not my job to inform you about hacked installations, also I have no right to disclose or even look at customer's data, let alone let a third party dig it, even in the event of hacking (we simply suspend and inform the user). If they say zPanel then it is pretty clear, however, I will ask which version from now on, at least this I can tell you then :)

    Thanks that's great. and it would help us tracking a bit more the problem.

  • i understand that but every other panel does auto updates why can't zpanel? anyways put it in the to do list plz it will only help zpanel grow further.

  • Me_B Member

    @sz1hosting said:
    i understand that but every other panel does auto updates why can't zpanel? anyways put it in the to do list plz it will only help zpanel grow further.

    We need time to do that. You are keeping the request in a loop. Are you aware that with autoupdate you are handing your server control over to zpanel team? We can push an update that take over your server! I always love to be informed over updates and validate them first on some servers before deploying on all my servers. This is how serious admin do, even if it's an emergency update.

  • yes that is fine you guys have too much to lose by doing anything un-ethical, that's like saying do i trust cpanel with auto updates

  • Lee Veteran

    Do you have facts beside that? If you say zpanel is insecure due to my poor english, that would flag so many projects as insecure.

    I just don't know what to say to that.

  • Me_B Member

    @sz1hosting said:
    yes that is fine you guys have too much to lose by doing anything un-ethical, that's like saying do i trust cpanel with auto updates

    The problem is not over trusting Zpanel team or cpanel team for auto-updates. An update will introduce likely new features and fix some minor bugs and sometime critical bugs. The backside an update might also add new bugs that could bother many users, despite our testing. And it happened in the past and would happen again like in any software development cycle. So that's why I would test updates myself before rolling them on all my servers. Unless they are critical and in that case I would rather patch manually faster than wait 24 hours for fixes and Zpanel is not so hard to learn and understand.

    So @sz1hosting I trust Zpanel team and will not remove my above statement as this is what is about autoupdates.

    I see a lot of requests from Zpanel team and comparing to cpanel or other free panels but when it's about backing the project either by donating or just helping it turns another story, as few show up.

    Zpanel have already as I said major framework revamp, we are trying to get an nginx release with the right security features. We might think about multi-server Zpanel. BUT it's a long long road.

  • Me_B Member

    @W1V_Lee said:
    I can't say if it has improved or not, I have not been back to Zpanel since I got banned for posting on their forums about an exploit I found which they would not comment on, They did fix it eventually though.

    I like Zpanel in terms of its ease of use however free or otherwise it needs to be secure, also as important is that it needs a team of developers who are open, honest and ready to accept feedback from the very people that can tell them what issues the panel may have and benefit from that feedback.

    For whatever reason the folks over there don't like that kind of feedback and as a result it makes it hard to be able to trust them.

    Here is my profile on Zpanel:

    http://forums.zpanelcp.com/User-me-b

    You are free to contact me if you have issues. What we require is staff respect, we don't expect worship but polite replies, you can express your opinion but rolling over and over some story while we did our best to reply/check the issue without facts can't help both.

    See here the bug tracker is public:

    https://github.com/zpanel/zpanelx/issues?page=1&state=closed

    We are not hiding anything. We might some time move discussion to private on forum if issue is critical so we can prepare patch before turning it public, and I back transparency but for critical problems I would rather see the patch ready before disclosing it as any caring developer.

    See here the long list of announcement/ security fixes:

    http://forums.zpanelcp.com/Forum-News-Announcements--36

    And it might get more as we are working on improving Zpanel and fixing any issues reported.

    So would you one day help??

    Thanked by 2: Lee, Noerman