ServerPilot and zPanel ?

Comments

  • Me_B Member

    @xDutchy said:
    Not directly, but if you can't even get your own website secure, potential users easily lose faith in your software.

    The person running the webserver/doc is not the dev team. So stop mixing up things that are not the same.

    We are doing our best to push up a free open source project and calling for even those who bash zpanel to help us secure it more. I have escalated the webserver update request but server security has been locked down since last year's hack (forum hack!) and there are few people who can update the website.

    My priority is Zpanel/panel flaws as this is what we are discussing and my focus currently.

  • Me_B Member

    @thatguyagain said:
    "Don't worry, we have tons of exploits, but it's fine, we have a htaccess file!"

    I said we are putting in a new .htaccess as a pro-active measure for reducing attack surface and tightening security more. For all known flaws we are reacting and have already patched the panel.

    Don't twist my words, and you are only a lamer who doesn't have 1 exploit in hand.

    If you have tons, then EXPOSE at least ONE! Come on? Expose one? You will keep more 0 days in your bags.

    M B

  • xDutchy Member

    Me_B said: The person running the webserver/doc is not the dev team. So stop mixing up things that are not the same.

    I'm not mixing things up, I understand it's two different pieces of software, just stating as is. I personally wouldn't trust ZPanel seeing that you (ZPanel) can't even secure your own website.

    That on top of the fact that multiple providers stated that a ton of abuse came from ZPanel users (can't recall posts for quotes, sorry). You can't just blame this on users not updating, this is a common thing among a lot of software. Take a look at WordPress: http://wordpress.org/about/stats/, WordPress 3.0 is still being used by approx. 23% of all WordPress users and is a version released in June 2010.

    This would mean that the versions of ZPanel with exploits could be around for another 3 to 4 years on a percentage of your userbase. Gz, another few years of suffering for their hosts.

  • Me_B Member
    edited May 2014

    @xDutchy said:
    This would mean that the versions of ZPanel with exploits could be around for another 3 to 4 years on a percentage of your userbase. Gz, another few years of suffering for their hosts.

    So the solution is we drop the panel? I'm using it without issues, patching as it should.

    I'm pushing security with the dev team and all hack cases are investigated. We offered a patch 2 months ago and the current worm is using a FLAW WE MADE PUBLIC! (This is what current investigations show.)

    We are pushing to add more security layers, as any software won't be secure.

    Upgrade now takes 1 command line, and we are thinking about auto-update BUT as you pointed out with WordPress, users are not updating. I even got an admin telling me for months he won't update to 10.1.1 as he had an issue over a plugin. While I made it obvious that he had security flaws. So instead of asking for the plugin (billing external) to be fixed, he kept using zpanel with a known public issue until he got back rumbling over Zpanel flaws. He could even have fixed it manually...

    Zpanel is unsecure, OpenSSL flaws too and I saw yesterday a flaw affecting centos, not in zpanel side and I'm pushing the team to find a solution even if it's not on our side.

    Website will be fixed, as I said, most of the zpanel staff focus on dev/support, few have time for docs/website. And since the Hostwinds takeover it's changing. Priority remains Zpanel security over features/web.

    Still trying to improve the panel and protect zpanel users from their own sins. I think we will offer to lock zpanel with an apache password if user will be the only one using it. A lot of work in installers / panel ahead and few are really helping but once the panel will be mature everybody will be happy to pick the free stuff :-(.

  • active8 Member
    edited May 2014

    @Me_B said:
    Upgrade now takes 1 command line, and we are thinking about auto-update BUT as you pointed out with WordPress, users are not updating. I even got an admin telling me for months he won't update to 10.1.1 as he had an issue over a plugin. While I made it obvious that he had security flaws. So instead of asking for the plugin (billing external) to be fixed, he kept using zpanel with a known public issue until he got back rumbling over Zpanel flaws. He could even have fixed it manually...

    If you are stupid enough not to do the updates then you deserve to be hacked, and don't complain later if your server is hacked! Or get kicked by your VPS provider because the software you use has security issues; that is not the fault of the software but yours!
    The above is mandatory for all kinds of software & OS people are using on their servers.

    Example:
    I know a lot of hosting providers don't want Joomla 1.5 on their servers because it has security issues, but people still use this version. Does this make Joomla useless software too? No, people are lazy with updates, that is a fact!

  • wych Member
    edited May 2014

    @active8 said:
    people are lazy with updates that is a fact

    Not everyone, just seems more common amongst zpanel users...

    the "set and forget" hosting panel.

  • So does VestaCP have a user panel where users can manage FTP, Email accounts etc?

  • Me_B Member

    @wych said:
    the "set and forget" hosting panel.

    This might be true and linked to lower VPS pricing that get shared hosting users moving to VPS thinking they will get better control. Many don't have any clue over ADMIN. So how we do? Set skills test before installing Zpanel? Getting it complicated so only admin could install it? I don't agree on complicating install as an admin.

    We will try to add more pro-active feature or may be offer after install to setup some extra security features. We will evaluate that. BUT update is key. It's the same when you use openSSL and you MUST update, millions of servers are not patched currently and all those appliances using it too like router. It's a huge problem.

    So again if you have ideas to improve zpanel security design, you are always welcome.

    All hosters upset over zpanel can ban it but their users will try again to use it! We do our best to help and find a solution so they keep their users and get fewer issues. I can't say any more.

    We should cooperate more with the industry and we are open.

    M B

  • DarioX Member

    @Me_B said:
    M B

    So is that .htaccess you posted on zPanel forums obligatory or just for the affected users? You (as a team) should really work on your communication skills, as I think that is the main problem you have right now. Have some guy that has good English knowledge organize the forums properly and keep all the important information also outside the forums. It's really messy as it is right now.

  • Posting from my standpoint - I personally use ZPanel and there have been a number of security vulnerabilities but the majority have been from third party libraries/modules.

    When notified the devs usually push out a patch the same day and notify all those on the security mailing list - the problem is people are just not updating ZPanel!

    I understand why you are discouraging your users from using ZPanel and TBH I would to any inexperienced admin as well but I would never outright ban it.

    ZPanel's website is pretty outdated and has a number of security holes but a complete redesign and update are underway.

    The ksoftirqx is an old bug and is fixed in the latest version.

    Also, OpenSSL has had a security issue and I don't see everyone banning it - just update it haha.

    If you're providing an unmanaged service then you shouldn't need to worry about this anyway - if they want to use a few years out of date control panel then they are just asking for trouble. Notify them to either update or switch to a more newbie friendly panel.

    Just my two cents ;)

  • xDutchy Member

    jacobg830 said: jacobg830

    Funny you mention OpenSSL, went on and tried to test www.zpanelcp.com / forums.zpanelcp.com, since they process login & payment details there:

    $ telnet forums.zpanelcp.com 443
    Trying 23.254.192.7...
    telnet: Unable to connect to remote host: Connection refused
    

    (I know you don't test SSL connections with telnet, it's all about the Connection refused.)

    Seems like zPanel does ban SSL :)

    note: I have nothing against zPanel, haven't used it and haven't suffered any damage due to zPanel. Trying to show the impressions of zPanel on outsiders / potential users.

    jacobg830 said: If you're providing an unmanaged service then you shouldn't need to worry about this anyway

    What about abuse?

  • @jacobg830 said:
    Posting from my standpoint - I personally use ZPanel and there have been a number of security vulnerabilities but the majority have been from third party libraries/modules.

    When notified the devs usually push out a patch the same day and notify all those on the security mailing list - the problem is people are just not updating ZPanel!

    I understand why you are discouraging your users from using ZPanel and TBH I would to any inexperienced admin as well but I would never outright ban it.

    ZPanel's website is pretty outdated and has a number of security holes but a complete redesign and update are underway.

    The ksoftirqx is an old bug and is fixed in the latest version.

    Also, OpenSSL has had a security issue and I don't see everyone banning it - just update it haha.

    If you're providing an unmanaged service then you shouldn't need to worry about this anyway - if they want to use a few years out of date control panel then they are just asking for trouble. Notify them to either update or switch to a more newbie friendly panel.

    Just my two cents ;)

    I'm not a provider nor someone who uses zPanel, just a reader who's been following this issue out of curiosity, but I'm not too sure I trust the words of someone who has only visited LET four times between February 4 and now, with this defense of zPanel being your only comment.

    By all means you could be telling the honest truth and it's just a set of unfortunate coincidences that make you seem so hard to believe, but to me it looks like you were brought in to help defend the service, which unfortunately does not lend zPanel further credibility and in fact does the opposite.

  • Me_B Member

    @DarioX said:
    So is that .htaccess you posted on zPanel forums obligatory or just for the affected users? You (as a team) should really work on your communication skills, as I think that is the main problem you have right now. Have some guy that has good English knowledge organize the forums properly and keep all the important information also outside the forums. It's really messy as it is right now.

    We should run a Blog/news section as everything can't fit in forums. I had asked for that a while ago, we lack resources mostly to manage more services.

    For the forums we are doing our best already and every post is getting a quick and fast reply and a solution IF WE had enough information.

    The main purpose of the blog would be information toward users and security bulletins IF ANY. So it remains public and doesn't require registration. (We already changed the rule that will require registration after 3 post views.)

    M B

  • Me_B Member

    @xDutchy said:
    Funny you mention OpenSSL, went on and tried to test www.zpanelcp.com / forums.zpanelcp.com, since they process login & payment details there:

    $ telnet forums.zpanelcp.com 443
    Trying 23.254.192.7...
    telnet: Unable to connect to remote host: Connection refused

    (I know you don't test SSL connections with telnet, it's all about the Connection refused.)

    Seems like zPanel does ban SSL :)

    note: I have nothing against zPanel, haven't used it and haven't suffered any damage due to zPanel. Trying to show the impressions of zPanel on outsiders / potential users.

    That would be right if we HAD HTTPS on forums. We plan to add https for forums but currently it's not the case, so we didn't ban openSSL as @xDutchy is trolling.

    Keep on with Zpanel bashing...

  • @hellogoodbye said:
    By all means you could be telling the honest truth and it's just a set of unfortunate coincidences that make you seem so hard to believe, but to me it looks like you were brought in to help defend the service, which unfortunately does not lend zPanel further credibility and in fact does the opposite.

    I saw a post on the ZPanel forums (http://forums.zpanelcp.com/Thread-Advised-not-to-use-zpanel) which linked to this thread and decided to post what I thought. I don't usually go on low end talk as I prefer web hosting talk but will read something here if it catches my eye.

    Back on topic(ish) - pick what control panel you want to pick but you shouldn't stop your customers from doing so - that's my point really. And also ZPanel's security problems have been cleaned up already, they just haven't had time to do the website/forums yet.

  • People might be a bit more open if you weren't so antagonistic, @Me_B. Your tone doesn't really war PR move to me. People have genuine concerns, it's not their fault your product (at least at one time) wasn't up to scratch.

  • Me_B Member

    @AThomasHowe said:
    People might be a bit more open if you weren't so antagonistic, Me_B. Your tone doesn't really war PR move to me. People have genuine concerns, it's not their fault your product (at least at one time) wasn't up to scratch.

    No product is up to scratch, ANY SOFTWARE might have flaws. We learn everyday over security and new hacks techniques. I will again remind kloxo case that blow out 100.000 websites. Many here recommend it despite the past history. Same over many forum software you use, CMS (WP/joomla). They got their sins too.

    What is happening here we are focusing on security, and we do our best as an OPEN SOURCE FREE package. You are welcome to send us reports and we will do our best to fix it. But what I see is only bashing and claims over "tons" of flaws while not showing any.

    There might be flaws in the future like any other software. But we are committed to security and will do what ever we can to offer more secure product.

    I've not come here for PR but ASKED for advice, how should we improve security? But no one either cares or has an idea about security. Only war of words and EGOs.

  • Maounique Host Rep, Veteran
    edited May 2014

    Me_B said: ANY SOFTWARE might have flaws

    That is true, however there are way too many problems with zPanel. It is also true most are probably user issues with not updating, but if there would have been less flaws, less updates would have been necessary.

    Let's cooperate, shall we?
    Solution for user issues:

    Put up a version secured and simple by design for newbies. Apache or nginx whatever you like (own version compiled from sources), vsftp or something, same, own version compiled from sources, some small and simple dns server, php, mysql, phpmyadmin also compiled from sources, script to install own repositories and uninstall whatever other crap the os had (samba, postfix, things like those). Make it clear it only works for centos, debian, ubuntu whatever, something long term support and stick to that. Advanced users are unlikely to need a panel and when they do use virtualmin or cPanel to resell. So, make it small, make it simple, make it from sources and newbies will not even notice a change. Who needs fancy tools when they only want to post their cat pictures? Just run this script and when finished, go to the url and input your ftp username and password, then you can connect to ftp and upload your site. Want awstats? Fine, use this script. Need proftp instead of vsftp? Fine, get this script, want email? Get this script with qmail and horde. Want encoding and streaming? Get this script with everything in place.
    One person to maintain every flavour of the script and 2-3 people working on the core. On update, insert a warning page in apache to notify about the new version every new visitor and every 10th page, will force the user to update if a cron to run it automatically and backup content before is considered too dangerous.

    Always remember your target audience is the newbie which switches from shared hosting because they had enough of abuse from neighbours or the host won't enable x feature.

    Think is possible?

    Thanked by 1active8
  • wych Member

    @Maounique said:
    Think is possible?

    Should be, can't see zPanel embracing that structure though.

  • @Maounique said:
    Think is possible?

    Yes but it's not going to happen. ZPanel is meant to be a complete hosting solution, not just a panel for newbies. The solution as I see it is to implement some sort of auto-update/patching feature. That means any vulnerabilities found will automatically be patched similar to how other commercial control panels do it. This means ZPanel is still feature packed and newbies don't need to worry about updates and patches.

  • Maounique Host Rep, Veteran
    edited May 2014

    Most newbies and many non-newbies don't need all features, so, a simplified and secured version should be made available. The full version should be made available with the caveats only for people which can take the risks, such as host at home or on own dedis.

  • debug Member

    nekrox said: VestaCP needs a sudo or root user to run the scripts from PHP. Vesta is not a secure option for me.

    lel. How else do you think every other control panel manages your server? They all need root access some way or another.

    VestaCP's user account is locked to a specific directory of bins (/usr/local/vesta/bin/*) to run as root. It can't run anything else without a password.

  • wych Member

    @jacobg830 said:
    Yes but it's not going to happen. ZPanel is meant to be a complete hosting solution, not just a panel for newbies. The solution as I see it is to implement some sort of auto-update/patching feature. That means any vulnerabilities found will automatically be patched similar to how other commercial control panels do it. This means ZPanel is still feature packed and newbies don't need to worry about updates and patches.

    They mentioned at some point they were looking into this, I however foresee a day the devs push a broken update out and it all goes wrong.

  • Me_B Member

    @Maounique said:
    Think is possible?

    We already have a news module in the panel and we are evaluating how to be more pushy for updates and force users for more discipline. Latest issues were patched by the staff before they got used everywhere.

    Thanks for the input and we are seriously doing our best in that direction. If you mind one day open an account on our forum and you will be welcome.

    M B

  • nekrox Member

    debug said: lel. How else do you think every other control panel manages your server? They all need root access some way or another.

    You can use a localhost server with an API to run commands that need root; I never use software where PHP runs a sudo command.
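
The design nekrox describes in the last post, a local privileged helper that the web code talks to instead of calling sudo, only helps if the helper validates every request itself. The sketch below is an added example, not part of the thread and not code from any panel mentioned here; the action names, the `/opt/example-panel/bin` path and the request format are assumptions.

```python
import json
import re

# Hypothetical helper-script directory and action names (assumptions for illustration).
BIN_DIR = "/opt/example-panel/bin"

# Strict patterns: no whitespace, no shell metacharacters, no leading "-"
# (a leading dash would let a value be parsed as a command-line option).
USERNAME = re.compile(r"[a-z][a-z0-9_]{0,30}")
DOMAIN = re.compile(
    r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

# action -> (script name, ordered (field, validator) pairs); anything else is refused.
ACTIONS = {
    "add_domain": ("add-domain", [("user", USERNAME), ("domain", DOMAIN)]),
    "restart_web": ("restart-web", []),
}


class Rejected(ValueError):
    """Raised when an untrusted request does not match the allowlist."""


def build_argv(raw):
    """Turn an untrusted JSON request into an argv list, or raise Rejected."""
    try:
        req = json.loads(raw)
    except ValueError:
        raise Rejected("not JSON")
    if not isinstance(req, dict):
        raise Rejected("request must be an object")
    action = req.get("action")
    if not isinstance(action, str) or action not in ACTIONS:
        raise Rejected("unknown action")
    script, fields = ACTIONS[action]
    extra = set(req) - {"action"} - {name for name, _ in fields}
    if extra:
        raise Rejected("unexpected fields: %s" % sorted(extra))
    argv = ["%s/%s" % (BIN_DIR, script)]
    for name, pattern in fields:
        value = req.get(name)
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise Rejected("bad value for %s" % name)
        argv.append(value)
    return argv


def handle(raw, runner):
    """Validate, then pass argv to runner (e.g. subprocess.run without a shell)."""
    try:
        argv = build_argv(raw)
    except Rejected as exc:
        return {"ok": False, "error": str(exc)}
    runner(argv)
    return {"ok": True, "argv": argv}
```

The web process never chooses a binary or passes a command string; it can only name an allowlisted action, and the helper builds the argument list itself.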
