Hosting Panel (Security Worry-free) Other than cPanel - Page 3


Comments

  • @mikho said:
    I read a lot of comments that VestaCP "might" be insecure. Can anyone post a link or post some "proof" that it really is insecure?

    I haven't looked over the code myself so I can't say anything about it but I like the simplicity of VestaCP.

    I'm about to do some major changes in my life when it comes to hosting my websites and as today I'm looking at using VestaCP as "backend" and create my own solutions from there.
    I really want someone to post anything that would change my mind about this before I go too far......

    I haven't taken a nose dive into the code myself, but there was at one point a vulnerability... https://www.exploit-db.com/exploits/37369/

    it's been patched however.

    Thanked by 1 mikho
  • mikho Member, Host Rep

    @ToggledNS said:
    it's been patched however.

    The important part is how long did it take between knowing about it and a patch came out.....

  • mikho said: The important part is how long did it take between knowing about it and a patch came out.....

    Vendor Notification: May 20, 2015

    Vendor Patch: June 3, 2015

  • Mahfuz_SS_EHL said: Hi All, I installed CentOS Web Panel, it's loaded with many exciting features but the Only Problem is it's very resource hungry. Anyone using it ??

    It is very resource hungry. Why don't you try Ajenti?

  • Mahfuz_SS_EHL Host Rep, Veteran

    Once I tried Ajenti 2 Years back, It didn't look like a hosting control panel to Me.

  • Mahfuz_SS_EHL said: Once I tried Ajenti 2 Years back, It didn't look like a hosting control panel to Me.

    Yes it was a server control, but it has plugins now.

  • AlexanderM Member, Top Host, Host Rep

    If it's just for two web sites why even have a panel?

    Thanked by 2 vRozenSch00n GM2015
  • @mikho said:
    I read a lot of comments that VestaCP "might" be insecure. Can anyone post a link or post some "proof" that it really is insecure?

    I haven't looked over the code myself so I can't say anything about it but I like the simplicity of VestaCP.

    I'm about to do some major changes in my life when it comes to hosting my websites and as today I'm looking at using VestaCP as "backend" and create my own solutions from there.
    I really want someone to post anything that would change my mind about this before I go too far......

    unless it's been properly audited, I'm assuming it's insecure

  • mikho Member, Host Rep

    @Leechum said:
    unless it's been properly audited, I'm assuming it's insecure

    What would you consider a proper audit? Internal testing or must it be done by an external company?

    In the VestaCP case the code is available on Github so everyone can audit it.

  • it's kinda stupid assuming that because code is freely available it has been properly audited.
    here's a good definition: https://en.wikipedia.org/wiki/Code_audit

    A software code audit is a comprehensive analysis of source code in a programming project with the intent of discovering bugs, security breaches or violations of programming conventions. It is an integral part of the defensive programming paradigm, which attempts to reduce errors before the software is released.

  • Mahfuz_SS_EHL Host Rep, Veteran

    @AlexanderM said:
    If it's just for two web sites why even have a panel?

    Correct indeed, it doesn't need a Panel actually, but I find it difficult to manage websites directly with Command Line Installation of everything !

  • mikho said: I read a lot of comments that VestaCP "might" be insecure. Can anyone post a link or post some "proof" that it really is insecure?

    The last breach I know was https://www.exploit-db.com/exploits/37369/ and it is already patched.

    Before that, it came from third party application.

  • Unplug server power cord best security.

    Thanked by 2 ToggledNS Rolter
  • ExonHost Member, Host Rep

    You can use serverpilot.

    @Mahfuz_SS_EHL said:
    Correct indeed, it doesn't need a Panel actually, but I find it difficult to manage websites directly with Command Line Installation of everything !

  • mikho Member, Host Rep

    @Leechum said:
    it's kinda stupid assuming that because code is freely available it has been properly audited.
    here's a good definition: https://en.wikipedia.org/wiki/Code_audit

    A software code audit is a comprehensive analysis of source code in a programming project with the intent of discovering bugs, security breaches or violations of programming conventions. It is an integral part of the defensive programming paradigm, which attempts to reduce errors before the software is released.

    It's kinda stupid to interpret it into something I never said.

    I never stated it was properly audited, I asked what you considered a proper audit. Not for a link to the definition of a Code Audit. I'm pretty sure that every coder does his/her own audit of their code according to the definition of a Code Audit. Nowhere did I say that it meant it's done properly.

    The only thing I meant with the source being available on github is that Everyone who can code can also do their own "audit" of the code. It is easier at most, nothing more.

  • Control panels are overrated.
    Use something like vpssim.com, you can install it in 5 minutes and it's really easy to use, you can install/uninstall ionCube with one click, add/remove sites, add/remove db's, nginx, mariadb, etc...

  • @mikho well, I was able to change the admin password at Mxroute's MX1 server at some point. I sent an email to Vesta and CC'd @Jar and some days later it was fixed.

  • @cassa said:
    mikho well, I was able to change the admin password at Mxroute's MX1 server at some point. I sent an email to Vesta and CC'd Jar and some days later it was fixed.

    how did you end up doing it? you were just "exploring"? xd

  • jar Patron Provider, Top Host, Veteran
    edited November 2015

    cassa said: I was able to change the admin password at Mxroute's MX1 server at some point

    That feels like it needs a disclaimer that no customer data was accessed or viewed directly, and the panel was swiftly brought down upon discovery. ;)

    Otherwise that would've been a really painful announcement. Ultimately the worry of things like that are why I went to cPanel. At least then if something goes down, I know I have backup in the form of more man power than I can employ directly.

    Thanked by 1 cassa
  • Mahfuz_SS_EHL Host Rep, Veteran

    @Jar said:
    Otherwise that would've been a really painful announcement. Ultimately the worry of things like that are why I went to cPanel. At least then if something goes down, I know I have backup in the form of more man power than I can employ directly.

    Now, MXRoutes's Backend run on cPanel ?

  • jar Patron Provider, Top Host, Veteran
    edited November 2015

    Mahfuz_SS_EHL said: Now, MXRoutes's Backend run on cPanel ?

    It does, except some legacy customers that didn't want to move over. I still audit security, etc, and did my best to make it clear to everyone what my fears were with that system.

    That said, I still use VestaCP a lot personally. One thing remains true: Potential points of entry are much higher if someone has an account on it than if it's just you. I haven't had a major security concern with it for a while either. It's just a "peace of mind" thing for me at this point, I don't know what the devs of it will be doing in a year, I know that cPanel won't be abandoning their product.

    I still very much recommend VestaCP, for now :)

  • mikho Member, Host Rep

    @cassa said:
    mikho well, I was able to change the admin password at Mxroute's MX1 server at some point. I sent an email to Vesta and CC'd Jar and some days later it was fixed.

    This is somewhat what I am interested in; how fast do the man/team behind the panel act upon security flaws that are reported.

    I've also had my fair share of strange behaviour from that panel.

    I never will say that VestaCP is more secure than any other panel but I will say that it is one of my favourites.

  • cassa Member
    edited November 2015

    @mikho I'm not sure if @Jar fixed it at that point, or if Serghey did. I thought the update was sent out later (after about 3-4 weeks).

  • @masterqqq said:
    Unplug server power cord best security.

    Such servers can still be hacked by Red pandas ..but I find it ok since all they do is wiggle their tongue and tail once inside the server.
