Comments
I haven't taken a nose dive into the code myself, but there was at one point a vulnerability... https://www.exploit-db.com/exploits/37369/
it's been patched however.
The important part is how long it took between knowing about it and a patch coming out.....
Vendor Notification: May 20, 2015
Vendor Patch: June 3, 2015
It is very resource hungry. Why don't you try Ajenti?
Once I tried Ajenti 2 years back; it didn't look like a hosting control panel to me.
Yes it was a server control, but it has plugins now.
If it's just for two web sites why even have a panel?
Unless it's been properly audited, I'm assuming it's insecure.
What would you consider a proper audit? Internal testing or must it be done by an external company?
In the VestaCP case the code is available on Github so everyone can audit it.
It's kinda stupid assuming that because code is freely available it has been properly audited.
Here's a good definition: https://en.wikipedia.org/wiki/Code_audit
Correct indeed, it doesn't need a panel actually, but I find it difficult to manage websites directly with command line installation of everything!
The last breach I know was https://www.exploit-db.com/exploits/37369/ and it is already patched.
Before that, it came from third party application.
Unplug server power cord best security.
You can use serverpilot.
It's kinda stupid to interpret it into something I never said.
I never stated it was properly audited, I asked what you considered a proper audit. Not for a link to the definition of a Code Audit. I'm pretty sure that every coder does his/her own audit of their code according to the definition of a Code Audit. Nowhere did I say that it meant it's done properly.
The only thing I meant with the source being available on GitHub is that everyone who can code can also do their own "audit" of the code. It is easier at most, nothing more.
Control panels are overrated.
Use something like vpssim.com, you can install it in 5 minutes and it's really easy to use, you can install/uninstall ionCube with one click, add/remove sites, add/remove db's, nginx, mariadb, etc...
@mikho well, I was able to change the admin password at Mxroute's MX1 server at some point. I sent an email to Vesta and CC'd @Jar and some days later it was fixed.
How did you end up doing it? You were just "exploring"? xd
That feels like it needs a disclaimer that no customer data was accessed or viewed directly, and the panel was swiftly brought down upon discovery.
Otherwise that would've been a really painful announcement. Ultimately the worry of things like that are why I went to cPanel. At least then if something goes down, I know I have backup in the form of more man power than I can employ directly.
Now, MXRoute's backend runs on cPanel?
It does, except some legacy customers that didn't want to move over. I still audit security, etc, and did my best to make it clear to everyone what my fears were with that system.
That said, I still use VestaCP a lot personally. One thing remains true: potential points of entry are much higher if someone has an account on it than if it's just you. I haven't had a major security concern with it for a while either. It's just a "peace of mind" thing for me at this point; I don't know what the devs of it will be doing in a year, but I know that cPanel won't be abandoning their product.
I still very much recommend VestaCP, for now.
This is somewhat what I am interested in: how fast the man/team behind the panel acts upon security flaws that are reported.
I've also had my fair share of strange behaviour from that panel.
I will never say that VestaCP is more secure than any other panel, but I will say that it is one of my favourites.
@mikho I'm not sure if @Jar fixed it at that point, or if Serghey did. I thought the update was sent out later (after about 3-4 weeks).
Such servers can still be hacked by red pandas, but I find it ok since all they do is wiggle their tongue and tail once inside the server.