ZPanel hosting control panel - your opinion?

littleguy Member
edited October 2012 in General

Working as a freelancer, I am looking to offer clients web hosting that they can manage themselves if needed.

Found ZPanel http://www.zpanelcp.com/ - which seems perfect for my needs.

What are you guys' opinions on ZPanel as opposed to more popular panels such as Webmin, cPanel etc?


Comments

  • I installed it recently to see how it performed and it feels like it's just been slapped together without much thought.

    Installing is very straightforward, but I wouldn't let any clients loose with it in its current state.

  • jhadley Member
    edited October 2012

    Don't use that. I found this late last night - you can get a Plesk 11 (I know it's Plesk but v11 in "Service Provider" mode is actually really nice!) licence for under 2 euros a month: https://www.netsys-online.de/

    Bought mine yesterday, came through in a few hours and working fine.

    Loading Deck - Cloud Consultants: Server Management | Consultancy | Software Development
  • littleguy Member
    edited October 2012

    @ghoulnet said: I wouldn't let any clients loose with it in its current state.

    What do you mean?

    @jhadley said: Plesk 11

    Will check it for sure. Tried Webmin but thought it was a bit too bloated for my needs. It also made my server idle at 0.10 load just because it keeps running background processes all the time. I really just need a super-simple admin, mostly for myself. Client isolation isn't critical (but nice to have!) as I maintain all the applications of each client.

  • Isn't zPanel the one where the devs are crazy on WHT and act like kids?

  • It's alright, I use it myself, not many issues.

    FiberVolt | Quality Los Angeles & Chicago Virtual Servers - http://fibervolt.com

  • It has some serious security issues in its current state.

    Appreciate my posts/software/guides? Donate (PayPal/Flattr/Bitcoin): http://cryto.net/~joepie91/donate.html | irc.freenode.net #lowendbox

    Thanked by 1HalfEatenPie
  • littleguy Member
    edited October 2012

    @joepie91 said: It has some serious security issues in its current state.

    Links to issues? Since I will only run private clients I can protect the login page behind standard http auth so most automated/probe attacks should be impossible.

    Thanked by 1connercg
  • The biggest issue I have with ZPanel X is not being able to run Ajaxplorer. I use eXtplorer instead, and...

    WebSec to provide a full security audit of ZPanelX

    forums.zpanelcp.com/showthread.php?7724-WebSec-to-provide-a-full-security-audit-of-ZPanelX

  • @connercg said: not being able to run Ajaxplorer.

    You mean it's not available as a core plugin?

    @connercg said: WebSec to provide a full security audit of ZPanelX

    Is it done yet? The post is almost four months old..

  • @littleguy

    You mean it's not available as a core plugin?

    I've not seen it as a core plugin, and I'm surprised no one has made it so.

    Is it done yet? The post is almost four months old..

    They released 10.0.0.0 and there have been bug reports about permission issues with WWW not reading or executing files uploaded via FTP. There were a couple of issues with Dovecot as well. 10.0.0.1 is in BETA with the new installer right now (been BETA for a couple months already), and I suspect that's why the Websec post is a few months old now; they'll probably update to resubmit 10.0.0.1.

    They did say in the forums they expected an update after the initial release to address bugs and issues as 'X' aka 10.0.0.0 was a rewrite.

    I only remember one security issue coming up and a hotfix was put in place quickly. I believe it's still in the announcements section.

  • @connercg said: 10.0.0.1 is in BETA

    I've been playing around with it and so far stuff seems to work well. Now I just pray Dovecot is setup correctly, that's usually the most PITA to get working.

    I haven't quite understood how ZPanel runs Apache, is it mod_php? How does it handle multiple users?

  • @littleguy said: Links to issues? Since I will only run private clients I can protect the login page behind standard http auth so most automated/probe attacks should be impossible.

    I've found and reported several issues myself, and those have been mostly fixed (two arbitrary code execution vulnerabilities and an SQL injection vulnerability), but some security issues remain (one of which can be exploited by reseller and up) - and I don't doubt that undiscovered issues exist, as the code style is very inconsistent (meaning it's easy for developers to overlook something). Seriously, in a security sense, you do not want to use ZPanel in its current state for anything serious.

    @connercg said: WebSec to provide a full security audit of ZPanelX

    WebSec missed a considerable amount of vulnerabilities - quite obvious ones, too.

    @littleguy said: I haven't quite understood how ZPanel runs Apache, is it mod_php? How does it handle multiple users?

    Apache + mod_php is used, all processes run under the same user, Suhosin and open_basedir restrictions are used to prevent users from escalating their access to other users. Seems to work pretty well.

    Appreciate my posts/software/guides? Donate (PayPal/Flattr/Bitcoin): http://cryto.net/~joepie91/donate.html | irc.freenode.net #lowendbox
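
The per-user confinement described in the comment above (one Apache user, `open_basedir` per site) only holds if every vhost sets the directive with `php_admin_value` (a `php_value` setting can be overridden from `.htaccess` where overrides are allowed) and lists no path shared with other accounts. This check is an added example, not part of the thread or of ZPanel's code; the sample vhosts, the `/var/hosted/<user>` layout, the rule that the account home is the parent of `DocumentRoot`, and the finding labels are all assumptions.

```python
import posixpath
import re
import shlex

# Constructed sample vhosts (hypothetical layout, not ZPanel's real output).
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName alice.example
    DocumentRoot /var/hosted/alice/public_html
    php_admin_value open_basedir "/var/hosted/alice/public_html:/var/hosted/alice/tmp"
</VirtualHost>
<VirtualHost *:80>
    ServerName bob.example
    DocumentRoot /var/hosted/bob/public_html
    php_value open_basedir "/var/hosted/bob/public_html"
</VirtualHost>
<VirtualHost *:80>
    ServerName carol.example
    DocumentRoot /var/hosted/carol/public_html
    php_admin_value open_basedir "/var/hosted/carol/public_html:/var/hosted"
</VirtualHost>
<VirtualHost *:80>
    ServerName dave.example
    DocumentRoot /var/hosted/dave/public_html
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def inside(path, root):
    """True if absolute `path` is `root` or lies beneath it ('..' resolved first)."""
    if not posixpath.isabs(path):
        return False
    return posixpath.commonpath([posixpath.normpath(path), root]) == root

def audit(conf_text):
    """Return {ServerName: [findings]}; an empty list means the vhost is confined."""
    report = {}
    for block in VHOST_RE.findall(conf_text):
        name, docroot, basedir = "?", None, None
        for line in block.splitlines():
            tok = shlex.split(line, comments=True)
            if len(tok) < 2:
                continue
            key = tok[0].lower()
            if key == "servername":
                name = tok[1]
            elif key == "documentroot":
                docroot = tok[1]
            elif key in ("php_value", "php_admin_value") and len(tok) > 2 \
                    and tok[1].lower() == "open_basedir":
                basedir = (key, tok[2])
        # Assumption: the account home is the parent directory of DocumentRoot.
        home = posixpath.dirname(posixpath.normpath(docroot)) if docroot else None
        if basedir is None:
            findings = ["missing"]
        else:
            findings = ["overridable"] if basedir[0] == "php_value" else []
            findings += ["escapes:" + p for p in basedir[1].split(":")
                         if not home or not inside(p, home)]
        report[name] = findings
    return report
```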

  • @littleguy said: I haven't quite understood how ZPanel runs Apache, is it mod_php? How does it handle multiple users?

    I haven't had the need to run the particulars down yet -- I suspect they are using mod_php, it would explain the permission issues between Apache and the FTP User.

  • @joepie91

    There may be some issues, but it would almost certainly be better than Kloxo at this point in time.

  • @connercg said: There may be some issues, but it would almost certainly be better than Kloxo at this point in time.

    Why is that?

    Appreciate my posts/software/guides? Donate (PayPal/Flattr/Bitcoin): http://cryto.net/~joepie91/donate.html | irc.freenode.net #lowendbox

  • Not too bad for the price; just wish they'd get some sort of Nginx/Lighttpd support

  • @joepie91 said: Why is that?

    There is minimal development with Kloxo for several months now, and they are only supporting PHP 5.2.x at the moment. You can upgrade to 5.3 but there is no official support for it. Additionally, scripts are moving to 5.3 so more things will begin not to work on Kloxo. It's irrelevant to me as long as the packages are secure and it supports current scripting. Their codebase seems secure for the time being, but PHP 5.2 will become a larger issue in the future.

  • @joepie91 said: Suhosin and open_basedir restrictions are used to prevent users from escalating their access to other users.

    This is pretty awesome. My biggest gripe with Webmin was that it didn't give you this kind of security without running FCGI, which completely breaks APC caching. (each fcgi child has own cache)

    @jkr1711 said: Not too bad for the price; just wish they'd get some sort of Nginx/Lighttpd support

    I'm thinking about amending this by running Squid in accelerator mode on top of Apache to increase the speed of static assets.

  • No one has mentioned ISPConfig 3 yet. I've looked at it, but never tried it myself yet. Can anyone that has used it chime in on the pros/cons?

  • joepie91 Member
    edited October 2012

    @connercg said: There is minimal development with Kloxo for several months now, and they are only supporting PHP 5.2.x at the moment. You can upgrade to 5.3 but there is no official support for it. Additionally, scripts are moving to 5.3 so more things will begin not to work on Kloxo. It's irrelevant to me as long as the packages are secure and it supports current scripting. Their codebase seems secure for the time being, but PHP 5.2 will become a larger issue in the future.

    I don't really see how that is worse than several arbitrary code execution vulnerabilities and an SQLi that allows you administrator access without any kind of authentication...

    @littleguy said: This is pretty awesome. My biggest gripe with Webmin was that it didn't give you this kind of security without running FCGI, which completely breaks APC caching. (each fcgi child has own cache)

    Another thing to be aware of regarding FastCGI is that if you want to have a different cache per user, it will incur quite some RAM overhead. From the top of my head, it's 1-2MB per user.

    @kalam said: No one has mentioned ISPConfig 3 yet. I've looked at it, but never tried it myself yet. Can anyone that has used it chime in on the pros/cons?

    I've used an older version of ISPConfig a long time ago, found the interface quite painful to work with - but that may have changed.

    Appreciate my posts/software/guides? Donate (PayPal/Flattr/Bitcoin): http://cryto.net/~joepie91/donate.html | irc.freenode.net #lowendbox

  • @jhadley said: Don't use that. I found this late last night - you can get a Plesk 11 (I know it's Plesk but v11 in "Service Provider" mode is actually really nice!) licence for under 2 euros a month: https://www.netsys-online.de/

    Bought mine yesterday, came through in a few hours and working fine.

    Can you confirm for me that it's Plesk 11 that you purchased?

    I'm only seeing Plesk 9.5 and 10

    Thanks

    Thanked by 1djvdorp
  • littleguy Member
    edited October 2012

    @joepie91 said: Another thing to be aware of regarding FastCGI is that if you want to have a different cache per user

    The overhead is actually your apc.shm_size size. So if it's set to 128MB you are looking at that times the number of your users in worst-case.

    Also depending on the configuration the APC cache can also be per thread (worker), which immediately kills your server since standard config can happily spawn hundreds of threads.

  • @Torquemada said: I'm only seeing Plesk 9.5 and 10

    I've bought a Plesk v10 license (from another reseller) and then installed Plesk v11 and everything was fine.

  • @Torquemada said: Can you confirm for me that it's Plesk 11 that you purchased?

    Plesk 10 licences are good for Plesk 11.

    Loading Deck - Cloud Consultants: Server Management | Consultancy | Software Development
  • Wait for joepie91's release, I believe he is recoding it from scratch.

  • @SonicVPS said: Wait for joepie91's release, I believe he is recoding it from scratch.

    No, he's just re-writing portions of it and closing the security vulnerabilities.

    Catalyst Host - Pie Approved!
  • @HalfEatenPie said: No, he's just re-writing portions of it and closing the security vulnerabilities.

    Well, no, I'm actually rewriting the core from scratch, I'm just leaving the UI intact :)

    Appreciate my posts/software/guides? Donate (PayPal/Flattr/Bitcoin): http://cryto.net/~joepie91/donate.html | irc.freenode.net #lowendbox

  • For some reason, I've always viewed the development of ZPanel and the actual control panel to be a complete mess and a joke.

    Relax brah
  • @Jeffrey said: For some reason, I've always viewed the development of ZPanel and the actual control panel to be a complete mess and a joke.

    Care to elaborate? From my tests it seems to work perfectly fine and do what it says on the tin.

  • risharde Member
    edited October 2012

    I'd like to know more about zpanel vs kloxo vs panel w.r.t security and facts hopefully as well

  • Just setup and configured ZPanel (v10) on a CentOS 6 box.

    I am very impressed, especially with the fact that email works out of the box, easy to add domains and high configurability (you can still SSH in and install APC, tweak Apache etc).

    Also I put the admin control panel behind basic authentication (.htaccess/.htpasswd) to lower the risk of drive-by/automated exploits.

    Two thumbs up so far, if anything changes I'll post here. ;)

  • Pretty much doing the same thing with a VPS from CrownCloud @Speedbus

    I'll post as well.

  • @jhadley said: Plesk 11

    Personally I don't like Plesk

    kloxo - I don't recommend this ugly and unsecure control panel.

    ZPanel looks great!

  • ZPanel is still unsecure.

    This signature is brought to you by the NSA. Spying on the entire world since 1952!

  • @TheHackBox said: ZPanel is still unsecure.

    People keep saying that...

    I have only found one 0-day for ZPanel - link: http://forums.zpanelcp.com/showthread.php?12227-ZPanel-in-the-news-attacked-by-Anonymous&p=75821#post75821

    It was promptly patched. What more can you ask?

    I agree it's likely not as safe as Kloxo or Plesk because ZPanel has much smaller team and no product for sale (they don't even provide paid support). It's more like a hobby project in that aspect, really.

    But there is a right tool for everything. ZPanel might not be for hosting giants, but it does have clear advantages over the other big cpanels, and it performs its job very competently.

    tl;dr - probably don't run zpanel if you want to be the next godaddy

  • joepie91 Member
    edited November 2012

    @littleguy said: People keep saying that...

    I have only found one 0-day for ZPanel - link: http://forums.zpanelcp.com/showthread.php?12227-ZPanel-in-the-news-attacked-by-Anonymous&p=75821#post75821

    It was promptly patched. What more can you ask?

    Okay, this shit again.

    1. I was the person that discovered the mentioned vuln to start with. It was not taken as seriously as it should have been - in fact, the whole reason I found this vulnerability in the first place, was because they needed to be shown that their software was insecure, before they even considered thinking about using proper and secure coding practices. I'm sure many of the people that were in the IRC channel at that time, can shed some more light on this issue.
    2. They lied about the origin of said vulnerability report. Their "professional security firm" did not in fact report this vulnerability to them - I found this vulnerability after WebSec did their audit, and they were unaware of it at that point.
    3. Have a read here. Do I really need to say any more?

    @littleguy said: I agree it's likely not as safe as Kloxo or Plesk because ZPanel has much smaller team and no product for sale (they don't even provide paid support). It's more like a hobby project in that aspect, really.

    Yes, and it's treated by them as such. Meaning that until they beef up their security policies (because seriously, this is an unacceptable level of security for ANY kind of panel regardless of whether it is a commercial project or not), you should NOT be using this panel on any server that has ANYTHING you want to keep secure.

    EDIT: Oh yeah, did I mention that WebSec also missed all the vulnerabilities in the Pastebin above? And that there is at least one severe unpublished vulnerability in there?

    Appreciate my posts/software/guides? Donate (PayPal/Flattr/Bitcoin): http://cryto.net/~joepie91/donate.html | irc.freenode.net #lowendbox

  • I'm currently using it on my VPS. It seems to be working fine for a week or so. I'm actually glad with the product. But I'm not hosting any serious web sites or such on my VPS, currently. All little development stuff and test work.

    zPanel looks like a good project, works fine. I believe these guys should be supported. In anyways.

    But I recommend people with serious stuff on their VPS to wait a little more and try more reliable control panels. What joepie has been telling looks serious

  • littleguy Member
    edited November 2012

    Apparently ZPanel is now getting CSRF protection.

    http://i.imgur.com/ED9Rp.png

    Unfortunately he misspelled the term. D'oh.

    Edit: This is a happy post, because development is good!

  • If your clients were at all concerned about reliability and ability to contact support they would just go with cPanel, Kloxo, or Plesk. Virtualmin is okay, but it is nowhere as user friendly. I have one customer who refuses to RTFM with virtualmin and just keeps opening a ticket about things.

  • Kloxo: the development no further update, not yet release 64 bit

    Virtualmin: very complicated, use their own term, use java based file manager (very slow). good for expert user

    Plesk: only popular on Windows, has limited users

    CPanel: the best and most popular hosting panel

    ZPanel since 10 version, called as ZpanelX has made very good improvement. They released ZPanel 10.0.1 then 10.0.2 to fix any reported bugs. ZPanel very similar to CPanel, support 32 and 64 bit, support both Linux and Windows.

    In short, for Share Hosting the only choice is CPanel, but for VPS you may choose ZPanel for budget concern. ZPanel needs more time to meet CPanel.

  • earl Member
    edited February 2013

    @kotakomputer said: Kloxo: the development no further update, not yet release 64 bit

    Yeah it's really unfortunate how development never really progressed.. I think there is a fork by Mustafaramadhan called Kloxo-mr which may have support for 64bit but I think he is in the process of creating a new CP looks interesting cause he seems very helpful in the kloxo forum and also looks pretty capable..

    Link to his forum - kloxo-mr

  • @littleguy said: Tried Webmin but thought it was a bit too bloated for my needs.

    Webmin is the lightest control panel out there. It uses like 10MB of RAM!

  • I've read about zpanelcp article. It is compatible with virtualization XEN/KVM. OVZ is not recommended. But I've not tried it because my vps is lowend.

  • It's compatible with OVZ, I run ZPanelCP with OVZ 512 MB and running well ...

    ServerBorneo.Com - My VPS Journey

  • But because of some reason I can't get it working on Debian, keeps spitting out errors. While on Centos first install worked 100%

    Good for personal use and friends but not for selling.

  • I've used zPanel years ago, somewhere around 2006. It was a decent panel back then, missed some features but then again, it's free. Can't say anything about the current state of it though.

  • Anyone know if it's normal for the DNS service (bind, I believe) to be ripping an entire core constantly after installation?

  • @winston said: Anyone know if it's normal for the DNS service (bind, I believe) to be ripping an entire core constantly after installation?

    Seen that happen a couple times. Seems to clear up after a reboot I believe.

  • @jarland said: Seen that happen a couple times. Seems to clear up after a reboot I believe.

    Yep, thanks!

  • http://freesimplehosting.com ;) http://freesimplehosting.com/forums/index.php?p=/discussion/2/setting-up-early-beta-like-hosting-accounts#Item_1

    Please help me test out my ZPanel server. We are giving away free 10GB Shared Hosting accounts.

    Relax brah