The security trainwreck that is ZPanel - Page 2

Comments

  • axtux Member

    Yes I know I don't need a panel but it is a good transition to dedicated servers for me. I think I'll have a try with ISPConfig. My SSH auth is done with keys.

    I heard about nginx but I'm wondering if it would be really reliable as a permanent solution. Cannot newer Apache versions (with good config) show similar performance ? Or is it about security ? I think if Google and OVH are both using Apache, it is not a coincidence. Also, I'll make an open hebergement as legtux and if all users know LAMP, they could be less familiar with nginx.

  • Nginx is MUCH better than apache in low-RAM environments. Try using Neon, http://www.neonpanel.com, which while it's still under development, is free, open-source, and is mostly complete. And it used Nginx!

  • joepie91 Member, Patron Provider

    @axtux said:
    Yes I know I don't need a panel but it is a good transition to dedicated servers for me. I think I'll have a try with ISPConfig. My SSH auth is done with keys.

    I heard about nginx but I'm wondering if it would be really reliable as a permanent solution.

    I don't see why not. It's a very commonly used HTTPd in production environments, and probably more reliable than Apache.

    Cannot newer Apache versions (with good config) show similar performance ?

    I have yet to see an Apache setup that provides similar performance to nginx/lighttpd on a similar amount of resources, and that didn't require an unreasonable amount of configuration to do so.

    Or is it about security ?

    There are many more issues with Apache than there are with nginx and lighttpd.

    I think if Google

    Google doesn't use Apache. Google uses Google Web Server, a custom HTTPd.

    and OVH are both using Apache, it is not a coincidence.

    OVH has a giant amount of (cheap) resources at their disposal. That they are using Apache says nothing about Apache itself.

  • marcm Member

    I have yet to see an Apache setup that provides similar performance to nginx/lighttpd on a similar amount of resources, and that didn't require an unreasonable amount of configuration to do so.

    @joepie91 just the fact that we run Nginx 1.4 in front of Apache on our cPanel servers, and there is a noticeable performance improvement, speaks volumes about how good Nginx is :)

  • https://www.facebook.com/ZpanelCP/posts/564520533598379?comment_id=5580551

    @joepie91 I think you need to see this :)

    Yeah thank-you. This guy has reported nothing new to us. And he's wrong on all accounts with his attitude towards our product. There are no Security Issues with our software. Our 3 Developers have checked and double checked the code and there are no issues.

  • @joepie91 If you found leak on ZPanel why not you go for ZPanel Zero Days?

  • marcm Member

    @CentrioHost The Nile is not just a river in Egypt, it's also known as "denial", or a new way of conducting business. In other words if no catastrophe has occurred yet, everything must be just peachy!

    Btw., I love your signature :P ... and to think that I was worried about mine, lol.

  • Mitsuhashi Member
    edited July 2013

    How vulnerable do you see ZPanel being for a single user (a.k.a. not-a-web-host)? As a web server noob, I've found it head-over-heels easier to use with near-flawless autoinstallation. Tried cPanel/WHM trial, Webuzo, Webmin/Virtualmin as well, but I keep coming back to ZPanel because it just freaking works from the get-go and takes up a very reasonable amount of resources. I definitely see that WHM and Webmin are more powerful, but Webmin is way too techie for the newbie while WHM is fat + attracts a stupid amount of bruteforce attempts. Webuzo is nice and simple but has too many dealbreaking bugs at the moment.

    Meanwhile, my ZPanel and its single forum are running along smoothly at Port 80 with nobody other than me and Google visiting.

  • marcm Member

    @Mitsuhashi have you tried ISPConfig? If you haven't you should know that you're missing out on a lot of fun. Btw. it can also manage OpenVZ containers...

  • @marcm I've looked at screenshots but haven't tried installing it. Is it noob-friendly?

  • @CentrioHost said:
    https://www.facebook.com/ZpanelCP/posts/564520533598379?comment_id=5580551

    joepie91 I think you need to see this :)

    Yeah thank-you. This guy has reported nothing new to us. And he's wrong on all accounts with his attitude towards our product. There are no Security Issues with our software. Our 3 Developers have checked and double checked the code and there are no issues.

    I just had to respond there. They are not only ignorant to community feedback but they were also extremely rude towards joepie91. This was my response (my experience is that some of the comments are removed):

    There are security issues with your product. I'm not sure who "you" are, but there was a guy on your forums (one of the developers I believe) that was extremely rude to joepie91 only because he wanted to help and indicate some security issues with your product. I confirmed the initial post there and at the time of the post it was indeed possible to completely take over a ZPanel server by uploading a malicious template. I'm not sure if anything has changed since, but there was really no denying there was a security issue at that time. I don't know of any other issues myself (haven't checked), but I confirmed the template one.

  • CentrioHost Member
    edited July 2013

    I'm running several ZPanel servers at this moment. Only 3 things can make ZPanel secure:

    1. Admin > Module Admin > Protect Directories > Disabled
    2. Admin > Module Admin > Theme Manager > Uncheck for "Reseller" and "Users"
    3. Change SSH Port to something else.

    I really don't think anything else right now required / causes panic...

  • Joepie91 is just a hater of our product

    okay they just convinced me to use cPanel instead

  • twain Member

    @axtux, ispconfig is great, and is also a super easy way to set up a master slave dns cluster with a nice Web interface for mgmt. I have an ispconfig master plus two ispconfig dns slaves (running on 256M lebs)

  • @marcm @twain Tried the ISPConfig demo, and it looks great! We'll have to see if I can get everything to work, though.

  • joepie91 Member, Patron Provider
    edited July 2013

    @CentrioHost said:
    https://www.facebook.com/ZpanelCP/posts/564520533598379?comment_id=5580551

    joepie91 I think you need to see this :)

    Yeah thank-you. This guy has reported nothing new to us. And he's wrong on all accounts with his attitude towards our product. There are no Security Issues with our software. Our 3 Developers have checked and double checked the code and there are no issues.

    Sorry, not buying it. Previously, the guy that controlled the Facebook page (or at least, the one that was posting on it constantly) just happened to be the same 'support team member' that lost his shit (i.e. ps2guy). He also just happened to have the same writing style as the guy writing those comments you just linked to.

    @CentrioHost said:
    joepie91 If you found leak on ZPanel why not you go for ZPanel Zero Days?

    Hm?

    @CentrioHost said:
    I'm running several ZPanel servers at this moment. Only 3 things can make ZPanel secure:

    1. Admin > Module Admin > Protect Directories > Disabled
    2. Admin > Module Admin > Theme Manager > Uncheck for "Reseller" and "Users"
    3. Change SSH Port to something else.

    I really don't think anything else right now required / causes panic...

    There are probably many more issues in it. They just haven't been uncovered yet.

    EDIT: Sidenote, if you wish to ignore all that I said and use ZPanel anyway, then by all means go ahead. But realize that you're putting yourself at risk, and I'm not going to help you out when you get owned. This doesn't just apply to @CentrioHost, it's a general statement aimed at everybody that has been trying to wave away my warnings so far.

  • netomx Moderator, Veteran

    Do you recommend Webmin @joepie91 ?

  • @joepie91 said:
    There are probably many more issues in it. They just haven't been uncovered yet.

    Could be, right now not advised to use any 3rd party modules along with my 3 recommendations...
