# Secure Dragon's Wyvern gets its biggest update yet!



## KuJoe (Dec 19, 2014)

Yesterday we were excited to push a rather large update to our custom Wyvern control panel for our OpenVZ services. With this update comes a lot of exciting new features that clients have requested along with some added security features for the less experienced server admins who are still learning the ropes.

Here's a quick list of some of the features that were added:


- Ability to add custom IPv6 addresses.
- Ability to add 10 random IPv6 addresses at a time.
- Ability to enable Second Level Quotas on your VPS.
- User created backups are extended to 30 days instead of 24 hours.
- User created backups can now be deleted early to allow for a new backup to be taken.
- User created backups can now be restored within Wyvern.
- Clients can change the SSH port number to a random port number (within a safe, unused range).
- Clients can disable password authentication from Wyvern.
- Clients can upload their own SSH keys for root through Wyvern.

You can view the screenshots of the new features here and you can also view all of the features here. Also, you can read the whole announcement on our website for more specifics.

I basically sat down one night and knocked out every single feature request on my Any.do list so now I need some more ideas to add to the list. So what do you think we should add next? I'm all ears.


----------



## MannDude (Dec 19, 2014)

Wyvern is my favorite out of the custom panels so far. It's small, light and simple to use. One login for billing and VPS control, some neat and unique features... can't ask for much more.


----------



## raindog308 (Dec 19, 2014)

Just out of curiosity, what is the technical barrier to supporting KVM? Or is that a planned feature?


Congrats on Wyvern's development!


----------



## KuJoe (Dec 19, 2014)

raindog308 said:


> Just out of curiosity, what is the technical barrier to supporting KVM? Or is that a planned feature?
> 
> 
> Congrats on Wyvern's development!


The only barrier for KVM is that I don't like it and don't want to support it. SolusVM has kept it running this long so I'll let SolusVM keep those 2 nodes running.

I actually coded Wyvern so if I wanted to add KVM it already has the logic in place and the proper fields in the database.


----------



## Kalam (Dec 19, 2014)

Not a fan of running SSH on non-privileged ports. Good job on the rest of the updates though.


----------



## blergh (Dec 19, 2014)

Kalam said:


> Not a fan of running SSH on non-privileged ports. Good job on the rest of the updates though.


Not sure what you mean by this, but, wat.


----------



## KuJoe (Dec 19, 2014)

Kalam said:


> Not a fan of running SSH on non-privileged ports. Good job on the rest of the updates though.


We limit the random ports to a select few unused port numbers under 1024 for security. While I know a lot of people are against using anything other than port 22, those same people don't deal with the level of abuse we deal with on a daily basis because people who don't know what Linux is order a VPS with Debian and get hacked within hours. Changing your SSH port to anything other than port 22 will prevent 99.99% (I want to say 100%, but there's always that 1 attack where the bot will get a lucky guess so 99.99% is the best I'm willing to commit to) of non-targeted SSH attacks.


----------



## Nick (Dec 19, 2014)

Nice work! Only just saw this post but saw these features earlier.


When I tried the random SSH port I don't believe it told me anywhere on what port it was changed to? It was probably just me being blind though.


----------



## KuJoe (Dec 19, 2014)

Nick said:


> Nice work! Only just saw this post but saw these features earlier.
> 
> 
> When I tried the random SSH port I don't believe it told me anywhere on what port it was changed to? It was probably just me being blind though.


It'll be displayed at the top of Wyvern highlighted in yellow right after it's changed. You'll be able to find the port number in the Logs tab.


----------



## D. Strout (Dec 19, 2014)

Just ordered a VPS to give this a go.


----------



## raindog308 (Dec 20, 2014)

There's an argument that running ssh on a >1024 port is a bad idea because a non-root user could start a process on that port, imitate sshd, and capture passwords. To be a real threat, this would mean:

- the server would need to have local users beyond the owner (I'd wager the vast majority of VPSes bought by vpsboard denizens are for their own use solely)
- the system sshd would have to be turned off or switched to a different port than the >1024 port it was previously using
- someone from the outside would need to ssh in using the old port

It's kind of a stretch, honestly. But it's always best to err on the side of caution and there are plenty of <1024 ports available.

I'm wondering if that is what @Kalam is referring to or something else...?

Running on something other than port 22 *is* a good idea without argument. Yes, it's security by obscurity, but it filters out so many dumb scripted brutes that it's worth doing. Of course, that's not the end of ssh-related security measures.


----------
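
The port and authentication points raised in the posts above can be checked against a server's own `sshd_config`. The following is an added example, not part of any post and not Wyvern code: it flags the default port, ports above 1023 that an unprivileged local process could bind, and password-capable authentication left on. The sample configs, port numbers and finding names are constructed, and `Match` blocks are not evaluated.

```python
# Added example (not Wyvern code): audit sshd_config text for the settings
# discussed in this thread. The sample configs below are constructed.
PRIVILEGED_MAX = 1023  # on Linux, binding ports 1-1023 needs root by default

def parse_global(text):
    """Return (ports, settings) from the part of sshd_config before any Match block."""
    ports, settings = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # conditional overrides are out of scope here
        if key == "port":
            ports.append(int(value))  # Port may be given more than once
        else:
            settings.setdefault(key, value)  # sshd keeps the first value it reads
    return ports or [22], settings  # sshd listens on 22 when no Port is set

def audit(text):
    """Return a list of finding codes; an empty list means every check passed."""
    ports, s = parse_global(text)
    findings = []
    for port in ports:
        if port == 22:
            findings.append("default-port")
        elif port > PRIVILEGED_MAX:
            findings.append("unprivileged-port")
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("password-auth-enabled")
    # keyboard-interactive can still prompt for a password through PAM
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no":
        findings.append("kbd-interactive-enabled")
    return findings

STOCK = "#Port 22\nPermitRootLogin yes\n"
HIGH_PORT = "Port 2222\nPasswordAuthentication no\nChallengeResponseAuthentication no\n"
HARDENED = "Port 922\nPasswordAuthentication no\nKbdInteractiveAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK), ("high port", HIGH_PORT), ("hardened", HARDENED)):
        print(name, audit(cfg))
```

On a live system, `sshd -T` prints the effective configuration, which can be fed to `audit()` instead of the raw file.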



## Nick (Dec 20, 2014)

KuJoe said:


> It'll be displayed at the top of Wyvern highlighted in yellow right after it's changed. You'll be able to find the port number in the Logs tab.


Cheers. Pretty handy as the first thing I normally do is change the port, upload my public key and disable password auth, which can now all be done before logging on.


----------



## vampireJ (Dec 20, 2014)

MannDude said:


> Wyvern is my favorite out of the custom panels so far. It's small, light and simple to use. One login for billing and VPS control, some neat and unique features... can't ask for much more.


open source it!


----------



## Kalam (Dec 20, 2014)

raindog308 said:


> There's an argument that running ssh on a >1024 port is a bad idea because a non-root user could start a process on that port, imitate sshd, and capture passwords.  To be a real threat, this would mean
> 
> 
> the server would need to have local users beyond the owner (I'd wager the vast majority of VPSes bought by vpsboard denizens are for their own use solely)
> ...


I thought KuJoe had it randomize to a port over 1024; I'm fine with how he actually does it. You're right that it is a stretch, but why risk it when you don't need to? Some applications do expect and only work if SSH is on port 22 though; whether that's a fault of the application itself is another topic.


----------



## D. Strout (Dec 20, 2014)

One nice feature would be the ability to _remove_ IPv6 addresses from the server. Probably wouldn't see too much use, but it would be nice if you're seeing a lot of junk on one address to just kill it and switch to another (the joys of "unlimited" addresses).


----------



## KuJoe (Dec 20, 2014)

D. Strout said:


> One nice feature would be the ability to _remove_ IPv6 addresses from the server. Probably wouldn't see too much use, but it would be nice if you're seeing a lot of junk on one address to just kill it and switch to another (the joys of "unlimited" addresses).


After giving it more thought, I think I will add it in the next release. I originally wasn't planning on it because we have quite a few people who add so many IPs that it breaks the server (I had to put a hard limit on each VPS) and some people were running scripts that break Wyvern so if they had the option to delete IPs they could just spam Add and Delete which I was trying to avoid. I'll have to add some more checks in place to prevent those scripts.


----------



## D. Strout (Dec 20, 2014)

KuJoe said:


> After giving it more thought, I think I will add it in the next release. I originally wasn't planning on it because we have quite a few people who add so many IPs that it breaks the server (I had to put a hard limit on each VPS) and some people were running scripts that break Wyvern so if they had the option to delete IPs they could just spam Add and Delete which I was trying to avoid. I'll have to add some more checks in place to prevent those scripts.


Wow... people seriously don't have anything better to do with their time? I can certainly understand why you didn't want to add a remove feature in that case, but I can't imagine it would be that hard to block that kind of scripting. Maybe you could require a CAPTCHA if requests are coming in at a rate of more than one per ten seconds.


----------



## KuJoe (Dec 20, 2014)

D. Strout said:


> Wow... people seriously don't have anything better to do with their time? I can certainly understand why you didn't want to add a remove feature in that case, but I can't imagine it would be that hard to block that kind of scripting. Maybe you could require a CAPTCHA if requests are coming in at a rate of more than one per ten seconds.


Some of the people weren't doing it on purpose, some just needed 12 thousand IPs per VPS for some reason.


----------



## MannDude (Dec 21, 2014)

For those of you who haven't seen Wyvern, here she is:



I _love_ the simplicity. Everything is right there and easy to get to.


----------



## kpmedia (Dec 31, 2014)

I just had a flashback to Dragon Warrior on the NES. 

Wyvern -- great name.


----------



## Geek (Dec 31, 2014)

Wyvern routinely leaves me delighted and jealous at the same time.

In other words, well done.

Seriously, the utilities and on-demand feature enhancements are what should have gone into SolusVM years ago. Am quietly hoping Joe releases something non-proprietary and licenses it. I'd certainly pay for it, and I'm sure others would after seeing what Wyvern does.

Regardless, it rocks, and you should be darn proud.


----------



## KuJoe (Dec 31, 2014)

Geek said:


> Wyvern routinely leaves me delighted and jealous at the same time.
> 
> In other words, well done.
> 
> ...


I've been wanting to release a basic, open source version. One of the longest things on my to-do list is making it easier to do a fresh install. Maybe I'll have something released next year.


----------



## MattKC (Dec 31, 2014)

I signed up last week just so I can play with Wyvern. Love that everything is right there in one location, well laid out and the self service you often have to submit requests for elsewhere.


----------



## KuJoe (Dec 31, 2014)

MattKC said:


> I signed up last week just so I can play with Wyvern. Love that everything is right there in one location, well laid out and the self service you often have to submit requests for elsewhere.


Thanks! 

If anybody wants to make some feature requests I'm all ears.


----------



## mikho (Jan 1, 2015)

I use one of my servers as a proxy to watch movies from Netflix and some sort of api to get the bandwidth usage would be nice.


Call me stupid if this already exists.


----------



## fixidixi (Jan 1, 2015)

+1 on an API with usage stats. You should limit the max requests / client / [timeframe] though.


----------



## nunim (Jan 1, 2015)

The API usage would be nice but it's simple enough to install vnstat/vnstati and just generate a PNG of your bandwidth stats.

+1 for Wyvern, best control panel out there right now. I've used the migration feature a few times now and it's always worked out, I'm sure this has reduced your support load quite a bit.


----------



## qrwteyrutiyoup (Jan 1, 2015)

API would be great indeed, to complement this simple and nice panel. I wrote a silly script [1] to get the BW stats, although it's so slow it's likely @KuJoe has already provided a proper way to get this info before it finishes running 

[1] https://gist.github.com/qrwteyrutiyoup/0020630dcdcd0ef42eb7


----------



## KuJoe (Jan 3, 2015)

Wyvern just got a complete audit of the code tonight so I'll be moving forward on releasing a stripped down version on GitHub in the upcoming weeks. 

I'll look into getting an API setup, it's outside my comfort zone though so we'll see what happens.


----------



## mikho (Jan 3, 2015)

I really like how it is all in one place and the API is the only thing that I think is "missing". Not a high priority for me, it's a "nice to have feature" not "need to have".


----------



## KuJoe (Feb 7, 2015)

D. Strout said:


> One nice feature would be the ability to _remove_ IPv6 addresses from the server. Probably wouldn't see too much use, but it would be nice if you're seeing a lot of junk on one address to just kill it and switch to another (the joys of "unlimited" addresses).


I _finally_ got around to adding this to our production install tonight. Sorry for the delay. 



mikho said:


> I use one of my servers as a proxy to watch movies from Netflix and some sort of api to get the bandwidth usage would be nice.
> 
> 
> Call me stupid if this already exists.


I've added something really basic to our Dev install. It's basically just navigating to a URL and it outputs your current bandwidth usage in plain text. I'm adding an API tab for white listing IPs (you won't have to white list whatever IP you login to WHMCS with, only remote IPs). Here's what it looks like:

```
# curl "wyvern_getmybw.php?s=21&c=1&key=11111"
0.04
```


----------
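
The controls mentioned in the thread for this kind of endpoint (an API key, a per-client IP whitelist, and a request limit per client per timeframe) fit together as a single gate in front of the handler. This is an added example, not part of any post and not Wyvern code; the class name, key store, client ids and addresses are hypothetical, and the default of one request per ten seconds borrows the rate suggested earlier in the thread.

```python
# Added example, not Wyvern code. Keys, addresses and ids below are constructed.
import hmac
import ipaddress
from collections import defaultdict, deque

class ApiGate:
    def __init__(self, keys, allowlist, max_requests=1, window=10.0):
        self.keys = keys  # client id -> API key (hypothetical in-memory store)
        self.allow = {c: [ipaddress.ip_network(n) for n in nets]
                      for c, nets in allowlist.items()}
        self.max_requests, self.window = max_requests, window
        self.seen = defaultdict(deque)  # bucket -> times of counted requests

    def _hit(self, bucket, now):
        """Count a request against a bucket; False if the bucket is full."""
        times = self.seen[bucket]
        while times and now - times[0] >= self.window:
            times.popleft()  # forget requests older than the window
        if len(times) >= self.max_requests:
            return False
        times.append(now)
        return True

    def check(self, client, key, remote_ip, now):
        """Return 'ok', 'denied' (bad key or address) or 'throttled'."""
        # Throttle per source address first so key guessing is slowed too.
        if not self._hit(("ip", remote_ip), now):
            return "throttled"
        expected = self.keys.get(client)
        # Constant-time compare; unknown client and wrong key look the same.
        key_ok = expected is not None and hmac.compare_digest(
            expected.encode(), key.encode())
        addr = ipaddress.ip_address(remote_ip)
        ip_ok = any(addr in net for net in self.allow.get(client, []))
        if not (key_ok and ip_ok):
            return "denied"
        # Then throttle per client, whichever allowlisted address it uses.
        return "ok" if self._hit(("client", client), now) else "throttled"

def demo():
    gate = ApiGate({"1": "k-constructed-1"},
                   {"1": ["203.0.113.0/24", "2001:db8::/32"]})
    calls = [("1", "k-constructed-1", "203.0.113.7", 0.0),    # ok
             ("1", "k-constructed-1", "203.0.113.7", 5.0),    # too soon
             ("1", "k-constructed-1", "203.0.113.7", 10.0),   # window passed
             ("1", "wrong", "203.0.113.7", 20.0),             # bad key
             ("1", "k-constructed-1", "198.51.100.9", 30.0),  # not allowlisted
             ("1", "k-constructed-1", "2001:db8::5", 31.0)]   # second address
    return [gate.check(*c) for c in calls]

if __name__ == "__main__":
    print(demo())
```

A key carried in the query string is recorded in web server access logs along with the rest of the URL; accepting it in a request header keeps it out of them.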



## mikho (Feb 7, 2015)

KuJoe said:


> I've added something really basic to our Dev install. It's basically just navigating to a URL and it outputs your current bandwidth usage in plain text. I'm adding an API tab for white listing IPs (you won't have to white list whatever IP you login to WHMCS with, only remote IPs). Here's what it looks like:
> 
> 
> `# curl "wyvern_getmybw.php?s=21&c=1&key=11111"`
> ...



I like you more and more!


I will use this when it leaves DEV and comes into production.


Will it be "only" bandwidth or disk and ram later on?


----------



## KuJoe (Feb 7, 2015)

mikho said:


> I like you more and more!
> 
> 
> I will use this when it leaves DEV and comes into production.
> ...


For now it'll only pull bandwidth since that's the only number that is not generated "on-the-fly" meaning RAM, Disk, and CPU/Load are only pulled by Wyvern when you view your VPS in Wyvern. I can look into pulling additional resources, but I'll need to either cache the results or limit the queries.


----------



## D. Strout (Feb 7, 2015)

There's a pretty big bug with the custom IPv6 addition: almost anything I type in the four boxes, when I submit I get this:



I tried leaving the first three boxes blank and just putting 123 in the last, I tried feed:face:dead:beef, I tried just a 1 in the last box, all failed. Only thing that worked from what I tested was a single digit in all boxes. Not sure what's up there. Also, you should put a four-character maxlength on all the boxes, and auto-advance would be nice (type four characters, focus automatically moves to next box). Finally, I'm not yet seeing IPv6 deletion, but from the sounds of it, it might be because it hasn't rolled out to Chicago (where the server I'm testing with is).


----------



## KuJoe (Feb 7, 2015)

D. Strout said:


> There's a pretty big bug with the custom IPv6 addition: almost anything I type in the four boxes, when I submit I get this:
> 
> 
> 
> I tried leaving the first three boxes blank and just putting 123 in the last, I tried feed:face:dead:beef, I tried just a 1 in the last box, all failed. Only thing that worked from what I tested was a single digit in all boxes. Not sure what's up there. Also, you should put a four-character maxlength on all the boxes, and auto-advance would be nice (type four characters, focus automatically moves to next box). Finally, I'm not yet seeing IPv6 deletion, but from the sounds of it, it might be because it hasn't rolled out to Chicago (where the server I'm testing with is).


I fixed this. I had added an IF statement in the last update but I put it in the wrong spot in the prod version. I'll clear the WHMCS cache in case it's not showing the new buttons yet. Sorry about that.


----------

