
Secure Dragon's Wyvern gets its biggest update yet!

KuJoe

Well-Known Member
Verified Provider
Yesterday we were excited to push a rather large update to our custom Wyvern control panel for our OpenVZ services. With this update comes a lot of exciting new features that clients have requested along with some added security features for the less experienced server admins who are still learning the ropes.

Here's a quick list of some of the features that were added:

  • Ability to add custom IPv6 addresses.
  • Ability to add 10 random IPv6 addresses at a time.
  • Ability to enable Second Level Quotas on your VPS.
  • User created backups are extended to 30 days instead of 24 hours.
  • User created backups can now be deleted early to allow for a new backup to be taken.
  • User created backups can now be restored within Wyvern.
  • Clients can change the SSH port number to a random port number (within a safe, unused range).
  • Clients can disable password authentication from Wyvern.
  • Clients can upload their own SSH keys for root through Wyvern.
You can view the screenshots of the new features here and you can also view all of the features here. Also, you can read the whole announcement on our website for more specifics.

I basically sat down one night and knocked out every single feature request on my Any.do list so now I need some more ideas to add to the list. So what do you think we should add next? I'm all ears. :)
 

MannDude

Just a dude
vpsBoard Founder
Moderator
Wyvern is my favorite out of the custom panels so far. It's small, light and simple to use. One login for billing and VPS control, some neat and unique features... can't ask for much more.
 

raindog308

vpsBoard Premium Member
Moderator
Just out of curiosity, what is the technical barrier to supporting KVM? Or is that a planned feature?


Congrats on Wyvern's development!
 

KuJoe

Well-Known Member
Verified Provider
> Just out of curiosity, what is the technical barrier to supporting KVM? Or is that a planned feature?
>
> Congrats on Wyvern's development!

The only barrier for KVM is that I don't like it and don't want to support it. SolusVM has kept it running this long so I'll let SolusVM keep those 2 nodes running.

I actually coded Wyvern so if I wanted to add KVM it already has the logic in place and the proper fields in the database.
 

Kalam

New Member
Not a fan of running SSH on non-privileged ports. Good job on the rest of the updates though.
 

KuJoe

Well-Known Member
Verified Provider
> Not a fan of running SSH on non-privileged ports. Good job on the rest of the updates though.

We limit the random ports to a select few unused port numbers under 1024 for security. While I know a lot of people are against using anything other than port 22, those same people don't deal with the level of abuse we deal with on a daily basis because people who don't know what Linux is order a VPS with Debian and get hacked within hours. Changing your SSH port to anything other than port 22 will prevent 99.99% (I want to say 100%, but there's always that 1 attack where the bot will get a lucky guess so 99.99% is the best I'm willing to commit to) of non-targeted SSH attacks.
 

Nick

Moderator
Moderator
Nice work! Only just saw this post but saw these features earlier.


When I tried the random SSH port I don't believe it told me anywhere on what port it was changed to? It was probably just me being blind though.
 

KuJoe

Well-Known Member
Verified Provider
> Nice work! Only just saw this post but saw these features earlier.
>
> When I tried the random SSH port I don't believe it told me anywhere on what port it was changed to? It was probably just me being blind though.

It'll be displayed at the top of Wyvern highlighted in yellow right after it's changed. You'll be able to find the port number in the Logs tab.
 

raindog308

vpsBoard Premium Member
Moderator
There's an argument that running ssh on a >1024 port is a bad idea because a non-root user could start a process on that port, imitate sshd, and capture passwords. To be a real threat, this would mean:

  • the server would need to have local users beyond the owner (I'd wager the vast majority of VPSes bought by vpsboard denizens are for their own use solely)
  • the system sshd would have to be turned off or switched to a different port than the >1024 port it was previously using
  • someone from the outside would need to ssh in using the old port
It's kind of a stretch, honestly.  But it's always best to err on the side of caution and there are plenty of <1024 ports available.  

I'm wondering if that is what @Kalam is referring to or something else...?

Running on something other than port 22 is a good idea without argument. Yes, it's security by obscurity, but it filters out so many dumb scripted brutes that it's worth doing. Of course, that's not the end of ssh-related security measures.
 

Nick

Moderator
Moderator
> It'll be displayed at the top of Wyvern highlighted in yellow right after it's changed. You'll be able to find the port number in the Logs tab.

Cheers. Pretty handy as the first thing I normally do is change the port, upload my public key and disable password auth which can now all be done before logging on :D
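
The three settings discussed in this thread (a non-22 port below 1024, password authentication off, key authentication on) can be checked against an `sshd_config`. This is an added example, not part of the thread and not Wyvern's code; the function names, finding labels and sample configs are constructed, and it assumes OpenSSH's first-value-wins rule and reads only global settings before any `Match` block.

```python
import re

# Constructed sample configs (not from any real server).
WEAK = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = "# constructed example\nPort 922\nPasswordAuthentication no\nPubkeyAuthentication yes\n"

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {"port": ["22"], "passwordauthentication": ["yes"],
            "pubkeyauthentication": ["yes"]}

def parse_global(text):
    """Return {keyword: [values]} for the global section of an sshd_config."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Port 922" or "Port=922"
        key = parts[0].lower()                         # keywords are case-insensitive
        if key == "match":                             # conditional blocks are not audited
            break
        conf.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf

def audit(text):
    """Return a list of finding labels; an empty list means all three checks pass."""
    conf = parse_global(text)
    get = lambda k: conf.get(k, DEFAULTS[k])
    findings = []
    for p in get("port"):            # Port may be repeated; sshd listens on each one
        if not p.isdigit():
            findings.append("invalid-port")
        elif int(p) == 22:
            findings.append("port-22")               # default port hit by scripted scans
        elif int(p) >= 1024:
            findings.append("non-privileged-port")   # bindable by a non-root local user
    if get("passwordauthentication")[0] != "no":     # first value wins
        findings.append("password-auth-enabled")
    if get("pubkeyauthentication")[0] == "no":
        findings.append("pubkey-auth-disabled")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "ok")
```

Ports set through `ListenAddress host:port` and files pulled in with `Include` are not followed here, so run it against the effective configuration if those are in use.
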
 

Kalam

New Member
> There's an argument that running ssh on a >1024 port is a bad idea because a non-root user could start a process on that port, imitate sshd, and capture passwords. To be a real threat, this would mean:
>
>   • the server would need to have local users beyond the owner (I'd wager the vast majority of VPSes bought by vpsboard denizens are for their own use solely)
>   • the system sshd would have to be turned off or switched to a different port than the >1024 port it was previously using
>   • someone from the outside would need to ssh in using the old port
>
> It's kind of a stretch, honestly. But it's always best to err on the side of caution and there are plenty of <1024 ports available.
>
> I'm wondering if that is what @Kalam is referring to or something else...?
>
> Running on something other than port 22 is a good idea without argument. Yes, it's security by obscurity, but it filters out so many dumb scripted brutes that it's worth doing. Of course, that's not the end of ssh-related security measures.

I thought KuJoe had it randomize to a port over 1024; I'm fine with how he actually does it. You're right that it is a stretch, but why risk it when you don't need to? Some applications do expect and only work if SSH is on port 22 though; whether that's a fault of the application itself is another topic.
 

D. Strout

Resident IPv6 Proponent
One nice feature would be the ability to remove IPv6 addresses from the server. Probably wouldn't see too much use, but it would be nice if you're seeing a lot of junk on one address to just kill it and switch to another (the joys of "unlimited" addresses).
 

KuJoe

Well-Known Member
Verified Provider
> One nice feature would be the ability to remove IPv6 addresses from the server. Probably wouldn't see too much use, but it would be nice if you're seeing a lot of junk on one address to just kill it and switch to another (the joys of "unlimited" addresses).

After giving it more thought, I think I will add it in the next release. I originally wasn't planning on it because we have quite a few people who add so many IPs that it breaks the server (I had to put a hard limit on each VPS) and some people were running scripts that break Wyvern so if they had the option to delete IPs they could just spam Add and Delete which I was trying to avoid. I'll have to add some more checks in place to prevent those scripts.
 

D. Strout

Resident IPv6 Proponent
> After giving it more thought, I think I will add it in the next release. I originally wasn't planning on it because we have quite a few people who add so many IPs that it breaks the server (I had to put a hard limit on each VPS) and some people were running scripts that break Wyvern so if they had the option to delete IPs they could just spam Add and Delete which I was trying to avoid. I'll have to add some more checks in place to prevent those scripts.

Wow... people seriously don't have anything better to do with their time? I can certainly understand why you didn't want to add a remove feature in that case, but I can't imagine it would be that hard to block that kind of scripting. Maybe you could require a CAPTCHA if requests are coming in at a rate of more than one per ten seconds.
 

KuJoe

Well-Known Member
Verified Provider
> Wow... people seriously don't have anything better to do with their time? I can certainly understand why you didn't want to add a remove feature in that case, but I can't imagine it would be that hard to block that kind of scripting. Maybe you could require a CAPTCHA if requests are coming in at a rate of more than one per ten seconds.

Some of the people weren't doing it on purpose, some just needed 12 thousand IPs per VPS for some reason.
 

kpmedia

New Member
I just had a flashback to Dragon Warrior on the NES. :)

Wyvern -- great name.
 