Running your own zpanel instance

[wlanboy]

I was searching for an open source panel that was able to manage apache, mysql, dovecot, postfix and named. My search ended up on zpanel.

Installation is quite simple:


su
mkdir /zpanel && cd /zpanel
#32 bit version
wget https://github.com/bobsta63/zpanelx/releases/download/10.1.0/installer-10-1-0-ubuntu-32.sh.x
#64bit version
wget https://github.com/bobsta63/zpanelx/releases/download/10.1.0/installer-10-1-0-ubuntu-64.sh.x

mv installer-10-1-0-ubuntu-32.sh.x installer-10-1-0-ubuntu-32.sh
chmod +x installer-10-1-0-ubuntu-32.sh
./installer-10-1-0-ubuntu-32.sh

The installer itself asks four questions:

1. Accepting GPL
2. Timezone
3. Subdomain for panel
4. Public ip of server

You will get the basic login information afterwards:



Enter your subdomain into the browser and login to your panel.



I would like to talk about the pros/cons of zpanel and about possible replacements.

 

[matt[scrdspd]]

Did they fix the security issues? I'm not a zPanel user, however there has been much talk of security issues in the software.

 

[RiotSecurity]

Did they fix the security issues? I'm not a zPanel user, however there has been much talk of security issues in the software.

Nope, the issues are still there.

 

[HalfEatenPie]

zPanel is known as an open source control panel with TONS of horrible security practice.  In addition, the developers refused to state that this was an issue and ended up with the explanation "It's an open source panel we made in our spare time, what do you expect?" (Obviously highly condensed statement here but the idea still gets across).

It's one of the panels I highly DISCOURAGE anyone from ever using especially with the attitude/view the developers have on security.  

 

[WebSearchingPro]

Could a mixture of mod_security, SELinux/Apparmor, suhosin php make up for the lack of security in zPanel or at least added layers of protection?

I have pretty much seen ISPConfig3 as the top recommended replacement for cpanel. Kloxo-MR coming in a close second. 

 

[wlanboy]

Well - I did not read anything about current security issues.

I only know the thread of one single person that got pissed off by the attitude of one developer of zpanel.

So is this "zpanel is baaaaad" based on the single "fu** you devs" LET thread or is there something more substantial?

 

[HalfEatenPie]

Well - I did not read anything about current security issues.

I only know the thread of one single person that got pissed off by the attitude of one developer of zpanel.

So is this "zpanel is baaaaad" based on the single "fu** you devs" LET thread or is there something more substantial?

Well, that general perspective has been around even before that post started (although if I recall someone who was friends with the devs or something came in and commented).  It just happened that during that string of posts the zpanel website was hacked and taken down.  

zPanel looks nice.  I'll 100% agree with it, and not looking directly at the code but looking at the responses the zPanel staff and the developers gave for the security conerns I wasn't a big fan.  They definitely did not handle it well.  

 

[ConnerCG]

It's how they move forward from the 'incident' that interests me.

They appear to have addressed issues, and made several changes in 10.1.0 for tokens and sanitation.

I have a copy on a public facing server with about 20 users, and so far so good. I still take backups...

 

[VPSCorey]

Virtualmin

 

[wlanboy]

I have a copy on a public facing server with about 20 users, and so far so good. I still take backups...

I am running my first zpanel vps for about 5 months (5 users, 10 domains). No hacks, no issues.

I do backups too, but this does not depend on the panel

 

[MannDude]

Wow, zPanel looks a lot nicer than it did last time I tinkered with it.

 

[peterw]

Version 10.1.0 is 7 days old. Will try this panel.

 

[ConnerCG]

They updated the installers and addressed a couple of bugs. I reported the following and it was corrected.

http://bugs.zpanelcp.com/view.php?id=635

0000635: Create a new FTP account - Default to / (root) when using - Use Domain directory
New FTP accounts created via Use Domain directory always default to / (root) irregardless of choice selected.
Admin is unable to assign anything, directory always defaults to / (root) using - Use Domain directory

The lead programmer commented in general on the update --

"I'm really against re-tagging releases and feel that new release numbers should be issued but given the complexities of our current release process and getting the installers updated etc. we've opted to re-tag in this instance."

 

[jarland]

Thanks for posting the guide. Tip in your direction, from another person who hates every ugly POS panel that requires more work than the CLI does in the first place, VestaCP. I even purchased their support package, love it that much.

 

[DomainBop]

Could a mixture of mod_security, SELinux/Apparmor, suhosin php make up for the lack of security in zPanel or at least added layers of protection?

Not installing a buggy script on your server in the first place is the best way to make up for the lack of security in a script.  Removing a buggy script from your server and using something else when it becomes apparent that the developers don't place a high priority on security is the second best way to make up for the lack of security in a script.

FYI, modsecurity also has a long history of security problems, including 2 vulnerability alerts in the past 7 months, one of which was critical:

http://web.nvd.nist.gov/view/vuln/search-results?query=modsecurity&search_type=all&cves=on

 

[peterw]

Still not sure if I should use zpanel or vestacp.

 

[scv]

Well - I did not read anything about current security issues.

I only know the thread of one single person that got pissed off by the attitude of one developer of zpanel.

So is this "zpanel is baaaaad" based on the single "fu** you devs" LET thread or is there something more substantial?

As far as I'm concerned the issue isn't that the software is vulnerable, it's how they handled the situation. Would you rather use software from a developer that vehemently denies security issues in their product, or a developer that rapidly patches the vulnerability and informs users of the issue?

Either way, the core design of ZPanel is flawed and should be scrapped. No web-facing application should ever run anything directly as root. Their 'zsudo' solution is not only flawed but pointless as it could be handled with regular sudo perfectly fine. Just look at this source and you'll get an idea of what I'm saying - it's a pile of hacks on top of hacks on top of hacks.

https://raw.github.com/cbcercas/zpanel-freebsd/master/config_packs/freebsd/bin/zsudo.c

(Let's just ignore the fact that they sprintf a user supplied string into a fixed sized buffer, there's easier ways to exploit this baby)

The install instructions are good for a laugh:

https://raw.github.com/bobsta63/zpanelx/master/etc/build/config_packs/centos_6_2/ZPX_Centos6.2_Install_Instructions.txt

My personal favorites:


[...]
chmod -R 777 /etc/zpanel/
chmod -R 777 /var/zpanel/
[...]
echo "apache ALL=NOPASSWD: /etc/zpanel/panel/bin/zsudo" >> /etc/sudoers
[...]
# Must be owned by root with 4777 permissions, or zsudo will not work!
[...]

tl;dr zpanel is shit and you shouldn't use it

 

[InertiaNetworks-John]

You get what you pay for. That also includes security and usability. No one truly has much motivation to fix a product if they know that they will not get rewarded for it.

 

[scv]

You get what you pay for. That also includes security and usability. No one truly has much motivation to fix a product if they know that they will not get rewarded for it.

By this logic nobody would have interest in developing the Linux kernel. Yet here we are, with even Oracle and other companies notorious for proprietary software providing patches to Linux.

There is plenty of reason for somebody to be motivated to redesign ZPanel or create an alternative solution. There is much demand for a free (and not even necessarily open source) webhosting panel and this gap hasn't been filled by any of the existing projects.

 

[InertiaNetworks-John]

By this logic nobody would have interest in developing the Linux kernel. Yet here we are, with even Oracle and other companies notorious for proprietary software providing patches to Linux.

There is plenty of reason for somebody to be motivated to redesign ZPanel or create an alternative solution. There is much demand for a free (and not even necessarily open source) webhosting panel and this gap hasn't been filled by any of the existing projects.

Agreed. What I meant by my post is that I see no motivation on behalf of ZPanel to fix these issues.