Running your own zpanel instance

Discussion in 'Tutorials and Guides' started by wlanboy, Nov 2, 2013.

  1. wlanboy

    wlanboy Content Contributer

    2,126
    1,169
    May 16, 2013
    I was searching for an open source panel that was able to manage apache, mysql, dovecot, postfix and named. My search ended up on zpanel.

    Installation is quite simple:


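    su
    mkdir /zpanel && cd /zpanel
    # Download only the installer that matches your architecture.
    # 32-bit version
    wget https://github.com/bobsta63/zpanelx/releases/download/10.1.0/installer-10-1-0-ubuntu-32.sh.x
    # 64-bit version
    wget https://github.com/bobsta63/zpanelx/releases/download/10.1.0/installer-10-1-0-ubuntu-64.sh.x

    # Rename, mark executable and run (shown for the 32-bit installer;
    # use the 64 file name instead if that is the one you downloaded)
    mv installer-10-1-0-ubuntu-32.sh.x installer-10-1-0-ubuntu-32.sh
    chmod +x installer-10-1-0-ubuntu-32.sh
    ./installer-10-1-0-ubuntu-32.sh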

    The installer itself asks four questions:

    zpanelstart.jpg

    1. Accepting GPL
    2. Timezone
    3. Subdomain for panel
    4. Public IP of server

    You will get the basic login information afterwards:

    zpanelend.jpg

    Enter your subdomain into the browser and log in to your panel.

    panel.jpg

    I would like to talk about the pros/cons of zpanel and about possible replacements.
     
  2. matt[scrdspd]

    matt[scrdspd] SecuredSpeed Verified Provider

    128
    21
    May 18, 2013
    Did they fix the security issues? I'm not a zPanel user, however there has been much talk of security issues in the software.
     
  3. RiotSecurity

    RiotSecurity New Member

    310
    37
    Jun 24, 2013
    Nope, the issues are still there.
     
    vRozenSch00n likes this.
  4. HalfEatenPie

    HalfEatenPie The Irrational One Retired Staff

    2,890
    1,386
    Mar 25, 2013
    zPanel is known as an open source control panel with TONS of horrible security practice.  In addition, the developers refused to state that this was an issue and ended up with the explanation "It's an open source panel we made in our spare time, what do you expect?" (Obviously highly condensed statement here but the idea still gets across).

    It's one of the panels I highly DISCOURAGE anyone from ever using especially with the attitude/view the developers have on security.  
     
    Lanarchy likes this.
  5. WebSearchingPro

    WebSearchingPro VPS Peddler Verified Provider

    493
    143
    May 15, 2013
    Could a mixture of mod_security, SELinux/Apparmor, suhosin php make up for the lack of security in zPanel or at least added layers of protection?

    I have pretty much seen ISPConfig3 as the top recommended replacement for cpanel. Kloxo-MR coming in a close second. 
     
  6. wlanboy

    wlanboy Content Contributer

    2,126
    1,169
    May 16, 2013
    Well - I did not read anything about current security issues.

    I only know the thread of one single person that got pissed off by the attitude of one developer of zpanel.

    So is this "zpanel is baaaaad" based on the single "fu** you devs" LET thread or is there something more substantial?
     
  7. HalfEatenPie

    HalfEatenPie The Irrational One Retired Staff

    2,890
    1,386
    Mar 25, 2013
    Well, that general perspective has been around even before that post started (although if I recall someone who was friends with the devs or something came in and commented).  It just happened that during that string of posts the zpanel website was hacked and taken down.  

    zPanel looks nice.  I'll 100% agree with it, and not looking directly at the code but looking at the responses the zPanel staff and the developers gave for the security concerns I wasn't a big fan.  They definitely did not handle it well.  
     
    vRozenSch00n and lbft like this.
  8. ConnerCG

    ConnerCG New Member

    24
    13
    May 15, 2013
    It's how they move forward from the 'incident' that interests me.

    They appear to have addressed issues, and made several changes in 10.1.0 for tokens and sanitation.

    I have a copy on a public facing server with about 20 users, and so far so good. I still take backups... ;)
     
    vRozenSch00n, peterw and HalfEatenPie like this.
  9. VPSCorey

    VPSCorey New Member Verified Provider

    271
    57
    Jul 10, 2013
    Virtualmin
     
  10. wlanboy

    wlanboy Content Contributer

    2,126
    1,169
    May 16, 2013
    I am running my first zpanel vps for about 5 months (5 users, 10 domains). No hacks, no issues.

    I do backups too, but this does not depend on the panel :)
     
  11. MannDude

    MannDude Just a dude vpsBoard Founder Moderator

    5,036
    2,634
    Mar 8, 2013
    Wow, zPanel looks a lot nicer than it did last time I tinkered with it.
     
    earl likes this.
  12. peterw

    peterw New Member

    800
    189
    Jun 14, 2013
    Version 10.1.0 is 7 days old. Will try this panel.
     
  13. ConnerCG

    ConnerCG New Member

    24
    13
    May 15, 2013
    They updated the installers and addressed a couple of bugs. I reported the following and it was corrected.

    http://bugs.zpanelcp.com/view.php?id=635

    0000635: Create a new FTP account - Default to / (root) when using - Use Domain directory
    New FTP accounts created via Use Domain directory always default to / (root) irregardless of choice selected.
    Admin is unable to assign anything, directory always defaults to / (root) using - Use Domain directory

    The lead programmer commented in general on the update --

    "I'm really against re-tagging releases and feel that new release numbers should be issued but given the complexities of our current release process and getting the installers updated etc. we've opted to re-tag in this instance."
     
  14. jarland

    jarland The ocean is digital

    873
    562
    Apr 4, 2013
    Thanks for posting the guide. Tip in your direction, from another person who hates every ugly POS panel that requires more work than the CLI does in the first place, VestaCP. I even purchased their support package, love it that much.
     
    Last edited by a moderator: Nov 4, 2013
  15. DomainBop

    DomainBop Dormant VPSB Pathogen

    2,260
    2,190
    Oct 11, 2013
    Not installing a buggy script on your server in the first place is the best way to make up for the lack of security in a script.  Removing a buggy script from your server and using something else when it becomes apparent that the developers don't place a high priority on security is the second best way to make up for the lack of security in a script.

    FYI, modsecurity also has a long history of security problems, including 2 vulnerability alerts in the past 7 months, one of which was critical:

    http://web.nvd.nist.gov/view/vuln/search-results?query=modsecurity&search_type=all&cves=on
     
    scv likes this.
  16. peterw

    peterw New Member

    800
    189
    Jun 14, 2013
    Still not sure if I should use zpanel or vestacp.
     
  17. scv

    scv Massive Nerd Verified Provider

    205
    98
    May 30, 2013
    As far as I'm concerned the issue isn't that the software is vulnerable, it's how they handled the situation. Would you rather use software from a developer that vehemently denies security issues in their product, or a developer that rapidly patches the vulnerability and informs users of the issue?

    Either way, the core design of ZPanel is flawed and should be scrapped. No web-facing application should ever run anything directly as root. Their 'zsudo' solution is not only flawed but pointless as it could be handled with regular sudo perfectly fine. Just look at this source and you'll get an idea of what I'm saying - it's a pile of hacks on top of hacks on top of hacks.

    https://raw.github.com/cbcercas/zpanel-freebsd/master/config_packs/freebsd/bin/zsudo.c

    (Let's just ignore the fact that they sprintf a user supplied string into a fixed sized buffer, there's easier ways to exploit this baby)

    The install instructions are good for a laugh:

    https://raw.github.com/bobsta63/zpanelx/master/etc/build/config_packs/centos_6_2/ZPX_Centos6.2_Install_Instructions.txt

    My personal favorites:


    [...]
    chmod -R 777 /etc/zpanel/
    chmod -R 777 /var/zpanel/
    [...]
    echo "apache ALL=NOPASSWD: /etc/zpanel/panel/bin/zsudo" >> /etc/sudoers
    [...]
    # Must be owned by root with 4777 permissions, or zsudo will not work!
    [...]

    tl;dr zpanel is shit and you shouldn't use it
     
    k0nsl likes this.
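
The three settings quoted from the install instructions in the post above (recursive 777 on the panel directories, a NOPASSWD sudoers rule for the web-server account, and a setuid binary with mode 4777) can be checked for on an existing install. This is an added example, not part of the thread or of the zPanel project; the function names and the `ZP_ROOT` / `ZP_USER` variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit for the settings quoted from the zPanel install instructions.
# Function names and ZP_ROOT / ZP_USER are hypothetical, chosen for this example.

# Paths under $1 that any local user can write to (what `chmod -R 777` leaves behind).
world_writable() {
    [ -d "$1" ] || return 0
    find "$1" ! -type l -perm -0002 2>/dev/null
}

# Setuid files under $1 that are also group- or world-writable (e.g. mode 4777).
writable_setuid() {
    [ -d "$1" ] || return 0
    find "$1" -type f -perm -4000 \( -perm -0020 -o -perm -0002 \) 2>/dev/null
}

# Non-comment rules in sudoers file $1 that let user $2 run something without a password.
# Only the main file is read, since that is where the instructions append the rule.
nopasswd_rules() {
    [ -r "$1" ] || return 0
    awk -v u="$2" '!/^[[:space:]]*#/ && $1 == u && /NOPASSWD:/' "$1"
}

# Print one tagged line per finding. $1 = filesystem prefix ("" for the live system),
# $2 = account the web server runs as.
audit_zpanel() {
    zp_root=$1
    zp_user=${2:-apache}
    for zp_dir in "$zp_root/etc/zpanel" "$zp_root/var/zpanel"; do
        world_writable  "$zp_dir" | sed 's/^/WORLD_WRITABLE /'
        writable_setuid "$zp_dir" | sed 's/^/WRITABLE_SETUID /'
    done
    nopasswd_rules "$zp_root/etc/sudoers" "$zp_user" | sed 's/^/NOPASSWD /'
    return 0
}

audit_zpanel "${ZP_ROOT:-}" "${ZP_USER:-apache}"
```

Run it as root so that `/etc/sudoers` is readable; empty output means none of the three patterns was found under the default paths.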
  18. InertiaNetworks-John

    InertiaNetworks-John Inertia Networks, LLC Verified Provider

    182
    26
    May 23, 2013
    You get what you pay for. That also includes security and usability. No one truly has much motivation to fix a product if they know that they will not get rewarded for it.
     
  19. scv

    scv Massive Nerd Verified Provider

    205
    98
    May 30, 2013
    By this logic nobody would have interest in developing the Linux kernel. Yet here we are, with even Oracle and other companies notorious for proprietary software providing patches to Linux.

    There is plenty of reason for somebody to be motivated to redesign ZPanel or create an alternative solution. There is much demand for a free (and not even necessarily open source) webhosting panel and this gap hasn't been filled by any of the existing projects.
     
  20. InertiaNetworks-John

    InertiaNetworks-John Inertia Networks, LLC Verified Provider

    182
    26
    May 23, 2013
    Agreed. What I meant by my post is that I see no motivation on behalf of ZPanel to fix these issues.
     
    scv likes this.