  1. #1
    SitePoint Addict
    Join Date
    Aug 2013
    Location
    New Zealand
    Posts
    274
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)

    Are server panels inherently insecure?

    We have probably all worked with one of the server panels like cpanel, directadmin, plesk or zpanel. I am sure there are others I haven't mentioned. After talking to one VPS host they claimed they didn't offer server panels because they believed they were less secure than an SSH shell. Has anyone found this to be so? Or the reverse?

  2. #2
    Barefoot on the Moon! silver trophy
    Force Flow's Avatar
    Join Date
    Jul 2003
    Location
    Northeastern USA
    Posts
    4,524
    Mentioned
    51 Post(s)
    Tagged
    1 Thread(s)
    It sounds like an excuse where they don't have the expertise on how to manage and/or secure them.

    There are always risks when you put things up on the Internet. Even SSH has security issues if things aren't properly addressed. As long as you (or your hosting provider) take the necessary security precautions and keep things up-to-date, you probably won't have an issue.

    If you want a control panel, it's probably best if you move on to another host that offers it.

  3. #3
    Community Advisor silver trophy

    Join Date
    Nov 2006
    Location
    UK
    Posts
    2,514
    Mentioned
    37 Post(s)
    Tagged
    1 Thread(s)
    If a VPS provider's service is primarily unmanaged, then it's commonplace for them to not provide a control panel. The licence cost would substantially increase the offering price, and the maintenance overhead would be uneconomic for what is supposed to be a bare-bones, hands-off service. No VPS provider I've ever used has provided an installed control panel by default.

  4. #4
    SitePoint Author silver trophybronze trophy
    wwb_99's Avatar
    Join Date
    May 2003
    Location
    Washington, DC
    Posts
    10,576
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    I would generally argue that they are fundamentally insecure -- you are exposing the control plane directly to the world, typically as an oldish, well-known webapp running as root. There just isn't much good that can come of it. If you really do need one then you should try and at least put it behind a VPN of some sort -- in a pinch an SSH tunnel could do the trick.

    I'll note our general policy is to only expose public-facing services to the world; if we have something like SSH or RDP access going on there is always a VPN in front of things. It helps you sleep at night.
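
An added example, not part of the thread: one way to check a host against the "only expose public-facing services" policy described in the post above is to audit its listening sockets and flag anything bound to every interface that is not on a public allowlist. The `ss -ltn` sample, the port numbers and the `PUBLIC_PORTS` allowlist are constructed assumptions.

```python
import ipaddress

# Assumption: only plain web traffic is meant to face the internet.
PUBLIC_PORTS = {80, 443}

# Constructed sample of `ss -ltn` output; addresses and ports are illustrative.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    0.0.0.0:2087       0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*
LISTEN 0      128    [::]:8443          [::]:*
LISTEN 0      128    10.8.0.1:2222      0.0.0.0:*
LISTEN 0      128    *:2083             *:*
"""

def parse_listeners(ss_output):
    """Yield (address, port) for every LISTEN row of `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        addr, _, port = fields[3].rpartition(":")
        yield addr.strip("[]"), int(port)

def reachability(addr):
    """Classify a bind address as 'loopback', 'private' or 'world'."""
    if addr in ("*", "0.0.0.0", "::"):
        return "world"  # wildcard bind: listens on every interface
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop scope such as %eth0
    if ip.is_loopback:
        return "loopback"  # reachable only locally, e.g. through an SSH tunnel
    if ip.is_private or ip.is_link_local:
        return "private"  # e.g. a VPN interface address
    return "world"

def exposed_management(ss_output, public_ports=PUBLIC_PORTS):
    """Return (address, port) pairs open to the world but not allowlisted."""
    hits = [(a, p) for a, p in parse_listeners(ss_output)
            if reachability(a) == "world" and p not in public_ports]
    return sorted(hits, key=lambda hit: hit[1])

if __name__ == "__main__":
    for addr, port in exposed_management(SAMPLE_SS):
        print(f"world-reachable non-public listener: {addr}:{port}")
```

On a real host, feed the function the output of `ss -ltn`; a panel or SSH daemon that shows up here is bound to all interfaces rather than to loopback or a VPN address.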

  5. #5
    SitePoint Addict
    Join Date
    Aug 2013
    Location
    New Zealand
    Posts
    274
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    Yeah, I wondered if the issue was something around giving Apache (or whatever webserver) escalated privileges to do everything needed to administer tasks in the control panel, so compromising the webserver might be more likely to give you administrator access. (However, that's only my theory, as I don't know how server panels are implemented in practice.)

  6. #6
    SitePoint Author silver trophybronze trophy
    wwb_99's Avatar
    Join Date
    May 2003
    Location
    Washington, DC
    Posts
    10,576
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    That pretty much covers it -- you have a webapp with appropriate permissions to configure itself and spin up other webapps. Do the math.

