Are server panels inherently insecure?

We have probably all worked with one of the server panels like cpanel, directadmin, plesk or zpanel. I am sure there are others I haven’t mentioned. After talking to one VPS host they claimed they didn’t offer server panels because they believed they were less secure than an ssh shell. Has anyone found this to be so? Or the reverse?

It sounds like an excuse where they don’t have the expertise on how to manage and/or secure them.

There are always risks when you put things up on the Internet. Even SSH has security issues if things aren’t properly addressed. As long as you (or your hosting provider) take the necessary security precautions and keep things up-to-date, you probably won’t have an issue.

If you want a control panel, it’s probably best if you move on to another host that offers it.

If a VPS provider’s service is primarily unmanaged, then it’s commonplace for them to not provide a control panel. The licence cost would substantially increase the offering price, and the maintenance overhead would be uneconomic for what is supposed to be a bare-bones, hands-off service. No VPS provider I’ve ever used has provided an installed control panel by default.

I would generally argue that they are fundamentally insecure – you are exposing the control plane directly to the world, typically as an oldish, well-known webapp running as root. There just isn’t much good that can come of it. If you really do need one then you should try and at least put it behind a VPN of some sort – in a pinch an ssh tunnel could do the trick.

I’ll note our general policy is to only expose public-facing services to the world, if we have something like SSH or RDP access going on there is always a VPN in front of things. It helps you sleep at night.
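The "put it behind a VPN or an ssh tunnel" advice above, as an added example that is not part of any post in this thread: the panel listener is kept on loopback on the VPS, and the admin reaches it through an SSH local port forward instead of over the public interface. The host name `vps.example.com`, the panel port 2087 and the local port 8443 are assumed placeholders; the listener line fed to `check_listener` is a constructed sample in the `addr:port` form that `ss -ltn` prints.

```shell
#!/bin/sh
# Added example (not from the thread). Keep a web control panel off the
# public interface and reach it via an SSH local port forward.

PANEL_PORT=2087             # assumed: port the panel listens on, on the VPS
LOCAL_PORT=8443             # assumed: port on the admin workstation
VPS_HOST="vps.example.com"  # assumed placeholder hostname

# Build the ssh command that forwards 127.0.0.1:LOCAL_PORT on the workstation
# to 127.0.0.1:PANEL_PORT on the VPS. -N opens the tunnel without a remote
# shell; the panel is then browsed at https://127.0.0.1:LOCAL_PORT/.
tunnel_cmd() {
    printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s %s\n' "$1" "$2" "$3"
}

# Return 0 only for loopback bind addresses (IPv4 127.x, IPv6 ::1 as ss
# prints it, or the literal "localhost"); anything else is network-reachable.
is_loopback_bind() {
    case "$1" in
        127.*|"[::1]"|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# Inspect one "addr:port" listener line (the form `ss -ltn` prints) and flag a
# panel that is bound to a wildcard or public address before it goes live.
check_listener() {
    addr="${1%:*}"   # strip the trailing ":port"
    if is_loopback_bind "$addr"; then
        echo "ok: $1 is bound to loopback only"
        return 0
    fi
    echo "WARN: $1 is reachable from the network; bind the panel to 127.0.0.1"
    return 1
}

# Stand-alone run: print the tunnel command and check two constructed
# listener lines, one safe and one exposed.
tunnel_cmd "$LOCAL_PORT" "$PANEL_PORT" "$VPS_HOST"
check_listener "127.0.0.1:$PANEL_PORT"
check_listener "0.0.0.0:$PANEL_PORT" || true
```

With the panel bound to loopback, the only network path to it is the SSH daemon, so panel authentication is no longer the first line of defence and the panel's web process cannot be reached by anyone who has not first authenticated to SSH.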

Yeah, I wondered if the issue was something around giving apache (or whatever webserver) escalated privileges to do everything needed to administer tasks in the control panel, so compromising the webserver might be more likely to give you administrator access. (However that’s only my theory as I don’t know how server panels are implemented in practice.)

That pretty much covers it – you have a webapp with appropriate permissions to configure itself and spin up other webapps. Do the math.