is it ready for production
tolisoft Offline
Junior Member
*

Posts: 11
Joined: Sep 2010
Reputation: 0
Post: #1
is it ready for production
Mates,
I am just wondering what your opinion is. Is ispCP Omega ready for production usage?
I mean the last 2 security issues were very bad for a production server.
And they were:
# Users are able to change into other user's phpMyAdmin account and browse, manipulate or delete their databases and
# ispCP Omega's database password can be looked up from logs

We are looking for a shared hosting panel and this project looks better than others.
09-09-2010 06:25 PM
gOOvER Offline
Banned

Posts: 3,561
Joined: Jul 2007
Post: #2
RE: is it ready for production
(09-09-2010 06:25 PM)tolisoft Wrote:  Mates,
I am just wondering what your opinion is. Is ispCP Omega ready for production usage?
I mean the last 2 security issues were very bad for a production server.
And they were:
# Users are able to change into other user's phpMyAdmin account and browse, manipulate or delete their databases and
# ispCP Omega's database password can be looked up from logs

We are looking for a shared hosting panel and this project looks better than others.

In my eyes it is. Such mistakes happen in every Open Source project. ;) But we fix them very fast. :)
09-09-2010 06:30 PM
kilburn Offline
Development Team
*****
Dev Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #3
RE: is it ready for production
Quote: Users are able to change into other user's phpMyAdmin account and browse, manipulate or delete their databases

So local user privileges were required. I don't know about you, but my clients don't usually fiddle around trying to break their server (and I would get rid of them instantly if they did). Nevertheless, some type of worm could get you on this, but there are backups to mitigate any damage. Additionally, it was quickly fixed after the report.

Quote: ispCP Omega's database password can be looked up from logs
Once again, you needed local user's privilege for that. Additionally, since ssh access is off and both ftp and php are chrooted, it was only exploitable through cgi.

So yes, we've had some security flaws. Everyone does, even more on a program covering such a wide area, requiring root operations, etc. Despite that, our policy is to publish security flaws as soon as they are discovered and offer mitigations and patches as fast as we can. All other cp's have had security issues too, but you can't say that they all have such an open policy as we do...
09-09-2010 10:52 PM
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #4
RE: is it ready for production
ispCP Omega has highly stable releases. Security issues will be fixed fast (and announced on Mailing List and Forum including the patch). At the moment we try to remove outstanding bugs and issues before we implement new features. Therefore, the development looks slow but it is rather vital.
09-10-2010 08:33 AM
momo Offline
Junior Member
*

Posts: 148
Joined: Jun 2008
Reputation: 1
Post: #5
RE: is it ready for production
ispCP is very stable. Try it with a few customers and see for yourself. Update your release a few times, get your hands dirty and never look back. :)
09-10-2010 09:40 AM
tolisoft Offline
Junior Member
*

Posts: 11
Joined: Sep 2010
Reputation: 0
Post: #6
RE: is it ready for production
I have it installed on Debian squeeze and it works :).
For this kind of server I prefer FreeBSD, but Debian is also OK.
I will be glad if I can help you with better FreeBSD support.
I've read there is unsupported functionality with traffic counters etc.
(This post was last modified: 09-11-2010 12:32 AM by tolisoft.)
09-11-2010 12:29 AM
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #7
RE: is it ready for production
Since we just have a limited range of developers, we just know a small range of Linux/Unix distributions. Feel free to help us as a freelancer or a team member.
09-11-2010 02:39 AM
kilburn Offline
Development Team
*****
Dev Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #8
RE: is it ready for production
Quote: I will be glad if I can help you for better freebsd support.
I've read there is unsupported functionality with traffic counters etc.

You are right. The problem is that we use iptables for the traffic accounting, so it doesn't work in FreeBSD. AFAIK there are 2 "standard" firewalls in FreeBSD, so if you want to work on it choose one of them and try to set up rules that count traffic for the different services. Afterwards we can see how traffic checking can be scripted so the data is stored into ispCP's database...
09-11-2010 09:19 PM
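
The per-service counting described in the post above, as an added example that is not part of the original post and is not ispCP's own code: it totals bytes in and out per service port from a listing in `iptables -nvxL` layout. The chain names, ports and counter values are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-service byte totals from iptables accounting counters.
# Chain names and numbers below are constructed; they are not ispCP's rules.

# Constructed sample in the layout printed by `iptables -nvxL`
# (-x prints exact byte counts instead of K/M-rounded values).
sample_counters() {
cat <<'EOF'
Chain ACCT_IN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1200   980000            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
     300    45000            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
      50     7000            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

Chain ACCT_OUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1100  5400000            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80
     280   120000            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:25
      45    90000            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:21
EOF
}

# Reads a counter listing on stdin and prints "port bytes_in bytes_out",
# one line per service port, sorted by port number.
sum_by_service() {
    awk '
        # Rule lines begin with two numeric columns: packets, then bytes.
        # Chain headers, column titles and blank lines are skipped.
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
            # The target column may be empty, so search for the port match
            # instead of relying on a fixed field position.
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^dpt:[0-9]+$/) { p = substr($i, 5); inb[p]  += $2; seen[p] = 1 }
                if ($i ~ /^spt:[0-9]+$/) { p = substr($i, 5); outb[p] += $2; seen[p] = 1 }
            }
        }
        END {
            # %.0f keeps large counters intact where %d would overflow.
            for (p in seen) printf "%s %.0f %.0f\n", p, inb[p], outb[p]
        }
    ' | sort -n
}

# Live use (needs root): iptables -nvxL | sum_by_service
sample_counters | sum_by_service
```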
tolisoft Offline
Junior Member
*

Posts: 11
Joined: Sep 2010
Reputation: 0
Post: #9
RE: is it ready for production
(09-11-2010 09:19 PM)kilburn Wrote:  
Quote: I will be glad if I can help you for better freebsd support.
I've read there is unsupported functionality with traffic counters etc.

You are right. The problem is that we use iptables for the traffic accounting, so it doesn't work in FreeBSD. AFAIK there are 2 "standard" firewalls in FreeBSD, so if you want to work on it choose one of them and try to set up rules that count traffic for the different services. Afterwards we can see how traffic checking can be scripted so the data is stored into ispCP's database...

So there are not 2 standard firewalls :). There are 3 - ipf, ipfw and pf.
I have to look in the sources and need some time for orientation, but in general I will try to adapt the panel with pf (which is the main OpenBSD firewall and has great performance; it was ported to FreeBSD several years ago).
(This post was last modified: 09-11-2010 11:40 PM by tolisoft.)
09-11-2010 10:27 PM
Nuxwin
Unregistered

 
Post: #10
RE: is it ready for production
It would be very great if you can. ;)
09-11-2010 10:55 PM