Control Web Panel

Developers => Suggestions => Topic started by: alam on January 16, 2021, 03:07:23 PM

Title: How secure is CentOS Web Panel?
Post by: alam on January 16, 2021, 03:07:23 PM
I have been using WebAdmin for years. Today I found http://centos-webpanel.com/. It seems to have a lot more features for running and managing a server. But how secure is it?

Title: Re: How secure is CentOS Web Panel?
Post by: cinique on January 16, 2021, 03:40:26 PM
Good Question!
https://rack911labs.ca/research/security-analysis-of-alternative-control-panels/
This mentions one of two key areas where CWP falls down: extremely poor communication and lack of a proper change log.
CWP stated some time ago that the security points made by Rack911 had been addressed, but we are supposed to trust them. There has been zero confirmation of this by any 3rd party and the obscured code makes it difficult for most people to assess.

CWP needs to use Blesta as an example and only encode a few core parts, leaving the rest to be scrutinised and fixed.


That being said, I use CWP (free), CWP Pro and Webmin. I hate the Webmin complex interface and actually think CWP is one of the best, from a functionality viewpoint (if it all worked and was spelled correctly). I assume that you mean Webmin, as opposed to WebAdmin but perhaps not.

Title: Re: How secure is CentOS Web Panel?
Post by: alam on January 18, 2021, 02:56:45 PM
Quote
Good Question!
https://rack911labs.ca/research/security-analysis-of-alternative-control-panels/
This mentions one of two key areas where CWP falls down: extremely poor communication and lack of a proper change log.
CWP stated some time ago that the security points made by Rack911 had been addressed, but we are supposed to trust them. There has been zero confirmation of this by any 3rd party and the obscured code makes it difficult for most people to assess.

CWP needs to use Blesta as an example and only encode a few core parts, leaving the rest to be scrutinised and fixed.


That being said, I use CWP (free), CWP Pro and Webmin. I hate the Webmin complex interface and actually think CWP is one of the best, from a functionality viewpoint (if it all worked and was spelled correctly). I assume that you mean Webmin, as opposed to WebAdmin but perhaps not.

Thanks for sharing the article.

Title: Re: How secure is CentOS Web Panel?
Post by: Sandeep on January 20, 2021, 06:52:18 AM
It's now almost 2 years old.
We've already fixed those in 2019.

Title: Re: How secure is CentOS Web Panel?
Post by: cinique on January 20, 2021, 10:51:13 AM
Quote
It's now almost 2 years old.
We've already fixed those in 2019.
The time elapsed is not relevant, especially as many basic older errors still remain.
How would we know?
Quote
..extremely poor communication and lack of a proper change log.
When simple errors are not fixed, how are we expected to believe more serious ones are?  :-\
Quote
CREATION FAILEDS: 0
CREATEDS: 0
RENEWAL FAILEDS: 0
RENEWEDS: 0

There is obviously a lack of testing..
Quote
2021-01-20 03:13:10 (231 KB/s) - ‘phpMyAdmin-5.0.4-all-languages.zip’ saved [14316903/14316903]

tr: write error: Broken pipe
tr: write error
Redirecting to /bin/systemctl reload httpd.service
Redirecting to /bin/systemctl reload httpd.service

Why?!
Quote
###########################
Firewall Flush Daily Blocks
###########################
Gives attackers another chance, each day.

Title: Re: How secure is CentOS Web Panel?
Post by: studio4host on January 20, 2021, 11:57:25 AM
Like everyone, you can report any issue you find to the CWP team:
https://control-webpanel.com/contact

Title: Re: How secure is CentOS Web Panel?
Post by: kingandfifthtech on April 16, 2024, 11:27:15 PM
Please, how secure is CWP now? I really need to know because I want to use it for a large project on my Contabo dedicated server. I can't afford to pay for cPanel.

Title: Re: How secure is CentOS Web Panel?
Post by: overseer on April 17, 2024, 01:00:12 AM
You sound like a good candidate for CWP then! I am a cPanel refugee as well. I have a fair bit of admin experience (20+ years) running mail servers, FTP servers, then cPanel & Webmin managed servers, SSH, etc. I find CWP an invaluable tool, mostly for my end users to have a user panel but also makes my job a bit easier. It's as secure as you want to make it -- decent out of the box, but can (and should be) hardened beyond the default state.

https://www.inmotionhosting.com/support/edu/control-web-panel/how-secure-is-control-web-panel/

Title: Re: How secure is CentOS Web Panel?
Post by: Starburst on April 17, 2024, 10:16:28 PM
If you run CWPpro with mod_security with the Comodo rule set along with CSF/LFD (configured correctly) then it is secure.

You have to worry more about keeping your scripts/carts/WordPress up to date.
That's where most security holes come from.

Title: Re: How secure is CentOS Web Panel?
Post by: overseer on April 18, 2024, 01:37:40 AM
If you're using an older, EOL version of PHP, also consider adding PHP Defender / Snuffleupagus to your security hardening:
https://wiki.centos-webpanel.com/php-defender-snuffleupagus

This is a good in-depth fine tuning guide after the basic CWP install:
https://www.awsmonster.com/cwp-installation-and-configuration_12