
Vesta Security issue: hacked server

Posted: Sun Jul 04, 2021 8:13 pm
by desfire
My server was hacked due to a security issue with Vesta and the lack of updates. The company I had the server with had to shut down the server. Please, if you are using Vesta, switch for good.

I switched to HestiaCP (https://hestiacp.com/), a fork of Vesta with more features and updates, but you can also check MyVestaCP (https://myvestacp.com/), which is another Vesta fork that looks more like the current Vesta and supports Softaculous, but has fewer new features.

You can check their forums.
https://forum.myvestacp.com/viewtopic.php?f=14&t=50
also https://forum.hestiacp.com/t/vestacp-ba ... hestia/388

Re: Vesta Security issue: hacked server

Posted: Wed Jul 14, 2021 9:39 am
by skurudo
Sad to hear about the server.
And switching - it's a free choice, man.

But every time you need to understand this:
Security is a process, not a product.
If you're using any panel by default, you need to prepare for some adventure.

Re: Vesta Security issue: hacked server

Posted: Thu Jul 15, 2021 1:23 pm
by eris
@skurudo

I know VestaCP is an open source product that is available free of charge, and users should know what they are doing. Given that VestaCP is "free" and a lot of tutorials are available on the internet and so on, it is still a popular control panel.

However, it is a fact that multiple leaks have been found (see [email protected] or GitHub) and haven't been patched, or the patches have not been released. For any web control panel, security should be number one. If there is a need to keep VestaCP updated, there is a way to do it. On GitHub there are multiple users who want to help. However, a lot of users have left due to the issues mentioned above.

At least the developers of Hestia / MyVesta are willing to invest the time to keep their control panels safe and secure. Maybe it's time for VestaCP to pull the plug and let it die in silence...

Re: Vesta Security issue: hacked server

Posted: Thu Jul 15, 2021 3:59 pm
by ScIT
[image]

Re: Vesta Security issue: hacked server

Posted: Fri Jul 16, 2021 6:23 am
by skurudo
Hi, eris and ScIT!
Nice to see.

Yep, there is a lot of stuff not done and probably not going anywhere. Don't get me wrong, I don't think that switching from VestaCP to Hestia/MyVesta is something bad like a betrayal. Not at all! This is really a choice, and the choice is obvious now. That is why the topic is not closed here. However, it is also not worth shouting about it at every corner.

It's good that you, ScIT and dpeca, develop the VestaCP forks and raise this flag. I tried the panels and was happy - this project is alive in Hestia and MyVesta. It's great that you were able to find the strength and time to develop and modernize the project. Well done!

As for security, I can't help but notice that problems can somehow overtake other projects too. You also need to be prepared for this. You can't make a steel or bulletproof secure panel either - there will always be someone or some vulnerability that will break something.

Re: Vesta Security issue: hacked server

Posted: Fri Jul 16, 2021 7:07 am
by ScIT
I don't think Eris' words were meant to say that Hestia or MyVesta are bulletproof - there can be security holes, bugs or other problems everywhere.

It was probably more about the fact that Vesta - in the current version, including the many exploits - should simply no longer be available. Or if it is, then at least with a thick information banner. No matter how you want to look at it, the project is dead: last code change in December respectively October 2020, several, partly critical, security holes, some of which were patched by dpeca but never released in a new version - although I asked imperio several times for it (https://github.com/serghey-rodin/vesta/issues/2006), the only one who can publish new releases (Serghey) seems to have no interest in the project anymore, and so on...

Also, the biggest incidents with Vesta were not even caused by the code, but by hacked infrastructure.
skurudo wrote:
Fri Jul 16, 2021 6:23 am
As for security, I can't help but notice that problems can somehow overtake other projects too. You also need to be prepared for this. You can't make a steel or bulletproof secure panel either - there will always be someone or some vulnerability that will break something.
The mentioned problems have all been patched in MyVesta as well as Hestia, so you can also get over the statement that Hestia and MyVesta are definitely more secure than Vesta. And as written at the beginning, we also will have exploits and potential security issues - that's for sure and we are not afraid of them, but we try to patch them immediately and also provide clean communication about it.

Maybe it would be really nice if you could either create the mentioned big banner, patch the current exploits respectively provide new packages, or pull the plug on the project. You can also find various other vulnerabilities in the history of both forks which were patched this year but not transferred by dpeca - just in case you want to secure the remaining Vesta installations.
skurudo wrote:
Fri Jul 16, 2021 6:23 am
However, it is also not worth shouting about it at every corner.
Due to the fact that Vesta is insecure and has that amount of exploits, it should be worth protecting everyone using it.

From my side, I have now invested enough time in a dying project. I really liked Vesta, that's also the reason why Hestia exists. The whole Hestia team is grateful to Serghey and all the developers, but now it's time to look forward.

@skurudo Thanks for the discussion!

Re: Vesta Security issue: hacked server

Posted: Fri Jul 16, 2021 8:34 am
by eris
skurudo wrote:
Fri Jul 16, 2021 6:23 am
Yep, there is a lot of stuff not done and probably not going anywhere. Don't get me wrong, I don't think that switching from VestaCP to Hestia/MyVesta is something bad like a betrayal. Not at all! This is really a choice, and the choice is obvious now. That is why the topic is not closed here. However, it is also not worth shouting about it at every corner.
It is, as currently 50K+ servers are at risk of being hacked... No new packages have been built for more than a year, and this year about 20 vulnerabilities have been reported in the last month. Including some minor ones, but also major ones...

https://ssd-disclosure.com/vestacp-vulnerability-scope/

Says more than enough about the safety regarding VestaCP ...
https://ssd-disclosure.com/ssd-advisory ... abilities/
https://ssd-disclosure.com/ssd-advisory ... scalation/

And I am sure there are a few more, as there are a few things regarding safety. A user with "user" permission can view /usr/local/vesta/data/keys (if it exists) and then, via an API call, reset the admin password.

1 year ago VestaCP.com expired for a short period. I don't want to know what happens when the domain gets taken by a malicious person...