
Swiftway says Vesta is unsecure

Posted: Sat Nov 30, 2013 3:41 pm
by DennisXSNL
Dear VestaCP,

Today I received an email from Swiftway (my hosting ISP) that I am running Vesta, and that it is unsafe to use it. They state that Vesta has several vulnerabilities. They won't tell me what is unsafe, and they won't tell the developers what is the problem. I only got a warning that if I get hacked with your software, I will be suspended and that I should buy DirectAdmin instead.

Do you know what they are talking about?

Thanks,
Dennis

Re: Swiftway says Vesta is unsecure

Posted: Sat Nov 30, 2013 5:53 pm
by skid
Hello Dennis,

Swiftway never contacted us to express any concerns or issues with security. I can assure you that any security report will be treated with the highest priority and we will do our best to fix it fast. Like Linux, Apache or PHP, Vesta is an open source project. We believe that this is the best way to make software. Many developers and security experts across the world have reviewed and improved Vesta. I would appreciate it if you forwarded me their message so I can ask them directly about it.

P.S. I personally think that this is astoundingly bad how they force you to buy DirectAdmin.

Re: Swiftway says Vesta is unsecure

Posted: Tue Dec 03, 2013 2:24 pm
by DennisXSNL
"Hello Dennis,

We never block any port of a dedicated server, unless instructed to do so by our clients or abuse department. Such a block would be communicated to all parties involved. We do not block currently any port of your server.
However, I must admit your service is now under inspection of our abuse department.

- You used Zpanel, there are multiple security issues with Zpanel at this time.
- Recently you switched to Vesta Control Panel, this control panel has even more exploits known to us.

We strongly advise you to not use a control panel at all or to install one of the well known control panels without known exploits.

- Plesk
- Cpanel
- Directadmin

are panels without known exploits. This does not mean that you should not secure the operating system or keep the operating server secured continuously."

"Hello Dennis,

We know multiple vulnerabilities with the default setup, unfortunately we cannot share details with you. Use at your own risk. Note that spam activity or abuse from your server could result in a suspension or cancellation from our abuse team."

"Hello,

I am certain that the developers are aware of the problems, it is a relatively new open-source Control Panel project. You may want to consider getting the paid support option, to help you tighten security. Control panels are generally not secure if you only use a default OS installation and a default installation of the CP. It may be advisable to install chkrootkit, tripwire and to configure iptables with tight security.
We are certainly not scaring customers, just warning them of possible security issues when using open-source applications without security optimizations.
It is ultimately your responsibility to keep security up to date, as you have an unmanaged dedicated server."

Re: Swiftway says Vesta is unsecure

Posted: Tue Dec 03, 2013 8:34 pm
by skid
The last response sounds quite a bit better. The advice to tighten up security is worth your time. Most likely we will come up with firewall integration in the next releases.

Re: Swiftway says Vesta is unsecure

Posted: Wed Dec 04, 2013 10:00 am
by gtzen
skid wrote: The last response sounds quite a bit better. The advice to tighten up security is worth your time. Most likely we will come up with firewall integration in the next releases.

Looking forward to it.

However, it won't be that difficult to deploy a single-interface firewall to the VPS, I guess, just opening a few ports. Just install the Shorewall script for a single interface. Read more at http://www.shorewall.net/standalone.htm and http://www.shorewall.net/Multiple_Zones.html. The guy behind Shorewall (Tom Eastep) is among the very prompt and helpful developers I know of. ;-)