EHCP security question
Submitted by ehcpuser on Fri, 07/03/2009 - 16:23
Before I pull EHCP into testing it out as a free host, I want to ask bvidinli about the security of EHCP. I posted a thread in case other EHCP users wanted to ask the same questions. How would you compare the security of EHCP to paid control panels? Before I ever go test it out, I want to make sure it's safe against spammers, leechers, phishers and hackers. I also want to know, if you know, whether the security of my server will be at stake. I don't want hackers rooting my server, but if that's possible on the server, how can I prevent it?
Fri, 07/03/2009 - 21:30
Re: EHCP security question
I am not able to compare its security to other CPs, because I don't know all of them in detail; I only have basic knowledge. Anyway, I will try to give an idea.
Currently (as of ver. 0.29.09) ehcp has no known big security hole.
It may have some unknown ones.
I will try to respond as quickly as possible if anybody, or you, reports some security issue.
Last week we had a new bug, which was a minor security issue, and fixed it.
Usually, I think almost all security reports will be resolved in 1 day to 1 week, depending on the degree of importance or severity.
ehcp has basic immunity to XSS and SQL injection. Almost all inputs are escaped, and all database writes are escaped.
However, we have not yet done a comprehensive security test, either with tools or by hand. We did only a few tests to see how things stand.
Many production servers (including mine) use ehcp.
Currently, approximately 200 production servers use ehcp, and the number increases daily.
There are about 50 downloads and installations per day. Some are just testing, some are really installing on production servers.
So, I think we will be aware of any security issue as soon as it is recognized.
There may be some bugs related to these; I think these will be recognized by people worldwide and will be resolved ASAP by their respective developers. And I think all other control panels will be affected by these kinds of bugs.
Since ehcp uses the standard Debian/Ubuntu apt-get package management system, you may easily update your system with the command "aptitude update ; aptitude upgrade"; this way you will have the most up-to-date software for the whole system.
For bugs related to ehcp itself, aptitude upgrade is useless (as of now; in the future, maybe). You need to upgrade ehcp separately (unfortunately).
ehcp does not automatically install any spam-related software.
This is because spam-related software is hard to install automatically, and I have not managed to install it automatically yet. In the future I want to do that; it is on our roadmap, but currently nothing is installed by default.
So, your server may be used by bad hosters to send out spam.
You need to manually install spam-related software, or at least check the logs for abnormal activity.
Same as for spam: ehcp does not install these.
Although no virus affects your server, I think, your server may be used by some bad hosters to spread viruses.
Just as with spam, you are on your own.
As you know, some bad PHP or other scripts may be harmful to the server if uploaded to your server by your hosters. ehcp can do little about these.
ehcp has basic coverage (open_basedir restriction) over these scripts. So, with the default config of ehcp/apache, these scripts cannot see directories outside their home dir. But anyway, this is a security risk and should be taken care of.
If you are very suspicious about your security, I suggest you regularly check your web logs.
I will try to respond to all security reports about ehcp ASAP.
I will try to improve security in all future versions, in all aspects of a hosting environment.
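Two of the points in the reply above can be turned into a routine check: whether each Apache vhost actually carries an open_basedir restriction, and whether the web logs show the kind of abnormal activity (one client hammering one script with POSTs, as a spam-sending upload would) that the reply says you are on your own to catch. The script below is an added example, not code from this thread or from EHCP. The config text and log lines in it are constructed for the demonstration; the real-world paths in the usage note (/etc/apache2/sites-enabled, /var/log/apache2/access.log) are assumed stock Debian/Ubuntu locations, and the script does not assume anything about how EHCP itself writes its vhost files beyond looking for a php_admin_value open_basedir line.

```shell
#!/bin/sh
# Added example (not EHCP code): two quick checks for a shared-hosting box
# set up as described in the reply above. The config and log samples below
# are constructed for the demonstration.

# Check 1: report <VirtualHost> blocks whose PHP settings do not set
# open_basedir. Reads Apache config text on stdin and prints one
# "MISSING <ServerName>" line per offending vhost.
vhosts_without_basedir() {
    awk '
        /<VirtualHost/ { in_vhost = 1; name = "(no ServerName)"; has_basedir = 0; next }
        in_vhost && /^[ \t]*ServerName[ \t]/           { name = $2 }
        in_vhost && /php_admin_value[ \t]+open_basedir/ { has_basedir = 1 }
        /<\/VirtualHost>/ { if (in_vhost && !has_basedir) print "MISSING " name; in_vhost = 0 }
    '
}

# Check 2: from Apache combined-format log lines on stdin, list client/script
# pairs that POSTed more than $1 times, most frequent first, as "count ip path".
# In the combined format $1 is the client, $6 is "\"POST" (quote included)
# and $7 is the request path.
post_bursts() {
    awk -v t="$1" '
        $6 == "\"POST" { n[$1 " " $7]++ }
        END { for (k in n) if (n[k] > t) print n[k], k }
    ' | sort -rn
}

# --- constructed sample input (not real hosts or traffic) -------------------
SAMPLE_CONF='<VirtualHost *:80>
    ServerName good.example
    DocumentRoot /var/www/vhosts/good.example/httpdocs
    php_admin_value open_basedir "/var/www/vhosts/good.example/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
    ServerName bad.example
    DocumentRoot /var/www/vhosts/bad.example/httpdocs
</VirtualHost>'

SAMPLE_LOG='203.0.113.9 - - [07/Jul/2009:10:00:01 +0000] "POST /spam/send.php HTTP/1.1" 200 120 "-" "curl/7.19"
203.0.113.9 - - [07/Jul/2009:10:00:02 +0000] "POST /spam/send.php HTTP/1.1" 200 120 "-" "curl/7.19"
203.0.113.9 - - [07/Jul/2009:10:00:03 +0000] "POST /spam/send.php HTTP/1.1" 200 120 "-" "curl/7.19"
203.0.113.9 - - [07/Jul/2009:10:00:04 +0000] "POST /spam/send.php HTTP/1.1" 200 120 "-" "curl/7.19"
203.0.113.9 - - [07/Jul/2009:10:00:05 +0000] "POST /spam/send.php HTTP/1.1" 200 120 "-" "curl/7.19"
198.51.100.4 - - [07/Jul/2009:10:00:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [07/Jul/2009:10:00:08 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Jul/2009:10:00:09 +0000] "GET /spam/send.php HTTP/1.1" 200 120 "-" "curl/7.19"'

# Wrappers that run each check over the sample data, so results can be
# captured and compared rather than only printed.
check_conf_sample() { printf '%s\n' "$SAMPLE_CONF" | vhosts_without_basedir; }
check_log_sample()  { printf '%s\n' "$SAMPLE_LOG"  | post_bursts "${1:-3}"; }

# Running the file directly prints "MISSING bad.example" and then the
# one client/script pair that exceeded three POSTs.
check_conf_sample
check_log_sample 3
```

On a live box the same functions read the real files: `cat /etc/apache2/sites-enabled/* | vhosts_without_basedir` and `post_bursts 50 < /var/log/apache2/access.log`, with the threshold tuned to the site's normal traffic. The vhost check is line-oriented and only looks inside `<VirtualHost>` blocks, so a MISSING line means "not set in this vhost block", not necessarily that PHP runs unrestricted: an open_basedir set globally in php.ini or through a `<Directory>` block would not be seen, and conversely a per-vhost value is exactly what the reply describes as ehcp's default, so this is the place to confirm it survived any hand edits.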