Is DirectAdmin fair and secure enough on production server?

Status
Not open for further replies.

choto (New member; joined Apr 19, 2010; messages: 1)
New to DirectAdmin and need to discuss.

Please understand that I have no bad intention for DirectAdmin.
This also applies to another web hosting Control Panel.

How can we be sure that DirectAdmin does not steal users' data and send it out to another server?
Or how can we be sure that DirectAdmin does not push bad code/backdoor to our server?
 
New to DirectAdmin and need to discuss.

Please understand that I have no bad intention for DirectAdmin.
This also applies to another web hosting Control Panel.

How can we be sure that DirectAdmin does not steal users' data and send it out to another server?
Or how can we be sure that DirectAdmin does not push bad code/backdoor to our server?

1. Somebody would have discovered it by now and reported it. DirectAdmin has been around for many years.

2. How can you be 100% sure of anything in this regard? How can you be sure your operating system on your own computer is not doing something like that? At some point you just have to trust in what you are buying.
 
You can actually monitor your network traffic to see what information is coming/going to/from your server - so if you get DirectAdmin - you could run such checks and be somewhat happier that nothing sinister is being done behind your back.

I also think it is worth considering the "applications" that are bundled with DirectAdmin and the thought that has gone into selecting them.
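One way to run the kind of traffic check suggested in the post above, as an added example that is not part of the original thread: it parses `ss -Htnp` output and reports established outbound connections from the panel process to destinations outside an allowlist. The process name `directadmin`, listening port 2222, the allowlisted networks and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ss -Htnp` output (documentation-range addresses only).
SAMPLE_SS = """\
ESTAB 0 0 203.0.113.10:2222 198.51.100.7:51544 users:(("directadmin",pid=1203,fd=7))
ESTAB 0 0 203.0.113.10:48812 192.0.2.25:443 users:(("directadmin",pid=1203,fd=9))
ESTAB 0 0 203.0.113.10:48990 198.51.100.99:8443 users:(("directadmin",pid=1203,fd=11))
ESTAB 0 0 203.0.113.10:25 198.51.100.40:40112 users:(("exim",pid=880,fd=5))
ESTAB 0 0 [2001:db8::10]:51000 [2001:db8:ffff::1]:443 users:(("directadmin",pid=1203,fd=12))
"""

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def split_hostport(field):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = field.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def unexpected_egress(ss_text, process, listen_ports, allowed_nets):
    """Return (pid, peer_ip, peer_port) for each established connection that
    `process` opened outbound to a peer outside `allowed_nets`."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] != "ESTAB":
            continue
        m = PROC_RE.search(cols[5])
        if not m or m.group(1) != process:
            continue  # socket belongs to a different process
        _, local_port = split_hostport(cols[3])
        peer, peer_port = split_hostport(cols[4])
        if local_port in listen_ports:
            continue  # inbound session to the panel's own listener
        if any(peer.version == n.version and peer in n for n in nets):
            continue  # destination is on the expected list
        findings.append((int(m.group(2)), str(peer), peer_port))
    return findings


if __name__ == "__main__":
    for pid, ip, port in unexpected_egress(
            SAMPLE_SS, "directadmin", {2222}, ["192.0.2.0/24"]):
        print(f"pid {pid} -> {ip}:{port} is not on the allowlist")
```

This is a point-in-time snapshot, so short-lived connections are only seen if it is sampled on an interval or paired with a packet capture at the network edge.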
 
You can actually monitor your network traffic to see what information is coming/going to/from your server

I was thinking of mentioning that but at the same time I believe if a company really wanted to they could make it next to impossible for the average person to detect.

I believe there are lots of security people out doing independent tests of things like DirectAdmin. I bet cPanel is constantly trying to find flaws in DirectAdmin. They would love to be able to post security flaws with DirectAdmin. Maybe not cPanel but somebody is and they will post it.
 
I have been using DA for years and know it quite well. Given my job title and experience, I can say with authority that DirectAdmin's security risk level is not top high but its developers patch vulnerabilities very fast and are pretty open to suggestions in terms of security logics.

I would not suggest it for banking or any other high risk data services, but that's not its purpose: its purpose is shared hosting, and the level of security is higher than any similar solution I used in the past or currently use.

It also has the advantage of being relatively simple and is well designed, so vulnerabilities are difficult to find and patching is easy.

Of course it doesn't have the advantage of Virtualmin, which has a history of open source code and most of it is still GPL, but that's asking too much.
 
I believe there are lots of security people out doing independent tests of things like DirectAdmin.

I emailed DirectAdmin a week ago asking them if they'd be interested in purchasing vulnerabilities in their product if I were to audit it and find any (I have rooted it before, and found other issues). They never responded. They never posted anything about the bugs I reported to them in the changelog. I don't think DirectAdmin really cares about security issues, and there sure isn't any incentive to find and disclose any.
 
It also has the advantage of being relatively simple and is well designed, so vulnerabilities are difficult to find

Vulnerabilities are difficult to find in it? Compared to what? It's been rooted before, a few times at least. Only took me about 30 minutes of poking around when I rooted it.
 
I don't think DirectAdmin really cares about security issues, and there sure isn't any incentive to find and disclose any.

I don't see how you can say that - based on no response in your email from them? Perhaps they thought you were soliciting business? Who knows.

I see that the core Operating System itself is usually the place where we need to start to lock down and secure a server. There are plenty of posts in this forum which do lead to this discussion - and there has been plenty of help offered accordingly.

There may well be vulnerabilities in the applications that are core to DirectAdmin - but this still isn't DirectAdmin's Control Panel area of responsibility - it's another application (like: Exim, Apache, MySQL, phpmyadmin, dovecot, spamassassin etc etc etc).

It is up to us as server administrators to maintain our own security.
 
It's been rooted before, a few times at least. Only took me about 30 minutes of poking around when I rooted it.

Put simply: I do not believe you. I also believe you are here to spread FUD in order to sell your services.
 
Put simply: I do not believe you. I also believe you are here to spread FUD in order to sell your services.

What you believe doesn't matter to me, because it doesn't change reality. It's publicly available information that DirectAdmin has been rooted several times in the past (the control panel software, not the company).

I (re)introduced myself in my email to them as the person who discovered and responsibly disclosed several issues a few years ago, and my reason for contacting them again now, which was to see if they'd be interested in purchasing vulnerability information if I could obtain it. Label that how you want.
 
It's publicly available information that DirectAdmin has been rooted several times in the past (the control panel software, not the company).

I am not concerned about the past. Practically everything has been hacked or rooted in the past. That doesn't mean that we should not use it now.

responsibly disclosed several issues a few years ago

If you know of current problems then by your own words it is still your responsibility to disclose them.
 
Well it sounded like your position is that since it had vulnerabilities in the past then it must have vulnerabilities now. If you are just going to resort to name calling instead of dealing with the real issues then I am done here.
 
If you know of current problems then by your own words it is still your responsibility to disclose them.

I do not know of any problems in DirectAdmin at this time. I have not searched for bugs in it in quite a while. Whether it's anyone's responsibility to provide free QA for a company is just subjective.
 
Well it sounded like your position is that since it had vulnerabilities in the past then it must have vulnerabilities now.

I suggest you re-read the thread, as that is not what I was saying at all.

If you are just going to resort to name calling instead of dealing with the real issues then I am done here.

The term "strawman" is not a derogatory one, nor is it an insult. I was referring to how you attempted to argue a different point than the one that was being discussed. That's referred to as a strawman argument, and it didn't work. I never said DA shouldn't be used by anyone.
 
So to answer the question of the OP:

choto said:
Is DirectAdmin fair and secure enough on production server?

randomuser said:
I do not know of any problems in DirectAdmin at this time.

That is all he was asking.
 
I suggest you re-read the thread, as that is not what I was saying at all.

Then what was your point of

It's publicly available information that DirectAdmin has been rooted several times in the past (the control panel software, not the company).

If I misinterpreted what you said I want to really know what you meant by that. Does it have any bearing on the original question by the OP?
 
Then what was your point of



If I misinterpreted what you said I want to really know what you meant by that. Does it have any bearing on the original question by the OP?

Good god man, are you serious? Seriously are you serious? It was a response to what you said to me. You have got to be trolling, right?
 