-
11-03-2009, 12:55 PM #1Newbie
- Join Date
- Nov 2006
- Posts
- 6
HyperVM is now officially Open Source :)
Hello,
Last Sunday, HyperVM and Kloxo were announced as Open Source (licensed under AGPL-3.0).
The official announcement and information to access the SVN repos can be found at:
forum.lxcenter.org/index.php?t=msg&th=13296&start=0&
-
11-03-2009, 01:12 PM #2Web Hosting Master
- Join Date
- Mar 2007
- Location
- Phoenix, AZ, United States
- Posts
- 1,525
Did anyone catch the url for the svn repo?
drew@slicie.com - Vertical Scaling Servers
30 Minute Backups - Pay for what you use
-
11-03-2009, 01:17 PM #3Newbie
- Join Date
- Nov 2006
- Posts
- 6
-
11-03-2009, 02:53 PM #4Web Hosting Master
- Join Date
- Mar 2007
- Location
- Phoenix, AZ, United States
- Posts
- 1,525
Not sure how I missed that, thanks
-
11-03-2009, 03:04 PM #5Corporate Member
- Join Date
- Feb 2008
- Location
- Houston, Texas, USA
- Posts
- 3,262
That's great news! But it'll take a few bumps before things stabilize later on this year.
Regards,
Joe
UNIXy - Fully Managed Servers and Clusters - Established in 2006
Server Management - Unlimited Servers. Unlimited Requests. One Plan!
cPanel Varnish Plugin -- Seamless SSL Caching (Let's Encrypt, AutoSSL, etc)
Slow Site or Server? Unable to handle traffic? Same day performance fix: joe@unixy
-
11-03-2009, 03:14 PM #6Uptime Aficionado
- Join Date
- Mar 2009
- Location
- /usr/bin/perl
- Posts
- 971
That project will need new management if it is ever going to recover.
The user NetTuningGroup, who I assume runs the show over there, seems . . . less than knowledgeable and professional.
I wonder if it isn't too little, too late with all of the new CPs that have sprung up.
-
11-03-2009, 03:19 PM #7Newbie
- Join Date
- Nov 2009
- Posts
- 6
Well, good news. Kloxo is a good web hosting panel. This is good for small businesses.
-
11-03-2009, 03:44 PM #8Web Hosting Master
- Join Date
- Dec 2007
- Posts
- 612
Now that the source is out there, what do you guys think of it?
-
11-03-2009, 05:34 PM #9Newbie
- Join Date
- Nov 2006
- Posts
- 6
I also believe that they took way too long to take action; during all the waiting, it looks like HyperVM lost most of its customers. Sometimes it seems that they waited until the project turned into abandonware before taking action....
There's almost no one posting on their forums now, most of the users are gone, but with HyperVM becoming open source there's new hope.
Even with all the new panels on the market, I believe that HyperVM still has a good chance to be on top again...
If you stop and think about it, HyperVM is a mature and fully featured enterprise product; "most" of the panels out there can't do 1/5 of the things that HyperVM can do!
I may be wrong about this:
One other thing you must be aware of is: nobody knows for sure if the VAserv problem was a zero-day exploit or a bad password policy (passwords stored on Gmail?).
Well, if someone has access to the admin password on your systems, you are in great danger.
In the worst-case scenario, if the administration of the LxCenter consortium fails to administer the source code, you will notice that the real programmers will fork HyperVM and you will probably see a "hypervm-ng" rising. But until they fail, I do believe that they deserve a second chance.
As far as I know, NetTuningGroup (or Danny) invested a lot of time and effort to make this happen.
Just My 2 Cents...
-
11-03-2009, 05:38 PM #10Newbie
- Join Date
- Nov 2006
- Posts
- 6
-
11-04-2009, 12:52 PM #11Web Hosting Master
- Join Date
- Aug 2007
- Posts
- 6,884
It's good news. We can hope that in the near future we will see a bug-free HyperVM.
iHubNet Ltd - Premium Hosting Solutions 4 ALL
• Solid Support • Solid Equipment • Solid Network
Shared Hosting / Reseller Hosting / Managed Server
Matt A.
-
11-04-2009, 03:14 PM #12WHT Addict
- Join Date
- Jun 2007
- Posts
- 140
-
11-05-2009, 05:09 PM #13Web Hosting Master
- Join Date
- Apr 2000
- Location
- Nevada, US
- Posts
- 5,550
SmartHost™ - Intelligent Hosting! - Multiple Locations - US/EU! - Ultra-Fast NVME SSD VPS!
http://www.smarthost.net - sales@smarthost.net - Resale/Affiliate Programs
Cloud Hosting - VPS Hosting - Dedicated Servers - Colocation - Flux Capacitors
-
11-05-2009, 07:58 PM #14Web Hosting Master
- Join Date
- Sep 2008
- Location
- Dallas, TX
- Posts
- 4,568
-
11-06-2009, 07:17 AM #15Junior Guru Wannabe
- Join Date
- Sep 2009
- Location
- Australia
- Posts
- 39
Ecckk, their forum is currently down. Hope this is not a sign!
-
11-06-2009, 04:41 PM #16Web Hosting Master
- Join Date
- Jan 2004
- Posts
- 1,042
While their feature set is quite robust, the software is very poorly coded and it's not worth the risk at this point to rest a company's reputation/clients' data on it. I also really have no faith in how the new project has been taken forward and its leadership.
-
11-06-2009, 05:41 PM #17Web Hosting Master
- Join Date
- Oct 2007
- Posts
- 750
I must admit it's about time it went OS, but the biggest problem I saw, and hence why I didn't return, is the inability of the consortium to make a decision and act on it...
The product feature set is very good as per MACscr; the leadership isn't from a "moving forward" POV.
Just my 2 cents
NetEarth One
ICANN Accredited Registrar, https://reseller.netearthone.com
Full UK support, 7 days a week 365 days a year!
-
11-07-2009, 04:03 AM #18Web Hosting Master
- Join Date
- Aug 2004
- Location
- Shanghai
- Posts
- 1,475
How does HyperVM compare to our control panel? What are the features that we don't have?
I've just downloaded the svn of HyperVM, and got immediately stunned by what I could read in the LICENSE file on top of the sources:
Code:
You Agree to
* You will not distribute any information, source code or opinions without the approval from the board
Thomas
GPLHost:>_ open source hosting worldwide (I'm founder, CEO & official Debian Developer)
Servers & our leading control panel and our Xen VPS hosting, which are already included in Debian and Ubuntu
Available in: Kuala Lumpur, Singapore, Sydney, Seattle, Atlanta, Paris, London, Barcelona, Zurich, Israel
-
11-07-2009, 04:37 AM #19Web Hosting Master
- Join Date
- Aug 2004
- Location
- Shanghai
- Posts
- 1,475
Other things after I downloaded, that I could see...
I can see horrible stuff in this package that I didn't even think was possible for a Unix project. It seems that HyperVM is packaged using ZIP FILES!!! Yes, you are reading that right. That's unbelievable for anyone with the minimum knowledge of Unix. A zip file, as far as I know, doesn't have Unix rights in it. It means that there's absolutely zero Unix rights management in the files of the panel.
I downloaded the files using SVN, but there's some CVS folders. WHY?
HyperVM seems to embed some libraries. I could see:
fckeditor (a version from 2007 it seems...)
extjs 1.1 (when the 3.0.0 is out !!!)
yui 2.2.2 (when Lenny has 2.5, and 2.7 at least is out !!!)
DOMcollapse (3.0 from 06.12.2005)
rsnapshot (from 2008/02/19)
vncviewer
sshterm-applet
...
The list goes on, and on, and on. At this point I stopped my investigation.
Embedding libraries in a project is just *plain bad*, and forbidden by most distributions (at least in Debian), because it would be a security maintenance nightmare (X number of packages to maintain instead of 1, plus all the duplication of files, differences in release numbers leading to patches that wouldn't apply, etc.). Embedding OUTDATED libraries is even worse, and god knows what security issues they have. That extjs is literally YEARS old.
I'm not even talking about the fact that nowhere could I see a copyright file mentioning these embedded libraries, which is normally the way to go.
Also, that makes me think that the original author of HyperVM didn't mention these libs, when it was his DUTY to make their source code available.
Another funny thing. I did:
Code:
grep --color -i -r \(c\) *
Do you guys still believe that HyperVM is usable after reading all these? I didn't even need to dive into the code to say it's not!!!
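The packaging point above (a panel shipped as zip files carrying no Unix permission information) can be shown with a round trip. This is an added example, not code from the thread: the zip format keeps mode bits only as optional, tool-specific attributes, and Python's zipfile stores them but does not apply them on extraction, while tar carries modes as part of the format. The sample script and its 0755 mode are constructed here.

```python
"""Added example: compare file modes after a zip round trip and a tar round trip."""
import os
import stat
import tarfile
import tempfile
import zipfile

SCRIPT_NAME = "install.sh"              # constructed sample file
SCRIPT_BODY = b"#!/bin/sh\necho hypothetical installer\n"
WANTED_MODE = 0o755                     # owner rwx, group/other rx, as a packager would ship it


def _make_source(root: str) -> str:
    """Create the sample script with the intended mode and return its path."""
    path = os.path.join(root, SCRIPT_NAME)
    with open(path, "wb") as fh:
        fh.write(SCRIPT_BODY)
    os.chmod(path, WANTED_MODE)
    return path


def _mode_of(path: str) -> int:
    """Permission bits only (no file-type bits) of the file at path."""
    return stat.S_IMODE(os.stat(path).st_mode)


def zip_roundtrip_mode() -> int:
    """Pack the script into a zip, extract it elsewhere, return the extracted mode."""
    with tempfile.TemporaryDirectory() as tmp:
        src = _make_source(tmp)
        archive = os.path.join(tmp, "panel.zip")
        with zipfile.ZipFile(archive, "w") as zf:
            zf.write(src, SCRIPT_NAME)      # mode is recorded in external_attr ...
        out = os.path.join(tmp, "zip_out")
        with zipfile.ZipFile(archive) as zf:
            zf.extractall(out)              # ... but extraction never applies it
        return _mode_of(os.path.join(out, SCRIPT_NAME))


def tar_roundtrip_mode() -> int:
    """Same round trip through a tarball, where the mode is a field of the format."""
    with tempfile.TemporaryDirectory() as tmp:
        src = _make_source(tmp)
        archive = os.path.join(tmp, "panel.tar.gz")
        with tarfile.open(archive, "w:gz") as tf:
            tf.add(src, SCRIPT_NAME)
        out = os.path.join(tmp, "tar_out")
        with tarfile.open(archive) as tf:
            try:
                tf.extractall(out, filter="data")   # safe-extraction filter, Python >= 3.12
            except TypeError:
                tf.extractall(out)                  # older Python without the filter argument
        return _mode_of(os.path.join(out, SCRIPT_NAME))


if __name__ == "__main__":
    print("after zip: %o   after tar: %o" % (zip_roundtrip_mode(), tar_roundtrip_mode()))
```

Whether mode bits survive a zip round trip depends entirely on the extracting tool, so an installer built on zip archives has to chmod everything itself after unpacking.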
-
11-14-2009, 02:41 AM #20Web Hosting Master
- Join Date
- Oct 2009
- Posts
- 590
I'm no coder but some of your 'logic' doesn't make sense to me. First of all, most of the things you mention are no secret. Of course there is swsoft code in there. HyperVM is quite intelligently designed to keep things like OpenVZ very much the way OpenVZ was intended to be. SSH-Term, well that is certainly no revelation. Run console in Hypervm and click on "About" and you see it is SSH-Term. Google it and you will find thousands of sites and all sorts of products using it. Install Hypervm and go to /usr/local/lxlabs/hypervm/httpdocs/thirdparty. There are the thirdparty apps you mentioned. So this is suddenly news to you?????
Speaking as a user, HyperVM is actually quite a brilliant piece of work for one guy considering everything it does and does quite well I might add. He could have used some help cleaning up the code and keeping up with maintaining it but for one guy it's quite amazing what he did. Not many people or even a team of people could have done all that half as good.
As far as the whole security thing goes, I looked into it further and although Kloxo may have some lingering problems, HyperVM is not a security problem, and HyperVM is the important one since it controls the nodes. Less so now, but it never was a huge security threat. That incident with the one company turned out to be unrelated to HyperVM/Kloxo. They got hold of the guy's master server root password. They even posted online exactly what they did to prove it. It does not matter what software you are running if you're not using keys and someone has your root password.
Last edited by UnfinishedSentenc; 11-14-2009 at 02:49 AM.
-
11-14-2009, 05:58 AM #21Web Hosting Master
- Join Date
- Aug 2004
- Location
- Shanghai
- Posts
- 1,475
What exactly is not logical in what I wrote? Saying that EMBEDDING OUTDATED VERSIONS of many things is a horrible way of doing things is quite logical, no? What don't you understand here? You don't need to be a programmer to understand that having libraries separated from the security updates of the operating system AND not doing any updates of them is quite a bad practice, do you?
It is quite a security problem. What I just wrote above doesn't even consider the source code, and there are issues. Others had a look, and there were issues they found too, especially in the general way HyperVM is written. Moreover, the people that took over the maintenance didn't seem to even understand what a symlink attack or a race condition is. They don't seem to have the necessary level to fix them, and I saw them adding even more issues while trying to fix.
Who cares about that company's issue? That's not what we are talking about; we are talking about the multiple vulnerabilities and issues with the product itself, without considering anything else.
You wrote yourself that you are not a programmer and can't be the judge, so why are you insisting that HyperVM is OK, when everyone that had a look at the source code thinks it's not?
-
11-14-2009, 06:37 AM #22Web Hosting Master
- Join Date
- Oct 2009
- Posts
- 590
When you figure out how he can update code from the grave get back to me
Ok, explain exactly how I can hack into my HyperVM server and I will verify. Tick tock tick tock!
You care enough to reply so maybe you can list these vulnerabilities seeing as how you seem to have it all figured out.
You insist that HyperVM is not ok so I insist you prove it. Define 'everyone'. So you have talked to 'everyone' have you?
But seriously, don't bother. I am simply pointing out you are just another clown talking out of your a$$ with no facts. Just adding to the background noise of all the other rumors which have no basis in fact once anyone with a few spare minutes of time does some basic fact checking like this guy.
h++p://forum.lxcenter.org/index.php?t=msg&th=12560&start=0&
Last edited by UnfinishedSentenc; 11-14-2009 at 06:51 AM.
-
11-14-2009, 07:23 AM #23Web Hosting Master
- Join Date
- Oct 2007
- Location
- United States
- Posts
- 1,182
gplhost makes it his personal goal to pop up in every thread that mentions anything about HyperVM, and then to bad mouth it.
Well done gplhost, you found this thread as well...?
www.opticip.com - Optic IP LLC
-
11-14-2009, 07:36 AM #24Web Hosting Master
- Join Date
- Oct 2009
- Posts
- 590
-
11-14-2009, 08:04 AM #25Web Hosting Master
- Join Date
- Oct 2009
- Posts
- 590
Perhaps gplhost needs to hire a security consultant for his own sites. Looks ripe for a spam relay at a minimum
HTTP TRACE / TRACK Methods Allowed
Synopsis :
Debugging functions are enabled on the remote web server.
Description :
The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.
In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
"Cross-Site Tracing", when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-..._XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593
Solution :
Disable these methods.
Risk factor :
Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
Solution :
Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.
Plugin output :
Nessus sent the following TRACE request :
------------------------------ snip ------------------------------
TRACE /Nessus27813.html HTTP/1.1
Connection: Close
Host: www.gplhost.com
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
and received the following response from the remote server :
------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Sat, 14 Nov 2009 11:56:06 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http
TRACE /Nessus27813.html HTTP/1.1
Connection: Keep-Alive
Host: www.gplhost.com
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
CVE : CVE-2003-1567, CVE-2004-2320
BID : 9506, 9561, 11604, 33374
Other references : OSVDB:877, OSVDB:3726, OSVDB:5648, OSVDB:50485
Nessus ID : 11213
SSL Version 2 (v2) Protocol Detection
Synopsis :
The remote service encrypts traffic using a protocol with known
weaknesses.
Description :
The remote service accepts connections encrypted using SSL 2.0, which
reportedly suffers from several cryptographic flaws and has been
deprecated for several years. An attacker may be able to exploit
these issues to conduct man-in-the-middle attacks or decrypt
communications between the affected service and clients.
See also :
http://www.schneier.com/paper-ssl.pdf
Solution :
Consult the application's documentation to disable SSL 2.0 and use SSL
3.0 or TLS 1.0 instead.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Nessus ID : 20007
MTA Open Mail Relaying Allowed
Synopsis :
An open SMTP relay is running on this port.
Description :
The remote SMTP server seems to allow the relaying. This means that
it allows spammers to use your mail server to send their mails to
the world, thus wasting your network bandwidth.
Solution :
Reconfigure your SMTP server so that it cannot be used as a relay
any more.
Risk factor :
High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVE : CVE-1999-0512, CVE-2002-1278, CVE-2003-0285
BID : 6118, 7580, 8196
Other references : OSVDB:6066, OSVDB:7993
Nessus ID : 10262
SSL Weak Cipher Suites Supported
Synopsis :
The remote service supports the use of weak SSL ciphers.
Description :
The remote host supports the use of SSL ciphers that offer either weak
encryption or no encryption at all.
See also :
http://www.openssl.org/docs/apps/ciphers.html
Solution :
Reconfigure the affected application if possible to avoid use of weak
ciphers.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output :
Here is the list of weak SSL ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Nessus ID : 26928
Anonymous FTP Enabled
Synopsis :
Anonymous logins are allowed on the remote FTP server.
Description :
This FTP service allows anonymous logins. Any remote user may connect
and authenticate without providing a password or unique credentials.
This allows a user to access any files made available on the FTP server.
Solution :
Disable anonymous FTP if it is not required. Routinely check the FTP
server to ensure sensitive content is not available.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output :
The contents of the remote FTP root are :
drwxr-xr-x 4 0 0 4096 Jun 2 19:24 debian
-r--r--r-- 1 0 0 332 Jun 2 15:07 mirror-config-file
drwxr-sr-x 2 0 0 4096 Jan 2 2007 misc
drwxr-sr-x 17 0 0 4096 Mar 19 2009 pub
-r--r--r-- 1 0 0 333 May 19 08:13 readme.mirrors
-r--r--r-- 1 0 0 1423 Jun 3 08:55 welcome.msg
drwxr-xr-x 3 1004 1004 4096 Sep 2 16:42 yum
CVE : CVE-1999-0497
Other references : OSVDB:69
Nessus ID : 10079
Last edited by UnfinishedSentenc; 11-14-2009 at 08:08 AM.
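The first finding in the scan output above rests on one observation: the server answered a TRACE request with a 200 and echoed the request back as message/http. As an added example, not code from the thread or from Nessus, the function below classifies a raw HTTP reply as reflected (TRACE enabled, the XST exposure) or blocked (the 405 from TraceEnable off, or the 403 from the RewriteRule [F] fix listed above). Both sample replies are constructed here, modelled on the reply shown in the scan; the host name is a placeholder.

```python
"""Added example: classify a raw HTTP reply to a TRACE request."""


def _dechunk(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body; the reflected reply in the scan is chunked."""
    out, rest = b"", body
    while True:
        line, _, rest = rest.partition(b"\r\n")
        size = int(line.split(b";")[0].strip() or b"0", 16)
        if size == 0:
            return out
        out += rest[:size]
        rest = rest[size + 2:]      # skip the chunk data plus its trailing CRLF


def parse_response(raw: bytes):
    """Return (status code, lower-cased header dict, decoded body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = _dechunk(body)
    return status, headers, body


def classify_trace_response(raw: bytes) -> str:
    """'reflected': the server echoed the request back (TRACE enabled, XST exposure).
    'blocked': 403 from the RewriteRule [F] or 405 from TraceEnable off.
    'unknown': anything else, e.g. a 200 carrying an ordinary HTML body."""
    status, headers, body = parse_response(raw)
    ctype = headers.get(b"content-type", b"").lower()
    if status == 200 and ctype.startswith(b"message/http") and body.startswith(b"TRACE "):
        return "reflected"
    if status in (403, 405):
        return "blocked"
    return "unknown"


# Constructed sample: a reflected reply with chunk framing, as an Apache 2.2 host sends it.
ECHOED = b"TRACE /Nessus27813.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
REFLECTED = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.9 (Debian)\r\n"
             b"Transfer-Encoding: chunked\r\nContent-Type: message/http\r\n\r\n"
             + b"%x\r\n" % len(ECHOED) + ECHOED + b"\r\n0\r\n\r\n")
# Constructed sample: the reply once TRACE has been disabled on the same host.
BLOCKED = (b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\n"
           b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n<html>...</html>")

if __name__ == "__main__":
    for name, sample in (("reflected", REFLECTED), ("blocked", BLOCKED)):
        print(name, "->", classify_trace_response(sample))
```

Feeding a live reply into classify_trace_response after applying TraceEnable off is a quick way to confirm the fix took effect on every virtual host.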