Does anybody have in-depth insight on the difference in security between cPanel and Plesk?
I am mainly interested in these points, but any insights are welcome.
Which panel is better at:
Keeping hackers constrained to the account they hacked, i.e. a hacker or a malicious client would not be able to infect other clients on the server or escalate their privileges.
Knowing which account is causing outbound spam, either from SMTP or from scripts on the hosting.
Providing an easy-to-use interface to a Web Application Firewall like modsecurity (with the ability to unselect rules per domain from the control panel).
The security of the server is not really dependent on the control panel you use. A control panel is basically just a web-based graphical interface to automate the server-side tasks.
Security itself is a whole different story. Regardless of the control panel you use, you still have to harden the server (i.e. firewall), install extra security modules (i.e. modsecurity, suphp, etc.), and regularly scan the server (i.e. rkhunter, chkrootkit, clamscan, etc.), check logs, and update the system software (i.e. Apache, PHP, MySQL, etc.).
The users also have to be diligent in keeping their passwords secure and their scripts up to date to avoid common types of hacks (i.e. update freeware scripts like WP, Joomla, etc.).
Last edited by ServerManagement; 12-04-2013 at 12:06 PM.
PlatinumServerManagement (also known as PSM)
The OLDEST and LARGEST and MOST TRUSTED server management provider in the USA, with 15+ employees and growing! Providing quality support for OVER 18 years! Currently supporting over 3,000+ servers monthly! www.PlatinumServerManagement.com Proud member of the NJ BBB & Chamber of Commerce & Authorized cPanel Partner.
Sorry, but you are not entirely correct. Control panels force you to do things their way, and their way assumes certain security modes.
Also, being able to manage security settings from the control panel, like chrooting certain domains and safe mode for PHP, is important since you do not want to edit Apache files for every customer out there.
Try managing modsecurity for 100 clients and you will know that you really need a client control panel to be able to disable some rules for some scripts.
So no, my original post is very important, at least to hosters that want to have the best user experience both in security and in making security (or some aspects of it) easy to manage.
The control panel is not going to prevent you from being compromised.
A control panel is not going to prevent privileges from being elevated because you failed to upgrade something like the kernel.
Neither provides an easy-to-use mod_security panel. You have to use 3rd party modules.
Neither panel makes it incredibly easy to determine which site is spamming. There are ways to evade what both panels do. cPanel, out of the two, has more verbose logging out of the box. It completely depends on how you set up your server. Someone could set up an SSH tunnel and tunnel through 127.0.0.1 to send spam and the origin would not be logged. You would need to prevent this. It is not good enough to just firewall it off; they can do it locally. You would need to disable TCP tunneling inside the sshd_config.
If you want a secure server, it's best for you to use something like CloudLinux with either Plesk or cPanel. There is nothing else on the market that even comes close.
With that said, we have done extensive security audits of both control panels and reported countless flaws to both. Both panels have really stepped up their security teams as a result.
Ultimately, the security is going to be dependent on what you do to secure the server -- plain and simple.
Steven Ciaburri | Industry's Best Server Management- Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
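A check for the sshd_config point raised in the post above, as an added example that is not part of the thread: it reads sshd_config text and lists every scope (the global section or a Match block) where AllowTcpForwarding, the OpenSSH keyword that controls TCP forwarding, is anything other than no. The sample config and the function names are constructed for illustration.

```python
# Added example: report where sshd_config leaves TCP forwarding enabled.
# SAMPLE_CONFIG is constructed for illustration, not taken from a real server.
SAMPLE_CONFIG = """\
# global section
Port 22
AllowTcpForwarding no
# sshd keeps the first value it reads for a keyword, so this line has no effect
AllowTcpForwarding yes
Match Group admins
    AllowTcpForwarding local
Match User backup
    PermitTTY no
"""

DEFAULT = "yes"  # OpenSSH default when AllowTcpForwarding is absent


def forwarding_by_scope(config_text):
    """Map each scope ('global' or a Match line) to its AllowTcpForwarding value."""
    scope, values = "global", {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or a single '='.
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            scope = "Match " + " ".join(args)
        elif keyword == "allowtcpforwarding" and args:
            values.setdefault(scope, args[0].lower())  # first value wins
    values.setdefault("global", DEFAULT)
    return values


def forwarding_findings(config_text):
    """Scopes where forwarding is not fully disabled ('local' still allows local port forwarding)."""
    return sorted(s for s, v in forwarding_by_scope(config_text).items() if v != "no")


if __name__ == "__main__":
    for scope in forwarding_findings(SAMPLE_CONFIG):
        print("TCP forwarding still permitted in scope:", scope)
```

A Match block that does not set the keyword inherits the global value, so it produces no separate finding. On a live host, `sshd -T` prints the settings sshd actually resolved.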