It is always a good idea to investigate how secure a less common piece of software is before installing it. This applies to CyberPanel, as it is one of the least popular Linux control panels we’ve covered. In this article, we’ll discuss some important CyberPanel security concerns and solutions.
- Cybersecurity Risks
- CyberPanel Security Features
CyberPanel is free open-source software (FOSS). Anyone can download and audit the source code to submit bug fixes or develop malware targeting the application. CyberPanel developers may have times when they focus more on their paid, Enterprise version than the free edition. This isn’t fear mongering, just important info to keep in mind.
We’ve found many bugs while creating CyberPanel content. Luckily, we were able to find workarounds to mitigate them. But for anyone unaware of these mitigation techniques, the bugs can easily be manipulated for malicious purposes. The easiest ways to track bugs are:
- Recently reported GitHub issues
- GitHub commits to compare changes in source code
- Changelogs thread in official forum
Common Vulnerabilities and Exposures (CVEs)
Popular software is generally targeted more often by cyber attackers. One of the best ways to quantify known vulnerabilities is by searching for the app in the National Vulnerability Database (NVD). Each verified vulnerability is given a Common Vulnerabilities and Exposures (CVE) identifier.
As of July 2022, there is only a single unresolved CyberPanel CVE and it only applies to version 1.8.4 (current version is 2.4). Submitted in 2019, CVE-2019-13056 states that the lack of cross-site request forgery (CSRF) protection allows a cyber attacker to edit the administrator’s user credentials. But again, this CVE has since been negated through multiple software upgrades. The same applies to a remote code execution (RCE) flaw reported for CyberPanel version 2.1.
The lead CyberPanel developer stated in a Reddit post that the Rack911 security company regularly audits the software to mitigate vulnerabilities. This should provide some peace of mind that there likely aren’t many major security flaws present. Just remember that you should still apply best cybersecurity practices.
CyberPanel Security Features
CyberPanel free and enterprise versions use the LiteSpeed free and enterprise versions respectively. The most notable LiteSpeed security feature is how easily you can implement HTTP/3. Just force a website to use a valid SSL certificate and open UDP port 443 in your web application firewall (WAF). Done.
Most security-related DNS records are published as TXT records:
- Sender Policy Framework (SPF) authenticates which IP addresses can send email for a domain
- Domain-based Message Authentication, Reporting and Conformance (DMARC) enforces SPF and blocks illegitimate emails
- Brand Indicators for Message Identification (BIMI) authenticates legitimate email with a special logo image in select email hosting platforms
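The following Python is an added example, not part of the original article or of CyberPanel: it checks a domain's SPF, DMARC and BIMI TXT records for weak settings, including BIMI's dependence on an enforcing DMARC policy. The function names and the example.com records are constructed for illustration.

```python
# Added example: audit SPF, DMARC and BIMI TXT records for weak settings.
def parse_tags(value):  # "k=v; k=v" (DMARC, BIMI) -> dict
    pairs = (p.partition("=") for p in value.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, _, v in pairs}

def audit_spf(low):
    alls = [t for t in low.split()[1:] if t.lstrip("+-~?") == "all"]
    if not alls:  # a redirect= modifier defers the decision to another record
        return [] if "redirect=" in low else ["SPF: no 'all' term, unlisted senders are not failed"]
    if alls[0] in ("all", "+all"):
        return ["SPF: '+all' authorizes every IP address"]
    return ["SPF: '?all' is neutral, unlisted senders are not failed"] if alls[0] == "?all" else []

def audit_dmarc(tags):
    out = []
    if tags.get("p") not in ("none", "quarantine", "reject"):
        out.append("DMARC: missing or invalid p= policy")
    elif tags["p"] == "none":
        out.append("DMARC: p=none only monitors, nothing is blocked")
    if "rua" not in tags:
        out.append("DMARC: no rua= address, aggregate reports are not collected")
    return out

def audit_zone(records):
    """records: (dns_name, txt_value) pairs for one domain. Returns findings."""
    findings, seen, dmarc = [], set(), {}
    for name, value in records:
        name, low = name.lower().rstrip("."), value.strip().lower()
        if low.split()[:1] == ["v=spf1"]:
            seen.add("spf")
            findings += audit_spf(low)
        elif name.startswith("_dmarc.") and low.startswith("v=dmarc1"):
            seen.add("dmarc")
            dmarc = parse_tags(low)
            findings += audit_dmarc(dmarc)
        elif "._bimi." in name and low.startswith("v=bimi1"):
            seen.add("bimi")
    if "bimi" in seen and dmarc.get("p") not in ("quarantine", "reject"):
        findings.append("BIMI: needs DMARC p=quarantine or p=reject to take effect")
    findings += [f"{t.upper()}: no record published" for t in ("spf", "dmarc") if t not in seen]
    return findings

# Constructed sample zones for example.com (not taken from the article)
BIMI = ("default._bimi.example.com", "v=BIMI1; l=https://example.com/logo.svg")
WEAK = [("example.com", "v=spf1 ip4:192.0.2.10 +all"), ("_dmarc.example.com", "v=DMARC1; p=none"), BIMI]
HARDENED = [("example.com", "v=spf1 ip4:192.0.2.10 -all"),
            ("_dmarc.example.com", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"), BIMI]

if __name__ == "__main__":
    print("\n".join(audit_zone(WEAK)))
```

To audit a live domain, feed `audit_zone` the TXT answers for the domain itself, `_dmarc.<domain>` and `default._bimi.<domain>`.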
CyberPanel Security Integrations
CyberPanel has graphical interfaces for some popular security applications.
ConfigServer Security & Firewall (CSF) is capable of stateful packet inspection (SPI), closing network ports, brute force login protection, and more. It is a popular, great all-in-one security solution.
ModSecurity is a signature-based firewall able to block cross-site scripting (XSS) and various other code injection attacks. This is a must-have for anyone running dynamically built sites with PHP and databases.
ImunifyAV is a virus scanner that can be enhanced with CSF. The premium Imunify360 version adds patching, backup functionality, and additional security features.
Use best security practices, regardless of what you have installed. And regularly review security logs for ways to improve your security posture. Let us know below if you still have questions about securing your CyberPanel VPS.