
Security cPanel vs Centminmod

Discussion in 'System Administration' started by Jon Snow, Jun 14, 2020.

  1. Jon Snow

    Jon Snow Active Member

    If someone hacks a WordPress install for example on a centminmod server, are they able to get root access if it's not properly secured like locking down the root user and using ssh keys?


    What's the difference with cPanel / Plesk that separates domains for an extra layer of security? Would a hacker be able to gain root access similarly if they hack one website on a cPanel powered server?
     
  2. eva2000

    eva2000 Administrator Staff Member

    Access would be limited to nginx user directory/files, not root user.

    Similar, access would be limited to cPanel username owned directory/files. Just cPanel jail/chroot restricts each cPanel username, while Centmin Mod has 1 user = nginx that owns all sites' directories and files. Centmin Mod doesn't have jail/chroot support.
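
An audit sketch for the ownership model described in the reply above, added here as an example and not part of the original post or Centmin Mod's own code: it reports every UID that owns files in more than one site directory, which is the set of sites a single compromised account can reach. The `vhost_root` argument and the sample site names are assumptions; pass the directory that holds your per-site folders.

```python
import os
import tempfile
from collections import defaultdict


def site_owners(vhost_root):
    """Map each site directory under vhost_root to the set of UIDs owning its files."""
    owners = {}
    with os.scandir(vhost_root) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            if not entry.is_dir(follow_symlinks=False):
                continue
            uids = {entry.stat(follow_symlinks=False).st_uid}
            # os.walk does not descend into symlinked directories by default
            for dirpath, dirnames, filenames in os.walk(entry.path):
                for name in dirnames + filenames:
                    # lstat reports the link's own owner, never its target's
                    uids.add(os.lstat(os.path.join(dirpath, name)).st_uid)
            owners[entry.name] = uids
    return owners


def shared_owner_groups(owners):
    """Return {uid: [sites]} for every UID that owns files in more than one site."""
    by_uid = defaultdict(list)
    for site, uids in owners.items():
        for uid in uids:
            by_uid[uid].append(site)
    return {uid: sorted(sites) for uid, sites in by_uid.items() if len(sites) > 1}


def build_sample_tree(root):
    """Constructed sample: two site directories, both created by the current user."""
    for site in ("site-a.example", "site-b.example"):
        os.makedirs(os.path.join(root, site, "public"))
        with open(os.path.join(root, site, "public", "wp-config.php"), "w") as fh:
            fh.write("<?php // constructed placeholder\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for uid, sites in shared_owner_groups(site_owners(root)).items():
            print(f"uid {uid} owns files in {len(sites)} sites: {', '.join(sites)}")
```

A shared UID matters most when it is the account the web server or PHP workers run as; with one account per site the function returns an empty dict.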
     
  3. darnpunk

    darnpunk New Member

    Hello @eva2000, jumping in on this topic. I've been going through posts in forums and also FAQ stating that centminmod is not meant for shared hosting. Also understand that chroot is on the long term to-do list.

    Some questions that I hope you could clarify:

    1. Can we still set up chroot / jailed ourselves while still using centminmod? Will it be too much effort and could break sites?
    2. I noticed there's a recent update [nginx-announce] unit-1.18.0 which mentions a new isolation option for chrooting application processes called "rootfs". Would this be the solution to the chroot / jailed isolation?
    3. In the case where using a VPS and setting up shared hosting for multiple WordPress sites is the only option, what would you recommend to keep the sites as isolated as possible from each other using centminmod?
     
  4. eva2000

    eva2000 Administrator Staff Member

    There are many different ways to implement chroot/jail users, but it will fundamentally break the existing Centmin Mod nginx vhost setup and various operations, as centmin.sh menu and some of your web apps may no longer have access to services/processes and files they do have now without major changes in how it's all set up. It may also break any future Centmin Mod developments/features rolled out which don't expect a chroot/jailed environment and expect directories and files to exist at certain locations which would have changed due to chroot/jailing.

    Nginx Unit is different from Nginx server. Nginx Unit is an application server while Nginx is a web server. See Nginx Unit info at NGINX Unit | NGINX
    Long term plan is to also see how Centmin Mod can integrate Nginx Unit as well for application serving.

    Strictest isolation is to have 1 VPS server per web site. This is what I usually do myself even if there is jailed/chroot access. It makes it easier to scale and move specific sites to newer/upgraded servers and web hosts and gives resource usage isolation to each site = better performance for each site ;) :)
     
  5. darnpunk

    darnpunk New Member

    Thank you for the clarifications @eva2000. I too agree 1 VPS per website is the best route and security. It just so happens that sometimes the project restricts us to only use 1 VPS to host multiple sites.

    There are other options out there like Virtualmin which has chroot implemented but seeing it only has basic nginx support makes me wonder how it performs.

    I am so used to centmin and feel confident with it. Hopefully we can convince the client on 1 VPS per website.