You are here: Home / Do Not Use ISPConfig

Do Not Use ISPConfig

by Hawke Robinson last modified Mar 30, 2016 02:35 PM
Against my decades of experience and better judgement, and giving into laziness, I went ahead and installed ISPConfig about a year ago. Big mistake!

I have discussed for over a decade on my show and blog telling people to avoid PHP, CGI, and similarly highly vulnerable related technologies. They are notoriously vulnerable, and event with nearly monthly overhauls of the PHP core language to address serious vulnerability issues, and implementing all the PHP-related hardening best practices, anyone that has to admin a publicly accessible PHP-based website is setting themselves up either for very busy job security or insecurity (when your users/boss become sick of the sites being compromised so much).

CGI has been notoriously "bad" since the 90s.

I finished moving all of my websites away from PHP in 2004, but have had to help many users/businesses undo the damage of their PHP sites all the time. One would think after so many years they could get their act together, apparently not.

While ISPConfig is a great utility to make life easier for admin of a multi-services server, it unfortunately relies on PHP and FastCGI (though web server).

I have not had a server under my care compromised even slightly (as far as I know of course), since 2004. Until last week.

Even though I had the latest patches, the FastCGI portion became compromised. As far as I can tell, it didn't go beyond that leading to a compromise of the httpd files.  Fortunately my rkhunter notified me within hours of the compromise, and I removed apache, fastcgi, php, and related modules. And then installed clean ones. However, since I can't ever be sure if it was rooted, I am formatting the system clean.

Fortunately since all my sites are running on Python-based Plone, the sites seem to be completely untouched. However, it is going to take me a while to rebuild everything, especially email and security certs. I won't use the same certs in case they were compromised (again, no signs that they were, but best not to take the risk).

I had no other reason to install PHP or FastCGI than ISPConfig. Won't do that again. 

I strongly recommend others do not take the risk either.

Cheers!

Navigation