
[Updated][Module] Universal Server Module - Manage Dedicated Servers And Colocation


Abdy


Update:

Hi,

I've started working on the next update of this module. If you have ideas or suggestions for the next update, please tell me or send me a PM.

Best Regards.

-------------------------------

Hi Blesta users :blesta:

Today I bring a module that could be useful for some, a module based on the Universal Module.

This module is extensible; you can implement your own API :blesta:

Features:

  • Colocation Manager
  • Client and Admin Side Information
  • Web SSH Client
  • Web FTP Client
  • Statistics
  • Off and Reset Button function without API
  • Live Screenshot
  • Automatic Detection of Control Panel
  • Colocation tab hides automatically if you don't use any colocation parameter
  • And lot of love :blesta:
Update June 25, 2015
  • Documentation Available.
  • Internal Improvements [Thanks naja7host]
Update July 04, 2015
  • If you don't provide an API for the Off and Reset buttons, the module automatically uses SSH to perform these actions.
  • The On button only appears if you have defined an API
  • Requires the SSH2 extension of PHP to be installed
  • ServerTools is no longer required; all data is retrieved via SSH
  • Optimised code (faster)
  • The FTP client is self-hosted and included with the module
  • Available on GitHub https://github.com/CyanDarkInc/Universal-Server-Module
Update August 19, 2015
  • Update Software from Blesta
  • Change Root Password from Blesta
  • Change hostname from Blesta
  • Internal and Important Changes

Note: This module is no longer in beta and you can use it in production. :blesta:

If you want to make a donation you can send it to order@cyandark.com, and thanks for your contribution. And again, sorry for my bad English. :)

Enjoy ;)

You can Download the Module from my repo on GitHub https://github.com/CyanDarkInc/Universal-Server-Module

Screenshots

[three screenshots attached in the original post]


It's a great plugin again, Mr CyanDark; we are waiting for your documentation.

Just a little suggestion:

- In the view, put the .js and .css files in the images directory or add a new directory for them. This is just to preserve the standard directory tree.

- For the tabs you have not added a view; you are returning the output directly. It is better to send the output to a view file (e.g. ssh_console.pdt, client_ssh_console.pdt, etc.).

- In the view file, you have some regex that could already be done in the module function rather than in the view file.

I have not yet installed or tested your module; these observations are just from a first look at the code.

In the end, great work, champion!



I take note of your advice for the next update. ;)


Screenshots sure look nice.

But I do think you should at least document that:

 

  • FTP function is not implemented in module itself, but outsourced to https://file-manager.cyandark.com/ meaning the password the customer enters is sent there.
  • SSH function is not implemented in module itself, but outsourced to https://ssh.cyandark.com/ meaning user's password is sent there.
  • Furthermore the SSH function submits the user's password as GET parameter, meaning it can end up in the web browser history...

<iframe style="width: 100% !important; height: 500px; margin-top: -10px; border: 1px solid #ccc; backround: #000;" border="0" src="https://ssh.cyandark.com/?host=<?= base64_encode($host) ?>&puerto=<?= base64_encode($port) ?>&user=<?= base64_encode($user) ?>&password=<?= base64_encode($pass) ?>"></iframe>

 

I do not doubt your good intentions, but I am pretty uncomfortable with the concept of sending customers' passwords through any third party...


Not a big fan of including resources from external sites either (like "@import url(https://fonts.googleapis.com/css?family=Inconsolata);")

Some browsers like IE and Firefox allow Javascript inside CSS. If external site is compromised, so will your panel be.
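An added example (not code from the Universal Server Module) showing how the credential hand-off Max quotes above can be done without putting the password in the URL: the credentials stay in the server-side PHP session under a random, single-use handle, and only that handle travels in the iframe URL. It assumes a self-hosted console at the hypothetical path /ssh_console.php on the same Blesta installation, so it can read the same session; the external host name in the unsafe variant is a placeholder.

```php
<?php
// Added example, not code from the Universal Server Module.
// Assumes a self-hosted console at /ssh_console.php (hypothetical) that
// shares the Blesta PHP session, so credentials never need to leave the server.

// The pattern the thread criticises: credentials in the iframe URL end up in
// browser history, proxy and web-server logs, and Referer headers.
function consoleIframeWithCredentials(string $host, int $port, string $user, string $pass): string
{
    $src = 'https://console.example.invalid/?host=' . base64_encode($host)   // placeholder host
         . '&puerto=' . base64_encode((string) $port)
         . '&user=' . base64_encode($user)
         . '&password=' . base64_encode($pass);   // base64 is encoding, not encryption
    return '<iframe src="' . htmlspecialchars($src, ENT_QUOTES) . '"></iframe>';
}

// Hardened: park the credentials server-side under a random, short-lived,
// single-use handle and put only the handle in the URL.
function storeConsoleCredentials(string $host, int $port, string $user, string $pass): string
{
    $handle = bin2hex(random_bytes(16));          // 128 random bits, unguessable
    $_SESSION['ssh_console'][$handle] = [
        'host' => $host, 'port' => $port, 'user' => $user, 'pass' => $pass,
        'expires' => time() + 60,                 // must be redeemed within a minute
    ];
    return $handle;
}

function consoleIframeWithHandle(string $handle): string
{
    $src = '/ssh_console.php?h=' . rawurlencode($handle);
    return '<iframe src="' . htmlspecialchars($src, ENT_QUOTES) . '"></iframe>';
}

// Console side: the handle is consumed on first use and rejected once expired,
// so a URL copied from history or a log cannot be replayed later.
function redeemConsoleCredentials(string $handle): ?array
{
    $entry = $_SESSION['ssh_console'][$handle] ?? null;
    unset($_SESSION['ssh_console'][$handle]);     // single use
    if ($entry === null || $entry['expires'] < time()) {
        return null;
    }
    return $entry;
}
```

The same handle-in-URL approach applies to the FTP client once it is self-hosted; the point is that the secret itself never becomes part of a URL.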


Hooboy, this is quite the advanced module. I'm almost tempted to stop development of my Dedicated Server Module and let this one take over... but I think, that is probably not a wise idea.

 

More modules may be a good thing... but I think this one will probably win out in the end.

Merge the projects. @cyandark should post this on some public code repository (self-hosted git/svn or github, bitbucket, etc).

/adam


More modules is better :)

 


Good idea, we can merge our projects and make a unique but powerful module.


Why is servertools obfuscated? May you please undo that, along with posting this on a public source code repo .. so others can contribute to it?

A lot of work needs to be done in order to make this more modular. Injecting HTML within the controller does not seem like a good MVC approach, nor is using shell_exec without escaping the string with escapeshellarg.

It also seems you are hard coding OS values and hard drive values rather than taking a more general approach of pulling from the database via the Record object provided by the base class.

-Adam
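An added example (not the module's code) of the shell_exec point Adam raises above: a hypothetical helper that runs a status command for a server whose hostname came from the database, first in the unescaped form and then validated and quoted with escapeshellarg.

```php
<?php
// Added example, not code from the Universal Server Module.
// The helper names and the ping command are hypothetical; the point is how a
// database-sourced value is placed on a command line.

// Unsafe: the hostname is interpolated straight into the command string, so
// any shell metacharacter in it changes what the shell executes.
function pingUnsafe(string $hostname): ?string
{
    return shell_exec("ping -c 1 $hostname");
}

// Safer: first check the value against what a hostname or IP address may
// contain, then quote it with escapeshellarg so the shell receives it as one
// literal argument regardless of its contents.
function pingSafe(string $hostname): ?string
{
    $isIp   = filter_var($hostname, FILTER_VALIDATE_IP) !== false;
    $label  = '[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?';
    $isName = preg_match('/^' . $label . '(\.' . $label . ')*$/', $hostname) === 1;
    if (!$isIp && !$isName) {
        throw new InvalidArgumentException('Not a valid hostname or IP address');
    }
    return shell_exec('ping -c 1 ' . escapeshellarg($hostname));
}

// escapeshellarg wraps the value in single quotes and escapes any embedded
// single quote, so "host.example.test" becomes 'host.example.test' and a
// value containing quotes or separators stays a single argument.
```

Validation and escaping are complementary: the allow-list rejects values that could never be a hostname, and escapeshellarg guarantees the shell parses whatever remains as data.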



The tools.php file generates an encoded string used by the module, and contains the algorithm to encode the string; this is the reason it is encoded, for security reasons.

I'm working on a new update with some improvements to the code :)



It is no secret what algorithm you use to encode that string .. since you told us how to decode it (via your module). I do not understand your argument on it being obfuscated for security reasons.

You first output the server status via base64 encode as hex. Then each character is shifted by 13 places via str_rot13. After that you reverse the entire character stream via strrev. Finally, you compress the output via gzencode. All this for what appears to be server status. I say what appears as server status because I have not taken the time to reverse engineer the script to see if any malicious intent is also included.

What is so secretive about the status of the server? With a little investigative work (thanks to your screenshot) I can see your server has 3 CPUs, ~25GB of disk and roughly 256MB of memory with an uptime of almost two days. If you are worried about attackers, outputting the version of Apache you use, along with OpenSSL and PHP can do more harm (which is what you currently have setup).

Again, all this for server status. Yet, as Max pointed out, your passwords are sent as a GET parameter to a 3rd party site. Regardless if the connection is SSL or not, GET parameters are not part of the encrypted payload in TCP/IP (they are part of the packet header). It seems more focus should be addressed in other areas is all I am saying.

I say these things not to make you feel bad, but because code review is an integral part of making software better.

-Adam
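An added example (not the module's tools.php) that implements the encoding chain Adam describes above, base64, hex, str_rot13, strrev and gzencode, together with its exact inverse. Each step is a keyless, public, reversible transform, so a recipient who has the module source can undo the whole chain mechanically; the status array is constructed for the example and the step order follows Adam's description.

```php
<?php
// Added example, not the module's tools.php. Implements the chain described
// in the thread and its inverse; the status values are constructed.

function obfuscateStatus(array $status): string
{
    $data = json_encode($status);
    $step = bin2hex(base64_encode($data)); // 1. base64, then hex
    $step = str_rot13($step);              // 2. rotate letters by 13 (a-f become n-s)
    $step = strrev($step);                 // 3. reverse the character stream
    return gzencode($step);                // 4. compress
}

function deobfuscateStatus(string $blob): ?array
{
    $step = gzdecode($blob);               // undo 4
    if ($step === false) {
        return null;
    }
    $step = strrev($step);                 // undo 3
    $step = str_rot13($step);              // undo 2 (rot13 is its own inverse)
    $raw  = hex2bin($step);                // undo 1 (hex layer)
    if ($raw === false) {
        return null;
    }
    $data = base64_decode($raw, true);     // undo 1 (base64 layer), strict mode
    return $data === false ? null : json_decode($data, true);
}

// Round trip on a constructed status record: no key is involved anywhere,
// so the "encoded" blob carries exactly as much secrecy as the plaintext.
$status = ['cpus' => 3, 'disk_gb' => 25, 'mem_mb' => 256, 'uptime_days' => 2];
$blob   = obfuscateStatus($status);
assert(deobfuscateStatus($blob) === $status);
```

Compare this with the iframe issue earlier in the thread: the blob protects nothing that needs protecting, while the password that does need protecting is exposed in a URL.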


Regardless if the connection is SSL or not, GET parameters are not part of the encrypted payload in TCP/IP (they are part of the packet header).

 

That's incorrect.

Only the hostname is sent unencrypted (by the SNI TLS extension, so the server knows which certificate it should use, if more than one site shares the IP).

All HTTP communication, including the URL and request headers, is sent over encrypted SSL.

The only problems are the GET parameters ending up in web browser history, and that URLs including GET parameters are usually logged in web server logs.

 

 

Do note that this module is not the only one with security flaws regarding GET parameters.

When you enable Blesta's two-factor authentication it submits your secret master seed code, from which all TOTP codes derive, as a GET parameter to chart.googleapis.com in order to generate a QR code of it...

Reported over a year ago, but apparently it was not considered worth fixing.


Merge the projects. @cyandark should post this on some public code repository (self-hosted git/svn or github, bitbucket, etc).

/adam

 

Merge the projects? Hmm. I suppose that'd be doable...

 

We'll see. Mine's on Github, though I've yet to push updates to the repository as I'm working out a few issues before I push a new updated build.



Any thought given to integrating this module with the NOC-PS module? or taking the functions available in the NOC-PS module and putting them in yours so that a customer of NOC-PS could also get your features and awesomeness?

 

This would give your Server Module the ability to reboot via PDU or IPMI, OS (Re)Installs, Rescue Boot Mode, Bandwidth Usage Graphs, etc if the user is also a customer of NOC-PS.


That could be against @Max's terms and conditions for using their module, or as Blesta would say stealing code (taking it from the coder and then calling it your own).

