Vultr For Blesta Provisioning Module


timnboys


CubeData is proud to announce we have made a Vultr provisioning module for Blesta.

The cost is $7.00 per month for a monthly license, or $100 for an owned license, with an optional $25/year support/upgrades renewal if you want support/upgrades for the module (if you don't renew this, you just will not get any support/upgrades/patches/etc. for your module).

Screenshots of the module:


Order Links: https://cubedata.net/vultr

Also this module has been independently reviewed by a security researcher.


I'm very big on UI. I've had every plugin currently in use for Blesta custom themed to fit my blesta install. Is there a way to do this with your encoded module? And when I talk modification, it's not just colours :) - it's placement, looks, amount of clicks to do X and Y. 

Also, what are the current features for the module? Can it load a custom snapshot from Vultr? I have a few there with custom init scripts to simplify setup and clustering.

Will it support hourly billing eventually? 

How is the security of this module? Has it been peer-reviewed, or reviewed by a third party? 

I'm interested in this one. Just need to know a bit more about it before plunking down the recurring cash for it. 

Edit: Is there a way for this module to get the IP data back from Vultr, and send it to another module (let's say a monitoring module)?


On 9/12/2016 at 5:14 PM, AnthonyL said:

I'm very big on UI. I've had every plugin currently in use for Blesta custom themed to fit my blesta install. Is there a way to do this with your encoded module? And when I talk modification, it's not just colours :) - it's placement, looks, amount of clicks to do X and Y. 

Also, what are the current features for the module? Can it load a custom snapshot from Vultr? I have a few there with custom init scripts to simplify setup and clustering.

Will it support hourly billing eventually? 

How is the security of this module? Has it been peer-reviewed, or reviewed by a third party? 

I'm interested in this one. Just need to know a bit more about it before plunking down the recurring cash for it. 

1. It isn't like it doesn't use Blesta's UI lol :) Though I am not exactly sure how you would "theme" this, considering it's a module; it has no custom UI, it uses Blesta's UI that you have on your install.

2. The current features of it, since this is just the first release, are the usual provisioning functions, though I do know I could implement init scripts quickly, since the API library I am using to talk to Vultr supports provisioning with custom init scripts, and it also supports loading a "vm" with a custom snapshot as well.

3. Yes, as soon as I figure out how to implement hourly billing, since I don't have a clue yet how to do this.

4. Audit done; see report later in the thread.


Thanks for the info :) 

1 - I'll have to look into this more. Currently, a module like cPanel Extended was modified and the entire thing looks different than it does stock. No icons, etc. - Is this the same with yours? Sorry, I'm just not 100% sure how it would match Blesta is all. There has to be an interface the customer uses, right? 

2 - Good to know. 

3 - Great :)

4 - Honestly... yes. If I'm going to trust a module that accesses the Vultr account that has access to all vm's, and it has the capability to terminate/suspend/create.. that's a huge, huge huge issue of trust. I need to know there are no obvious holes in the module that would allow a customer to hijack it and connect to other vm's. Part of this is the Vultr API, but the credentials to connect to that API are stored in the module. 

I don't code, so when I suggest an audit, it's just a suggestion. Another one would be talk to the Blesta guys, get them to review it. I don't know. But module security should be a very important aspect of all this. 

Don't take this personally :) I'm super interested in the module, but if I'm going to trust it by giving access to Vultr like that, there needs to be some sort of check and balance in place 


I wasn't saying you would do that at all. I'm saying a customer signs up, the module provisions their vps on vultr. 

What stops them from hijacking the module via sql injection or whatever the cool new way to hack into things is, and taking over functions of the vultr account? That's what I'm most concerned about. Same thing with other modules like cPanel Extended, and others where there's a possibility of a hack.

Nothing is 100% hack proof, so all I'm asking for is if there is a way to have someone else review the code for you, a second set of eyes that could catch something obvious that 99.999% of the hackers would know how to do. And for the 0.001% chance of being hacked, well, we all live with that risk and mitigate it as much as possible.


1 hour ago, timnboys said:

After thinking of this more, you do realize I don't use SQL at all, right? And if I do, I use Blesta's native functions to access Blesta's DB, so technically if you feel this module isn't secure you are kinda saying Blesta isn't secure, which you would be wrong on, as there is no way I make my own SQL functions up; I would rather use Blesta's native exposed DB functions that are much more secure than something I can come up with.

See this: https://docs.blesta.com/display/dev/Database+Access

^ This is what I use; what is so insecure about that?

In my opinion @AnthonyL you're making a big issue out of something that isn't.

It's unlikely that any SQL injection exists in your module because of the way Blesta is designed, so long as you're not running your own queries outside of the record component. Still, security is a legitimate concern and modules could be vulnerable to XSS or other vulnerabilities. I don't think @AnthonyL is trying to attack you, and it doesn't mean that you've done anything wrong. 


Ugh guys. This is bordering on the ridiculous. All I asked was if he could get his code reviewed so those purchasing the module can have a good amount of trust that obvious exploit vectors are checked and eliminated.

He said "no, costs too much".

End of story as far as I'm concerned. I'd love a Vultr module, but not at the cost that the module could be exploited in an obvious way and wreck the business.

No one is attacking anyone. I asked a question.


1 hour ago, AnthonyL said:

Ugh guys. This is bordering on the ridiculous. All I asked was if he could get his code reviewed so those purchasing the module can have a good amount of trust that obvious exploit vectors are checked and eliminated.

He said "no, costs too much".

End of story as far as I'm concerned. I'd love a Vultr module, but not at the cost that the module could be exploited in an obvious way and wreck the business.

No one is attacking anyone. I asked a question.

First of all, yes, I can get it examined. The guy on Twitter that found the RCE in Blesta said he would "audit" my code for me (said that to me in a ticket a while back). I don't see how you can do it with it ionCubed, but I will give him the source code also if he asks for it. But the point is no one has asked me for an "audit" on my code before; that is where I got confused. Anyway, if it makes you happy @AnthonyL, I will go and get that guy on Twitter to "audit" it for me then.


Awesome :) - I'm not a coder, but from what I know, these people sign NDA's and can be held legally responsible if code leaks out. There has to be some sort of trust, but an NDA is a good way to protect each party too. 

When it comes to running a business and the implications involved, I'm very strict with what runs where. Never take that personally, it's a business thing. Anything that even remotely touches something that can cripple the business needs to be vetted in some fashion. 

I look forward to the results! 


On 9/13/2016 at 5:21 PM, AnthonyL said:

Awesome :) - I'm not a coder, but from what I know, these people sign NDA's and can be held legally responsible if code leaks out. There has to be some sort of trust, but an NDA is a good way to protect each party too. 

When it comes to running a business and the implications involved, I'm very strict with what runs where. Never take that personally, it's a business thing. Anything that even remotely touches something that can cripple the business needs to be vetted in some fashion. 

I look forward to the results! 

Security Report finished

look here for the pdf: Link to Report

https://twitter.com/pwnsdx/status/775897491367661568

^ hash 

 


FYI: My questions are not about being picky. I realize now you're a college student, so I hope this is more of a learning experience for you, and for other module developers. When you run a business that holds other people's critical data, it's extremely important to vet everything that touches or can affect that data.

You just had the misfortune of having me interested in your module and these questions asked of you. But I'd ask these questions from any module developer that handles critical functions. Module developers should recognize you don't just cowboy code something, slap on a bit of UI and it's good to go. Businesses don't work that way. 

In my own environments, there's development, alpha, staging, and then production servers. And at each step, everything is checked over and over how any change interacts with other software on the server. And then there's the security, VPN, 2 factor, 1 time token codes, IP geolocation.. because it's data. People's data and livelihoods, and you never take a chance with that.


4 hours ago, AnthonyL said:

I'll put my money where my mouth is :) 

Can we expect continued development of this module? Especially the customization options like using snapshots, or allowing customers to take snapshots, etc

 

  1. Yes, you can expect continued development; I haven't abandoned any of my other modules yet either.

4 hours ago, AnthonyL said:

FYI: My questions are not about being picky. I realize now you're a college student, so I hope this is more of a learning experience for you, and for other module developers. When you run a business that holds other people's critical data, it's extremely important to vet everything that touches or can affect that data.

You just had the misfortune of having me interested in your module and these questions asked of you. But I'd ask these questions from any module developer that handles critical functions. Module developers should recognize you don't just cowboy code something, slap on a bit of UI and it's good to go. Businesses don't work that way. 

In my own environments, there's development, alpha, staging, and then production servers. And at each step, everything is checked over and over how any change interacts with other software on the server. And then there's the security, VPN, 2 factor, 1 time token codes, IP geolocation.. because it's data. People's data and livelihoods, and you never take a chance with that.

  1. Yes, I agree you're very strict for security reasons.
  2. Yes, and I should have expected that.
  3. Yes, but let me inform you it was already production ready when it was announced, considering it went through a lot of Q&A testing before even being released/announced by me and before even getting the "Stable" category label.
  4. @AnthonyL does this answer all of your questions?
