You might not have heard about the term “KLOXO”. But this is a very popular, something-to-talk-about these days. Kloxo is a web hosting control panel used in Red Hot and CenTOS Linux Distribution. It is free and an open source. It was earlier known as Lxadmin but then it came to be known as Kloxo, which led to the uproar of its users since it involved updating of its entire file structure to change the name. The hosting companies got their updated script after two weeks of the name change.

Kloxo is integrated with Install app which is a bunch of around 130 web applications. These install app can be installed on the hosted websites. An installation which can be used as a plug-in also supports it.

With the use of Kloxo, the host administrators are allowed to run a combination of lighttpd or Apache with djbdns or BIND. It also provides a GUI to toggle between these programs with the security of data, i.e., there is no issues of losing data while switching between these programs. It is also known as a good free alternative to cPanel hosting control panels, since it allows to move mail/dns/web from one server running Apache to another server running lighttpd.

If we speak of the benefits of Kloxo, we find that it is very easy to use. Kloxo also requires very few resources. It generally needs 15 MB of memory. The developers of Kloxo say that it is the lightest control panel and offers a security mode level 5.

Kloxo provides a wide variety of services for its clients. Few of among them are:

  • Control domain and subdomain
  • DNS Management Model
  • File Manager on the Web
  • Management and installation of SSL Certificate
  • Resource Management Plan
  • Host Access via Secure Shell (SSH)
  • Configuring device driver
  • Reboot and power control
  • Administration of MySQL and Postgres SQL
  • Add and remove dedicated IP addresses
  • FTP session management
  • Configuring PHP and SuPHP, modPHP
  • PhpMyAdmin Access
  • Ability to create and delete email accounts
  • Web-based interface
  • Access to queue mail
  • Several applications of spam filter
  • SSH configuration
  • Ability to block and remove hosts
  • Enforcement watchdog over FTP, e-mail and Web-server
  • Control brute force attacks through LxGuard
  • Menu status for the server process
  • Server Status Menu
  • A menu in the status of server components
  • HTTP, mail, and MySQL
  • Cron-job and task scheduler
  • Install App

We have seen that how beneficial it is to use Kloxo. But, although Kloxo provides many advantages, it has some concerns too. Let’s see what are they?

There are several security and other issues that have led to the downfall of Kloxo;

Issue 1: reuse of uid/gid

Kloxo allows unprivileged users to create and remove user accounts. This is a common feature of the more popular web hosting control, whereby the users with this privilege are referred to as “resellers”.

  1. A reseller creates an account called “user1”, which is automatically assigned the next available uid and gid on the system.
  2. The reseller then logs into the user1 account, such as via FTP.
  3. As user1, they upload a file; let's say to /home/user1/testfile
  4. As user1, they copy or move testfile to /tmp
  5. Now, as the reseller, they remove the user1 account. When the user1 account was removed, all of /home/user1 was destroyed. However, the testfile file will still exist in /tmp, and will have the uid and gid which user1 previously held .
  6. The reseller then creates a new account; let's call it “user2”.
  7. “user2” now owns /tmp/testfile, because the uid and gid were the next available ids.

The problem with this design is that the testfile could have been a suid/sgid helper shell, with calls to setregid and setreuid, and the reseller could have waited for the next account to be created. Once the new account was created (perhaps by another reseller, or by root), the reseller could execute the helper shell and have full access to the new user's account.

Issue 2: unprivileged port use

Kloxo uses multiple unprivileged ports 7777,7776,7778,7779, by default. If any event is requested, for the service these ports provide, they stop listening to them. Here, a local user can easily bind to these ports, preventing Kloxo from being using them. Say, for e.g. ports 7777/7778 are the ports for login. A local user could create an authentic looking login page and obtain the username and password of the next person attempting to log in.

Issue 3: Default passwords

Kloxo uses a default password “21232f297a” which is saved in its database. Round cube database is “pass”. The root account is “admin”. The admin account is “admin”. Attackers can exploit this issue to authenticate to the application with full root privileges.

Issue 4: useradd string in the process list

Whenever a new account is added via Kloxo, the useradd string appears in the process list along with the password in a hash.

Issue 5:

The application creates FTP users in an insecure manner. Local attackers can exploit this issue to overwrite sensitive files via a symbolic-link attack, which can lead to a complete compromise of the computer.

Issue 6:

A security-bypass issue affects the ‘Newfile' feature of ‘File Manager'. Local attackers can overwrite random files through symbolic-link attacks, which can lead to a complete compromise of the computer.

Issue 7:

An SQL-injection issue affects the ‘frm_clientname' parameter of the ‘login/index.php' script. An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

Issue 8:

Local attackers can alter ownership permissions on random files and directories when adding a new domain by supplying paths containing directory-traversal characters.

There are many other security-related issues that have led to the deterioration of the Kloxo popularity. Because of these issues, people are opting for other free control panels to fulfill their requirements regarding their website. Amongst them, one is ISPConfig and the other is Virtualmin GPL. ISPConfig is yet another free and open source control panel for Linux. The setup is not automated like the other options. It is also the most powerful as it does everything a web hosting company would need, is easy to customize, offers full API support, is able to control multiple servers with 1 panel, and the documentation is very well written. On another hand, Virtualmin GPL is also a free, open source control panel for Linux, based on Webmin. With Virtualmin, you can rectify your problems and errors, no matter wherever you are since it is accessible by any web-enabled mobile device. It can send you an SMS on your mobile whenever a problem arises. Also, it manages network settings, firewalls, PostgreSQL and MySQL databases, users and groups, startup services, system logs, directory services, filesystems, quotas, software packages, name service and redundancy, mail, spam and anti-virus, and much more. It works well with others with the use of Parsers. It is easy to use, flexible and very cost-effective.

The downfall of Kloxo has to lead to the rise in the popularity of paid control panels to a greater extent. Clients find it more convenient to pay and use paid control panels than to use those free ones. Some reasons behind this are:

  1. Frequently your server can be showed error/missing.
  2. Most of the paid hosting server does not support free domain.
  3. Customer support is not available always.
  4. You will not able to use the control panel in according to your wish.

In contrast to this, using paid control panels can be beneficial as:

  1. A server is free from error/missing problem.
  2. Paid hosting server does not support free domain.
  3. You will get customer care support always 24/7.
  4. You will get a full control panel for controlling everything and will get the chance to use a different utility.
  5. To upload anything to the site you will not face huge time.
  6. As you know before buying about hosting and bandwidth, you will get the same way to work.
  7. There is enough security for file backup and for hacking.
  8. If your website will get huge visitor then your website will not face incorrect.

Among the paid ones, the most popular are cPanel for Linux and Plesk for Windows.

cPanel is a UNIX based graphical control panel, which permits automation tools designed to make the procedure of hosting a website easier. The software is distributed by cPanel Inc. One more important point is that users have to pay the monthly license cost for this control panel. cpanel is compatible with Redhat Enterprise Linux, CentOS, and FreeBSD. cPanel is now most popular control panel which helps the users to simplify the server administration and management. The reason for its popularity is not only because it is the simplest control panel, but that it is the most eye gratifying or attractive control panel. cPanel is also the cheapest control panel which allows monitoring all aspects of your website. One can find-out the utilized amount of bandwidth and also find-out the daily or monthly or yearly website traffic details with it. If one wants to personalize, then one can do that very easily with cPanel. It is very easy to use, that’s why you don’t require previous experience. It is very famous for its stability, simplicity, and functionality. Other than these advantages there are other advanced features with cPanel control panel. It permits you to manage your complete server remotely with any Mac OSX, Windows or Linux workstation.

On the other hand, Plesk is another paid hosting controller, which is suitable for both Linux and Windows. The installation and activation process for Plesk is also simple and painlessly one. You can use it in any of the environments like VPS, Dedicated, and Shared etc easily. The Plesk also has the ability to create thousands of virtual accounts. By using this you can simply manage mails, ftp, backups etc simply and fast. Plesk offers users the possibility to easily install web applications using the (APS) Application Packaging Standard. APS packages are updated by the packaging vendor when a security update is made available. So these are secure and reliable.

With this article, I would like to conclude that though everything has its own pros and cons. One should opt for those suits them the best. Though Kloxo has issues with it, it has managed to compete for the other free control panels and is still one of the best amongst them.