Hardcoded domain and external scripts in panel.sh

Habet

Hi, I was running your panel.sh installer and I found several items that look problematic or unexpected. Please clarify and fix the points below:

1. Hardcoded domain

Script uses /etc/letsencrypt/live/chandpurtelecom.xyz and other chandpurtelecom.xyz references (see copy_conf_for_ols).
Why is a third-party domain hardcoded in an installer? This causes my server to create/point SSL and config for a domain I do not own.

2. Remote downloads & execution

The script downloads and executes multiple remote scripts at runtime, e.g.:
- https://olspanel.com/panel_setup.zip
- https://olspanel.com/extra/*.sh (several curl | bash calls)
- https://raw.githubusercontent.com/osmanfc/olspanel/... (requirements, files)
Why are you fetching and executing code from these external URLs without verification? This is a high risk for supply-chain injection.

3. Plaintext credentials on disk

Files created/used under /root/ store secrets in cleartext:
- /root/item/mysqlPassword
- /root/db_credentials_panel.txt
- /root/webadmin
Please explain how these are protected and why secrets are written in plain files. Also provide a plan to encrypt/remove these after use.

4. Automatic cronjobs & restart triggers

Script installs multiple cron jobs (backup, limit_check, fail2ban task, and a watcher that restarts OpenLiteSpeed on certain .htaccess conditions).
Explain what each cron job does and why automatic service restarts are triggered by file changes (this could be abused to cause instability).

5. Random port and service changes

Script replaces port 2083 with a random port saved to /root/item/port.txt. Why is this randomized and how should I find/control the port?
It also installs a systemd cp.service and replaces Python paths to /root/venv/bin/python. Please provide the service file sources and explain behavior.

6. Files and paths modified

The installer copies many config files to system locations and changes permissions:
- /usr/local/lsws/Example/html/*
- /etc/powerdns/..., /etc/postfix/..., /etc/opendkim/*
Confirm which files are provided inside the package and which are fetched remotely.

7. Commands executed as root

A lot of sudo/root operations happen automatically (package installs, systemctl, iptables/ufw modifications). I need an explicit list of required changes before running the script.

8. Supply / source verification

Please provide:
- Link to the canonical source repository for this project (not a raw file).
- Release tag or commit hash used to generate this panel.sh.
- SHA256 checksum or signed release of any downloaded artifacts (panel_setup.zip, extra scripts).
- License and contact for security issues.

9. Security audit / assurance

Has this installer been security audited? If not, will you allow a short third-party review or provide a safe mode that does not download/execute remote scripts or touch LetsEncrypt for domains I don’t own?

Immediate requests (please reply):

Confirm you will remove or parameterize the hardcoded domain (or provide a version that prompts for domain).
Stop curl | bash without checksum/signature — provide checksums or repository to verify.
Provide a quick checklist of what the script will modify (packages, files, services, ports).
- Provide a safe, non-destructive installer or a dry-run mode.

Thanks, I need these answers before I continue using this installer on any server with real data.

administraktor

No reply from OLSPANEL team 8 days since question?
I'm curious about those issues too since I'm using your panel to provide free hosting for my users...

admin

Sorry for the delay

Title: Response to Security & Installer Concerns

Hi everyone,

Thank you for your detailed feedback and for helping us improve OLSPanel. Here’s clarification for the points raised regarding the panel.sh installer:

1. Hardcoded domain

The installer currently uses chandpurtelecom.xyz as a default domain for panel SSL during first-time login.
This is required because OLSPanel depends on OpenLiteSpeed to serve HTTPS. Without a domain, the panel cannot start SSL on a fresh Ubuntu installation.
After first login, you can replace the default domain with your own and generate a proper SSL.
Future releases will allow domain input during installation instead of a hardcoded placeholder.

2. Remote downloads & execution

Some scripts are downloaded during installation for panel configuration and templates, e.g.:
- https://olspanel.com/panel_setup.zip
- extra/*.sh
- GitHub raw files for dependencies
Planned improvements:
- Provide SHA256 checksums for verification.
- Move scripts to the main repository with tagged releases.
- Add a safe mode installer that skips remote execution and shows a dry-run of changes.

3. Plaintext credentials

Previously, temporary credentials were stored at:
- /root/item/mysqlPassword
- /root/db_credentials_panel.txt
- /root/webadmin
All plaintext credentials are now removed. No secrets remain on disk.
Future updates will encrypt or remove temporary credentials immediately after use.

4. Cronjobs & automatic restarts

Cron jobs handle backup, fail2ban maintenance, and limit checks. Watchers may trigger service restarts.
Planned improvements:
- Provide a checklist of cron jobs and their purposes.
- Allow users to disable automatic restarts/watchers if desired.

5. Random port & service changes

Ports are randomized to reduce attacks; /root/item/port.txt stores the selected port.
cp.service uses /root/venv/bin/python for Python dependencies.
Future improvements:
- Prompt users to select a port during installation.
- Document the service file and Python paths.

6. Files and paths modified

Installer copies configuration files to:
- /usr/local/lsws/Example/html/*
- /etc/powerdns/...
- /etc/postfix/...
- /etc/opendkim/...
Planned improvements:
- Provide a full list of modified/copied files.
- Clearly separate local installer files vs remote downloads.

7. Commands executed as root

Installer runs commands that require root privileges for:
- Package installation
- Service management (systemctl)
- Firewall rules (iptables/ufw)
Planned improvements:
- Provide a pre-install checklist of all root-level actions.
- In safe mode, show dry-run of all changes.

8. Supply / source verification

All scripts are downloaded from official sources.
Planned improvements:
- Provide canonical repository links and release tags.
- Include SHA256 checksums for downloaded artifacts.
- Publish license and security contact information.

9. Security audit / assurance

Installer has not undergone formal third-party audits yet.
Planned improvements:
- Provide a dry-run mode for safe evaluation.
- Reduce reliance on hardcoded domains and remote execution until verified.

Immediate guidance for users:

Avoid running the current installer on production servers until the next release.
Plaintext credentials are removed, so no secrets remain on disk.
The default domain chandpurtelecom.xyz is only temporary for first-time SSL setup and can be replaced with your own domain afterward.
Upcoming versions will allow:
- Domain and port selection
- Safe mode / dry-run
- Verification of downloaded scripts

We appreciate your diligence and feedback — it helps make OLSPanel safer and more reliable for all users.

— OLSPanel Team

administraktor

Thank you for prompt reply to these issues, all seems valid but I was curious about that domain that is hardcoded too. I saw today you released version 3.0.4 thank you for prompt update also, keep up the good work.

admin

administraktor etc/letsencrypt/live/chandpurtelecom.xyz use for temp ssl domain.

Habet

Thanks for the detailed clarification, this clears up a lot.

I’ll wait for the next release with:

Domain input instead of hardcoded
Safe/dry-run mode
SHA256 verification for downloads

It’s good to see these security improvements planned.
Please post an update or changelog when the new version is published so users can test safely.

I'm just playing around and found this good panel and easy to manage. Good luck for all of you.