Pterodactyl Panel — The Free & Open-Source Server Control Panel

Status
This thread has been locked.

Fishfish0001

Feedback score
4
Posts
41
Reactions
106
Resources
0
Banner%20Logo%20Black@2x.png

Github :|: Website :|: Discord Chat :|: Community
Licensed under a MIT License


Looking to control all of your game and voice servers from a single unified interface? Looking for open-source software that allows you to extend and customize every aspect to match your company branding? Looking for software that doesn't require you to pay for every server, and is built using modern standards? Look no further.

Features:
  • Designed from the ground up with security in mind, we make use of BCrypt hashing, AES-256-CBC encryption, and have always supported Two-Factor Authentication out of the box. HTTPs support is also included, and it is possible for all nodes to communicate with the panel and users over secure protocols.
    • All server processes run inside Docker containers on the nodes preventing malicious users from having access to your filesystem. These containers employ a variety of different hardening mechanisms including read-only filesystems, strict resource limits (which can be changed on-the-fly), and limited networking. Only ports and IPs that you define in the panel are open for each server, so no more worrying about a user running their servers on the wrong IP or port.
    • SFTP is used rather than FTP to provide a more secure management interface. SFTP is also isolated from the main host by using a specialized Docker container. While each server has their own SFTP account, this account does not physically exist on the machine itself, only in the Docker container.
  • Design is a major factor in today's world, but all too often panels fall short by either using a poor design, or going overboard and spending more time designing their views than designing how the software should work. We've taken the middle ground and included a simple, pleasing theme that can be easily extended to match your companies branding if necessary, but can also be used out of the box and is intuitive and mobile friendly.
  • Truly live console and server statistics. Pterodactyl Panel leverages Websockets to display your server console in realtime, as well as live memory and CPU usage. No server plugins necessary, and no taxing file reads to show the log.
  • Custom designed file manager to easily edit, upload, and handle all of your files. Need to unzip a file on your server? Easy, just select the decompress option from the file manager. None of that Net2FTP stuff here.
  • Sub-Users are supported out of the box. Have a friend or two (or twenty) that you want to let access your server to manage configurations and keep an eye on the console? Easily add friends and select specific permissions that they have. Only want them to be able to view the console and make sure the server stays on but not be able to read any files? Easy as checking a few boxes. Want them to be able to help you manage other subusers on that server? Also as easy as checking a few boxes.
  • Scheduled Tasks are all the rage now-a-days, and Pterodactyl ships with a powerful command scheduler. We might not have all of the fancy scheduler gimicks that other panels have, but we support extremely configurable cron syntax, and are actively working on adding even more task options. Want your server to restart at 3:32am every third Tuesday of the month? We got you.
  • Per-Server Databases allow you to easily create a new database for a server right from the panel, and let the user control the password.
  • Easy-peasy memory, swap, disk IO, and CPU throttling and limits all from the panel, and without having to restart servers.
  • Custom designed control daemon to control servers, no need to install any plugins on your servers.
Since everyone really just wants to see pictures:
server_console_v5.png


Server Statistics (live output, updates every 2 seconds):
server_graphs_v5.png


Server File Manager:
file_manager_v5.png


Admin Server Overview:
admin_server_overview_v5.png

API Controls:
api_controls_v5.png

Scheduled Tasks
scheduled_tasks_v5.png

User Editable Startup Parameters:
startup_config_v5.png

Advanced Server Configurations:
admin_new_server_v5.png

Reviews:
MatthewSH on Spigot said:
I got to say, Pterodactyl is one of the best panels, if not the best panel, I've ever used. The developers are both active and super friendly. It's Laravel so I'm confident in the security. The support team is very helpful, especially for being community volunteers. The documentation is on point too.

Along with that, the API is pretty awesome too. So if you're a developer and you're wanting to integrate something like this into your site or create a standalone product. It's pretty straight-forward and easy to get use too.

All around, it's just a fantastic product. Totally worth a try. If you use something like Multicraft, it may be a change...but totally worth it! If you use PufferPanel, it's worth the migration time. If Pterodactyl was a paid product, I would be on board in a heartbeat.

electronicboy on Spigot said:
as a terminal (l)user, I can honestly say that using panels really isn't for me, however pterodactyl is the only software that I've seen so far that even remotely looks and handles sanely, as well as uses modern technologies instead of re-inventing the wheel with daemons that are either closed source, so you have no idea what they're up to behind the scenes, or a severely insecure setup.

At the heart of everything is Docker, which provides a nice boost in terms of security, and doesn't cost you in terms of performance, allowing for games that run in the system to perform just as if they're running directly on the system!

The support team is brilliant, always running around for people (even if they do go further than any sane person would in terms of trying to provide a good user experience...), and it's the type of software that you'd expect them to charge for, yet they provide it for free! (Honestly though, watching the dev team run around the software, if you're using it and can donate, I'd suggest considering the fact that alternatives generally are subscription based, I think the guy deserves a pizza every once in a while!)

a5yDh.png

dkKXv.png

uZx7y.png

KJ5uT.png

CRgAb.png

0Bv2Z.png

isghw.png

WDPvh.png

GAj9W.png

vkJFz.png

nvk2d.png
 
Type
Offering
Last edited:
PebbleHost
High performance, consistent uptime and fast support. Minecraft hosting that just works.

yeetstar

Supreme
Feedback score
2
Posts
71
Reactions
24
Resources
0
Vouch, been using this panel on my dedicated server for a couple of weeks and it is really good. I recommend it! <3
 

Fishfish0001

Feedback score
4
Posts
41
Reactions
106
Resources
0
A bit late on this announcement, but we released v0.6.0 last week, and so far everyone is loving the improved experience! If you've been waiting to try this panel, I'd recommend giving this version a spin, I guarantee you'll be amazed by its power, flexibility, speed, and great looks.

We also have some new community forums if you're looking for help in a different manner, or want to join the community!
 

Fishfish0001

Feedback score
4
Posts
41
Reactions
106
Resources
0
As part of our efforts to reach out and involve the community in more of our development, we are announcing Pterocasts, a weekly live-stream on Saturdays at 16:00 CST that allow the community a chance to ask questions, and hear directly from the Project and Support team about different facets of this software.

Please check out our announcement on our forums (https://forums.pterodactyl.io/announcement/1-announcing-pterocasts/) for more information about this, and how to submit topics for discussion, as well as a link for easy timezone conversion.

These Pterocasts will also be live-streamed, and recorded and posted to YouTube, so if you can't make it, no fret.
 

Seasver

Feedback score
0
Posts
61
Reactions
11
Resources
0
Hooly shit it's getting better and better.
Is there an existing BoxBilling module or is there an API so I can make one?
 

Fishfish0001

Feedback score
4
Posts
41
Reactions
106
Resources
0
Hooly shit it's getting better and better.
Is there an existing BoxBilling module or is there an API so I can make one?

There is an API, but the documentation is still mostly out of date so it won't be much help unless you are comfortable digging down into the route files and figuring what needs to be passed to everything.
 

Fishfish0001

Feedback score
4
Posts
41
Reactions
106
Resources
0
ATTN: Critical Security Vulnerability affecting all versions of Daemon from 0.4.0-pre.1 to 0.4.1

This is a critical security release to address a bug in the Socket.io implementation of the daemon. You should update immediately.

Upgrade Guide: https://daemon.pterodactyl.io/docs/upgrading-from-previous-versions

Due to an oversight in how the websockets were configured in the daemon, the last person to load the console socket would apply their permissions for anyone who had the console loaded. This caused anyone who should not have had permissions to send commands to the console to suddenly have permissions to do so.

The root cause of this exploit was setting the authentication token on line 34 of socket.js which applied it globally to the socket, rather than locally to the connected client. This issue has been rectified to read the token passed on each call to the Socket, and removes the global token apply which should not have existed.

This exploit required a valid user authentication token to be provided in order to even authenticate with the websocket, as such any non-subusers would not have been able to access data from or send data to the websocket. However, due to the structure of the code, a user could spam the websocket connection and cause all other authenticated users to be de-authenticated with the spammed invalid token. This method would still have required a user to know a server's UUID, which is generally not public information unless the user already had some type of access to that server. Users who had both a valid server UUID and authentication token would have been able to bypass their own lower permissions if a user with higher permissions loaded the websocket in their browser.

This was a fairly unique "edge" case, but is none-the-less something that should not have been introduced. Moving forward we will be sure to include this type of dual-user load testing on the application and daemon to ensure that permissions are not overwritten when a new user loads the page.

Thank you to Mohron#9350 who discovered this issue and reported it to us on Discord. This vulnerability was disclosed on June 14, 2017 at 20:44 U.S. Central Time and a fix was pushed to Github at 21:34.

Affected Versions
This bug was introduced in c73056ff; this exploit is present in all versions of the Daemon from 0.4.0-pre.1 to 0.4.1 and is patched in 0.4.2.
 
Last edited:

Fishfish0001

Feedback score
4
Posts
41
Reactions
106
Resources
0
Security Vulnerability Disclosure: June 26th, 2017

On June 26th, 2017 we made an immediate hot-fix security release to address a critical application bug that allowed unauthenticated users the ability to execute arbitrary code aganist any server running on Pterodactyl Panel. At the time this incident was determined to be too significant to warrant an immediate full-disclosure and we made only basic detail available encouraging all users to update immediately. As we have now passed our cut-off date that we announced, a full disclosure will be happening in this post.

Due to an implementation in the jQuery based terminal we were using, anything that was passed inside of double square brackets was determined to be a new command, and was executed as such. This exploit hinged on a user loading the web-console within Pterodactyl to execute any commands sorrounded by brackets. As soon as this bug was reported I took immediate action to narrow down the exact scope of the bug, and determine if it was isolated to specific games and if it required specific knowledge to execute. Unfortunately it quickly because clear that all software running via the Panel was at risk, and that no special knowledge was required in order to execute commands. The full attack vector quickly became more obvious as any commands in the server's console history would also be executed, even if the console was not open at the time of the command execution.

This exploit did not require any access to the panel, and any user who could send input to the server that was rendered in a log would be able to execute arbitrary commands aganist the game server. Commands simply needed to be sorrounded in square brackets, and it did not matter where in the line they were. An example of this exploit is below.

Code:
this is my [[op Username]] text

In this instance, the output would be parsed by the web terminal to execute `op Username` as a second command as the currently authenticated panel user. This execution also caused the original message to be lost in most cases. Because of the way the terminal loaded messages on page load, any commands in the console buffer history were also executed. This allowed a malicious user to send a command, and even if the terminal was not currently open, as long as the message remainined in the scrollback history, it would be executed when the page was loaded.

Narrowing down the scope of this bug to determine which versions of the Panel were affected it discovered that the bug was introduced in `v0.4.0` resulting in a significant vulnerability that affected nearly every panel that was being operated.

Upon discovery I attempted to find a solution that would allow us to continue using the web-console that we were already using, but all solutions hinged on client-side JS, and were not something I felt comfortable pushing onto production environments, nor was I positive that it would cover all edge cases. The jQuery terminal plugin in use did provide functionality to escape brackets, however that caused color formatting to be escaped which made it impossible to filter ANSI codes. Because of these issues, I made the decision to completely strip the web-terminal from the project and a few hours later pushed up a hot-fix using a custom written terminal that did not execute any commands, it simply took the output and pasted it to the browser (escaping code as necessary, and handling ANSI color codes).

This fix was pushed later that night, and a subsequent patch to address residual JS issues and formatting a few days later.

In all previous software bugs, some level of Panel access has been required, and the bugs had been deemed to be something that could be disclosed at the time of the bug-fix release. This bug highlighted a danger in relying on external software to handle different actions, and also highlights a danger in not fully reading the documentation for software being used. During the review phase of this incident, I discovered a small amount of documentation for the web terminal that indicated this behavior was possible that was not seen during the initial implementation.

One of the core principals of this software is to be transparent about any security issues that arise in the course of development. I aim to never make these notifications, unfortunately that has not been the case in recent months. I welcome any questions, comments, or concerns that you might have about this announcement.

Timeline:
June 26th @ 15:00 CST — Support Team member is alerted to the presence of a vulnerability in command handling process. Project team is notifed immediately, basic testing performed to verify legitimacy of bug.

18:00 CST — Full investigation into source of bug is launched, patching begins immediately.

22:36 CST — Bug is patched in `develop` branch, and releases are prepared.

23:08 CST — `v0.6.3` release is pushed to GitHub and made available to all users, minutes later notification is made in Discord to alert all inidividuals on the server of the urgency. CDN files updated to reflect a new update that began propigating to all active Panels.

July 27th — Second notification made in Discord to alert users during more active peak times of the security disclosure, and to urge them to update immediately.

July 30th — `v0.6.4` released with a memo at the bottom to encourage updates. An email was sent to the mailing list to reach out to more individuals.

July 8th — Additional notification made in Discord to alert users to update pending this announcement.
 

Surx

Supreme
Feedback score
10
Posts
160
Reactions
102
Resources
0
Security Vulnerability Disclosure: June 26th, 2017

On June 26th, 2017 we made an immediate hot-fix security release to address a critical application bug that allowed unauthenticated users the ability to execute arbitrary code aganist any server running on Pterodactyl Panel. At the time this incident was determined to be too significant to warrant an immediate full-disclosure and we made only basic detail available encouraging all users to update immediately. As we have now passed our cut-off date that we announced, a full disclosure will be happening in this post.

Due to an implementation in the jQuery based terminal we were using, anything that was passed inside of double square brackets was determined to be a new command, and was executed as such. This exploit hinged on a user loading the web-console within Pterodactyl to execute any commands sorrounded by brackets. As soon as this bug was reported I took immediate action to narrow down the exact scope of the bug, and determine if it was isolated to specific games and if it required specific knowledge to execute. Unfortunately it quickly because clear that all software running via the Panel was at risk, and that no special knowledge was required in order to execute commands. The full attack vector quickly became more obvious as any commands in the server's console history would also be executed, even if the console was not open at the time of the command execution.

This exploit did not require any access to the panel, and any user who could send input to the server that was rendered in a log would be able to execute arbitrary commands aganist the game server. Commands simply needed to be sorrounded in square brackets, and it did not matter where in the line they were. An example of this exploit is below.

Code:
this is my [[op Username]] text

In this instance, the output would be parsed by the web terminal to execute `op Username` as a second command as the currently authenticated panel user. This execution also caused the original message to be lost in most cases. Because of the way the terminal loaded messages on page load, any commands in the console buffer history were also executed. This allowed a malicious user to send a command, and even if the terminal was not currently open, as long as the message remainined in the scrollback history, it would be executed when the page was loaded.

Narrowing down the scope of this bug to determine which versions of the Panel were affected it discovered that the bug was introduced in `v0.4.0` resulting in a significant vulnerability that affected nearly every panel that was being operated.

Upon discovery I attempted to find a solution that would allow us to continue using the web-console that we were already using, but all solutions hinged on client-side JS, and were not something I felt comfortable pushing onto production environments, nor was I positive that it would cover all edge cases. The jQuery terminal plugin in use did provide functionality to escape brackets, however that caused color formatting to be escaped which made it impossible to filter ANSI codes. Because of these issues, I made the decision to completely strip the web-terminal from the project and a few hours later pushed up a hot-fix using a custom written terminal that did not execute any commands, it simply took the output and pasted it to the browser (escaping code as necessary, and handling ANSI color codes).

This fix was pushed later that night, and a subsequent patch to address residual JS issues and formatting a few days later.

In all previous software bugs, some level of Panel access has been required, and the bugs had been deemed to be something that could be disclosed at the time of the bug-fix release. This bug highlighted a danger in relying on external software to handle different actions, and also highlights a danger in not fully reading the documentation for software being used. During the review phase of this incident, I discovered a small amount of documentation for the web terminal that indicated this behavior was possible that was not seen during the initial implementation.

One of the core principals of this software is to be transparent about any security issues that arise in the course of development. I aim to never make these notifications, unfortunately that has not been the case in recent months. I welcome any questions, comments, or concerns that you might have about this announcement.

Timeline:
June 26th @ 15:00 CST — Support Team member is alerted to the presence of a vulnerability in command handling process. Project team is notifed immediately, basic testing performed to verify legitimacy of bug.

18:00 CST — Full investigation into source of bug is launched, patching begins immediately.

22:36 CST — Bug is patched in `develop` branch, and releases are prepared.

23:08 CST — `v0.6.3` release is pushed to GitHub and made available to all users, minutes later notification is made in Discord to alert all inidividuals on the server of the urgency. CDN files updated to reflect a new update that began propigating to all active Panels.

July 27th — Second notification made in Discord to alert users during more active peak times of the security disclosure, and to urge them to update immediately.

July 30th — `v0.6.4` released with a memo at the bottom to encourage updates. An email was sent to the mailing list to reach out to more individuals.

July 8th — Additional notification made in Discord to alert users to update pending this announcement.
Glad to see you guys fixing issues immediately!
 

Fishfish0001

Feedback score
4
Posts
41
Reactions
106
Resources
0
I've been working on a lot of things with the Panel recently, mostly code refactoring and making things more maintainable in the future. I've also been working on re-designing the existing task system to be much more powerful and making it possible to run multiple commands at once or as part of a single task. The picture below is a good example of what will be possible with the new Scheduler system (which is designed to replace the current 'Task' system).

LSsz6.png
 

Davyy

MC-Market Addict
Supreme
Feedback score
3
Posts
429
Reactions
278
Resources
0
I was wondering, would it be possible to have a main panel on a VPS, that would control multiple different servers?
 

Severingcastle8

Backend Web Developer
Supreme
Feedback score
27
Posts
736
Reactions
270
Resources
0
I use this panel it is amazing I just think these things would be amazing if you added them!
  • Ability for clients to have a sub domain creator (multiple domains, cpanel integration for the SRV records)
  • Fix the text editor when you put special characters in it
  • Add permissions for admin roles or a role system for admins.
  • Make it easier to change the colors, favicon for panel)
  • Ability to change the SFTP name from the panel name.
I was also wondering what is a good WHMCS addon that 100% works and the auto setup works
 

kayohmedy

Premium
Feedback score
2
Posts
187
Reactions
79
Resources
0
I can personally vouch for this. I use this for my server and I love it so far. Very user friendly, amazing discord support if you need any, and overall it's free and a very good competitor against paid options.

10/10 would recommend!
 

vvvvv

Premium
Feedback score
5
Posts
138
Reactions
59
Resources
0
It's amazing, I'll be switching from Multicraft to this.
I'm suprised it is free!
 

NyhmsQuest

Premium
Feedback score
1
Posts
38
Reactions
24
Resources
0
I have 0 experience using Linux and I managed to install this panel on a Linux server without much problem and the problems I had I just asked for help on their Discord and received a lot of help.
After using the panel for a little while now I can say that it is very nice and works like a charm.
 
Status
This thread has been locked.
Top