We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
Got 10 VestaCP servers exploited
- Posts: 33
- Joined: Sat Jan 20, 2018 3:45 am
- Os: Debian 8x
- Web: apache + nginx
Re: Got 10 VestaCP servers exploited
Felix wrote: ↑Wed Apr 11, 2018 7:40 am
imperio, skid and other VESTA Staff,
Please consider offering an option for certificate-based access to VESTA Panel!
When enabled, only the persons with the correct certificate installed in their browsers can be presented with VESTA Panel at https://[FQDN]:8083
You can also add an extra security layer to the Vesta login using htaccess-style auth.
Create your password directory, for example /home/admin/.htaccess/vesta/login.
In that directory create a password file:
Code:
# -apr1 produces an MD5-based hash that nginx accepts; -crypt (DES) silently
# truncates the password at 8 characters and is not available in OpenSSL 3.
printf "USER:$(openssl passwd -apr1 PASSWORD)\n" >> .htpasswd
PASSWORD: your chosen password
Open /usr/local/vesta/nginx/conf/nginx.conf and locate this block:
Code:
location / {
    expires max;
    index index.php;
}
and replace it with:
Code:
location / {
    auth_basic "Restricted Login";
    auth_basic_user_file /home/admin/.htaccess/vesta/login/.htpasswd;
    expires max;
    index index.php;
}
location ~ /\. { deny all; }
Re: Got 10 VestaCP servers exploited
Good morning.
Are we getting somewhere with the poll?
I mean, could you (Vesta staff) retrieve some similarities or shrink the vector area?
I kind of want to move on with my life, but without assurance I can't leave my server out of view.
Or is there a place where you guys are having "private" discussions?
I might be able to help you, as I dug a lot :)
Re: Got 10 VestaCP servers exploited
Hello All,
I've been watching the thread since Saturday and also had 1 server infected out of 15. After working hard since Sunday I am now ready to explain a few things to everyone here and share my experience, which might help people facing issues. For the people who are not technical enough, are running a server that is infected and need someone to help: please let me know and I will help. There will be no charge for fixing the server.
Every piece of software out there has some vulnerabilities (Microsoft, Facebook, cPanel, Plesk, all of them), so there is no need to blame VestaCP.
I have now been running a new server with the latest VestaCP for the last 24 hours, with no infection yet and no alarm for the same.
Here are the steps to make sure you are secure:
1) If the server is infected, move to a new server; you just can't trust the old one.
2) Once the new server is installed and up and running, change the VestaCP port to anything you want: in the file /usr/local/vesta/nginx/conf/nginx.conf search for 8083 and change it. Make sure you open the new port in your firewall.
3) Run SSH on a different port and, if possible, use keys. Disable root logins as well.
5) Download Linux Environment Security https://www.rfxn.com/projects/linux-env ... -security/ and run it.
6) Download Linux Malware Detect http://www.rfxn.com/downloads/maldetect-current.tar.gz and once installed run maldet -a / and see the report; after that run it in monitor mode: maldet --monitor / (make sure you make changes in /usr/local/maldet.conf and enter your email address to receive the reports by email).
7) This is the most important thing: install ConfigServer Firewall from https://configserver.com/cp/csf.html. This is the most important script for securing the server. On one of my servers CSF was installed and it didn't get infected, because CSF marked it as a suspicious file, disabled all the binaries and sent an alert to me. Read the conf file carefully and enable the rules as needed; most importantly, enable DIR watch and FILE watch. If you need help please do let me know and I will provide my csf conf file.
8) Block CN (China) in the firewall if you do not have customers from that country.
9) To track outgoing traffic install ntopng, the best traffic monitoring app.
Because of the above I didn't see any infection, though I'm seeing lots of blocked IPs :)
Hope this will help you all!!
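The following is an added example, not code from the forum post above or from the VestaCP, CSF or OpenSSH projects: a POSIX sh script that applies steps 2, 3 and 7 of that post to copies of the config files and checks the result, so the edits can be reviewed before they touch the live server. It assumes the paths the post names (/usr/local/vesta/nginx/conf/nginx.conf and /etc/csf/csf.conf) plus /etc/ssh/sshd_config, that csf.conf uses its standard LF_DIRWATCH and LF_DIRWATCH_FILE keys, and it uses placeholder port numbers and watch intervals that you should replace with your own.

```shell
#!/bin/sh
# Added example (not from the thread or any project named in it). Apply
# steps 2, 3 and 7 of the hardening post to COPIES of the config files
# and verify the outcome. Paths follow the post; ports/intervals are
# placeholders chosen for this example.
set -eu

# True when $1 is a numeric, unprivileged TCP port.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Step 2: move the panel off 8083. Only the "listen" directive is
# rewritten; a blind replace of every "8083" would also hit comments and
# unrelated numbers, so the match is anchored to the directive and the
# digits must be followed by a non-digit.
vesta_set_port() {
    conf="$1"; port="$2"
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    sed "s/^\([[:space:]]*listen[[:space:]][[:space:]]*\)8083\([^0-9]\)/\1${port}\2/" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    grep -q "^[[:space:]]*listen[[:space:]][[:space:]]*${port}[^0-9]" "$conf"
}

# Step 3: new SSH port, keys only, no root login. sshd honours the FIRST
# occurrence of a directive, so every existing copy (commented or not) is
# removed before the wanted values are appended; otherwise a stale
# "PermitRootLogin yes" higher in the file would silently win.
ssh_harden() {
    conf="$1"; port="$2"
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    grep -v -E '^[[:space:]]*#?[[:space:]]*(Port|PermitRootLogin|PasswordAuthentication|PubkeyAuthentication)[[:space:]]' \
        "$conf" > "$conf.tmp" || true    # grep -v exits 1 when nothing is left
    # Make sure the file ends with a newline before appending.
    [ -z "$(tail -c1 "$conf.tmp")" ] || echo >> "$conf.tmp"
    printf '%s\n' "Port ${port}" "PermitRootLogin no" \
        "PasswordAuthentication no" "PubkeyAuthentication yes" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Effective value of an sshd directive: first match wins, comments ignored.
ssh_value() { awk -v k="$2" '$1==k {print $2; exit}' "$1"; }

# True only when all four hardening directives are in effect.
ssh_check() {
    [ "$(ssh_value "$1" Port)" = "$2" ] &&
    [ "$(ssh_value "$1" PermitRootLogin)" = "no" ] &&
    [ "$(ssh_value "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(ssh_value "$1" PubkeyAuthentication)" = "yes" ]
}

# Step 7: turn on CSF's directory watch (/tmp, /dev/shm) and file watch
# (entries listed in csf.dirwatch) by setting the interval keys in a copy
# of csf.conf. 300 seconds is a placeholder interval (assumption); read
# the comments in your own csf.conf before choosing one.
csf_enable_watch() {
    conf="$1"; secs="${2:-300}"
    for key in LF_DIRWATCH LF_DIRWATCH_FILE; do
        sed "s/^${key}[[:space:]]*=.*/${key} = \"${secs}\"/" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
        grep -q "^${key} = \"${secs}\"" "$conf" \
            || { echo "$key not found in $conf" >&2; return 1; }
    done
}
```

Run the functions against copies first (for example `cp /etc/ssh/sshd_config /tmp/sshd_config; ssh_harden /tmp/sshd_config 2222 && sshd -t -f /tmp/sshd_config`), copy the files back only after `sshd -t` and `nginx -t` pass, and keep your current SSH session open until a second login on the new port and key succeeds. Before restarting CSF, add both new ports to TCP_IN in csf.conf, otherwise step 7's firewall locks you out of the panel and SSH at once.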
Re: Got 10 VestaCP servers exploited
Your links are alarming my antivirus! Mainly the link at point 6.
vishne0 wrote: ↑Wed Apr 11, 2018 8:36 am
5) Download Linux Environment Security https://www.rfxn.com/projects/linux-env ... -security/ and run it.
6) Download Linux Malware Detect http://www.rfxn.com/downloads/maldetect-current.tar.gz and once installed run maldet -a / and see the report; after that run it in monitor mode: maldet --monitor / (make sure you make changes in /usr/local/maldet.conf and enter your email address to receive the reports by email).
Last edited by kobo1d on Wed Apr 11, 2018 8:46 am, edited 1 time in total.
Re: Got 10 VestaCP servers exploited
Well, it seems like you have a nasty antivirus; these tools are among the most secure and trusted ones. Which one are you using?
Re: Got 10 VestaCP servers exploited
Code:
*
* AVG Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Saturday, April 7, 2018 8:50:11 AM
*
11.04.2018 10:37:25 https://www.rfxn.com/downloads/maldetect-current.tar.gz|>https:\\www.rfxn.com\downloads\maldetect-current.tar|>maldetect-1.6.2\files\sigs\rfxn.yara [L] PHP:Agent-BS [Trj] (0)
Re: Got 10 VestaCP servers exploited
Ah, it's checking the .sig files and marking them as malware. These tools are safe to use; the rest is on you.
Re: Got 10 VestaCP servers exploited
Thank you for the tips. I also like CSF and I believe I have not had problems with this security flaw, because I have CSF installed on my servers.
vishne0 wrote: ↑Wed Apr 11, 2018 8:36 am
7) This is the most important thing: install ConfigServer Firewall from https://configserver.com/cp/csf.html. This is the most important script for securing the server. On one of my servers CSF was installed and it didn't get infected, because CSF marked it as a suspicious file, disabled all the binaries and sent an alert to me. Read the conf file carefully and enable the rules as needed; most importantly, enable DIR watch and FILE watch. If you need help please do let me know and I will provide my csf conf file.
Can you give more details on how to activate these features you mentioned?
- Posts: 73
- Joined: Sun Dec 03, 2017 6:30 pm
Re: Got 10 VestaCP servers exploited
I think we need mod_security on the VestaCP nginx;
that way we could have prevented this.
100%
- Posts: 3
- Joined: Wed Apr 11, 2018 1:44 pm
- Os: Ubuntu 15x
- Web: apache + nginx
Re: Got 10 VestaCP servers exploited
I reinstalled on Sunday: new OS, installed the patch.
Was hacked last night.
Going to rebuild the server again; is there anything you need before I delete it?
Is it not fixed, or did I miss something?