Vesta Control Panel - Forum

Hi there,

A security vulnerability has been identified within VestaCP, and it appears that your Droplet may be running this software. In an effort to avoid a potential compromise, or to prevent abuse traffic from your Droplet if it is already compromised, we have disabled networking on your Droplet. This means your Droplet is no longer connected to the Internet, and all hosted sites and services are unreachable. We know that this action is disruptive, but it's necessary to protect you, our network, and the potential target of your Droplet's attack in the event of a compromise. These vulnerable instances are being overtaken rapidly, across the Internet, hence the urgency of the action to disable potentially impacted Droplets.

Because your Droplet may have been compromised, you'll need to back up your data and transfer it to a new Droplet. We have a recovery tool to assist you, but any databases on your Droplet will need to be backed up before we boot your Droplet into the recovery tool because you will not be able to make the backups afterwards.

Specific backup steps vary depending on the database software in use, which is most commonly MySQL. If you're not sure how, http://do.co/1h0uWgm will show you how to backup your databases from MySQL.

Once you have finished backing up your data, the next step is downloading and transferring your data to your new Droplet. Please update this ticket when you're ready and we'll configure this Droplet so you can proceed.

If you've enabled our backup service or have a snapshot of the Droplet, you can restore directly from that image instead of going through the recovery process. Be aware that this will destroy any changes or additions made to the Droplet since the creation date of the image you use to restore from. If you do this, please update the ticket as we will need to reconfigure networking to get your Droplet back online.

If you don't need the data from this Droplet, you can destroy this Droplet at your convenience. If you'd like to keep the current IP address, you will need to use our rebuild function. This acts like a clean install of your OS and is currently the only way to ensure you retain your IP. As with restoring from an image, please let us know once you've done this.

If you have questions or require additional assistance, please open a ticket with our Support team: https://cloudsupport.digitalocean.com/s/createticket

For more details about the vulnerability, please refer to this Q&A: https://do.co/vesta-vuln

Regards,

Trust & Safety
DigitalOcean Support

nextgi wrote: ↑

Sun Apr 08, 2018 8:23 pm

The best way to secure just about any web application is to use a firewall. White list the hosts that are necessary.

mxroute wrote: ↑

Sun Apr 08, 2018 8:28 pm

nextgi wrote: ↑

Sun Apr 08, 2018 8:23 pm

The best way to secure just about any web application is to use a firewall. White list the hosts that are necessary.

Doesn't cut down the support tickets much though ;)

ivcha92 wrote: ↑

Sun Apr 08, 2018 8:34 pm

nextgi wrote: ↑

Sun Apr 08, 2018 8:23 pm

The best way to secure just about any web application is to use a firewall. White list the hosts that are necessary.

Problem to many of us is that we have dynamic IPs from our ISPs and it can make accessing the vesta difficult since one ip is changed there iptables will have to be updated via ssh. And I have clients that want to be able to access the admin panel to add new webistes

nextgi wrote: ↑

Sun Apr 08, 2018 8:45 pm

ivcha92 wrote: ↑

Sun Apr 08, 2018 8:34 pm

nextgi wrote: ↑

Sun Apr 08, 2018 8:23 pm

The best way to secure just about any web application is to use a firewall. White list the hosts that are necessary.

Problem to many of us is that we have dynamic IPs from our ISPs and it can make accessing the vesta difficult since one ip is changed there iptables will have to be updated via ssh. And I have clients that want to be able to access the admin panel to add new webistes

Completely understandable,

This is where a unique solution may come in. You could change the panels port and deny all access to the API except for the allowed hosts you wish to have access.

ivcha92 wrote: ↑

Sun Apr 08, 2018 8:57 pm

nextgi wrote: ↑

Sun Apr 08, 2018 8:45 pm

ivcha92 wrote: ↑

Sun Apr 08, 2018 8:34 pm

Problem to many of us is that we have dynamic IPs from our ISPs and it can make accessing the vesta difficult since one ip is changed there iptables will have to be updated via ssh. And I have clients that want to be able to access the admin panel to add new webistes

Completely understandable,

This is where a unique solution may come in. You could change the panels port and deny all access to the API except for the allowed hosts you wish to have access.

It might be a good idea to implement API IP whitelist in vesta config and check in PHP to only allow access from those hosts. Will be easily manageable and there won't be a need to block API with firewall