
Is it possible this is a security issue?

Posted: Fri Jan 26, 2018 6:13 am
by viraladmin
Is it possible there is a security problem with vestacp?

My server was exploited. I did a complete re-fdisk and reinstall.

I don't know how to stop this server from being hacked. I was going through securing it as it was hacked. Can't log in under any accounts. I know ubuntu should not be this insecure. I have no idea how to stop this.

I then:
Installed VestaCP
Secured shared memory
Disabled SSH root login and changed the SSH default port
Protected su by limiting access only to the admin group
Hardened network sysctl settings
Disabled OpenDNS recursion
Prevented IP spoofing
Installed and configured ModSecurity
Protected from DDoS attacks with ModEvasive
Installed and configured Fail2Ban
Installed and configured the PSAD intrusion detection application
Installed RKHunter for future rootkit scanning
Installed and configured NMAP to scan and monitor ports
Installed LogWatch for monitoring logs
Relocated phpMyAdmin and restricted it to SSL connections

and then... user accounts all vanished, mysql stopped working properly, I can't log in to my server and have to have the entire thing reinstalled again.

This is before even web files were uploaded.

I am at a complete loss as to what to do - the only thing I can wonder is if there is a security issue someone is exploiting in vestacp itself.

Re: Is it possible this is a security issue?

Posted: Fri Jan 26, 2018 7:24 am
by mehargags
Almost every post you made in the last year makes almost no sense and it looks like you always come up with a security bug without really understanding the fundamental working of apps.

Here are a few vague posts you made in the past year:
viewtopic.php?f=11&t=14743&p=60766#p60766
viewtopic.php?f=44&t=13902&p=60737#p60737
viewtopic.php?f=10&t=14723&p=60736#p60736
viewtopic.php?f=11&t=14697&p=60572#p60572

If you want help, please describe things clearly and state your observations with log files.

Re: Is it possible this is a security issue?

Posted: Fri Jan 26, 2018 8:04 am
by viraladmin
lol nothing like some disinformation - but since that's what you want to claim I will explain each:

I never called any of the 4 links you shared a security bug.

The first link, I asked a question, then came back and answered it myself in case others had similar issues.
The second link, I had reached out to support but was not getting their replies - that was sorted by the admin after I posted.
The third link: someone asked a question and was told it was not possible; I told them how it was in fact possible to do manually, bypassing vestacp by using mysql directly.
The fourth link: half was answered - until recent updates that have fixed the second half, where users couldn't access their log files.

Not one of them did I ever call a security issue.

This time I ASKED if it COULD be. Still I never called anything a security bug.

I explained it rather well, I thought, but I will explain again.

One of my servers was hacked.
So I had my datacenter re-fdisk and reinstall the server from scratch.
I installed vestacp
I hardened the system using the exact methods laid out in the previous message.
Before I even got to adding any other users back to the server, the server was hacked again and the admin account deleted.
As part of hardening the system, I disabled root's ability to access ssh and only allowed the admin account to sudo.
That means the account I was using to do root administration was removed by the hacker.
Now I cannot log back into the server again.

Nothing was installed except security software and vestacp.
The only user added was the default admin account setup by vestacp.

Next phpmyadmin became unavailable.
Then all of vestacp.

So I asked if it's possible someone found an exploit in vestacp.

There are no logs - as I cannot access the server. I have been locked out.
It was not a website bug, as no websites other than the vestacp itself had been installed.

So either someone is exploring and hacking into my server from a default ubuntu application,
through an application installed by vestacp,
or through vestacp itself.

So unless you have some magical way to access my server I cannot display log files and have to have the datacenter once again reinstall the OS.

But at no time did I accuse vesta of having a security problem. I simply asked a question.

Re: Is it possible this is a security issue?

Posted: Fri Jan 26, 2018 9:58 am
by mehargags
Well,
Fail2ban is part of VestaCP; you don't need to install it separately.

There cannot be anything like "no logs" whatsoever.

For the hack... it doesn't make sense.
Maybe the image source of the DC is vulnerable, or something inside their custom install image?

1. Try to re-install using the ubuntu minimal network install method manually
2. Change VestaCP & SSH default ports.
3. Disable password login and enable only SSH keys
4. Disable apache/nginx from your VestaCP console and tail your auth log to see if you are getting any attacks
5. Watch your outgoing connections and traffic to find out any abnormal behaviour

Re: Is it possible this is a security issue?

Posted: Fri Aug 31, 2018 7:15 am
by xorro
I think you are restoring infected sites on the server again and again which have a php shell. But if that is not the case, then disable passwords via ssh altogether and only allow logins using a public/private key pair.
Configure fail2ban properly.
Use the sshd log to block attacks.
Use tcp_wrappers to block attacks.
Port knocking.
Use: http://denyhosts.sourceforge.net/

I think these are enough security measures to secure your server if there is no shell already located on the server.
One last possibility is a private exploit located in ubuntu itself. I mean a bug located in ubuntu which we do not know about publicly and someone on earth found it.
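The SSH-hardening and log-review steps that mehargags (change the SSH port, keys only, tail the auth log) and xorro (disable password login, use the sshd log and tcp_wrappers to block attackers) describe can be checked mechanically. The script below is an added example, not code from the thread or from the VestaCP project: it audits an sshd_config against those recommendations (a constructed weak config beside a constructed hardened one), counts "Failed password" events per source IP in constructed auth.log lines in the standard OpenSSH format, and turns repeat offenders into tcp_wrappers hosts.deny lines. The threshold of three failures and the keyword names in REQUIRED are assumptions, chosen to match the advice in the posts.

```python
"""Audit sshd_config and scan auth-log lines for password brute-forcing.

Added example, not from the forum thread or VestaCP. Assumes OpenSSH keyword
names and the standard "Failed password for ... from <ip> port <n>" format.
All config text and log lines below are constructed samples.
"""
import re
from collections import Counter

# What the thread recommends: no root over SSH, keys only, non-default port.
REQUIRED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
}
DEFAULT_SSH_PORT = 22

# Constructed sample: a default-looking sshd_config before hardening.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample: the same file after applying the posts' advice.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Return the effective keyword -> value map (comments ignored)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0], parts[1].strip())  # sshd: first value wins
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted in REQUIRED.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key} not set explicitly (sshd default applies)")
        elif actual.lower() != wanted:
            findings.append(f"{key} is {actual}, want {wanted}")
    if int(settings.get("Port", DEFAULT_SSH_PORT)) == DEFAULT_SSH_PORT:
        findings.append("Port is the default 22")
    return findings


# Constructed sample auth.log excerpt (RFC 5737 documentation addresses).
SAMPLE_AUTH_LOG = """\
Jan 26 05:58:01 srv sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 26 05:58:03 srv sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jan 26 05:58:05 srv sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 51041 ssh2
Jan 26 05:58:06 srv sshd[2107]: Failed password for admin from 203.0.113.7 port 51052 ssh2
Jan 26 05:59:10 srv sshd[2110]: Accepted publickey for admin from 198.51.100.4 port 40122 ssh2: RSA SHA256:abc
Jan 26 06:01:22 srv sshd[2120]: Failed password for admin from 198.51.100.4 port 40130 ssh2
Jan 26 06:02:00 srv sshd[2125]: Invalid user oracle from 192.0.2.9 port 33001
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_ip(log_text):
    """Count 'Failed password' events per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def brute_force_sources(log_text, threshold=3):
    """IPs at or above the failure threshold (what a fail2ban sshd jail would ban)."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_text).items() if n >= threshold)


def hosts_deny_lines(ips):
    """tcp_wrappers /etc/hosts.deny entries blocking sshd for the given IPs."""
    return [f"sshd: {ip}" for ip in ips]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "findings:", audit_sshd_config(cfg) or "none")
    offenders = brute_force_sources(SAMPLE_AUTH_LOG)
    print("failures per IP:", dict(failed_logins_by_ip(SAMPLE_AUTH_LOG)))
    print("\n".join(hosts_deny_lines(offenders)))
```

On a real host the same functions would be fed `open("/etc/ssh/sshd_config").read()` and `/var/log/auth.log`; the point of the audit is that a commented-out `PasswordAuthentication` line leaves OpenSSH's default (password login enabled) in force, which is exactly the gap the posts tell the original poster to close.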