Vesta Control Panel - Forum

Got 10 VestaCP servers exploited

549 posts
  • Page 26 of 55
codycook
Posts: 3
Joined: Thu Apr 27, 2017 6:23 pm

Re: Got 10 VestaCP servers exploited

Post by codycook » Sun Apr 08, 2018 8:31 pm

Both my servers are running VestaCP on DigitalOcean. It has been a complete nightmare. One server affected, the other isn't... blocked both networking and required restoring from either backups or redo the whole box. I just rebuilt one on the 1st so no backup so there goes all that effort... the one I was trying to migrate from was unaffected but had backups as early as Friday.
Will there be a release to -20 for these fixes or are we going to have to patch manually?

snakom23
Posts: 11
Joined: Fri Aug 26, 2016 1:34 pm

Re: Got 10 VestaCP servers exploited

Post by snakom23 » Sun Apr 08, 2018 8:33 pm

This is the DigitalOcean email notification:
Hi there,

A security vulnerability has been identified within VestaCP, and it appears that your Droplet may be running this software. In an effort to avoid a potential compromise, or to prevent abuse traffic from your Droplet if it is already compromised, we have disabled networking on your Droplet. This means your Droplet is no longer connected to the Internet, and all hosted sites and services are unreachable. We know that this action is disruptive, but it's necessary to protect you, our network, and the potential target of your Droplet's attack in the event of a compromise. These vulnerable instances are being overtaken rapidly, across the Internet, hence the urgency of the action to disable potentially impacted Droplets.

Because your Droplet may have been compromised, you'll need to back up your data and transfer it to a new Droplet. We have a recovery tool to assist you, but any databases on your Droplet will need to be backed up before we boot your Droplet into the recovery tool because you will not be able to make the backups afterwards.

Specific backup steps vary depending on the database software in use, which is most commonly MySQL. If you're not sure how, http://do.co/1h0uWgm will show you how to backup your databases from MySQL.

Once you have finished backing up your data, the next step is downloading and transferring your data to your new Droplet. Please update this ticket when you're ready and we'll configure this Droplet so you can proceed.

If you've enabled our backup service or have a snapshot of the Droplet, you can restore directly from that image instead of going through the recovery process. Be aware that this will destroy any changes or additions made to the Droplet since the creation date of the image you use to restore from. If you do this, please update the ticket as we will need to reconfigure networking to get your Droplet back online.

If you don't need the data from this Droplet, you can destroy this Droplet at your convenience. If you'd like to keep the current IP address, you will need to use our rebuild function. This acts like a clean install of your OS and is currently the only way to ensure you retain your IP. As with restoring from an image, please let us know once you've done this.

If you have questions or require additional assistance, please open a ticket with our Support team: https://cloudsupport.digitalocean.com/s/createticket

For more details about the vulnerability, please refer to this Q&A: https://do.co/vesta-vuln

Regards,

Trust & Safety
DigitalOcean Support

ivcha92
Posts: 26
Joined: Thu Nov 17, 2016 2:25 pm

Os: CentOS 6x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by ivcha92 » Sun Apr 08, 2018 8:34 pm

nextgi wrote: ↑
Sun Apr 08, 2018 8:23 pm
The best way to secure just about any web application is to use a firewall. White list the hosts that are necessary.
The problem for many of us is that we have dynamic IPs from our ISPs, and it can make accessing Vesta difficult, since once the IP is changed, iptables will have to be updated via SSH. And I have clients that want to be able to access the admin panel to add new websites.

nextgi
Posts: 21
Joined: Sun Apr 08, 2018 6:04 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by nextgi » Sun Apr 08, 2018 8:43 pm

mxroute wrote: ↑
Sun Apr 08, 2018 8:28 pm
nextgi wrote: ↑
Sun Apr 08, 2018 8:23 pm
The best way to secure just about any web application is to use a firewall. White list the hosts that are necessary.
Doesn't cut down the support tickets much though ;)
True,

But a unique solution is why I'm in business, haha. Cybersecurity is not cut and dry. You may need to work around customer needs when developing your security protocols. An example you could make part of your server deployments would be to change VestaCP's port and deny access to the API except to certain hosts.

nextgi
Posts: 21
Joined: Sun Apr 08, 2018 6:04 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by nextgi » Sun Apr 08, 2018 8:45 pm

ivcha92 wrote: ↑
Sun Apr 08, 2018 8:34 pm
nextgi wrote: ↑
Sun Apr 08, 2018 8:23 pm
The best way to secure just about any web application is to use a firewall. White list the hosts that are necessary.
The problem for many of us is that we have dynamic IPs from our ISPs, and it can make accessing Vesta difficult, since once the IP is changed, iptables will have to be updated via SSH. And I have clients that want to be able to access the admin panel to add new websites.
Completely understandable,

This is where a unique solution may come in. You could change the panel's port and deny all access to the API except for the allowed hosts you wish to have access.

ivcha92
Posts: 26
Joined: Thu Nov 17, 2016 2:25 pm

Os: CentOS 6x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by ivcha92 » Sun Apr 08, 2018 8:57 pm

nextgi wrote: ↑
Sun Apr 08, 2018 8:45 pm
ivcha92 wrote: ↑
Sun Apr 08, 2018 8:34 pm
nextgi wrote: ↑
Sun Apr 08, 2018 8:23 pm
The best way to secure just about any web application is to use a firewall. White list the hosts that are necessary.
The problem for many of us is that we have dynamic IPs from our ISPs, and it can make accessing Vesta difficult, since once the IP is changed, iptables will have to be updated via SSH. And I have clients that want to be able to access the admin panel to add new websites.
Completely understandable,

This is where a unique solution may come in. You could change the panel's port and deny all access to the API except for the allowed hosts you wish to have access.
It might be a good idea to implement an API IP whitelist in the Vesta config and check in PHP to only allow access from those hosts. It will be easily manageable and there won't be a need to block the API with a firewall.

lukapaunovic
Posts: 73
Joined: Sun Dec 03, 2017 6:30 pm

Re: Got 10 VestaCP servers exploited

Post by lukapaunovic » Sun Apr 08, 2018 8:57 pm

Serghey is going to hash the POST password variable (because it's being passed to the verify script, instead of a plain/escaped string); that is the best way.

usr999
Posts: 78
Joined: Sat Jul 25, 2015 3:37 pm

Re: Got 10 VestaCP servers exploited

Post by usr999 » Sun Apr 08, 2018 9:15 pm

When will the fix be ready?

lukapaunovic
Posts: 73
Joined: Sun Dec 03, 2017 6:30 pm

Re: Got 10 VestaCP servers exploited

Post by lukapaunovic » Sun Apr 08, 2018 9:25 pm

As soon as the fix is ready on GitHub, it will be pushed to the main servers. Serghey is still working on it.

albertus
Posts: 12
Joined: Sat Apr 07, 2018 2:45 pm

Os: CentOS 6x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by albertus » Sun Apr 08, 2018 9:55 pm

ivcha92 wrote: ↑
Sun Apr 08, 2018 8:57 pm
nextgi wrote: ↑
Sun Apr 08, 2018 8:45 pm
ivcha92 wrote: ↑
Sun Apr 08, 2018 8:34 pm


The problem for many of us is that we have dynamic IPs from our ISPs, and it can make accessing Vesta difficult, since once the IP is changed, iptables will have to be updated via SSH. And I have clients that want to be able to access the admin panel to add new websites.
Completely understandable,

This is where a unique solution may come in. You could change the panel's port and deny all access to the API except for the allowed hosts you wish to have access.
It might be a good idea to implement an API IP whitelist in the Vesta config and check in PHP to only allow access from those hosts. It will be easily manageable and there won't be a need to block the API with a firewall.
Wouldn't it be better if the API came with a default "deny all but localhost" rule? Then whoever needs to use it can just change it.
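
The allowlist check ivcha92 proposes, combined with the "deny all but localhost" default albertus suggests, sketched in PHP as an added example (it is not VestaCP's own code and not the fix that was shipped). The `API_ALLOWED_IP` setting and both function names are hypothetical.

```php
<?php
// Added example, not VestaCP code. API_ALLOWED_IP is a hypothetical setting.
/** True if $ip is inside $entry, which is one address or a CIDR block. */
function ip_matches(string $ip, string $entry): bool
{
    [$net, $bits] = array_pad(explode('/', $entry, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    // Unparseable input or mixed families (IPv4 vs IPv6) never match.
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $max = strlen($ipBin) * 8;                 // 32 or 128
    if ($bits === null) {
        $bits = $max;                          // bare address: exact match
    } elseif (!ctype_digit($bits) || (int)$bits > $max) {
        return false;                          // malformed prefix: fail closed
    }
    $whole = intdiv((int)$bits, 8);
    $rest  = (int)$bits % 8;
    if (substr($ipBin, 0, $whole) !== substr($netBin, 0, $whole)) {
        return false;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;      // high $rest bits of the next byte
    return $rest === 0
        || (ord($ipBin[$whole]) & $mask) === (ord($netBin[$whole]) & $mask);
}

/** Decide whether a client may reach the API at all. */
function api_client_allowed(string $remoteAddr, ?string $configured): bool
{
    // Nothing configured means the default: deny all but localhost.
    $entries = preg_split('/[\s,]+/', (string)$configured, -1, PREG_SPLIT_NO_EMPTY)
        ?: ['127.0.0.1', '::1'];
    foreach ($entries as $entry) {
        if (ip_matches($remoteAddr, $entry)) {
            return true;
        }
    }
    return false;
}

// Constructed sample values (documentation address ranges), run from the CLI.
$allow = '127.0.0.1, ::1, 203.0.113.0/24';
foreach (['127.0.0.1', '203.0.113.77', '198.51.100.9'] as $client) {
    printf("%-14s default=%s configured=%s\n", $client,
        var_export(api_client_allowed($client, null), true),
        var_export(api_client_allowed($client, $allow), true));
}
```

In a real deployment the check would run at the top of the API entry point, before any credential handling, and answer 403 on failure. It should be fed `$_SERVER['REMOTE_ADDR']` rather than a client-supplied header such as `X-Forwarded-For`.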