Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
Both my servers are running VestaCP on DigitalOcean. It has been a complete nightmare. One server was affected, the other wasn't... networking was blocked on both, and both required restoring from backups or redoing the whole box. I just rebuilt one on the 1st, so there was no backup, so there goes all that effort... the one I was trying to migrate from was unaffected but had backups from as early as Friday.
Will there be a release to -20 for these fixes, or will we have to patch manually?
Re: Got 10 VestaCP servers exploited
This is the DigitalOcean email notification:
Hi there,
A security vulnerability has been identified within VestaCP, and it appears that your Droplet may be running this software. In an effort to avoid a potential compromise, or to prevent abuse traffic from your Droplet if it is already compromised, we have disabled networking on your Droplet. This means your Droplet is no longer connected to the Internet, and all hosted sites and services are unreachable. We know that this action is disruptive, but it's necessary to protect you, our network, and the potential target of your Droplet's attack in the event of a compromise. These vulnerable instances are being overtaken rapidly, across the Internet, hence the urgency of the action to disable potentially impacted Droplets.
Because your Droplet may have been compromised, you'll need to back up your data and transfer it to a new Droplet. We have a recovery tool to assist you, but any databases on your Droplet will need to be backed up before we boot your Droplet into the recovery tool because you will not be able to make the backups afterwards.
Specific backup steps vary depending on the database software in use, which is most commonly MySQL. If you're not sure how, http://do.co/1h0uWgm will show you how to back up your databases from MySQL.
Once you have finished backing up your data, the next step is downloading and transferring your data to your new Droplet. Please update this ticket when you're ready and we'll configure this Droplet so you can proceed.
If you've enabled our backup service or have a snapshot of the Droplet, you can restore directly from that image instead of going through the recovery process. Be aware that this will destroy any changes or additions made to the Droplet since the creation date of the image you use to restore from. If you do this, please update the ticket as we will need to reconfigure networking to get your Droplet back online.
If you don't need the data from this Droplet, you can destroy this Droplet at your convenience. If you'd like to keep the current IP address, you will need to use our rebuild function. This acts like a clean install of your OS and is currently the only way to ensure you retain your IP. As with restoring from an image, please let us know once you've done this.
If you have questions or require additional assistance, please open a ticket with our Support team: https://cloudsupport.digitalocean.com/s/createticket
For more details about the vulnerability, please refer to this Q&A: https://do.co/vesta-vuln
Regards,
Trust & Safety
DigitalOcean Support
Re: Got 10 VestaCP servers exploited
The problem for many of us is that we have dynamic IPs from our ISPs, and that can make accessing Vesta difficult, since once the IP changes the iptables rules have to be updated via SSH. And I have clients that want to be able to access the admin panel to add new websites.
Re: Got 10 VestaCP servers exploited
True,
But a unique solution is why I'm in business haha. Cybersecurity is not cut and dry. You may need to work around customer needs when developing your security protocols. An example you could make part of your server deployments would be to change VestaCP's port and deny access to the API except to certain hosts.
Re: Got 10 VestaCP servers exploited
Completely understandable.

ivcha92 wrote: ↑Sun Apr 08, 2018 8:34 pm
The problem for many of us is that we have dynamic IPs from our ISPs, and that can make accessing Vesta difficult, since once the IP changes the iptables rules have to be updated via SSH. And I have clients that want to be able to access the admin panel to add new websites.

This is where a unique solution may come in. You could change the panel's port and deny all access to the API except for the allowed hosts you wish to have access.
Re: Got 10 VestaCP servers exploited
It might be a good idea to implement an API IP whitelist in the Vesta config and check it in PHP to only allow access from those hosts. It will be easily manageable and there won't be a need to block the API with the firewall.

nextgi wrote: ↑Sun Apr 08, 2018 8:45 pm
Completely understandable. This is where a unique solution may come in. You could change the panel's port and deny all access to the API except for the allowed hosts you wish to have access.
Re: Got 10 VestaCP servers exploited
Serghey is going to hash the POST password variable (because it's being passed to the verify script instead of as a plain/escaped string); that is the best way.
Re: Got 10 VestaCP servers exploited
When will the fix be ready?
Re: Got 10 VestaCP servers exploited
As soon as the fix is ready on GitHub it will be pushed to the main servers. Serghey is still working on it.
Re: Got 10 VestaCP servers exploited
Wouldn't it be better if the API came with a default "deny all but localhost" rule? Then whoever needs to use it can just change it.

ivcha92 wrote: ↑Sun Apr 08, 2018 8:57 pm
It might be a good idea to implement an API IP whitelist in the Vesta config and check it in PHP to only allow access from those hosts. It will be easily manageable and there won't be a need to block the API with the firewall.
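The source-address check proposed in the two posts above (an allowlist kept in Vesta's configuration, enforced in PHP rather than in the firewall, and defaulting to "localhost only" when nothing is configured), written out as an added example. This is not VestaCP's own code: the config file path, its one-entry-per-line format and the function names are assumptions made for illustration, and the check goes beyond the posts only in accepting CIDR ranges as well as single addresses.

```php
<?php
// Added example, not VestaCP's code. Rejects API requests whose source address is
// not on an allowlist. Hypothetical config file: one IP or CIDR per line, '#' comments.
const API_ALLOWLIST_FILE = '/usr/local/vesta/conf/api_allowlist.conf'; // assumed path

// Parse the allowlist text; an empty or missing list means loopback only (default deny).
function parse_allowlist(string $contents): array {
    $entries = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim(preg_replace('/#.*$/', '', $line));
        if ($line !== '') {
            $entries[] = $line;
        }
    }
    return $entries ?: ['127.0.0.1', '::1'];
}

// True if $ip (v4 or v6) is equal to $entry or falls inside the $entry CIDR block.
function ip_in_cidr(string $ip, string $entry): bool {
    $ipBin = inet_pton($ip);
    if ($ipBin === false) {
        return false;
    }
    if (strpos($entry, '/') === false) {
        return $ipBin === inet_pton($entry);
    }
    [$subnet, $bits] = explode('/', $entry, 2);
    $netBin = inet_pton($subnet);
    if ($netBin === false || strlen($netBin) !== strlen($ipBin) || !ctype_digit($bits)) {
        return false; // malformed entry or address-family mismatch never matches
    }
    $bits = (int) $bits;
    if ($bits > strlen($ipBin) * 8) {
        return false;
    }
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF; // high $rem bits of the partial byte
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function api_ip_allowed(string $remoteIp, array $allowlist): bool {
    foreach ($allowlist as $entry) {
        if (ip_in_cidr($remoteIp, $entry)) {
            return true;
        }
    }
    return false;
}

// Call this at the very top of the API entry point, before any credential is read.
function enforce_api_allowlist(): void {
    $contents = is_readable(API_ALLOWLIST_FILE) ? (string) file_get_contents(API_ALLOWLIST_FILE) : '';
    $allowlist = parse_allowlist($contents);
    // REMOTE_ADDR is set by the web server; X-Forwarded-For is client-controlled unless a
    // trusted reverse proxy overwrites it, so it is deliberately not consulted here.
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!api_ip_allowed($remote, $allowlist)) {
        http_response_code(403);
        header('Content-Type: text/plain');
        error_log("vesta api: rejected request from $remote (not in allowlist)");
        echo "Error: API access is not permitted from $remote\n";
        exit;
    }
}

// Self-check with constructed addresses when run from the command line.
if (PHP_SAPI === 'cli') {
    $check = function (bool $cond, string $what): void {
        if (!$cond) {
            fwrite(STDERR, "self-check failed: $what\n");
            exit(1);
        }
    };
    $list = parse_allowlist("# office range\n203.0.113.0/24\n2001:db8::/32\n198.51.100.9\n");
    $check(api_ip_allowed('203.0.113.7', $list), 'v4 inside /24');
    $check(!api_ip_allowed('203.0.114.7', $list), 'v4 outside /24');
    $check(api_ip_allowed('2001:db8::1', $list), 'v6 inside /32');
    $check(api_ip_allowed('198.51.100.9', $list), 'exact v4 match');
    $check(!api_ip_allowed('198.51.100.10', $list), 'exact v4 non-match');
    $check(api_ip_allowed('127.0.0.1', parse_allowlist('')), 'empty list defaults to loopback');
    $check(!api_ip_allowed('203.0.113.7', parse_allowlist('')), 'empty list denies remote');
    echo "allowlist self-check passed\n";
}
```

Running the file with the PHP CLI exercises the self-check; in the panel it would be included first thing by the API script so that an unlisted client is refused before the password it sent is touched. Because the default is loopback only, a fresh install is closed until an administrator adds a host, which is the "deny all but localhost" behaviour the last reply asks for, and a client on a dynamic IP can be given a provider range instead of a single address.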