Vultr Vulnerability
-
Hey Cloudron Team,
I just got an email this evening that VMs and bare metal machines spun up since Oct 2022 with Vultr's Ubuntu image have had a vulnerability where theubuntu
user password was not random. They're being really vague about the whole thing and claiming it was patched before anyone exploited it, but I'm very concerned. Who knows what that password was.I appear to have followed the instructions for securing a server found here, because I'm seeing the recommended ssh port change in
sshd_config
, however I'm worried that I didn't properly disable password authentication over SSH. I seePasswordAuthentication no
but it is at the very bottom benethSubsystem sftp internal-sftp
, not up higher in the file. I assume this means password auth was enabled, correct?I'm trying to see if there is anything suspicious visibly consuming resources. When I run
top
after stopping all apps in Cloudron I am still seeing twonode
processes running under theubuntu
user andspamd
andspamd child
. Are these normal Cloudron processes?I appreciate the help.
-
For SSHd configs, have you tried to log in via password? If you don't provide an ssh key (and make sure some default is not applied) you can just try if it allows passwords. If you run the ssh client with
-v
then you see all offered authentication methods to proceed in the logs. It looks like:... debug1: Authentications that can continue: publickey ...
Otherwise it would also have
password
next topublickey
. -
Thanks @nebulon , it does in fact look like password authentication via SSH was left enabled. Do you know if Cloudron could be the source of those Node processes running under the ubuntu user, even after I've stopped all apps?
-
@ryangorley you can use
top -c
orhtop
to see the full command args on what those processes are. -
Thanks @girish , I'm seeing:
node /app/code/haraka/bin/haraka -c /run/haraka
node /app/code/service.js
These look familiar to you?
-
@ryangorley yes, that's from the mail container
-
@ryangorley If in doubt, the only safe/secure way is to start over. Fresh install of Cloudron and restore from backup. I think just inspecting the server is just too error prone.
-
@girish Yeah, I'm thinking the same thing.
ubuntu
is a sudo user, and if the default password Vultr was using was exploited, then I'd have to be looking or processes run by anything. I'll migrate. Thanks again. -
-