Vultr Vulnerability

ryangorley

Hey Cloudron Team,
I just got an email this evening that VMs and bare metal machines spun up since Oct 2022 with Vultr's Ubuntu image have had a vulnerability where the ubuntu user password was not random. They're being really vague about the whole thing and claiming it was patched before anyone exploited it, but I'm very concerned. Who knows what that password was.

I appear to have followed the instructions for securing a server found here, because I'm seeing the recommended ssh port change in sshd_config, however I'm worried that I didn't properly disable password authentication over SSH. I see PasswordAuthentication no but it is at the very bottom beneth Subsystem sftp internal-sftp, not up higher in the file. I assume this means password auth was enabled, correct?

I'm trying to see if there is anything suspicious visibly consuming resources. When I run top after stopping all apps in Cloudron I am still seeing two node processes running under the ubuntu user and spamd and spamd child. Are these normal Cloudron processes?

I appreciate the help.

nebulon

For SSHd configs, have you tried to log in via password? If you don't provide an ssh key (and make sure some default is not applied) you can just try if it allows passwords. If you run the ssh client with -v then you see all offered authentication methods to proceed in the logs. It looks like:

...
debug1: Authentications that can continue: publickey
...

Otherwise it would also have password next to publickey.

ryangorley

Thanks @nebulon , it does in fact look like password authentication via SSH was left enabled. Do you know if Cloudron could be the source of those Node processes running under the ubuntu user, even after I've stopped all apps?

girish

@ryangorley you can use top -c or htop to see the full command args on what those processes are.

ryangorley

Thanks @girish , I'm seeing:
node /app/code/haraka/bin/haraka -c /run/haraka
node /app/code/service.js

These look familiar to you?

girish

@ryangorley yes, that's from the mail container

ryangorley

@girish Oh, good. Maybe I got lucky. I'll keep investigating. Thanks to you (and @nebulon ) for teaching me a couple new command line tricks as well.

girish

@ryangorley If in doubt, the only safe/secure way is to start over. Fresh install of Cloudron and restore from backup. I think just inspecting the server is just too error prone.

ryangorley

@girish Yeah, I'm thinking the same thing. ubuntu is a sudo user, and if the default password Vultr was using was exploited, then I'd have to be looking or processes run by anything. I'll migrate. Thanks again.