Vultr Vulnerability

      ryangorley wrote (last edited by girish) #1

      Hey Cloudron Team,
      I just got an email this evening that VMs and bare metal machines spun up since Oct 2022 with Vultr's Ubuntu image have had a vulnerability where the ubuntu user password was not random. They're being really vague about the whole thing and claiming it was patched before anyone exploited it, but I'm very concerned. Who knows what that password was.

      I appear to have followed the instructions for securing a server found here, because I'm seeing the recommended ssh port change in sshd_config, however I'm worried that I didn't properly disable password authentication over SSH. I see PasswordAuthentication no but it is at the very bottom beneath Subsystem sftp internal-sftp, not up higher in the file. I assume this means password auth was enabled, correct?

      I'm trying to see if there is anything suspicious visibly consuming resources. When I run top after stopping all apps in Cloudron I am still seeing two node processes running under the ubuntu user and spamd and spamd child. Are these normal Cloudron processes?

      I appreciate the help.

        nebulon (Staff) wrote #2

        For SSHd configs, have you tried to log in via password? If you don't provide an ssh key (and make sure some default is not applied) you can just try if it allows passwords. If you run the ssh client with -v then you see all offered authentication methods to proceed in the logs. It looks like:

        ...
        debug1: Authentications that can continue: publickey
        ...
        

        Otherwise it would also have password next to publickey.

          ryangorley wrote (last edited by ryangorley) #3

          Thanks @nebulon , it does in fact look like password authentication via SSH was left enabled. Do you know if Cloudron could be the source of those Node processes running under the ubuntu user, even after I've stopped all apps?

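Added example, not part of any post in this thread and not Cloudron's code: a small model of how sshd resolves a keyword such as PasswordAuthentication (the first value read wins, Include files are expanded in place, and lines under a Match are conditional), which shows when a `PasswordAuthentication no` near the end of sshd_config does or does not take effect. The file contents, port and drop-in file name are constructed sample input, and `find_settings` and `effective` are hypothetical helper names.

```python
import fnmatch

# Constructed sample: a drop-in pulled in by Include is read before the
# "PasswordAuthentication no" at the bottom of the main file.
SAMPLE = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "Port 2222\n"
        "Subsystem sftp internal-sftp\n"
        "PasswordAuthentication no\n"
    ),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}

def find_settings(keyword, path, files):
    """Yield (value, 'path:line') for each global use of keyword, in read order.

    files maps path -> text so the example runs offline. Simplification
    (assumption): every Match block is conditional and ends with its file.
    """
    in_match = False
    for lineno, raw in enumerate(files[path].splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        key = key.lower()
        if key == "match":
            in_match = True              # everything below applies conditionally
        elif in_match:
            continue
        elif key == "include":
            for pattern in args:
                if not pattern.startswith("/"):
                    pattern = "/etc/ssh/" + pattern   # relative to /etc/ssh
                for inc in sorted(fnmatch.filter(files, pattern)):
                    yield from find_settings(keyword, inc, files)
        elif key == keyword.lower():
            yield " ".join(args), f"{path}:{lineno}"

def effective(keyword, files, main="/etc/ssh/sshd_config"):
    """First value obtained wins; (None, None) means sshd's built-in default."""
    return next(find_settings(keyword, main, files), (None, None))

if __name__ == "__main__":
    print(effective("PasswordAuthentication", SAMPLE))
```

On a live server, `sshd -T` (run as root) prints the configuration sshd actually resolved, which is the authoritative check alongside the `ssh -v` test described above.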
            girish (Staff) wrote #4

            @ryangorley you can use top -c or htop to see the full command args on what those processes are.

              ryangorley wrote #5

              Thanks @girish , I'm seeing:
              node /app/code/haraka/bin/haraka -c /run/haraka
              node /app/code/service.js

              These look familiar to you?

                girish (Staff) wrote #6

                @ryangorley yes, that's from the mail container

                  ryangorley wrote #7

                  @girish Oh, good. Maybe I got lucky. I'll keep investigating. Thanks to you (and @nebulon ) for teaching me a couple new command line tricks as well.

                    girish (Staff) wrote #8

                    @ryangorley If in doubt, the only safe/secure way is to start over. Fresh install of Cloudron and restore from backup. I think just inspecting the server is just too error prone.

                      ryangorley wrote #9

                      @girish Yeah, I'm thinking the same thing. ubuntu is a sudo user, and if the default password Vultr was using was exploited, then I'd have to be looking for processes run by anything. I'll migrate. Thanks again.

                      • girishG girish marked this topic as a question on
                      • girishG girish has marked this topic as solved on