Just had an Abuse Report against my Cloudron - What to do?

Support | Solved
12 Posts 4 Posters 1.5k Views
    shanelord01 #1

      Linode support have just contacted me reporting the following:

      We have received a report of Brute Force attempts originating from your Linode. This is most likely the result of a system compromise. If we have not heard from you in 24 hours, we may need to place network restrictions on your Linode to prevent further attacks.

      Abuse Report

      Extracted Details
      ip 194.195.127.xxx
      send_date 2023-07-17T04:57:51Z
      received_date 2023-07-17T04:58:28Z
      format fail2ban
      This report was generated by Abusix

      I booted into Rescue Mode and ran ClamAV and found no compromises. Any other ideas?

      Thanks,
      Shane.

      timconsidine (App Dev) #2

        I had something similar, and uninstalled 2 recently installed/restored apps.
        One was StirlingPDF (just because it was the last application installed : I do not believe this was the cause).
        The other was a Wordpress Developer instance. I think this was the cause. I deleted it without investigation.
        It seemed to stop the problem.
        Check which applications are running. Maybe stop them (instead of uninstalling) and see if this resolves the error reports.
        My instance is on Hetzner and they provide a link to check the problem - don't know whether Linode do this.
        Then I filed a statement, and after checking, Hetzner closed the incident.


          shanelord01 #3

          @timconsidine Thanks. The only app I had actively running but hadn't used or paid attention to for a while was LibreTranslate. I've deleted that app for now and am just running Mastodon. Will see if that placates the Linode security team.

            timconsidine (App Dev) #4

            Out of interest, did you already have ClamAV installed, or did you install it in response to this incident?
            Does it need to run while in rescue mode, or can it be run while the VPS is running normally?

              girish (Staff) #5

              @shanelord01 Is there any other info on what kind of Brute Force is attempted?

              Also, have you been with this IP and domain for a long enough time? I have seen these reports come very late, even after 6 months. What is send_date and received_date in this context? The date of the report or the abuse?


                shanelord01 #6

                @timconsidine They recommend using it in rescue mode. I had to install it (Linode provide an all-in-one script to update it and run the scan).

                Minor issue with the GPG keys stopping apt from running that I had to fix (thanks ChatGPT for the assist).

                Steps to fix
                Here are the steps to fix the GPG error on Finnix Linux:

                1. Open a terminal or SSH into your Finnix Linux system.

                2. Run the following commands to retrieve the missing public keys:

                  gpg --keyserver keyserver.ubuntu.com --recv-keys 0E98404D386FA1D9
                  gpg --keyserver keyserver.ubuntu.com --recv-keys 6ED0E7B82643E131

                3. Once the keys are imported, run the following commands to export the keys to files (binary export, no --armor, so apt can read them as a .gpg keyring):

                  gpg --export 0E98404D386FA1D9 > pubkey1.asc
                  gpg --export 6ED0E7B82643E131 > pubkey2.asc

                4. Create a new file in the trusted.gpg.d directory using the touch command. For example:

                  sudo touch /etc/apt/trusted.gpg.d/debian-keys.gpg

                5. Now, move the exported keys into that file in the trusted.gpg.d directory. Both keys go into the one keyring; moving each file onto the same name would overwrite the first key with the second:

                  cat pubkey1.asc pubkey2.asc | sudo tee /etc/apt/trusted.gpg.d/debian-keys.gpg > /dev/null
                  rm pubkey1.asc pubkey2.asc

                6. Update your package lists by running:

                  sudo apt-get update

                After following these modified steps, the missing GPG keys should be added to the trusted.gpg.d directory, and you should be able to update and install packages without encountering the GPG error.


                  shanelord01 #7

                  @girish I only have the info provided and the attached image.

                  [attached image: Screenshot 2023-07-17 at 5.10.40 pm.jpg]

                    girish (Staff) #8

                    That is indeed quite abstract, with no information on what is being attacked... Are you able to ask them what "login attack" means here: via SSH or HTTP?


                      shanelord01 #9

                      @girish I've asked and they have no more information. My scans and checks were enough for them to consider the case closed and no mitigation from them required.

                        girish (Staff) #10

                        @shanelord01 BTW, in case you run AdGuard, please be aware of this security issue - https://docs.cloudron.io/apps/adguard-home/#securing-installation

                        girish marked this topic as a question
                        girish marked this topic as solved
                          rbin #11

                          Hi, I've just had a report from DigitalOcean, my hosting provider, for my Cloudron instance. How could I investigate, because I have several apps on my Cloudron instance?

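Both girish's question above (is the "login attack" SSH or HTTP?) and rbin's (which of several apps is responsible?) come down to attributing outbound connections to a container. The script below is an added example, not code from this thread or from Cloudron; it assumes a Docker host where each app is a container (as Cloudron does), root, and iproute2 `ss` plus util-linux `nsenter` on the host, and runs a built-in constructed sample when invoked without `--live`.

```shell
#!/bin/sh
# Added example (not from the forum thread or Cloudron): summarise outbound TCP
# connections per running container so the app behind a "brute force from your
# IP" report stands out, instead of stopping apps one at a time.

# summarize_ss: read 'ss -Htn' output on stdin and print, per remote port, the
# connection count and number of distinct peers, busiest port first. Many
# connections to one port spread across many peers (e.g. :22 or :443) is the
# pattern a fail2ban-sourced abuse report describes.
summarize_ss() {
  awk '{
         peer = $NF                          # "host:port" or "[v6addr]:port"
         n = split(peer, parts, ":")
         port = parts[n]
         host = substr(peer, 1, length(peer) - length(port) - 1)
         conns[port]++
         if (!((port, host) in seen)) { seen[port, host] = 1; hosts[port]++ }
       }
       END {
         for (p in conns)
           printf "%d connections to port %s (%d distinct peers)\n", conns[p], p, hosts[p]
       }' | sort -rn
}

# scan_containers: run the summary inside each container's network namespace,
# so connections are attributed to the app that opened them.
scan_containers() {
  for id in $(docker ps -q); do
    name=$(docker inspect -f '{{.Name}}' "$id" | sed 's#^/##')
    pid=$(docker inspect -f '{{.State.Pid}}' "$id")
    printf '== %s (pid %s)\n' "$name" "$pid"
    nsenter -t "$pid" -n ss -Htn | summarize_ss | head -n 5
  done
}

# Constructed sample of 'ss -Htn' output (documentation addresses): three
# connections to port 22 on three different hosts, one HTTPS connection.
SAMPLE_SS='ESTAB    0 0 10.0.0.5:44120  203.0.113.7:22
SYN-SENT 0 1 10.0.0.5:44122  203.0.113.8:22
ESTAB    0 0 10.0.0.5:51000  198.51.100.3:443
ESTAB    0 0 [fd00::5]:40000 [2001:db8::9]:22'

if [ "${1:-}" = "--live" ]; then
  scan_containers                  # on a real host: sh scan.sh --live
else
  printf '%s\n' "$SAMPLE_SS" | summarize_ss
fi
```

Run it against each container in turn and the container whose top line reports hundreds of connections to a single port across many peers is the one to stop and inspect; normal apps show a handful of connections to a few well-known hosts.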

                            girish (Staff) #12

                            @rbin saw your ticket on support. I sent you a response there.
