Just had an Abuse Report against my Cloudron - What to do?
-
I had something similar, and uninstalled 2 recently installed/restored apps.
One was StirlingPDF (just because it was the last application installed: I do not believe this was the cause).
The other was a Wordpress Developer instance. I think this was the cause. I deleted it without investigation.
It seemed to stop the problem.
Check which applications are running. Maybe stop them (instead of uninstalling) and see if this resolves the error reports.
My instance is on Hetzner and they provide a link to check the problem - don't know whether Linode do this.
Then I filed a statement, and after checking, Hetzner closed the incident. -
@timconsidine Thanks. The only app I had actively running but I haven't used or paid attention to for a while was LibreTranslate. I've deleted that app for now and just running Mastodon. Will see if that placates the Linode security team.
-
Out of interest, did you already have ClamAV installed or did you install it in response to this incident?
Does it need to run while in rescue mode, or can it be run while the VPS is running normally? -
@shanelord01 Is there any other info on what kind of Brute Force is attempted?
Also, have you been with this IP and domain for a long enough time? I have seen these reports come very late after 6 months even. What is send_date and received_data in this context? The date of the report or the abuse?
-
@timconsidine They recommend using it in rescue mode. I had to install it (Linode provide an all-in-one script to update it and run the scan).
Minor issue with the GPG keys stopping apt from running that I had to fix (thanks ChatGPT for the assist).
Steps to fix
Here are the steps to fix the GPG error on Finnix Linux:

1. Open a terminal or SSH into your Finnix Linux system.

2. Run the following commands to retrieve the missing public keys:

       gpg --keyserver keyserver.ubuntu.com --recv-keys 0E98404D386FA1D9
       gpg --keyserver keyserver.ubuntu.com --recv-keys 6ED0E7B82643E131

3. Once the keys are imported, run the following commands to export the keys to files:

       gpg --export 0E98404D386FA1D9 > pubkey1.asc
       gpg --export 6ED0E7B82643E131 > pubkey2.asc

4. Once the keys are imported, create a new file in the trusted.gpg.d directory using the touch command. For example:

       touch /etc/apt/trusted.gpg.d/debian-keys.gpg

5. Now, move the exported key files to the trusted.gpg.d directory:

       sudo mv pubkey1.asc /etc/apt/trusted.gpg.d/debian-keys.gpg
       # The second key gets its own file name so it does not overwrite the first
       sudo mv pubkey2.asc /etc/apt/trusted.gpg.d/debian-keys-2.gpg

6. Update your package lists by running:

       apt-get update

After following these modified steps, the missing GPG keys should be added to the trusted.gpg.d directory, and you should be able to update and install packages without encountering the GPG error.
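A check that could follow the steps in the post above (an added example, not part of the original post): it reports which of the key IDs named there still have no usable entry in a keyring listing, for instance because one exported file replaced another or a key has expired. The function name `missing_keys` and the sample listings are constructed for illustration, and the primary-key IDs in them are placeholders.

```shell
#!/bin/sh
# Added example. missing_keys (hypothetical name) reads `gpg --with-colons`
# output on stdin and prints each wanted long key ID that has no usable
# pub/sub record. On a live system:
#   cat /etc/apt/trusted.gpg.d/*.gpg | gpg --show-keys --with-colons \
#     | missing_keys 0E98404D386FA1D9 6ED0E7B82643E131
missing_keys() {
    awk -F: -v wanted="$*" '
        BEGIN { n = split(wanted, ids, " ") }
        # pub/sub records: field 2 = validity (e/r/i = expired, revoked,
        # invalid), field 5 = long key ID
        ($1 == "pub" || $1 == "sub") && $2 !~ /^[eri]$/ { good[toupper($5)] = 1 }
        END {
            for (i = 1; i <= n; i++) {
                id = toupper(ids[i])
                if (!(id in good)) print id
            }
        }'
}

# Constructed listing: a keyring in which only the second key survived.
# Primary-key IDs (AAAA..., BBBB...) are placeholders, not real keys.
sample_one_key() {
    cat <<'EOF'
pub:-:4096:1:BBBBBBBBBBBBBBBB:1613238862:::-:::scSC::::::23::0:
sub:-:4096:1:6ED0E7B82643E131:1613238862::::::s::::::23:
EOF
}

# Constructed listing: both key IDs present and usable.
sample_both_keys() {
    cat <<'EOF'
pub:-:4096:1:AAAAAAAAAAAAAAAA:1613238862:::-:::scSC::::::23::0:
sub:-:4096:1:0E98404D386FA1D9:1613238862::::::s::::::23:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1613238862:::-:::scSC::::::23::0:
sub:-:4096:1:6ED0E7B82643E131:1613238862::::::s::::::23:
EOF
}

# Demo on the constructed one-key listing: prints the ID that is missing.
sample_one_key | missing_keys 0E98404D386FA1D9 6ED0E7B82643E131
```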
-
@shanelord01 BTW, in case you run AdGuard, please be aware of this security issue - https://docs.cloudron.io/apps/adguard-home/#securing-installation
-
-