Comments
I'll parrot what I said to you at wht: If you are on the job, the developers will end up quitting with severe depression.
Yeah, exactly, so as I said, the best control panel is no control panel. When the day comes that a bare linux install is enough to power my sites, that's what I'll use. The fewer moving parts, the better.
I took the effort of migrating over to ISPConfig. I have to admit, UI-wise, VestaCP is far superior to ISPConfig, but functionality-wise it's the other way around. ISPConfig is really flexible and the Let's Encrypt integration works flawlessly. And as I'm pretty much the only one using the panel anyway, it's all good.
Any news of VestaCP still being exploited after the patch?
ISPConfig all the way! For fast support subscribe to HowToForge for 25€/6 months, but you will be helped either way.
It's like ISPConfig didn't have its own issues.
Metasploit has at least a couple of exploits against ISPConfig.
You mean Centminmod?
http://centminmod.com/
Now we just need a Debian or Ubuntu version :P
EasyEngine isn't too bad either, but limited on the config, and I'm not sure how well their mail stuff works.
It's really not about having issues, it's more about how a company / project / individual goes around fixing them.
Vesta didn't escape the password that was entered on the VestaCP page. They then published a hotfix that "might" solve the exploit that was out in the wild. I understand they didn't have logging enabled, but that's a miss to begin with.
Webmin (Usermin / Virtualmin) if you absolutely must use a free panel.
I still think Plesk and cPanel have the best security simply because they pay top dollar to security researchers to find flaws, so there's a huge incentive to put a lot of time into finding them.
^ this man knows what's up. Thanks for sharing your wisdom with us, the plebs, @SecNinja
Not really defending VestaCP code, but regarding the fix, they did what they believed was the right thing. They changed the auth hash and enabled logging. Sure, other things will follow. But isn't "might solve" better than "we did nothing"? They should obviously improve communication and ask for help from security pros willing to give the entire code a once-over. (Make suggestions if you can help.)
Hopefully, the project will come out significantly better.
The UI is the best on the block for me. I can get done 95% of what I want to accomplish with great efficiency. Can't say that with other FOSS alternatives I've tried.
No doubt! The only thing that I can critique is their "It's bullet proof now!" statement after the patch was released. Kinda shows the naivety of their security practices.
But with rack911 on the case, any suggestions they throw their way should harden the code up quite a bit. That is, if they actually address the issues that are brought up by Patrick and Steven in a timely manner.
Lol. I hope to send off a report today. It's so bad.
I sure hope no one has untrusted users on their VestaCP boxes.
@SecNinja, are the security notices still being sent from hostingseclist? It's been a while since I received those.
Is it because they are using (==) instead of (===) everywhere. I noticed that in the API.
I haven't even looked at the API, I'm still going over the common user functions. Some of the exploits are so funny. Once they are patched I'll share a couple just for lol sake.
Curious on the process, do you give them a set amount of time to release fixes and if they do nothing (or something inadequate) then make your report public?
We probably won't even publish anything official, it's not really worth my time.
As for disclosing a Proof of Concept for lol sake, I'll do it after I think people have had enough time to patch.
Two of my clients got suspended due to the traffic limit, all with Vesta installed. The traffic allocated for the entire month was consumed in less than 3 days.
Any IP blocks?
Just so we are clear, their fix only consists of API changes and does this:
Grab the salt for user "admin" from /etc/shadow, encrypt whatever arrived from the internet using this salt, save the resulting hash as a file in /tmp, and pass the resulting file path to a shell script.
This shell script loads the hash from the /tmp file and authenticates using grep:
grep "^$user:$hash:" /etc/shadow
If a matching line is found, API access is granted.
So PHP has passwordless sudo access and is able to directly read /etc/shadow.
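The check described in the post above, modelled in Python beside a hardened version. This is an added example, not VestaCP's code and not the poster's; it assumes a stand-in for crypt(3) (`fake_crypt`, a plain salted SHA-512 via hashlib rather than real SHA-512-crypt), a constructed shadow file (`SHADOW`), and a small emulation of grep's basic-regex matching (`grep_bre_search`), so it runs offline without root or a shell. What it shows that the post only states: the hash is handed to grep as a regular expression rather than a literal string (`.` in a crypt hash matches any character), the salt comes from the admin record rather than the authenticating user's own record, and none of that is needed once the comparison is done as a constant-time literal compare over parsed fields.

```python
# Added example (not VestaCP's or the poster's code).  fake_crypt() stands in for
# crypt(3) and SHADOW is a constructed shadow file; both are assumptions so the
# example runs offline.  grep_bre_search() emulates only as much of grep's basic
# regex syntax as a "^user:hash:" pattern exercises.
import hashlib
import hmac
import re
from typing import Optional


def fake_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3): returns '$6$<salt>$<digest>' shaped like a SHA-512-crypt field."""
    digest = hashlib.sha512((salt + password).encode()).hexdigest()
    return f"$6${salt}${digest}"


# Constructed /etc/shadow contents: an admin, a second user with its own salt,
# a locked account ('!') and a disabled one ('*').
SHADOW = "\n".join([
    f"admin:{fake_crypt('hunter2', 'adminsalt')}:18000:0:99999:7:::",
    f"bob:{fake_crypt('bobpass', 'bobsalt')}:18000:0:99999:7:::",
    "locked:!:18000:0:99999:7:::",
    "svc:*:18000:0:99999:7:::",
])


def shadow_entry(user: str, shadow_text: str) -> Optional[str]:
    """Return the password field of `user` by splitting fields (no regex), or None."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1]
    return None


def salt_of(password_field: Optional[str]) -> Optional[str]:
    """Salt from a '$id$salt$hash' field; None for '!', '*', empty or malformed fields."""
    if not password_field or password_field[0] != "$":
        return None
    parts = password_field.split("$")  # ['', id, salt, hash]
    return parts[2] if len(parts) == 4 and parts[2] else None


def grep_bre_search(pattern: str, line: str) -> bool:
    """Emulate grep's basic regex for this pattern shape: a leading '^' anchors,
    '.' matches any character, '$' away from the end is literal."""
    regex = ""
    for i, ch in enumerate(pattern):
        if i == 0 and ch == "^":
            regex += "^"
        elif ch == ".":
            regex += "."
        else:
            regex += re.escape(ch)
    return re.search(regex, line) is not None


def api_auth_as_described(user: str, password: str, shadow_text: str) -> bool:
    """The posted fix as described: salt from the 'admin' record, submitted password
    hashed with it, hash handed to grep as '^$user:$hash:'.  The /tmp hand-off to
    the shell script is omitted; the matching logic is what matters here."""
    salt = salt_of(shadow_entry("admin", shadow_text))
    if salt is None:
        return False
    candidate = fake_crypt(password, salt)
    pattern = f"^{user}:{candidate}:"  # consumed as a regex, not a literal string
    return any(grep_bre_search(pattern, line) for line in shadow_text.splitlines())


def verify_password(user: str, password: str, shadow_text: str) -> bool:
    """Hardened check: salt taken from the authenticating user's own record, fields
    parsed instead of pattern-matched, constant-time comparison, and locked or
    disabled accounts ('!', '*') rejected before any hashing."""
    stored = shadow_entry(user, shadow_text)
    salt = salt_of(stored)
    if salt is None:
        return False
    candidate = fake_crypt(password, salt)
    return hmac.compare_digest(candidate.encode(), stored.encode())
```

`verify_password` takes the shadow contents as an argument on purpose: the read can then be done by a privileged helper that returns only a yes/no to the web process, so the panel's PHP never needs sudo or read access to /etc/shadow. That separation, plus the literal constant-time compare, removes the temp file, the shell script and the regex from the trust boundary entirely.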
So you're saying that two of your clients were sending DoS attacks for three days straight before they were suspended? And they were suspended for using up all their bandwidth and not for network abuse?
Premium.
Sent off 6 security vulnerabilities to [email protected], with 3 of those leading to an easy root compromise. The other 3 are still very serious flaws, password / hash disclosures, etc.
I'll send off more once they fix those.
What I'm reading here is that people using VestaCP for public access are boned. Those using it for personal use should just close off the ports and tunnel access to the panel via SSH or VPN. Additionally you could also turn it off when not in use, probably a good idea anyway as it saves resources.
Guys let me translate.
Don't use vestaCP.
Read what @SecNinja said. "Easy" "Root" "Compromise" "3ways"
This. What the hell it is?
Ménage a trois?
Usually have to pay extra for that kind of action.
Going to drop this thread from our announcements, as I think it's been up there for sufficient time for hosts and users to secure their VestaCP installs. @Harambe and others, feel free to continue discussions as updates are made on this issue.
So in the end, is it patched or not? I know about the 20 version, but I saw people are recommending to keep the Vesta's down for now. Are we sure the patch they released completely resolves the issue? More updates on this?
Short answer, we don't know and neither do their developers.