[deanhills]

@Monad of FreeVPS reported a serious security issue with VestaCP:
https://freevps.us/thread-22032-post-244426.html

I'm a very enthusiastic user of VestaCP so have been studying the VestaCP discussion thread about the issue.

In summary what happened was a wave of Servers were infected with /etc/cron.hourly/gcc.sh on 4th of April.  It was an automated hack.  The infection was platform independent meaning that all of the OSs were affected.  On April 7th the infected servers started to DDoS remote hosts using /usr/lib/libudev.so. The logical consequence was a large scale suspension of those VPSs.  All of it happened very fast. Those affected included smart users.  In other words geeks who were using all of the standard  precautions, security measures, keyless entries etc. So there is a theory that the issue could have originated with the VestaCP installation script.  That theory hasn't been proven yet.  However, until it does either way, those of us who are using VestaCP need to be careful with using it. 

In the meanwhile there is a patch available from VestaCP that users can use.  I'm on automatic updates with VestaCP and I always thought every one else was by default, so for those with automatic updates this patch should already have been loaded during 8th of April.  Here is a copy of the post about the patch:

https://forum.vestacp.com/viewtopic.php?p=68893#p68893

The fix has been released just now!

As usually there are 3 ways to update your server:

1. Via web interface
- Login as admin
- Go to updates tab
- Click un update button under vesta package

2. Via package manager
- SSH as root to your server
- yum update / apt-get update && apt-get upgrade

3. Via GitHub
- SSH as root
- Install git / yum install git /apt-get install git
- Then run following commands

Code: (Select All)

cd $(mktemp -d)
git clone git://github.com/serghey-rodin/vesta.git
/bin/cp -rf vesta/* /usr/local/vesta/

Some information about this indecent. We still don't have working exploit for previous version. But we know for sure that the vector of attack was through a potentially unsecure password check method. Therefore we have completely rewrite password auth function. It's bullet proof now!

Please upgrade your servers as soon as possible.

[sagher]

As you written that you are a good user of VestaCP. can you please tell me why VestaCP is not shown exact B/W usage and CPU usage?

[deanhills]

As you written that you are a good user of VestaCP. can you please tell me why VestaCP is not shown exact B/W usage and CPU usage?

lol @sagher  I didn't say I was a good user - I said I was an enthusiastic user.  Big difference. 

Usually when I have a VPS it comes with a control panel from the VPS host, so I take my reading about CPU use from the VPS host.  I don't need a panel to duplicate those functions.

I use VestaCP along very minimalist lines. I don't use its e-mail or ftp system.  I only use the basic services like DNS, adding domains and databases mysql and phpmyadmin and fail2ban. For e-mail I use free Zoho.   VestaCP because of Nginx takes up minimal space and is very fast.  You can easily run it on 512MB RAM VPS. 

If CPU use is very important to you so that you want another panel to break it down for you then a Control Panel like WebMin or VirtualMin would be much better for you.  Most Admin Geeks swear by their Web or VirtualMin and frown on VestaCP.  But those panels use much more resources.  You'll need more than 512MB RAM to use them comfortably.  I tried WebMin once and it dragged on me with 512MB RAM.  So that's the reason I'm using VestaCP mostly because of how light it is.  And how little of it I have to use.  I only load the portions in the installation script that I need and use. The installation script of VestaCP is super - as you can generate the command from the VestaCP installation Web page and specify exactly what you want on your VPS and exlude that which you don't want.   I don't have anything unnecessary on my VestaCP.  However, a few weeks ago I spoilt myself.  I added paid Softaculous with VestaCP that has all of the Softaculous scripts.  I don't think anyone else needs that, but I find it easy and fun to try out those scripts.  So that's what I mean by enthusiastic user.  I'm not prescribing it to anyone else.  Every one needs to figure out what they need in a control panel and go for the one that best meets those needs.

---

Update about the Security Breach at VestaCP - looks as though the Admin and developers are happy they've sorted out the issues and have given the script their seal of approval. I'm still cautious however and may wait a while before I'll use the script for a new VPS. My current VPSs are OK though, I think probably because of not using the e-mail system. I think e-mail systems in most Control Panels are a huge risk factor. Like most hackers aim for those in order to use them to DDoS third party servers. I rather use a third party mail host like Zoho, where one can use one's domain for the e-mail address. Looks good, and if one only has 25 accounts one can have it free with Zoho too. There are of course many other e-mail hosts too, that could be better. I know Zoho though and am happy with them.

[Golden]

Don't use open-source panels. Hackers will try to find security flaws within the code. It's better not to use a panel.

[deanhills]

Don't use open-source panels. Hackers will try to find security flaws within the code. It's better not to use a panel.

Definitely good advice @Golden, but control panels are very convenient and there's always room for those.  I think one can minimize the potential of security flaws in free panels by making sure one's panel is on automatic updates, and by omitting FTP and e-mail systems from the security panel. I use SFTP and external e-mail hosts instead.  I don't use bind and I don't use FTP with my free control panels as over the years I've learned with cPanel that those are the two systems hackers target the most.  I know one is still vulnerable, but if one does away with those two it is already much safer.

[Golden]

Definitely good advice @Golden, but control panels are very convenient and there's always room for those.  I think one can minimize the potential of security flaws in free panels by making sure one's panel is on automatic updates, and by omitting FTP and e-mail systems from the security panel. I use SFTP and external e-mail hosts instead.  I don't use bind and I don't use FTP with my free control panels as over the years I've learned with cPanel that those are the two systems hackers target the most.  I know one is still vulnerable, but if one does away with those two it is already much safer.

VestaCP got hacked because of the developer's fault. It is opensource and hackers can easily look into the code to find flaws.

[deanhills]

VestaCP got hacked because of the developer's fault. It is opensource and hackers can easily look into the code to find flaws.

True.  That was the consensus of all of the geeks using it. They felt the developer failed to recreate how the hacking happened to their satisfaction.  The developer didn't want to take responsibility for it. 

One thing that was general however is that all of the instances reported that hadn't been hacked had not used the e-mail side of things or FTP.  Those two are of the most vulnerable parts to hack.

[humanpuff69]

Terminal is much secure than using a panel . my head just doesnt get it why still people use shitty low quality panel like vesta cp

[deanhills]

Terminal is much secure than using a panel . my head just doesnt get it why still people use shitty low quality panel like vesta cp

I don't think it is as low quality as that.  VestaCP is not the only script in the world that is vulnerable for hacking.  Microsoft Windows has problems too.  Like it's all over the world.  I think one has to accept how it is.  Make sure one minimizes one's risk when one uses a panel like VestaCP.  I only use it for the bare minimum tasks and find it very fast because of nginx and convenient to use.

[Vuluts]

@humanpuff69 It is because panel makes work more easier and convinient to others, though as you said using terminal is much more secure than installing control panel.