Hestia CP security

Today the HestiaCP log shows:

I am the sole user of HestiaCP and no one else has access to log in. I use HestiaCP for my own site.

I tried to change my password by using “forgotten password” but no password reset email has been sent.

Why is this happening and is HestiaCP secure?
What should I do?

Are you able to log in via SSH? If so, log in via SSH and change your password via v-change-user-password admin yournewpassword

Another option would be via console / VNC viewer or any other method your VPS provider / server provider provides.

Also please check:

/var/log/hestia/auth.log
/var/log/hestia/system.log and
/var/log/hestia/error.log

Is this an FTP account, a user or a database user account?

According to the log message your FTP account has been changed:

08 Mar 2021 23:35:39 changed password for eris_kk on kk.nl

Eris, thanks for your reply. Yes, I have SSH access to Ubuntu 20.04 LTS without any issue.

The thing that worries me is what’s showing in the HestiaCP panel. See #2 in the image below.
And I changed my password again as a precaution. See #1 in the image below.

The image also shows on 9-March-2021 “Disabled then enabled SSL Support for Mail”. I did not do anything to Exim or Dovecot.

I also ran the “cat” command on:
/var/log/hestia/auth.log
/var/log/hestia/system.log and
/var/log/hestia/error.log

However, for the date 8-March-2021 I could not find anything unusual. All events were showing from my IP address.

Do you people remote into all HestiaCP installations?

The other thing you’ll notice from the image is that HestiaCP tried to initiate LE-SSL renewal. And it failed. The only workaround I have found is to “Disable” HTTPS redirects and let it run for a full day. It usually fixes the issue… And afterwards, I re-enable it.

Last time, months ago, I reported this LE-SSL issue. And version 1.3.2 was supposed to fix it. We are now on HestiaCP version 1.3.3 and the LE-SSL issue still exists.

We are not able to log in “remotely”.

1.3.3 was a security fix due to a bug where a user could get access to the admin user’s account files by symbolically linking the conf files in /usr/local/hestia/data/users/user.conf, plus 2 smaller security issues.

This needed to be patched and we decided to release a “security” patch; as we have many changes that haven’t been fully tested, we didn’t want to release any bug fixes and potentially cause any issue on all the servers. See also the release notes:

For some reason Vesta again got some attention from security gurus / white hat hackers, see

And we have already received a few new security issues that have been patched in the development version, see:

We try to keep HestiaCP as safe as possible… But any security issues should be reported.

For security reasons we always suggest not using the admin user for hosting websites. Any unauthorised access, such as uploading a file to the system, could give the user access to /usr/local/hestia/bin/ and, for example, change the users’ passwords. This is not possible for any non-“admin” user.
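The symlink bug above is the classic case of a privileged process opening a path that a less-privileged user controls. As an added example (not HestiaCP’s own code; safe_read_conf, UnsafeConfPath and build_demo_tree are hypothetical names, and the sample tree is constructed), this shows the two checks a defender wants before reading a per-user conf file: containment of the fully resolved path inside that user’s directory, and O_NOFOLLOW on the final open so the check cannot be raced.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical helper names; the <root>/<user>/user.conf layout is the thread's.

class UnsafeConfPath(Exception):
    """The conf path does not stay inside the owning user's directory."""

def safe_read_conf(users_root: str, user: str, name: str = "user.conf") -> str:
    user_dir = Path(users_root, user).resolve(strict=True)
    candidate = user_dir / name
    # 1. Containment: after following every symlink, the target must still be
    #    inside the user's own directory, otherwise a planted link could make
    #    the panel read another user's conf file.
    resolved = candidate.resolve(strict=True)
    if resolved != user_dir and user_dir not in resolved.parents:
        raise UnsafeConfPath(f"{candidate} resolves to {resolved}")
    # 2. Open the final component with O_NOFOLLOW so a symlink swapped in
    #    between the check above and the open cannot redirect the read.
    try:
        fd = os.open(candidate, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        raise UnsafeConfPath(f"refusing to follow {candidate}: {exc}") from exc
    with os.fdopen(fd, "r", encoding="utf-8") as fh:
        return fh.read()

def check_user(users_root: str, user: str) -> str:
    """'ok' when the conf was read, 'rejected' when the path check refused it."""
    try:
        safe_read_conf(users_root, user)
        return "ok"
    except UnsafeConfPath:
        return "rejected"

def build_demo_tree() -> str:
    """Constructed sample tree (not a real install): admin, a normal user, and
    a user whose conf file is a symlink pointing at admin's conf."""
    root = Path(tempfile.mkdtemp(prefix="hestia-users-"))
    for user in ("admin", "webuser", "linker"):
        (root / user).mkdir()
    (root / "admin" / "user.conf").write_text("ROLE='admin'\nPACKAGE='default'\n")
    (root / "webuser" / "user.conf").write_text("ROLE='user'\nPACKAGE='default'\n")
    os.symlink("../admin/user.conf", root / "linker" / "user.conf")
    return str(root)

if __name__ == "__main__":
    root = build_demo_tree()
    for user in ("admin", "webuser", "linker"):
        print(f"{user}: {check_user(root, user)}")
```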

Just to expand with two things:

Yes it is! Otherwise we would already have had the troubles Vesta had. Also we keep patching potential security issues as fast as possible.

And the second one: the security issues @eris wrote about above always need valid credentials, as far as I know in every case the admin one. That’s why we will ship them with 1.4.0 and aren’t planning a separate 1.3.4 patch.

If you’ve enabled Let’s Encrypt for mail, this could have been during the renewal of your certificate.

We currently don’t provide any paid support. Still, a member of the team is free to provide any services on his own, if he has enough time and you’re willing to pay mid-European hourly rates :slight_smile:.

We are still trying to find the exact issue. I also got an LE400 twice; without doing anything it worked on the 3rd night. We currently plan to implement disabling force SSL while renewing the cert and then re-enabling it afterwards.

Thanks Eris & ScIT for replying with all the explanation…

I use the domain under admin access, since I only host my own site on the VPS. Right now I have only one, with possibly another site later this year. At most I will have maybe 2 domains. And I want to keep things simple under one umbrella…

Regarding Vesta: that info about VestaCP security gaps is scary.

I hope HestiaCP version 1.4.0 comes quicker, as it’s urgently needed.

If you host only simple HTML pages on your admin account you could be safe, but if you have a full-fledged web app like a CMS/ecommerce that is executing server-side code, then you are just inviting trouble :frowning: and you should move it to an unprivileged user ASAP.

There is a reason we have added this alert message in Hestia :stuck_out_tongue:

I have WordPress. I did not see that alert message the first time when I set it up on version 1.3.1.

Does 2FA work?

I did not get the one-time password (OTP) to my email. And my email works fine.

What could be causing this 2FA issue?

For 2FA you need to use an app.

or

Or any other app that uses this protocol; there are multiple available.
I use https://authy.com for it as it supports both iOS and OSX apps.

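The app-based 2FA the reply above describes is a time-based one-time password: assuming the linked protocol is TOTP (RFC 6238), as used by Authy and similar apps, the code is computed on the phone from a shared secret and the clock, which is why no email ever arrives. An added example, not HestiaCP’s or any authenticator’s code, using the RFC’s own test secret; totp, verify_totp and secret_from_base32 are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import struct

# Hypothetical helper names (totp, verify_totp, secret_from_base32). The
# algorithm is RFC 6238 with HMAC-SHA1, 30-second steps and 6 digits, the
# defaults that Authy / Google Authenticator-style apps use.

STEP_SECONDS = 30

def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """Derive the code valid at Unix time `at_time` from the shared secret."""
    counter = at_time // STEP_SECONDS                   # RFC 6238: T = floor(time / X)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # RFC 4226 dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: int, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current step plus `drift_steps` neighbours
    to tolerate phone clock skew, comparing in constant time."""
    for k in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(totp(secret, now + k * STEP_SECONDS), code):
            return True
    return False

def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the secret Base32-encoded (QR code / otpauth URI)."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); its Base32
# form is what an app would be given when 2FA is enrolled.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_SECRET, t))
```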

I suggest you move the WordPress site to another user as quickly as possible :smiley:

You have probably overlooked that notification, as it was added in Hestia in 1.1.0 almost 2 years ago :wink:


More important to note here again (because I feel like it got lost on the way): the log marked as #2 from 21:50:58 clearly shows that something was changed in the web-domain settings (disabled redirection and HSTS) and with that also the password for an additional FTP user has been set or changed.

This has nothing to do with the admin password itself, and you can identify this because of the underscore in admin_xxxx in the log message.

So you might want to check your web-domain settings for that FTP user; probably you are just confusing things here a bit :wink:

Ok, I will double-check everything.
