Security - Nessus check domain vulnerability incidents

I had Nessus run a test on the admin interface and other services and it found some results that could affect the security of the services.

  1. Admin login page:

  2. Preinstalled SSH server (with upgrading from Hestia apt sources):

  3. and mail server (SMTP - plain password and low port 25), etc.

I suppose that could be enhanced.

Keep in mind that Ubuntu and Debian are patching the current versions so your current OpenSSH server 8.9p1 is not vulnerable to those issues (CVE-2023-48795, CVE-2023-51384 and CVE-2023-51385).

You can check it with the apt changelog openssh-server command:

Ubuntu 22.04

openssh (1:8.9p1-3ubuntu0.6) jammy-security; urgency=medium

  * SECURITY UPDATE: incomplete PKCS#11 destination constraints
    - debian/patches/CVE-2023-51384.patch: apply destination constraints to
      all p11 keys in ssh-agent.c.
    - CVE-2023-51384
  * SECURITY UPDATE: command injection via shell metacharacters
    - debian/patches/CVE-2023-51385.patch: ban user/hostnames with most
      shell metacharacters in ssh.c.
    - CVE-2023-51385

 -- Marc Deslauriers <[email protected]>  Tue, 02 Jan 2024 11:54:04 -0500

openssh (1:8.9p1-3ubuntu0.5) jammy-security; urgency=medium

  * SECURITY UPDATE: Prefix truncation attack on BPP
    - debian/patches/CVE-2023-48795.patch: implement "strict key exchange"
      in PROTOCOL, kex.c, kex.h, packet.c, sshconnect2.c, sshd.c.
    - CVE-2023-48795
  * SECURITY UPDATE: smartcard constraints not added to agent
    - debian/patches/CVE-2023-28531.patch: include destination constraints
      for smartcard keys too in authfd.c.
    - CVE-2023-28531

 -- Marc Deslauriers <[email protected]>  Mon, 18 Dec 2023 11:28:16 -0500

Debian 12

openssh (1:9.2p1-2+deb12u2) bookworm-security; urgency=medium

  * Cherry-pick from upstream:
    - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to
      ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...)
      added in OpenSSH 8.9, a logic error prevented the constraints from
      being communicated to the agent. This resulted in the keys being added
      without constraints. The common cases of non-smartcard keys and keys
      without destination constraints are unaffected. This problem was
      reported by Luci Stanescu (closes: #1033166).
    - [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
      thwart the so-called "Terrapin attack" discovered by Fabian Bäumer,
      Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect
      a limited break of the integrity of the early encrypted SSH transport
      protocol by sending extra messages prior to the commencement of
      encryption, and deleting an equal number of consecutive messages
      immediately after encryption starts. A peer SSH client/server would
      not be able to detect that messages were deleted.
    - [CVE-2023-51384] ssh-agent(1): when adding PKCS#11-hosted private keys
      while specifying destination constraints, if the PKCS#11 token
      returned multiple keys then only the first key had the constraints
      applied. Use of regular private keys, FIDO tokens and unconstrained
      keys are unaffected.
    - [CVE-2023-51385] ssh(1): if an invalid user or hostname that contained
      shell metacharacters was passed to ssh(1), and a ProxyCommand,
      LocalCommand directive or "match exec" predicate referenced the user
      or hostname via %u, %h or similar expansion token, then an attacker
      who could supply arbitrary user/hostnames to ssh(1) could potentially
      perform command injection depending on what quoting was present in the
      user-supplied ssh_config(5) directive. ssh(1) now bans most shell
      metacharacters from user and hostnames supplied via the command-line.

 -- Colin Watson <[email protected]>  Tue, 19 Dec 2023 14:51:56 +0000

I don’t know what low port 25 means… (port 25 is one of the standard ports for mail servers).

Regarding plain password, since Hestia 1.8.6, AUTH is not advertised on ports 25, 465 or 587 if you are not using a TLS connection (STARTTLS on ports 25 and 587 or TLS on port 465) so the plain password is not important because the connection is already encrypted.

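A way to verify the AUTH behaviour described above from the client side (added example, not Hestia's own code): it records which capabilities the server advertises before and after STARTTLS and flags a server that offers AUTH on the plaintext session. The host name is a placeholder and the EHLO replies at the bottom are constructed samples.

```python
"""Check whether an SMTP server only offers AUTH after STARTTLS.
Added example, not Hestia's own code: it reproduces the behaviour the
reply above describes (no AUTH on 25/587 before STARTTLS). The host
name is a placeholder; the EHLO replies at the bottom are constructed."""
import smtplib
import ssl
import sys

def parse_ehlo(ehlo_resp):
    """Map a raw EHLO reply body (bytes, as smtplib returns it) to {KEYWORD: [params]}."""
    caps = {}
    # the first line is the server greeting, not a capability
    for line in ehlo_resp.decode("ascii", "replace").splitlines()[1:]:
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps

def assess(before_tls, after_tls):
    """'auth-before-tls': AUTH offered on the plaintext session (weak)
       'auth-after-tls' : AUTH only once STARTTLS succeeded (expected)"""
    if "AUTH" in before_tls:
        return "auth-before-tls"
    if "AUTH" in after_tls:
        return "auth-after-tls"
    return "no-auth"  # submission not enabled on this port

def probe(host, port=587, timeout=10):
    """EHLO, STARTTLS, EHLO again; return (verdict, AUTH mechanisms over TLS)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, resp = smtp.ehlo()
        before = parse_ehlo(resp) if code == 250 else {}
        after = {}
        if "STARTTLS" in before:
            # default context validates the certificate, so a bad cert is reported
            smtp.starttls(context=ssl.create_default_context())
            code, resp = smtp.ehlo()
            after = parse_ehlo(resp) if code == 250 else {}
    return assess(before, after), after.get("AUTH", [])

# Constructed EHLO replies modelling a Hestia >= 1.8.6 server on port 587.
SAMPLE_PLAIN = b"mail.example.com Hello\nSIZE 52428800\nSTARTTLS\n8BITMIME"
SAMPLE_TLS = b"mail.example.com Hello\nSIZE 52428800\nAUTH PLAIN LOGIN\n8BITMIME"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python check_smtp_auth.py mail.example.com
        print(probe(sys.argv[1]))
    else:                  # offline run against the constructed samples
        print(assess(parse_ehlo(SAMPLE_PLAIN), parse_ehlo(SAMPLE_TLS)))
```

Run it against port 25 as well as 587 to cover both STARTTLS ports mentioned above; port 465 is implicit TLS and would need smtplib.SMTP_SSL instead.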

And an advanced test:
FTP:

SMTP:

Feel free to disable it if you don’t need it, however I don’t see any reason to disable it by default…