amuck-landowner

HOW-TO: Protect from recent SolusVM exploits.

Aldryic C'boas

The Pony
We generate a random, uneditable password when any order is placed, correct. Primarily to force clients to set a new root password themselves afterward (unless they actually want to remember a random string <_<) as a security precaution. That's not a module/etc setting though - just a simple edit to the cart's .tpl file:

Code:
<input type="text" readonly="readonly" name="rootpw" size="20" value="{php} echo substr(md5(mt_rand()),1,12);{/php}" />
 

Aldryic C'boas

The Pony
Care if I do this? <3
Nah, by all means go for it :p I wouldn't have posted it publicly if I didn't want folks to use it :3 General rule for my code is - if I post it publicly, anyone can use it as they see fit.
 

Damian

New Member
Verified Provider
We implemented something like this over a year ago, and it drastically dropped incidents of users getting rooted. Mostly because they would sign up with a "temporary" password like 12345678, which hasn't been a good password since 1978, and then "forget" to change it.

Really, it should be the default. I'm now always wary when I sign up at a provider and they want me to specify "NS1" and "NS2" and a root pass for my VPS.
 

Marc M.

Phoenix VPS
Verified Provider
Here is another way to generate more customizable random root passwords and use them during the ordering process:

Code:
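function phoenix_rand_root_pass($l=16, $s=6) {
    // $l: password length; $s: bitmask selecting extra character sets
    $v = 'aeuy';            // vowels
    $c = 'bdghjmnpqrstvz';  // consonants
    if ($s & 1) {
        $c .= 'BDGHJLMNPQRSTVWXZ';  // upper-case consonants
    }
    if ($s & 2) {
        $v .= "AEUY";               // upper-case vowels
    }
    if ($s & 4) {
        $c .= '23456789';           // digits
    }
    if ($s & 8) {
        $c .= '@#$%';               // symbols
    }

    // Alternate between the two sets, starting side chosen from the clock
    $randrp = '';
    $alt = time() % 2;
    for ($i = 0; $i < $l; $i++) {
        if ($alt == 1) {
            $randrp .= $c[(mt_rand() % strlen($c))];
            $alt = 0;
        } else {
            $randrp .= $v[(mt_rand() % strlen($v))];
            $alt = 1;
        }
    }
    return $randrp;
}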
 

Aldryic C'boas

The Pony
Never was a fan of replacing one line of code with... 28. All you're needing is a random alphanumeric, which PHP cannot easily provide (And then you have to screw with php blocks in smarty, never fun). Generating a random number, then md5/SHA'ing that to 'randomize' it further with alphanumerics is a much quicker, more efficient, and cleaner way to get the job done.
 

willie

Active Member
marcm, don't use mt_rand for security purposes.  Read random bytes from /dev/urandom instead.

Aldryic, I've always been uncomfortable with the practice of emailing root passwords which can be passively intercepted.  I'd consider it better if you offered an option to let the person upload their ssh public key, so Stallion initialized the vps's ~root/.ssh/authorized_keys with it.
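
Added example (not from any poster in this thread) of the mt_rand point above: a root password built from PHP's CSPRNG with random_int(), next to a calculation of how little entropy md5(mt_rand()) can carry. It assumes PHP 7.0 or later; the function names and ROOTPW_ALPHABET are hypothetical.

```php
<?php
// Added example; names here are hypothetical, not from WHMCS or the thread.

// Look-alike characters (0/O, 1/l/I) are left out of the alphabet.
const ROOTPW_ALPHABET = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';

// Build a password from the OS CSPRNG. random_int() picks uniformly from
// the range, so there is no modulo bias as with mt_rand() % strlen().
function csprng_root_pass(int $length = 16, string $alphabet = ROOTPW_ALPHABET): string
{
    if ($length < 1 || strlen($alphabet) < 2) {
        throw new InvalidArgumentException('need length >= 1 and >= 2 symbols');
    }
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Upper bound, in bits, for $length symbols drawn uniformly and independently.
function entropy_bits(int $length, int $alphabetSize): float
{
    return $length * log($alphabetSize, 2);
}

// substr(md5(mt_rand()), 1, 12) shows 12 hex characters, but the whole string
// is a function of one mt_rand() result, so it cannot hold more entropy
// than the number of distinct values mt_rand() can return.
$apparent  = entropy_bits(12, 16);
$actualCap = log(mt_getrandmax() + 1, 2);
$csprng    = entropy_bits(16, strlen(ROOTPW_ALPHABET));

printf("md5(mt_rand()), 12 hex chars: looks like %.0f bits, capped at %.0f\n",
    $apparent, $actualCap);
printf("csprng_root_pass(16): up to %.1f bits, e.g. %s\n",
    $csprng, csprng_root_pass());
```

In a Smarty cart template, the value would be produced by the PHP side and assigned to the template rather than computed inside a {php} block.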
 

Aldryic C'boas

The Pony
Aldryic, I've always been uncomfortable with the practice of emailing root passwords which can be passively intercepted. I'd consider it better if you offered an option to let the person upload their ssh public key, so Stallion initialized the vps's ~root/.ssh/authorized_keys with it.
I agree fully. And while I doubt we'll do the pubkey offload, what we're planning on doing with Stallion2 is setting a random root pass on the node, and not sending it via email/etc. The New VPS email will simply instruct the client to log in, set a root pass for the VM, and then continue use as desired. We may even configure the panel so that when a client first accesses a new (and maybe even freshly installed VM), the first thing it does is ask them for a root pass to set (which won't be saved, merely piped to the node).
 

Marc M.

Phoenix VPS
Verified Provider
marcm, don't use mt_rand for security purposes. Read random bytes from /dev/urandom instead.
@willie from PHP -> http://php.net/manual/en/function.mt-rand.php

Many random number generators of older libcs have dubious or unknown characteristics and are slow. By default, PHP uses the libc random number generator with the rand() function. The mt_rand() function is a drop-in replacement for this. It uses a random number generator with known characteristics using the http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/emt.html
 

Aldryic C'boas

The Pony
By the way, I wonder when this error will get fixed here: "The name can only contain these characters: a-zA-Z0-9_"
There's a reason I chose to use my full name here (and WHT) as opposed to just 'Aldryic'.
 

SkylarM

Well-Known Member
Verified Provider
Still want access to the admin side of things for the time being. At any rate I wasn't sure why the API wasn't connecting. Wasn't sure if it was the site move, the beta update to the module, or something else. Finishing up skinning the DNS module and then everything will be as if clients had solus access, just without solus access ;)
 

ShardHost

New Member
Verified Provider
Another way to achieve this is just through lighttpd directly.  Add this to the bottom of your lighttpd.conf


Code:
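# Replace whmc.ip.addr and vpn.ip.addr with the real addresses.
# Dots are escaped and the pattern is anchored so only those exact addresses match.
$HTTP["remoteip"] !~ "^(whmc\.ip\.addr|vpn\.ip\.addr)$" {
    $HTTP["url"] =~ "^/" {
        url.access-deny = ( "" )
    }
}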
 