HOW-TO: Protect from recent SolusVM exploits.

[KuJoe]

It looks like a lot of the recent exploits require access to your SolusVM Master either as a client or as a guest. So here's a quick and easy way to prevent access:

iptables -A INPUT -j ACCEPT -p tcp -s <WHMCS_IP> --destination-port 5353 -i venet0
iptables -A INPUT -j ACCEPT -p tcp -s <WHMCS_IP> --destination-port 5656 -i venet0
iptables -A INPUT -j ACCEPT -p tcp -s <ADMIN1_IP> --destination-port 5353 -i venet0
iptables -A INPUT -j ACCEPT -p tcp -s <ADMIN1_IP> --destination-port 5656 -i venet0
iptables -A INPUT -j ACCEPT -p tcp -s <ADMIN2_IP> --destination-port 5353 -i venet0
iptables -A INPUT -j ACCEPT -p tcp -s <ADMIN2_IP> --destination-port 5656 -i venet0
iptables -A INPUT -j DROP -p tcp --destination-port 5353 -i venet0
iptables -A INPUT -j DROP -p tcp --destination-port 5656 -i venet0Please note that I run my SolusVM Master on an OpenVZ VPS so your interface may be different.
This will allow your WHMCS installation and admins to access SolusVM but will block direct access. Automation will continue to work and clients can manage their VPSs via the SolusVM plugin, I know it's limited but it's better than nothing.

I had a lot more information typed up but IP.Board erased it all so if you have any questions feel free to ask.

 

[netnub]

Thats a neat way, I suggest all providers do that because I'll be sharing another round of exploits on SolusVM soon.

 

[MartinD]

"exploits" you've shared with SolusVM, I presume?

 

[vanarp]

Thats a neat way, I suggest all providers do that because I'll be sharing another round of exploits on SolusVM soon.

Lol:


Attention providers:


In roughly 12 hours I will be disclosing 3 zero day vulnerabilities on solusvm.


I suggest you take backups fast or else hackers will abuse this. I have tried contacting solusvm to fix it however I have been ignored.


They stated the vuln is

 

[concerto49]

http://lowendtalk.com/discussion/comment/285082/#Comment_285082 is what netnub/lol is on about.

 

[netnub]

http://lowendtalk.com/discussion/comment/285082/#Comment_285082 is what netnub/lol is on about.

All speculation, no verified information.

 

[KuJoe]

Please keep the drama/BS out of this thread so it can attempt to stay on-topic. Thanks.

 

[SkylarM]

Time to put the modulesgarden solusvm in production I guess. Good post.

 

[wlanboy]

Maybe time that someone is building a little GUI on top of the SolusVM API.

I knew before that I do not want to be a hoster.

 

[Damian]

Time to put the modulesgarden solusvm in production I guess. Good post.

Does it replace the Solus-provided module completely? Can I do everything I can do in the Solus panel inside WHMCS instead?

 

[SkylarM]

Does it replace the Solus-provided module completely? Can I do everything I can do in the Solus panel inside WHMCS instead?

I made a post on this forum showing some of the functionality. From a client perspective yes, admin side no. Need a dns manager plugin to manage DNS/rDNS if you did that in Solus though.

Gotta figure out why both the Solus plugin and the Modulesgarden Solus plugin aren't liking the iptables rules and aren't connecting to the server now hmmm

 

[Cloudrck]

Maybe time that someone is building a little GUI on top of the SolusVM API.

I knew before that I do not want to be a hoster.

Thus creating another layer to exploit. The problem is SolusVM poor coding techniques

I made a post on this forum showing some of the functionality. From a client perspective yes, admin side no. Need a dns manager plugin to manage DNS/rDNS if you did that in Solus though.

Gotta figure out why both the Solus plugin and the Modulesgarden Solus plugin aren't liking the iptables rules and aren't connecting to the server now hmmm

Are your IPtable policies being logged? What do they say? I don't use SolusVM so I can't help much.

 

[Aldryic C'boas]

Does the SolusVM WHMCS plugin allow changes to rootpass/hostname/etc? If so, you may want to try and disable that, just in case they're not sanitizing input <_<

 

[mnpeep]

Thanks! I'm using this to secure my setup, only my WHMCS and laptop physically located at the datacenter can access SolusVM now.

Let's just hope Teamviewer cooperates.

 

[SkylarM]

Thus creating another layer to exploit. The problem is SolusVM poor coding techniques

Are your IPtable policies being logged? What do they say? I don't use SolusVM so I can't help much.

Yeah it was an issue with the API and the dedicated IP not behaving properly.

 

[SkylarM]

 

[Aldryic C'boas]

Hah, nice. Looks like they've made some major improvements (as far as options, at least) on the module. Only reference I had was the module we worked with a couple years back that just threw this big nasty blob into the client area; no ability to enable/disable certain features.

 

[SkylarM]

 

[Aldryic C'boas]

If you leave root password on the module, it gives a client the option to either VIEW the password or CHANGE it. Noooot a huge fan of being able to view it like that.

Root passes are viewable? That is straight-up disastrous - they're either storing root passes in plaintext, or merely displaying the WHMCS 'password' field (also plaintext), which is absolutely useless after running `passwd` on the VM (like people should be doing).

 

[SkylarM]