You created a new v14.1 TurnKey Linux Core container from within the Proxmox UI (i.e. ...). You then installed the DropBear SSH server into Core and configured it to listen on port 12321? FWIW port 12321 is TKL's default port for Webmin. Then you configured your external firewall to forward incoming (i.e. external internet) connections to 443 to be redirected to DropBear on your Core server (i.e. ...). Then someone hacked into your Core server and you think it's a vulnerability in TurnKey Core?

Assuming that the only way to connect to your server is via DropBear (SSH over port 443), why do you think it's a TurnKey vulnerability? I would guess that it's either a vulnerability in DropBear (which is not included in TurnKey by default) or a brute force attack (assuming that you are using password authentication).

FWIW a brute force SSH attack against a poor password is a really common cause of Linux servers being "hacked", and it's my "go to" guess when I hear of Linux servers being hacked. It sucks, but it's not really a vulnerability, more a configuration shortcoming.

A vulnerability in DropBear would be a bad thing and certainly warrants some response. But seeing as DropBear is not a default component of TurnKey, it's not really a TurnKey vulnerability. It needs to be reported upstream, either to Debian (if installed from the repos) or to DropBear themselves (if installed direct from the DropBear developers). TBH, without some further evidence my guess is still with a brute force attack.

I don't think my response was overly harsh, although in retrospect it perhaps came across as a little defensive. Regardless, it certainly wasn't intended to flame you. I sincerely appreciate the intent of the post, so thank you for posting.

There are a number of reasons why I find it unlikely to be directly TurnKey related. Firstly, TurnKey is based on Debian, which has a track record of taking security really seriously; we auto-install Debian security updates nightly, plus you said you installed them on firstboot too. Whilst we package Shellinabox ourselves, we have been keeping an eye on the version included in the Debian repos (the version in Wheezy and Jessie is essentially the same as the one we package), and I just checked to make sure that there has not been a security bug recorded against it (there hasn't). Additionally, we have hidden Shellinabox behind stunnel to provide an additional layer of security.

Finally, I would guess that there are at least one hundred thousand TurnKey servers running live on the internet, all with Shellinabox (not to mention vanilla Debian servers with it installed). Other than the odd Amazon server that gets brute forced (due to a crappy password), we don't get a lot of support requests for hacked servers. Actually, IIRC I think yours is the third in the last few years. Obviously you've done something a little different by providing Shellinabox via port 443, but it seems incredibly weird that all the thousands of other servers using Shellinabox would be fine, but your server (with only Webshell on 443 available to the internet) is hacked inside of an hour. Unless it was a targeted attack at you, or your IP is normally a target for hackers (e.g. an AWS IP address), then even with a crappy password that is pretty quick.

As I have never had contact with you before, I don't think it's unrealistic to guess that you may have used a crappy password. Especially considering that is the most common cause of hacked servers by far (and you didn't explicitly state that you used a really good one). TBH I've actually had a server hacked myself because of a crappy password I used (a test server that I forgot to destroy when I was finished), so I well know that it can happen, and how quickly, especially in a hostile environment like AWS (where bots are constantly scanning the known IP addresses for exploitable servers). So I'm not saying that there aren't any problems, and I'm not saying that TurnKey security is flawless. But I am saying that you haven't yet convinced me! :) Ok, so hopefully we've got that out of the way?

So to clarify: you set a good root password when you created the container in Proxmox (i.e. ...).
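The brute-force-versus-vulnerability question raised in the thread is one you can usually settle from the server's auth log before blaming the software. The script below is an added example, not code from the thread, from TurnKey or from Dropbear: it groups password-authentication events by source IP and flags a source that failed many times and then logged in, which is what a guessed password looks like. It accepts both Dropbear and OpenSSH log lines, so it covers more than the Dropbear-only setup discussed above. The log lines are constructed; the Dropbear message wording ("Bad password attempt for ..." / "Password auth succeeded for ...") is an assumption based on Dropbear's source strings, the OpenSSH wording follows sshd's "Failed password" / "Accepted password" lines, and the threshold of 10 failures is an arbitrary tuning knob.

```python
"""Triage Dropbear / OpenSSH password-auth log lines for brute-force activity.

Added example, not part of the TurnKey forum thread. The sample log lines are
constructed (TEST-NET addresses, not real hosts). The Dropbear message wording
is an assumption based on Dropbear's source; adjust PATTERNS if your logs differ.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# The syslog prefix (timestamp, host, "dropbear[pid]:") is ignored; only the
# message text is matched. Each pattern yields the auth outcome, user and IP.
PATTERNS = (
    ("fail", re.compile(r"Bad password attempt for '(?P<user>[^']*)' from (?P<ip>[\d.]+):\d+")),
    ("ok",   re.compile(r"Password auth succeeded for '(?P<user>[^']*)' from (?P<ip>[\d.]+):\d+")),
    ("fail", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")),
    ("ok",   re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")),
)


@dataclass
class SourceStats:
    failures: int = 0
    successes: int = 0
    users: set = field(default_factory=set)
    # True when a login succeeded only after `threshold` or more failed guesses
    # from the same source: the signature of a brute-forced password.
    guessed_in: bool = False


def parse_auth_line(line):
    """Return ("fail" | "ok", user, ip) for a password-auth event, else None."""
    for outcome, pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            return outcome, m.group("user"), m.group("ip")
    return None


def analyse(lines, threshold=10):
    """Group password-auth events by source IP and flag brute-force patterns."""
    stats = defaultdict(SourceStats)
    for line in lines:
        parsed = parse_auth_line(line)
        if parsed is None:
            continue  # not a password-auth event (connection, exit, key auth...)
        outcome, user, ip = parsed
        s = stats[ip]
        s.users.add(user)
        if outcome == "fail":
            s.failures += 1
        else:
            s.successes += 1
            if s.failures >= threshold:
                s.guessed_in = True
    return dict(stats)


def noisy_sources(stats, threshold=10):
    """IPs that racked up at least `threshold` failed password attempts."""
    return sorted(ip for ip, s in stats.items() if s.failures >= threshold)


def guessed_in_sources(stats):
    """IPs that failed repeatedly and then got in: the brute-force-success case."""
    return sorted(ip for ip, s in stats.items() if s.guessed_in)


# Constructed sample log: a scanner that guesses its way in, a scanner that
# gives up, and a legitimate admin on an OpenSSH host.
SAMPLE_LOG = []
for i, user in enumerate(["root", "admin", "root", "root", "test", "root",
                          "root", "ubuntu", "root", "root", "root", "root"]):
    SAMPLE_LOG.append(f"Jan 10 03:{i:02d}:11 core dropbear[1234]: "
                      f"Bad password attempt for '{user}' from 198.51.100.7:{40000 + i}")
SAMPLE_LOG += [
    "Jan 10 03:12:40 core dropbear[1234]: Password auth succeeded for 'root' from 198.51.100.7:40012",
    "Jan 10 03:13:02 core dropbear[1234]: Exit (root): Disconnect received",
    "Jan 10 04:01:00 core dropbear[1234]: Bad password attempt for 'pi' from 203.0.113.5:51000",
    "Jan 10 04:01:03 core dropbear[1234]: Bad password attempt for 'oracle' from 203.0.113.5:51001",
    "Jan 10 04:01:05 core dropbear[1234]: Bad password attempt for 'root' from 203.0.113.5:51002",
    "Jan 10 08:30:00 web sshd[777]: Accepted password for admin from 192.0.2.10 port 52000 ssh2",
    "Jan 10 08:35:00 web sshd[778]: Failed password for invalid user guest from 192.0.2.10 port 52001 ssh2",
]

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip in sorted(result):
        s = result[ip]
        print(f"{ip}: {s.failures} failed, {s.successes} ok, "
              f"users={sorted(s.users)}, guessed_in={s.guessed_in}")
    print("noisy sources:", noisy_sources(result))
    print("guessed in:", guessed_in_sources(result))
```

On a real box, feed it the auth log instead of `SAMPLE_LOG` (on Debian the syslog auth facility normally lands in `/var/log/auth.log`, assumed here): a source in `guessed_in_sources()` is strong evidence of a weak password rather than a Dropbear bug, while a successful login with no preceding failures from an unfamiliar address is the case that deserves a closer look.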