CyberPanel

After receiving an abuse report from my hosting provider on 28.10.2024, a few exciting days began. A security researcher discovered an RCE (Remote Code Execution) vulnerability in the software of my self-hosted web hosting panel CyberPanel (GitHub). Unfortunately, he also published an exploit in his blog post dated 27.10.2024. It didn’t take long before thousands of web hosting servers and even more websites were infected with crypto-mining malware or with ransomware that encrypted files as .psaux, .encryp, .locked, etc., took over the server or rendered it unusable.

Image: Notification message from a server affected by ransomware.
The ransom demands were also paid in Bitcoin, by the way.

The need was great, and the precautions for my website proved to be rather inadequate. Who would have thought that a small private website would become the target of a major attack? Well, anyway, I was lucky. I had various backups and knew how to restore them because I had migrated from one hosting provider to another a few weeks earlier. Still, it took a while and cost a lot of nerves. I learned a lot in the process and realized that every Virtual Private Server must be secured to the maximum. In this article, I have loosely compiled a few points. Maybe they will help someone.

1. Set up and harden the VPS

Note: This tutorial uses an Ubuntu 22.04 LTS server. You can find a guide to setting up an Ubuntu VPS here, for example: 7.1 – General – Setting up a Virtual Private Server (VPS). The minimum requirement is 2 GB RAM.

Root Login:

ssh root@yourIPaddress

1.1 Basics

Update / Upgrade
apt update && apt upgrade -y

-> You may need to press Enter.

Note: The ufw (uncomplicated firewall) is not installed here because a firewall (firewalld) will come later with CyberPanel.

fail2ban
apt install fail2ban -y 
systemctl enable fail2ban
systemctl start fail2ban
systemctl status fail2ban

-> Confirm twice with Enter.

Note: Swapfile is not installed here because it will be set up automatically later with CyberPanel.

1.2 Create a dedicated user

For greater security, we create a new user who will be used for future logins. Although this user also has „root“ privileges, they must always identify themselves with their password. This provides more security, better traceability, and protection against human errors.

adduser cypherpunk

-> Set a password; the rest of the data input is optional.

usermod -aG sudo cypherpunk 

-> Assign root privileges to the user.

Important: Edit the OpenSSH server configuration file.

sudo nano /etc/ssh/sshd_config  

Add the following line:

AllowUsers cypherpunk

-> CTRL+X -> Y -> Enter

Note: If you still want to access the VPS with the „root“ user, you must also add the line AllowUsers root to the configuration file if it is not already present. Otherwise, when attempting to log in as the „root“ user, you will see the error message „Permission denied, please try again.“ After five failed attempts, access will be completely blocked for 10 minutes as Fail2ban blocks all connections.

Now shut down the VPS, optionally take a snapshot, and restart everything from scratch.

sudo systemctl poweroff

-> To create a backup of your Virtual Private Server as a snapshot, you will surely find a corresponding function on the website of your VPS hosting provider. This creates a complete image of your disk or VPS. You can restore this at any time to revert the server to a previous state. Then restart the server via the website and log in with the new user from now on.

ssh cypherpunk@yourIPaddress

2. Install and Configure Cyber Panel

2.1 Installing Cyber Panel

Note: To follow this tutorial, the hostname of the server should not match your domain name. So, do not use yourdomain.xyz. Instead, name the host something like „CyberPanel“.

sudo su - -c "sh <(curl https://cyberpanel.net/install.sh || wget -O - https://cyberpanel.net/install.sh)"

-> During the installation: 1+Enter, 1+Enter, 6x Enter

Attention: At the end of the installation, the CyberPanel access credentials will be displayed:

   ...
   CyberPanel Successfully Installed
   ...
   Visit: https://yourIPaddress:8090
   Panel username: admin
   Panel password: bAJWFpasswordWEjV6
   ...

-> After saving the data, confirm the message Would you like to restart your server now? [y/N]: with ENTER.
-> sudo systemctl poweroff and create a snapshot.

2.2 Setting up Cyber Panel

After logging into CyberPanel, you will see the „Set-up Wizard“ at the top. This helps you set up the first website. Ideally, the A and AAAA records already point to the IP address of the CyberPanel server. Log into CyberPanel and follow these steps.

1. If available, use the „Set-up Wizard“ displayed at the top. It simplifies setting up the first website.
2. If it is no longer displayed, you can manually set up the website under MAIN > Websites > New Website if not already done.
3. Create an FTP account on the new server under MAIN > FTP with username: yourusername => admin_yourusername. You know the IP address, the port is 21, and FileZilla can be used as the FTP client.
4. If you are setting up CyberPanel anew to migrate an existing version, after restarting CyberPanel, you can preconfigure the PHP version under MAIN > Websites > New Websites > Manage > Change PHP. You can find the version in the „Website Status Report“, see point 3.1 / guideline point 5.

3. Data Backup and Migration

Before we can restore or migrate data, we first need to back it up.

3.1 Data Backup

I recommend at least three methods of data backup:

A. Snapshots of the entire VPS: Manually in between, before updates, etc., and on a schedule.
B. Automatic, scheduled backups to external cloud drives using plugin software like UpdraftPlus.
C. Manually back up the data, the database, and a current website status report.

For points A and B, there is sufficient information available from hosting providers and plugin developers on the internet. For method C, I have put together a small guide here:

1. Create a folder on your local computer named YYMMDD.
2. In the CyberPanel web server under MAIN > Websites > List Websites > yourdomain.xyz > File Manager, compress the folder public_html with .tar.gz.
3. Download the file public_html.tar.gz and save it in the directory.
4. Export the MySQL database of the website using phpMyAdmin under MAIN > Database > PHPMYAdmin. Mark the database directory your_databasename on the left, export it (Quick and SQL). Save the download your_databasename.sql in the folder as well.
5. In WordPress under Tools > Site Health > Info, copy the „Website Status Report“ to the clipboard and create a text file in the backup folder where you paste and save the report. It contains important information such as the PHP version and plugins used.

Note: Clean up the database beforehand to avoid complications during the import. If the website is older and has undergone many updates/upgrades, it may contain unnecessary data, numerous revisions, and broken links that could cause conflicts during the import. Therefore, use a plugin like WP-Sweep, WP Optimize, or Advanced Database Cleaner on the WordPress admin page to clean the database beforehand. This also saves storage space. phpMyAdmin also offers a cleanup tool, but sometimes this alone is not sufficient.

Recommendation: If you want an external backup of a page’s current WordPress formatting and text, switch to Editor > Code Editor at the top right of the WordPress Block Editor. You can now select all the code of the page as text and copy it to the clipboard. Simply save the content in a text file on your computer.

3.2 Data Restoration / Data Migration

3.2.1 Transfer Data

Restoring a snapshot at the VPS hosting provider is straightforward. Restoring using UpdraftPlus is also well documented. Manually migrating the backup data and database, however, requires some steps you should be aware of. Here’s how to restore data from the backup folder following method C to a newly set up server.

1. Use FileZilla to upload the files public_html.tar.gz and your_databasename.sql to the directory.
2. In CyberPanel under Websites > List Websites > File Manager, extract the compressed folder public_html.tar.gz and move it to the folder public_html.

3.2.2 Migrate Data

1. Create an empty database with Database > Create Database:

Enter -> databasename, username and password
databasename: your_databasename
username: your_username
password: …

2. Log into the server using the Command Line Interface (CLI) and import the database:
mysql -u your_username -p your_databasename < /home/yourdomain.xyz/public_html/your_databasename.sql
Note: The password is for the new empty database that was created earlier, not the old database.

3.2.3 Configure Database Connection

1. In CyberPanel, open the file public_html/wp-config.php in the File Manager of the site.
2. Set the new values for DatabaseName, UserName, and Password, and ensure the host is set to localhost.

Check the PHP version used from the „Website Status Report“ in the backup and, if necessary, configure it under MAIN > Websites > New Websites > Manage > Change PHP.

3.2.4 Final Steps

1. Don’t forget: If you have a new server with a new IP, update the IP forwarding as well. At your domain provider, set the A and AAAA records to the new VPS IP with CyberPanel. Then check, for example, with: nslookup.io.
2. Restart the VPS once with systemctl reboot.
3. To test, you can create a text file named neu.txt in ./public_html/. You should be able to access the file in your browser with yourdomain.xyz/neu.txt.
4. If you still get TLS/SSL error messages, issue a certificate in CyberPanel under MAIN > SSL > Manage SSL > Issue SSL.

4. Options for Advanced Hardening

The following methods to further enhance security are relevant and effective. However, errors often occur, and you might lock yourself out. First, create a snapshot of your VPS so you can always revert back. Then proceed very slowly, step by step, testing the new access before disabling anything. Also, remember that CyberPanel includes its own firewall, which you can configure directly in CyberPanel. For example, you can allow or close individual ports for SSH access there.

4.1 Use SSH Key

Using SSH key pairs might seem complicated and confusing at first, but once you understand it, it’s quite straightforward. Let ChatGPT explain:

An SSH key pair is a type of security tool used for securely logging into a computer or server. Think of it as a lock and a matching key that work together to open a door—only here, it’s about digital security.

Here are the two parts of the SSH key pair:

1. Private Key: This is like your personal, secret key. You should never share it with anyone. It always stays secure on your computer.

2. Public Key: This is like the lock you install on the server. It can be seen by others, as it doesn’t matter if it is public. The public key is copied to the server you want to log into.

How does it work?

1. When you want to log into a server, the server checks your public key.
2. Your computer (with the private key) "communicates" with the server, and the server ensures that the private key matches the public key.
3. If they match, you are logged in.

This method is secure because only the person with the matching private key can log in. Since the private key remains secret and is never sent, the likelihood of a hacking attack is much lower than with a password.

You can easily generate a key pair on your computer yourself. Open your terminal as if you were logging in, and then generate a key pair with the following command:

ssh-keygen

First, you will be asked where you want to save the key pair. If you simply press ENTER, the suggested path and file name in brackets will be used. Then you’ll be prompted to „Enter passphrase“. Here you can encrypt the key with an additional password. This passphrase is the password to decrypt the private key. When you log into the remote server, the private key must be decrypted with the passphrase. However, you will no longer need the user password to log in. The passphrase is optional but offers additional security. Make sure not to lose the key file or the passphrase. Below is an image showing how to generate an SSH key pair on a Windows 11 computer.

Image: Generating an SSH key pair

Ed25519 is a modern asymmetric encryption algorithm. The private key id_ed25519 and the public key id_ed25519.pub are stored on your computer in the path C:\User\User\.ssh. They are two files you can open and read with a simple text reader like Notepad. Alternatively, you can use the cat id_ed25519.pub command to display the key in the terminal. The known_hosts file is created by your computer to store private keys of other computers. It serves only to verify the authenticity of the other computer.

Quick Note: If you reinstall your server, it generates a new key pair, and you might see the following warning message.

Image: Warning message „man-in-the-middle attack“

In this case, you can stay calm because you now know why the message appears: the key changed with the reinstallation. To resolve this, you just need to remove the key from the known_hosts file. When you log in again, your computer will save the server’s new key in this file. The warning message also indicates where the file is located. In this case: C:\Users\axels\.ssh.

Let’s continue… Now you can read the contents of the public key id_ed25519.pub, copy it to your clipboard, and paste it into the authorized_keys file on your CyberPanel server:

mkdir -p ~/.ssh && chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys

-> CTRL+X -> Y -> ENTER.

Now you can test the key by logging out with exit and then logging back in. Either you’ll log in as if by magic, or, if you’ve set a passphrase for the key, you’ll be asked for it to decrypt the private key before being logged in.

Important: You need to save the keys for both the root and cypherpunk users. Log in to both accounts and save the keys.

Note: If you press ENTER at the SSH key login prompt, it will fall back to a password prompt. Try it out!

Note: You can now view the SSH keys you’ve added in CyberPanel under SERVER > Security > Secure SSH > SSH Keys.

4.2 Disable Password Login

If you have secure access using your SSH key, you can disable password login. Before doing so, set up a second device as a backup to access the server if needed. Alternatively, you can securely store the private key id_rsa (on Windows). The public key is not sensitive, but the private key is.

To disable password login:

sudo nano /etc/ssh/sshd_config

Set PasswordAuthentication to no:

PasswordAuthentication no

-> CTRL+X -> Y -> ENTER

Restart the SSH server:

sudo systemctl restart ssh

-> Log back in and skip the SSH key prompt by pressing ENTER. You should no longer see a password prompt. This applies to both users.

4.3 Disable Foreign SSH Keys

In the .ssh directory of the root user, there is a private and public key pair named cyberpanel. I couldn’t find a use for them, so I disabled them.

nano ~/.ssh/cyberpanel
nano ~/.ssh/cyberpanel.pub

-> Add „NO_“ at the beginning of each key to invalidate them.
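
Whether a key can be used to log in to this server is decided by ~/.ssh/authorized_keys, not by the key pair files lying next to it. The following added example (not part of the original article and not CyberPanel code) checks whether the key in a .pub file is listed in an authorized_keys file; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: is the key from a .pub file accepted for login via authorized_keys?
# Keys are compared by their base64 blob, so comments and option prefixes do not matter.

# Print the base64 blob of every key line on stdin. A key line has the form
# "[options] keytype base64 [comment]"; the blob is the field after the key type.
key_blobs() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(ed25519|rsa|dss)|ecdsa-sha2-|sk-)/) { print $(i + 1); next }
        }'
}

# Return 0 if a key from pub_file is listed in auth_file, 1 otherwise.
key_is_authorized() {
    pub_file=$1
    auth_file=$2
    [ -r "$pub_file" ] && [ -r "$auth_file" ] || return 1
    for blob in $(key_blobs < "$pub_file"); do
        if key_blobs < "$auth_file" | grep -qxF -- "$blob"; then
            return 0
        fi
    done
    return 1
}

# Constructed sample files (not real keys) so the example runs offline.
make_sample() {
    mkdir -p "$1"
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABconstructedPANELKEY root@host' > "$1/cyberpanel.pub"
    cat > "$1/authorized_keys" <<'EOF'
# constructed authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedADMINKEY cypherpunk@laptop
no-pty,from="192.0.2.10" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABconstructedPANELKEY panel
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
if key_is_authorized "$tmp/cyberpanel.pub" "$tmp/authorized_keys"; then
    echo "cyberpanel.pub is authorized for login"
else
    echo "cyberpanel.pub is not in authorized_keys"
fi
rm -rf "$tmp"
```

On the server, point the function at /root/.ssh/cyberpanel.pub and /root/.ssh/authorized_keys.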

4.4 Disable Root User Login

The root user is a known target for attacks, so you can disable its login. You have two options: disable it through the CyberPanel firewall under SERVER > Security > Secure SSH > Basic > Permit Root Login, or directly via the console:

sudo nano /etc/ssh/sshd_config

Set the following lines:

PermitRootLogin no
# AllowUsers root

-> CTRL+X -> Y -> ENTER

Note: With # AllowUsers root commented out, toggling the „Root User“ option in CyberPanel is also disabled. If you want to manage this through CyberPanel, remove the # in front of AllowUsers root. Then only the yes/no of PermitRootLogin applies.

Restart the SSH server:

sudo systemctl restart ssh

-> Try logging in as root. It should no longer work. Only the cypherpunk user should now work with the SSH key.

4.5 Customize Port Access (SSH Port 22 -> 1001)

You can freely choose the new SSH port for access, for example, port number 1001. Since CyberPanel manages the firewall and ports for you, you also need to enable the port there. Go to CyberPanel under SERVER > Security > Firewall and set the rule:

Rule Name = SSHnew / tcp / 0.0.0.0/0 / Port = 1001

-> You should now see the new port rule in the list.

Next, add the port to the sshd_config file:

sudo nano /etc/ssh/sshd_config

Add an additional line for the port:

Port 1001

-> CTRL+X -> Y -> ENTER

sudo systemctl restart ssh

Log out with exit and log back in using a slightly modified command:

ssh -p 1001 cypherpunk@yourIPaddress

-> Note the -p 1001. The opening of port 1001 now applies to all users.

Now disable the default port 22 in the CyberPanel firewall. Go to SERVER > Security > Firewall and delete the entry for port 22.

Next, disable port 22 access in the SSH config:

sudo nano /etc/ssh/sshd_config

Comment out the line for port 22 by adding a #:

# Port 22

CTRL+X -> Y -> ENTER

Restart the service:

sudo systemctl restart ssh

Reboot the server, log out with exit, and log back in to check access, hoping you haven’t locked yourself out. 😉

This adds a significant layer of security to your server. 💪 You’ve left just one small hidden door open. Keep the access and knowledge about it secure.
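
sshd takes the first value it finds for most keywords, and the stock Ubuntu 22.04 sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, so a drop-in file there can override the lines edited in sections 4.2 to 4.5; sudo sshd -T prints the configuration the daemon actually uses. The following added example (not from the original article) checks such a dump against the target state of this tutorial; the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: check an `sshd -T` dump against the target state of sections 4.2-4.5.
# Reads the dump on stdin, prints one line per finding, returns the number of FAIL findings.

audit_sshd_dump() {
    want_port=${1:-1001}          # port chosen in section 4.5
    want_user=${2:-cypherpunk}    # user created in section 1.2
    awk -v port="$want_port" -v user="$want_user" '
        { key = tolower($1) }
        key == "passwordauthentication" { pw = $2 }
        key == "permitrootlogin"        { root = $2 }
        key == "port"                   { ports[$2] = 1 }
        key == "allowusers"             { for (i = 2; i <= NF; i++) users[$i] = 1 }
        END {
            n = 0
            if (pw != "no")   { print "FAIL passwordauthentication is " (pw == "" ? "unset" : pw); n++ }
            if (root != "no") { print "FAIL permitrootlogin is " (root == "" ? "unset" : root); n++ }
            if (!(port in ports)) { print "FAIL sshd does not listen on port " port; n++ }
            for (p in ports) if (p != port) { print "FAIL sshd still listens on port " p; n++ }
            if (!(user in users)) { print "FAIL " user " is not in allowusers"; n++ }
            for (u in users) if (u != user) { print "WARN allowusers also permits " u }
            exit n
        }'
}

# Constructed excerpt of `sshd -T` output: a drop-in file has re-enabled
# password login and the old port 22 line was never removed.
sample_dump() {
    cat <<'EOF'
port 22
port 1001
permitrootlogin no
passwordauthentication yes
allowusers cypherpunk
EOF
}

sample_dump | audit_sshd_dump 1001 cypherpunk || echo "findings: $?"
```

On the server, run sudo sshd -T | audit_sshd_dump 1001 cypherpunk after each change. Running sudo sshd -t before every sudo systemctl restart ssh catches syntax errors in sshd_config before they can stop the daemon.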

4.6 Close Unused Ports

Depending on how you use CyberPanel, you may require various ports to remain open. However, if you don’t use certain features like email, you can close all related ports. Other ports are optional. Personally, I only use the basic functions, which include ports: 8090, 80, 443, 21, and 22 or 1001. All other ports are closed or removed from the firewall settings. To do this, go to SERVER > Security > Firewall and delete all unnecessary ports.

4.7 Disable CyberPanel

What isn’t running can’t be exploited. The websites themselves run without an active CyberPanel.

Here are some useful commands to stop CyberPanel, disable its autostart, start it, enable its autostart, and check its status. You can disable CyberPanel anytime if it’s not needed. „Stop“ only applies to the session; CyberPanel will be active again after a reboot. „Disable“ will permanently disable CyberPanel. „Enable“ will re-enable it. „Status“ shows the current status.

sudo systemctl stop lscpd
sudo systemctl disable lscpd
sudo systemctl start lscpd
sudo systemctl enable lscpd
sudo systemctl status lscpd

5. Appendix

5.1 Sources and Further Information

Website: https://www.cyberpanel.net
Forum: https://forums.cyberpanel.net or https://community.cyberpanel.net/
Wiki: https://docs.cyberpanel.net
Documentation: https://cyberpanel.net/docs/
GitHub: https://github.com/usmannasir/cyberpanel

5.2 View and Upgrade CyberPanel Version

Check CyberPanel version and commit:

cd /usr/local/CyberCP/
sudo git log -1

You can check for new versions and commits in the GitHub repository: https://github.com/usmannasir/cyberpanel

Upgrade CyberPanel:

sudo su - -c "sh <(curl https://raw.githubusercontent.com/usmannasir/cyberpanel/stable/preUpgrade.sh || wget -O - https://raw.githubusercontent.com/usmannasir/cyberpanel/stable/preUpgrade.sh)"

-> Now restart the entire server so the firewall is reactivated: sudo systemctl reboot

Note: If you encounter the following error during the upgrade:

 TypeError: canonicalize_version() got an unexpected keyword argument 'strip_trailing_zero'

Perform a Pip package update:

sudo pip install packaging==22

The complete error message can be found at pastebin.com.

Option: Ubuntu System Update
sudo su -
apt update && apt upgrade -y
reboot

5.3 fail2ban Log Files

# Show the complete log file
sudo cat /var/log/fail2ban.log
# Count the bans per IP address, sorted by number of bans
sudo awk '($(NF-1) == "Ban"){print $NF}' /var/log/fail2ban.log \
  | sort | uniq -c | sort -n

For more information, visit here.

5.4 Check CyberPanel Firewall

You can view the CyberPanel firewall status under SERVER > Security > Firewall. Check it directly and view logs via the command line:

sudo systemctl status firewalld
sudo journalctl -u firewalld

The SSH port settings, root login, and stored SSH keys can be viewed or changed under SERVER > Security > Secure SSH.

axelhamburch@ereignishorizont.xyz