Default passwords should be changed

Hello, all.
I’ve recently installed qiime2 on virtual machine and exported it on public IP address, so my student was able to analyse his data on my server. I’ve performed basic security-related measures myself - changed passwords for qiime2 and root users to random ones, as I’ve seen that /home directory contained only qiime2 folder - my fault, I didn’t check /etc/passwd - otherwise I would notice ubuntu user.

Two days later, some kind of bot has figured out that this IP has ssh port open and found ssh password of ubuntu user. Some time later it started mining some cryptocurrency using this VM.

So, my gentle request to developers: please, specify in the documentation explicitly, that if one uses your published VMs on public IP address, he or she is responsible for altering passwords (or disabling remote logins for) users qiime2 AND ubuntu.
To do this, it’s enough to issue:
sudo passwd ubuntu
passwd qiime2

And consider tuning firewall to allow only authorized IP addresses to connect via ssh. (There is a good guide for simple firewall scenarios in official ubuntu documentation - )

1 Like

Hey there @mickvav!

Bummer! :robot: :dollar:

We can add a note about what user accounts are present (open issue), thanks for the suggestion!

I think this is going to be pretty specific to whoever is doing the work to host these machines as a service, and will reflect their internal architecture, so I am a bit wary to include that in the general user docs. If you wanted to share what you did in a Community Tutorial though, that would be pretty cool!

Thanks! :qiime2: :t_rex: