Re: [LUG] Server got hacked


What Rob says. Step 1 in any new server install I do is disable root access in ssh - it's a major attack vector. Running a honeypot for a while showed this was pretty much exclusively the username attempted.

Basics for ssh:

Turn off root access. Log in to a username and su or sudo -s if you want a root shell once in.
Turn off internet access to ssh, and if you want it, move the port off 22. None of the scripts I've seen attempt any other port. And as suggested, turn off passwords and go keys only.

And stinga - don't assume it's a know-nothing kiddie; they knew enough to get past things you put in place to stop them. Standard advice once rooted is to wipe your system and start over - you cannot be sure what other ways in they've left behind; modified exes, hidden cronned scripts somewhere, obscure urls accessible... Etc, etc. Honestly, it's usually quicker and always more secure to chalk it up to experience and start over.

And of course, if you had any usernames, passwords, sessions/profiles account details on that box, assume they're now being spread around various hacker sites and change them - yesterday!
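An added example, not part of the list post above: a small POSIX sh audit of an sshd_config for the three settings the reply recommends (no root login, no password authentication, port off 22). It assumes the plain "Keyword value" form of sshd_config (not "Keyword=value") and deliberately honours sshd's rule that the first value found for a keyword wins, so a hardening line appended below an earlier weak one is reported as ineffective.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# settings recommended in the thread. sshd uses the FIRST value it finds for
# a keyword, so later "fixes" lower in the file are silently ignored.

# Print the effective value of a keyword from $1 (config file), or $3 (the
# default to assume) if absent. Case-insensitive, comments skipped, parsing
# stops at the first Match block because values there are conditional.
sshd_effective() {
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1")
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$3"
}

# Report weak settings in $1 and return the number found (0 = clean).
# Defaults passed below are OpenSSH's own (prohibit-password, yes, 22).
audit_sshd() {
    cfg=$1; n=0
    root=$(sshd_effective "$cfg" PermitRootLogin prohibit-password)
    pw=$(sshd_effective "$cfg" PasswordAuthentication yes)
    port=$(sshd_effective "$cfg" Port 22)
    [ "$root" = no ] || { echo "WEAK: PermitRootLogin is '$root' (want no)"; n=$((n+1)); }
    [ "$pw" = no ] || { echo "WEAK: PasswordAuthentication is '$pw' (want no)"; n=$((n+1)); }
    [ "$port" = 22 ] && echo "NOTE: sshd still on default port 22 (scanners look here)"
    return "$n"
}

# Constructed sample: a config that looks fixed but is not, because the
# "no" lines come after the "yes" lines that sshd will actually use.
demo_cfg=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
               '# hardening added later, but too late in the file:' \
               'PermitRootLogin no' 'PasswordAuthentication no' > "$demo_cfg"
audit_sshd "$demo_cfg" || echo "findings: $?"
rm -f "$demo_cfg"
```

Run it against /etc/ssh/sshd_config after editing; a nonzero exit means at least one of the recommended settings is not actually in effect.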

The Mailing List for the Devon & Cornwall LUG
FAQ: http://www.dcglug.org.uk/listfaq