D&C GLug - Home Page

[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]

Re: [LUG] Server got hacked


On 25/11/13 15:57, Simon Avery wrote:
> What Rob says. Step 1 in any new server install I do is disable root access
> in ssh - it's a major attack vector. Running a honeypot for a while showed
> this was pretty much exclusively the username attempted.
> Basics for ssh:
> Turn off root access. login to a username and su or sudo -s if you want a
> root shell once in.
> Turn off internet access to ssh, and if you want it, move the port off 22.
> None of the scripts I've seen attempt any other port.  And as suggested,
> turn off passwords and go keys only.
> And stinga - don't assume it's a no-nothing kiddie; they knew enough to get
> past things you put in place to stop them. Standard advice once rooted is
> to wipe your system and start over - you cannot be sure what other ways in
> they've left behind; modified exes, hidden cronned scripts somewhere,
> obscure urls accessible... Etc, etc. Honestly, it's usually quicker and
> always more secure to chalk it up to experience and start over.
> And of course, if you had any usernames, passwords, sessions/profiles
> account details on that box, assume they're now being spread around various
> hacker sites and change them - yesterday!

Simon, you'd probably be interested in this, if you haven't seen it already:


Amongst other things, he points out that moving SSH ports is a waste of
time - if you can't lock down your SSH service properly in the first
place, a non-standard port isn't going to help!

I've personally seen countless attempts by botnets sniffing for SSH on
non-standard ports across my systems.

I'm totally with you on not trusting the box, and rebuilding immediately
though, and obviously your password advice is a must as well.

Let's hope for more details from Stinga when he's finished locking
everything down again. I love post-hack forensics!


The Mailing List for the Devon & Cornwall LUG
FAQ: http://www.dcglug.org.uk/listfaq