On 25/11/13 15:57, Simon Avery wrote:
> What Rob says. Step 1 in any new server install I do is disable root access
> in ssh - it's a major attack vector. Running a honeypot for a while showed
> this was pretty much exclusively the username attempted.
>
> Basics for ssh:
>
> Turn off root access. Login to a username and su or sudo -s if you want a
> root shell once in.
> Turn off internet access to ssh, and if you want it, move the port off 22.
> None of the scripts I've seen attempt any other port. And as suggested,
> turn off passwords and go keys only.
>
> And stinga - don't assume it's a know-nothing kiddie; they knew enough to get
> past things you put in place to stop them. Standard advice once rooted is
> to wipe your system and start over - you cannot be sure what other ways in
> they've left behind; modified exes, hidden cronned scripts somewhere,
> obscure urls accessible... Etc, etc. Honestly, it's usually quicker and
> always more secure to chalk it up to experience and start over.
>
> And of course, if you had any usernames, passwords, sessions/profiles
> account details on that box, assume they're now being spread around various
> hacker sites and change them - yesterday!

Simon, you'd probably be interested in this, if you haven't seen it already:

http://bsdly.blogspot.co.uk/2013/10/the-hail-mary-cloud-and-lessons-learned.html

Amongst other things, he points out that moving SSH ports is a waste of time - if you can't lock down your SSH service properly in the first place, a non-standard port isn't going to help! I've personally seen countless attempts by botnets sniffing for SSH on non-standard ports across my systems.

I'm totally with you on not trusting the box, and rebuilding immediately though, and obviously your password advice is a must as well.

Let's hope for more details from Stinga when he's finished locking everything down again. I love post-hack forensics!
Regards

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
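The three sshd settings the thread recommends (no root login, no password authentication, keys only) can be checked before a host goes live. This is an added example, not code from the list or from either poster; it audits a constructed sample sshd_config (names and values below are made up) and reports which settings still need attention.

```shell
#!/bin/sh
# Audit an sshd_config for the hardening settings discussed in the thread:
# no root login, no password authentication, public-key authentication on.
# The two sample configs below are constructed for this example; they are
# not taken from any real host.
WEAK_CONFIG=$(mktemp)
cat > "$WEAK_CONFIG" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
EOF

HARDENED_CONFIG=$(mktemp)
cat > "$HARDENED_CONFIG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
trap 'rm -f "$WEAK_CONFIG" "$HARDENED_CONFIG"' EXIT

# effective_value FILE KEY: first uncommented value for KEY, which is the one
# sshd honours (keywords are case-insensitive). Match and Include blocks are
# not parsed here; on a live host use `sshd -T` for the effective config.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: findings go to stderr, the finding count to stdout.
audit_sshd_config() {
    n=0
    root=$(effective_value "$1" PermitRootLogin)
    # an unset value counts as a finding: older OpenSSH defaulted it to yes
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "FINDING: PermitRootLogin is '${root:-unset}', should be no" >&2; n=$((n + 1)) ;;
    esac
    pw=$(effective_value "$1" PasswordAuthentication)
    if [ "${pw:-yes}" != "no" ]; then   # sshd default is yes
        echo "FINDING: PasswordAuthentication is '${pw:-unset}', should be no" >&2; n=$((n + 1))
    fi
    pk=$(effective_value "$1" PubkeyAuthentication)
    if [ "${pk:-yes}" != "yes" ]; then  # sshd default is yes
        echo "FINDING: PubkeyAuthentication is '$pk', should be yes" >&2; n=$((n + 1))
    fi
    echo "$n"
}

echo "weak config findings: $(audit_sshd_config "$WEAK_CONFIG")"         # 2
echo "hardened config findings: $(audit_sshd_config "$HARDENED_CONFIG")" # 0
```

Point `audit_sshd_config` at `/etc/ssh/sshd_config` on a host to check it; a non-zero count means one of the settings from the thread is still at its permissive value.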