Re: [LUG] Server got hacked


On Mon, 25 Nov 2013, bad apple wrote:
I'm totally with you on not trusting the box, and rebuilding immediately
though, and obviously your password advice is a must as well.

I agree that rebuilding the box is the most sensible thing to do, but depending on what the box is used for, it may not be the most practical thing to do.

But the alternative doesn't have to be doing nothing. Some malware targeting web servers can be pretty stealthy. At the very least I would check the integrity of the web server binary. I would also try to figure out what kind of things they tried to do - that may point to some hidden processes or files they left behind. Also: keep checking the IP address against some DNS blacklists.

As for running SSH on a non-standard port: just as choosing a strong password, or a strong encryption key makes brute force attacks a little more difficult, so does running SSH on port 8967.

On an important server, I don't think it provides enough extra protection to justify doing it, as there is also the added inconvenience and the risk of feeling too safe against SSH brute force attacks.

On a run-of-the-mill web server that only you ever need SSH access to, I can see it making some sense.
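The two checks suggested above (verify the web server binary against a known-good state, and keep checking the server's IP against DNS blacklists) can be scripted. The following is an added example written for this list post, not code from the original poster; it assumes you recorded SHA-256 hashes of your binaries at install time (the package manager's own verification, such as `debsums` or `rpm -V`, does the same job where available). The DNSBL zone names are illustrative, the `resolve` parameter exists so the lookup can be stubbed offline, and the "binaries" in `demo()` are constructed temp files, one tampered with and one deleted, to show the three possible verdicts.

```python
import hashlib
import os
import socket
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries don't sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record {path: sha256} for known-good files (do this right after install,
    and store the result off the box so an intruder can't edit it)."""
    return {p: sha256_of(p) for p in paths}


def verify_baseline(baseline):
    """Return {path: 'ok' | 'modified' | 'missing'} against the stored hashes."""
    verdicts = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            verdicts[path] = "missing"
        elif sha256_of(path) != expected:
            verdicts[path] = "modified"
        else:
            verdicts[path] = "ok"
    return verdicts


def dnsbl_query_name(ip, zone):
    """DNSBLs are queried by reversing the IPv4 octets under the list's zone,
    e.g. 192.0.2.10 in zen.spamhaus.org -> 10.2.0.192.zen.spamhaus.org."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("expected a dotted-quad IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def check_dnsbl(ip, zones, resolve=socket.gethostbyname):
    """Return {zone: True/False}. A listing is an A record in 127.0.0.0/8;
    NXDOMAIN (an OSError from the resolver) means not listed."""
    listed = {}
    for zone in zones:
        name = dnsbl_query_name(ip, zone)
        try:
            answer = resolve(name)
        except OSError:
            listed[zone] = False
            continue
        listed[zone] = answer.startswith("127.")
    return listed


def demo():
    """Constructed scenario: baseline two fake binaries, then tamper with one
    and delete the other. Returns (verdicts, tampered_path, deleted_path)."""
    with tempfile.TemporaryDirectory() as d:
        httpd = os.path.join(d, "httpd")
        sshd = os.path.join(d, "sshd")
        with open(httpd, "wb") as f:
            f.write(b"original httpd bytes")
        with open(sshd, "wb") as f:
            f.write(b"original sshd bytes")
        baseline = build_baseline([httpd, sshd])
        with open(httpd, "ab") as f:       # simulated modification of the binary
            f.write(b"extra bytes")
        os.remove(sshd)                    # simulated missing binary
        return verify_baseline(baseline), httpd, sshd


if __name__ == "__main__":
    verdicts, httpd, sshd = demo()
    for path, verdict in verdicts.items():
        print("%-8s %s" % (verdict, path))
    # Live lookup (needs network); zone names here are illustrative.
    print(check_dnsbl("192.0.2.10", ["zen.spamhaus.org", "bl.spamcop.net"]))
```

Run the baseline step once on a clean install and keep the hash file somewhere the server cannot write to; run `verify_baseline` and `check_dnsbl` from cron and alert on anything other than "ok" / not listed.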
