[ILUG] Compromised by ssh...
rick at linuxmafia.com
Tue Oct 31 17:13:42 GMT 2006
Quoting Conor Daly (conor.daly_ilug at cod.homelinux.org):
> Due to a weak password on one of the kid's accounts and turning on
> password authentication in ssh (see the thread on nxserver), our home
> server got cracked. As far as I can tell, the only thing compromised was
> the particular account.
You unfortunately are (almost certainly) in no position to know that.
Backdoor mechanisms to permit the intruder re-entry are typically
concealed in a number of places, redundantly. People often find this
out the hard way, by "expelling" the intruder multiple times, each time
being puzzled to find him/her returning.
> I'm rebuilding the server but I'm just wondering if I'll need to clean out
> all the user accounts too.
Er, you should sit down and consider what files can no longer be
trusted, and which are merely data. All executables and
libraries (including those in ~/bin directories and such), all system
configuration files, and all user dotfiles are suspect and should be
quarantined: Use the present contents of /etc only for reference during
your rebuild, and don't let users recycle their former dotfiles. Change
all shell passwords, enable libpam_cracklib to force use of meaningfully
difficult passwords only, and don't let the users back in until they've
been read the riot act about SSHing in from untrustworthy locations and
using the same authentication tokens on multiple systems.
More at: http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
Read 'tips' articles like
http://www.debian-administration.org/articles/455 attentively (they have
some arguably good ideas) but sceptically, since security writings by
most Unix geeks often gravitate towards gadgetry and excessive
mechanism, without bothering to be clear on threat models. Mix with
writings by Marcus J. Ranum and Bruce Schneier, season to taste.
Cheers,
Rick Moen
rick at linuxmafia.com

The genius of you Americans is that you never make clear-cut stupid moves,
only complicated stupid moves that make us wonder at the possibility that
there may be something to them that we are missing. --Gamel Abdel Nasser
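Two checks that follow from the advice above, written as an added example rather than anything from the post or its author: the effective PasswordAuthentication value in an sshd_config (the setting whose enabling let a weak password be guessed), and the per-user files the post says must be quarantined instead of recycled. The fixture directory, its file contents and the home path are constructed for the demonstration; Match blocks in sshd_config are assumed absent.

```shell
#!/bin/sh
# Added example, not code from the original post. Run with "demo" to print
# both checks against a constructed fixture.

# sshd honours the FIRST occurrence of a keyword; later duplicates are
# ignored and the compiled-in default is "yes". Match blocks are not
# handled (assumption: a flat config file).
sshd_password_auth() {
    awk 'tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# Files under a home directory that the post says cannot be trusted after a
# compromise: dotfiles and dot-directories (including .ssh/authorized_keys)
# and anything under ~/bin. Plain data files are left alone.
suspect_home_files() {
    find "$1" \( -path "$1/.*" -o -path "$1/bin/*" \) -type f | sort
}

# Number of suspect files, for a per-user summary during the rebuild.
count_suspect() {
    suspect_home_files "$1" | wc -l | tr -d ' '
}

# Constructed fixture (NOT real data): a config whose second line looks like
# it disables password logins but is ignored, plus a home directory with a
# planted key, a dotfile, a ~/bin binary and one harmless data file.
make_fixture() {
    d=$(mktemp -d)
    printf 'PasswordAuthentication yes\nPasswordAuthentication no\n' > "$d/sshd_config"
    mkdir -p "$d/home/kid/.ssh" "$d/home/kid/bin"
    printf 'ssh-ed25519 PLACEHOLDER-KEY planted@example\n' > "$d/home/kid/.ssh/authorized_keys"
    printf 'alias ls=/tmp/.x/ls\n' > "$d/home/kid/.bashrc"
    printf '#!/bin/sh\n' > "$d/home/kid/bin/ls"
    printf 'holiday photos\n' > "$d/home/kid/photos.txt"
    echo "$d"
}

if [ "${1:-}" = "demo" ]; then
    fx=$(make_fixture)
    echo "effective PasswordAuthentication: $(sshd_password_auth "$fx/sshd_config")"
    echo "files to quarantine under $fx/home/kid:"
    suspect_home_files "$fx/home/kid"
    rm -rf "$fx"
fi
```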