[ILUG] Compromised by ssh...

Rory Browne rory.browne at gmail.com
Tue Oct 31 19:48:36 GMT 2006


Probably the easiest thing to do is re-install the OS, with a new copy
of everything outside of /home. Then mount /home with a few security-
enhancing options, including noexec + no-various-other-things-you-see-fit,
as required.

It might also be a good idea to mount it under /oldhome (or something
similar), create a new /home, and selectively copy stuff from /oldhome
as required.

On 10/31/06, Rick Moen <rick at linuxmafia.com> wrote:
>
> Quoting Conor Daly (conor.daly_ilug at cod.homelinux.org):
>
> > Grr.
> >
> > Due to a weak password on one of the kid's accounts and turning on
> > password authentication in ssh (see the thread on nxserver), our home
> > server got cracked.  As far as I can tell, the only thing compromised was
> > the particular account.
>
> You unfortunately are (almost certainly) in no position to know that.
> Backdoor mechanisms to permit the intruder re-entry are typically
> concealed in a number of places, redundantly.  People often find this
> out the hard way, by "expelling" the intruder multiple times, each time
> being puzzled to find him/her returning.
>
> > I'm rebuilding the server but I'm just wondering if I'll need to clean out
> > all the user accounts too.
>
> Er, you should sit down and consider what files can no longer be
> trusted, and which are merely data.  All executables and
> libraries (including those in ~/bin directories and such), all system
> configuration files, and all user dotfiles are suspect and should be
> quarantined:  Use the present contents of /etc only for reference during
> your rebuild, and don't let users recycle their former dotfiles.  Change
> all shell passwords, enable libpam_cracklib to force use of meaningfully
> difficult passwords only, and don't let the users back in until they've
> been read the riot act about SSHing in from untrustworthy locations and
> using the same authentication tokens on multiple systems.
>
> More at:  http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
>
> Read 'tips' articles like
> http://www.debian-administration.org/articles/455 attentively (they have
> some arguably good ideas) but sceptically, since security writings by
> most Unix geeks often gravitate towards gadgetry and excessive
> mechanism, without bothering to be clear on threat models.  Mix with
> writings by Marcus J. Ranum and Bruce Schneier, season to taste.
>
> --
> Cheers,             The genius of you Americans is that you never make
> Rick Moen           clear-cut stupid moves, only complicated stupid moves
> rick at linuxmafia.com that make us wonder at the possibility that there may be
>                     something to them that we are missing. --Gamel Abdel Nasser
> --
> Irish Linux Users' Group mailing list
> About this list : http://mail.linux.ie/mailman/listinfo/ilug
> Who we are : http://www.linux.ie/
> Where we are : http://www.linux.ie/map/
>
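As an added example (not code from this thread or from either poster), a small POSIX shell script that combines Rory's rebuild procedure with Rick's rule that dotfiles, ~/bin and executables from the old /home are suspect: it emits the fstab line for a locked-down /home, lists what will be left behind for review, and copies only plain data files. It assumes the old partition is mounted read-only at /oldhome, the new users already exist under /home, and GNU find (for -perm /mode).

```shell
#!/bin/sh
# Added example: rebuild a fresh /home from the quarantined copy at /oldhome.
# Assumed layout: /oldhome/<user> holds the old data, /home/<user> is new and empty.

# fstab entry for the new /home. User data never needs device nodes, setuid
# binaries or direct execution, so deny all three at mount time.
home_fstab_line() {
    # $1 = block device or UUID=... of the /home filesystem (assumed)
    printf '%s /home ext4 defaults,nodev,nosuid,noexec 0 2\n' "$1"
}

# Report what will NOT be copied: dotfiles, dot-directories, bin/ trees and
# any file with an execute bit. Review these by hand instead of restoring them.
list_suspect() {
    # $1 = old home directory of one user, e.g. /oldhome/alice
    find "$1" \( -name '.*' -o -name bin -o \( -type f -perm /111 \) \) \
        -print -prune
}

# Copy only regular, non-executable, non-hidden files, keeping the directory
# tree. Dot-directories and bin/ are pruned so nothing inside them is restored.
copy_safe_home() {
    # $1 = /oldhome/<user> (no trailing slash), $2 = /home/<user>
    src="$1"; dst="$2"
    find "$src" \( -name '.*' -o -name bin \) -prune -o \
        -type f ! -perm /111 -print | while IFS= read -r f; do
        rel="${f#"$src"/}"
        mkdir -p "$dst/$(dirname "$rel")"
        cp -p -- "$f" "$dst/$rel"
    done
}

# Typical use once the new system is installed (paths are assumptions):
#   home_fstab_line UUID=<new-home-uuid> >> /etc/fstab && mount -o remount /home
#   list_suspect /oldhome/alice
#   copy_safe_home /oldhome/alice /home/alice && chown -R alice:alice /home/alice
```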
