LINUX.IE, website of the Irish Linux Users' Group
Tux rules!

   
Home
New Users
Articles
Download
Projects
Community
Vendors

  Print Version
Email to...
 
Archives:


planetILUG

Recent News

News Archive


Join the
ILUG
on FaceBook


Join the
ILUG
on LinkedIn


Join the
ILUG SETI
Group



















 
 :: Mailing Lists

[ILUG] Compromised by ssh...

[ILUG] Compromised by ssh...

Rick Moen rick at linuxmafia.com
Tue Oct 31 17:13:42 GMT 2006 

Quoting Conor Daly (conor.daly_ilug at cod.homelinux.org):

> Grr.
> 
> Due to a weak password on one of the kid's accounts and turning on
> password authentication in ssh (see the thread on nxserver), our home
> server got cracked.  As far as I can tell, the only thing compromised was
> the particular account. 

You unfortunately are (almost certainly) in no position to know that.
Backdoor mechanisms to permit the intruder re-entry are typically
concealed in a number of places, redundantly.  People often find this
out the hard way, by "expelling" the intruder multiple times, each time
being puzzled to find him/her returning.

> I'm rebuilding the server but I'm just wondering if I'll need to clean out
> all the user accounts too.  

Er, you should sit down and consider what files can no longer be
trusted, and which are merely data.  All executables and
libraries (including those in ~/bin directories and such) , all system
configuration files, and all user dotfiles are suspect and should be
quarantined:  Use the present contents of /etc only for reference during
your rebuild, and don't let users recycle their former dotfiles.  Change
all shell passwords, enable libpam_cracklib to force use of meaningfully
difficult passwords only, and don't let the users back in until they've 
been read the riot act about SSHing in from untrustworthy locations and 
using the same authentication tokens on multiple systems.

More at:  http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

Read 'tips' articles like
http://www.debian-administration.org/articles/455 attentively (they have
some arguably good ideas) but sceptically, since security writings by
most Unix geeks often gravitate towards gadgetry and excessive
mechanism, without bothering to be clear on threat models.  Mix with
writings by Marcus J. Ranum and Bruce Schneier, season to taste.

-- 
Cheers,             The genius of you Americans is that you never make 
Rick Moen           clear-cut stupid moves, only complicated stupid moves 
rick at linuxmafia.com that make us wonder at the possibility that there may be 
                    something to them that we are missing. --Gamel Abdel Nasser

More information about the ILUG mailing list
Read this without the formatting.
                                                                                                    

  

Hosted by HEAnet


 Maintained by the ILUG website team. The aim of Linux.ie is to support and help commercial and private users of Linux in Ireland. You can display ILUG news in your own webpages, read backend information to find out how. Networking services kindly provided by HEAnet, server kindly donated by Dell. Linux is a trademark of Linus Torvalds, used with permission. No penguins were harmed in the production or maintenance of this highly praised website. Looking for the Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
RSS Version
Powered by Dell