[BlueOnyx:19973] Re: Hacker - what to do next

Michael Stauber mstauber at blueonyx.it
Mon Aug 15 22:48:08 -05 2016


Hi Mitchell,

> If I see this - what should my first (second, third and fourth) move be -
> it's a hacker with the IP listed as China.

Blow it away. Then start fresh and cmuImport. You might perhaps get some
ideas or advice about how to "clean" the box. But it appears the
intruder has at least unprivileged shell access - if not even privileged
shell access. That means: All bets about the integrity of the box are
off. The only safe and reasonable approach is to restore from the backups.

As for locking a box down and preventing this: Never administer the box
through insecure means. So no Telnet or non-HTTPS GUI access. Any user
who has a shell must never connect to any service on the box in a
fashion that transmits the login details in the clear. Ideally: Only you
should have shell access to begin with. Even users who don't have a
shell should not connect to any service without using TLS or SSL.

My recommendation is to only allow GUI access via HTTPS, which can be
configured via the GUI itself.

SSH: Even if you don't have APF installed you can use the GUI to
reasonably secure it:

- Generate an SSH key and PEM certificate via the GUI. I recommend a
minimum key length of 4096 bit.

- Turn off password authentication for SSH

- Only log in via SSH key or PEM certificate.

If APF is installed: The SSH GUI management page then gets extended by
an APF module and you can lock down SSH access via GeoIP, so that logins
only work from certain countries. Additionally you could add APF rules
to only allow logins from certain IP addresses. Use this to make SSH
inaccessible to everyone but your own static IP addresses that you use
to administer the box.

FTP, POP3, IMAP: Turn off all non-SSL services and only use the SSL/TLS
enabled services.

Sendmail: Leave both SMTP and SMTPS on. You could make do with just
SMTPS enabled, but in the longer run this will cause some issues with
receiving emails from stupidly configured other servers that you might
want to receive email from.

If a site uses Webmail or login forms that take account information
(username + password), it should have SSL enabled. If it doesn't warrant
buying a real SSL certificate, then throw a "Let's Encrypt" certificate
at it.

Dfix2: I recommend using at least Dfix2 in combination with APF. It
detects and blocks a lot of brute force, probing, prodding or prying
attempts.

-- 
With best regards

Michael Stauber
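An added example (not part of Michael's post or of BlueOnyx itself) that audits an sshd_config for the SSH settings listed above: password logins off, key-only authentication, root login restricted, and an explicit AllowUsers list. It assumes plain OpenSSH keyword/value syntax with no Match blocks; the two sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an sshd_config for the
# SSH hardening steps recommended in the thread.
# Assumptions: standard OpenSSH "Keyword value" syntax, no Match blocks.

# Effective value of KEYWORD in FILE. sshd honours the FIRST occurrence of a
# keyword, so a duplicate appended at the end of the file is silently ignored.
sshd_get() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }                          # skip comment lines
    NF == 0 { next }                                   # skip blank lines
    tolower($1) == tolower(key) { print $2; exit }     # first occurrence wins
  ' "$1"
}

# Print one line per weak setting in FILE. Defaults for absent keywords follow
# sshd_config(5): PasswordAuthentication yes, PubkeyAuthentication yes.
audit_sshd() {
  pw=$(sshd_get "$1" PasswordAuthentication)
  pk=$(sshd_get "$1" PubkeyAuthentication)
  pr=$(sshd_get "$1" PermitRootLogin)
  au=$(sshd_get "$1" AllowUsers)
  [ "${pw:-yes}" = "no" ]  || echo "PasswordAuthentication is '${pw:-yes}', want no"
  [ "${pk:-yes}" = "yes" ] || echo "PubkeyAuthentication is '$pk', want yes"
  [ "$pr" = "no" ] || [ "$pr" = "prohibit-password" ] \
    || echo "PermitRootLogin is '${pr:-default}', want no or prohibit-password"
  [ -n "$au" ] || echo "AllowUsers not set: every account with a shell may log in"
}

# Return 0 if FILE passes the audit, 1 otherwise.
sshd_hardened() { [ -z "$(audit_sshd "$1")" ]; }

# Constructed sample configs (not files from any real server).
TMP=$(mktemp -d)
WEAK_CFG="$TMP/weak"; HARD_CFG="$TMP/hard"
cat >"$WEAK_CFG" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
# this later duplicate is ignored by sshd, so it does NOT turn passwords off
PasswordAuthentication no
EOF
cat >"$HARD_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin
EOF

audit_sshd "$WEAK_CFG"                                   # three findings
sshd_hardened "$HARD_CFG" && echo "hardened config passes"
```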


