[BlueOnyx:19990] Re: Hacker - what to do next

Ken Marcus kenbxlist at precisionwebhosting.com
Wed Aug 17 13:49:26 -05 2016


For SSH access, I think it's a good idea to only allow admin and root users:

echo "AllowUsers admin root" >> /etc/ssh/sshd_config
echo "DenyUsers test httpd apache" >> /etc/ssh/sshd_config

And for crons, only root

echo "apache" >> /etc/cron.deny
echo "root" >> /etc/cron.allow

A little redundant since one or the other would do it.



On Mon, Aug 15, 2016 at 8:48 PM, Michael Stauber <mstauber at blueonyx.it>
wrote:

> Hi Mitchell,
>
> > If I see this - what should my first (second, third and fourth) move be -
> > it's a hacker with the IP listed as China.
>
> Blow it away. Then start fresh and cmuImport. You might perhaps get some
> ideas or advice about how to "clean" the box. But it appears the
> intruder has at least unprivileged shell access - if not even privileged
> shell access. That means: All bets about the integrity of the box are
> off. The only safe and reasonable approach is to restore from the backups.
>
> As for locking a box down and preventing this: Never administer the box
> through insecure means. So no Telnet or non-HTTPS GUI access. Any user
> who has a shell must never connect to any service on the box in a
> fashion that transmits the login details in the clear. Ideally: Only you
> should have shell access to begin with. Even users who don't have a
> shell should not connect to any service without using TLS or SSL.
>
> My recommendation is to only allow GUI access via HTTPS, which can be
> configured via the GUI itself.
>
> SSH: Even if you don't have APF installed you can use the GUI to
> reasonably secure it:
>
> - Generate an SSH key and PEM certificate via the GUI. I recommend a
> minimum key length of 4096 bit.
>
> - Turn off password authentication for SSH
>
> - Only login via SSH key or PEM certificate.
>
> If APF is installed: The SSH GUI management page then gets extended by
> an APF module and you can lock down SSH access via GeoIP, so that logins
> only work from certain countries. Additionally you could add APF rules
> to only allow logins from certain IP addresses. Use this to make SSH
> inaccessible to everyone but your own static IP addresses that you use
> to administer the box.
>
> FTP, POP3, IMAP: Turn off all non-SSL services and only use the SSL/TLS
> enabled services.
>
> Sendmail: Leave both SMTP and SMTPS on. You could make do with just
> SMTPS enabled, but in the longer run this will cause some issues with
> receiving emails from stupidly configured other servers that you might
> want to receive email from.
>
> If a site uses Webmail or login forms that take account information
> (username + password), it should have SSL enabled. If it doesn't warrant
> buying a real SSL certificate, then throw a "Let's Encrypt" certificate
> at it.
>
> Dfix2: I recommend using at least Dfix2 in combination with APF. It
> detects and blocks a lot of brute force, probing, prodding or prying
> attempts.
>
> --
> With best regards
>
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
>
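As an added illustration that is not part of the thread: a POSIX shell snippet that applies the SSH and cron restrictions discussed above in an idempotent way and checks the effective result. It assumes the config paths are passed in as parameters (so it can be tried on a copy) and a Vixie/cronie-style cron.allow/cron.deny precedence.

```shell
#!/bin/sh
# Added example, not from the list post: apply the posted sshd and cron
# lockdowns idempotently. File paths are parameters so it can run on a copy.

# set_sshd_option FILE KEY VALUE
# sshd_config(5): unless noted otherwise, the FIRST value of a keyword wins
# (AllowUsers/DenyUsers lines accumulate instead), so `echo "Key val" >>`
# is silently ignored when an earlier active line already sets Key.
# Rewrite the first active (non-comment) line instead, or append if absent.
# Caveat: keywords inside Match blocks are not handled here.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eiq "^[[:space:]]*$key([[:space:]]|$)" "$file"; then
        awk -v k="$key" -v v="$value" '
            !done && tolower($1) == tolower(k) { print k " " v; done = 1; next }
            { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_sshd_option FILE KEY: print the value sshd would actually use
effective_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# cron_allowed USER ALLOW_FILE DENY_FILE: exit 0 if USER may edit a crontab.
# Vixie/cronie rule: when cron.allow exists, only listed users may use cron
# and cron.deny is not consulted at all; cron.deny applies only when
# cron.allow is absent. Assumption: with neither file, everyone is allowed
# (this default differs between cron builds, so check your distribution).
cron_allowed() {
    user=$1; allow=$2; deny=$3
    if [ -f "$allow" ]; then
        grep -qx "$user" "$allow"
    elif [ -f "$deny" ]; then
        ! grep -qx "$user" "$deny"
    else
        return 0
    fi
}

# Demo on a constructed copy where "PasswordAuthentication yes" comes first
tmp=$(mktemp -d)
printf 'PasswordAuthentication yes\n#PermitRootLogin yes\n' > "$tmp/sshd_config"
set_sshd_option "$tmp/sshd_config" PasswordAuthentication no
set_sshd_option "$tmp/sshd_config" AllowUsers "admin root"
echo "PasswordAuthentication -> $(effective_sshd_option "$tmp/sshd_config" PasswordAuthentication)"
rm -rf "$tmp"
```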

