[Wolves] Wolves Digest, Vol 269, Issue 8

chris procter chris-procter at talk21.com
Sat Dec 6 16:01:01 UTC 2008

> > > 6 hours to get in, that's fast if the box wasn't being
> > watched...do you think the box was random attacked? did the
> > attacker brute force in, or did he have a key?
> > No, like a dimwit, I'd also set up a user to catch
> > email for a one-off event, let's call him 'dave' and since I'm the
> > only one in the building, and don't use ssh, I'd set
> > the password as 'dave' - doh.
> No, never ever do that. If someone wants to get into a machine they will try 
> common (user)names like root, admin, test, apache, mysql, dave, david, bob, 
> andy, matt, robert and so on, firstly with no password, then with the password 
> the same as the username and common passwords like 'password', 'test' and so on. 
> Always disable root SSH logins. That's the first account anyone would go for.

in /etc/ssh/sshd_config
add the line

PermitRootLogin No

which will (unsurprisingly) prevent root logging in

We also create a group called sshuser and add
AllowGroups sshuser

to /etc/ssh/sshd_config which prevents logins from users who are not members of the sshuser group.  Then add just those users you want logging in via ssh to the group. It means you don't have to worry when you create new accounts because you have to explicitly add them to the sshuser group before they can get remote access.

As an added benefit it also means anyone who logs in as oracle or root has to log in as a named user first and then su, which leaves a nice entry in the logs so we know who to kick if they mess anything up.

[much snipage]
> The fact that this attacker didn't remove their bash history and logs of their 
> login attempts is a good sign that they didn't do a lot and didn't tidy up after 
> themselves, which means that they either weren't there long enough, panicked and 
> left quickly when they saw you login or wasn't bright enough to cover their 
> tracks. On the flip side, maybe they hid the serious stuff that they got up to.

Yes, they could quite easily leave you some easy stuff to find so you could feel good about having found it and not look any further for the real payload, which could be pretty much anything. Paranoia is good, rebuild the box.
