LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-10-2014, 01:40 PM   #16
DJ Shaji
Member
 
Registered: Dec 2004
Location: Yo Momma's house
Distribution: Fedora Rawhide, ArchLinux
Posts: 518
Blog Entries: 15

Quote:
Originally Posted by unSpawn
SSH best practices include not allowing root access to any service directly (use an unprivileged account instead), limiting access and using public key authentication. There isn't any "if possible" in that nor should there be.
You are correct, sir! But there are niche cases too. I've got a box behind a router that is configured to only allow connections from my laptop and phone. Its firewall blocks everything else. Do I really need key based authentication in this case? Isn't even the password frivolous, because as such the firewall won't allow connections from any other system on the LAN, and I am assuming the router will additionally block all incoming connections from outside in any case (as I have set it to do)? Or am I overlooking something here? Does the firewall make it impenetrable?

Of course there's IP spoofing, but the router is configured to give out static IPs based on MAC addresses. Of course MACs can be spoofed, but the router only allows whitelisted WLAN devices to connect to it in the first place, and DHCP on the router is disabled. Even if someone cracks the WPA password, he would have to have the MAC of one of my devices, to get which he has to be on the network in the first place. Catch-22? Pretty safe, don't you think?

The only port that is visible to the outside world (I think) is 51413, which is used by the transmission torrent client. It's always connected, and even though I don't use any port forwarding on the router and UPnP is disabled on it, transmission still works. But obviously the peers I connect to can connect to that port. Can this port be exploited? I'm thinking some sort of buffer overflow or something, but that is really not in my control, is it? The best I can do is keep it updated.

I've got ftp and a web server on it too, but those too are protected by the firewall, or are they? Basically I run vsftp and lighttpd with directory listing to get easy access to my stuff from my laptop and my phone. I use mpd too, and use its streaming engine to stream music to my phone. Is configuring the firewall to allow specific IPs, and binding the IPs to MACs, safe enough? I've locked down the router, but I don't trust it as much. It allows me to ftp and telnet (!) into it using the credentials admin and the password which I've changed, but I can find no settings to disable these, and I have no clue if these are accessible from the outside. It's a Belkin N150, and the telnet and router thing aren't in the documentation. I telneted my way into a university router once, with the delightful "password", and I was even "welcomed", but that was from within. I don't know if these things work from the WAN.


Quote:
I most certainly am not: that's your perception.
It was an honest compliment. I was implying that you were an expert in computer security, and are doing your bit to make others safe, when you could easily be on the other side.

I can't help but wonder, there must be literally thousands, if not hundreds of thousands, or more systems out there, running ssh with weak passwords and root access enabled. Since I've read this thread I've been reading about passwords, but in the end I concluded that strong passwords are merely those which take time to be cracked. All passwords can be cracked. All of them. I can only imagine how safe my Gmail and Facebook accounts are. But on my systems connected to the web, relying on passwords alone for security doesn't really cut it.

Forget password entropy and salting. One could take a list of a thousand or so common passwords from the net and patch ssh to run through them on a host, and pass on to the next if it isn't a match. What are the chances that they might actually be able to get into at least one machine? Is it really impossible? Forget root kits. What if someone with root access just runs fsck on all connected drives? Or changes some setting that might damage the hardware? Here's a twist: there are websites and there are websites. There are web hosts and there are web hosts. There are sysadmins and there are sysadmins. Some are unSpawn. Some are like the OP. I mean, theoretically, one could make a list of servers that could be potential targets for the "attack" mentioned above, and try doing just that. I've met several "future" sysadmins who are computer "engineers" and who insist that the cause of the slowness of their Nokia is that it must have gotten a virus. I kid you not. I mean, there must be literally thousands of them, working on as many servers, just being thankful that they got it working, and simply oblivious that their engineering minds cannot comprehend that they are safe just because no one bothered to hit them up. Think about it. The possibilities are endless.

the internet is not a safe place

Last edited by DJ Shaji; 05-10-2014 at 01:43 PM.
 
Old 05-13-2014, 01:35 AM   #17
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by DJ Shaji
You are correct, sir! But there are niche cases too.
Indeed there are but until people get it "right" I'm focusing on the basics.


Quote:
Originally Posted by DJ Shaji
It was an honest compliment.
Thanks.


Quote:
Originally Posted by DJ Shaji
the internet is not a safe place
We have to do what we can to make it safer, more reliable, better.
 
Old 05-13-2014, 01:41 AM   #18
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Please send me the files as requested (if the concept of reciprocity means anything to you) and know by doing so you'll be helping others.
The OP never gave me those files nor has s/he returned to confirm or ask questions, luckily I got hold of the files anyway:
http://rkhunter.cvs.sourceforge.net/...1.511&r2=1.512
http://rkhunter.cvs.sourceforge.net/....1&view=markup
 
Old 05-13-2014, 02:07 AM   #19
EDDY1
LQ Addict
 
Registered: Mar 2010
Location: Oakland,Ca
Distribution: wins7, Debian wheezy
Posts: 6,841

unspawn I've been following this thread & you have proven to be very dedicated.
 
Old 05-13-2014, 02:23 AM   #20
newlotus007
LQ Newbie
 
Registered: May 2014
Posts: 5

Original Poster
Thanks guys, especially unSpawn !

The problem with me is that I wasn't managing the server. It was hosted somewhere in Germany, by my provider people. Currently, they have switched off the port and are not allowing me to log in due to security concerns.

They are highly unethical and unprofessional towards customers. Once they give you the server, they surrender, saying that the server is yours and you take care of it. After charging a hefty amount, they wash their hands of it and blame the customer for everything that happens to the server. In a remote environment, we know that it's really hard to even reboot/restore a system and it takes a long time to perform any kind of SysAdmin activity. The root password initially given by my provider folks was really weak, and they delivered the server putting it on a public IP, so that the remote customer can access it. Due to timezone constraints, before I started working on the server, it was already open and exposed to the internet. I immediately changed the root password and my root password was strong enough to break. I doubt they have the world's worst security measures in their data center. They don't have any auditing mechanism for their servers. And also I doubt they hired a few hackers and gave them the public IPs of the customer systems to play around with. BE AWARE before opting for any services from them!

I'm terribly repenting my choice of provider as I lost a million dollar contract, all my effort & time because of their callous attitude. They didn't even intimate the customer before shutting down the port. I was midway through the demo and in a flash lost everything.

Anyway everything happens for a reason, and this reason indeed taught me a lesson that "my provider - A WOLF IN SHEEP'S CLOTHING".

Last edited by Tinkster; 05-13-2014 at 07:18 PM.
 
Old 05-13-2014, 01:04 PM   #21
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by EDDY1
unspawn I've been following this thread & you have proven to be very dedicated.
Thanks for following but this is what I do. And next to me there's a load of members, including you, that dedicate time and effort. That's just LQ for ya...
 
Old 05-13-2014, 03:02 PM   #22
namhuy
LQ Newbie
 
Registered: May 2014
Distribution: xubuntu, centos
Posts: 5

Try to scan with chkrootkit, it may help. Also stop using password-based SSH login; use key-based login without a password instead.
 
Old 05-13-2014, 04:25 PM   #23
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

First of all there will be no mud slinging on LQ no matter what so I've asked this forum's moderators to remove the company's name.


Quote:
Originally Posted by newlotus007
The problem with me is that I wasn't managing the server. (..) Once they give server, they surrender saying that the server is yours and you take care of it.
Maybe I'm reading this wrong but it seems like you're contradicting yourself here: you either manage or don't manage the server. As it's a dedicated one (you specifically said "Dedicated Root Server") you indeed manage it and that means it's your responsibility and your responsibility alone.


Quote:
Originally Posted by newlotus007
In a remote environment, we know that it's really hard to even reboot/restore a system and it takes a long time to perform any kind of SysAdmin activity.
Unless you don't have the skill, the required privileges or your clients approval I disagree.


Quote:
Originally Posted by newlotus007
The root password initially given by (..) were really weak. and they delivered the server putting it on a public ip, so that remote customer can access. Due to timezone constraint before I start working on the server, it was already open and exposed to the internet.
I agree weak passwords are bad. I don't know what you mean with "public IP" but if you meant they should have provided KVM, DRAC, IPMI, VPN-only access to the machine or gateway access to your private vlan then that's something you should have specified beforehand IMHO. And unless they don't provide a specific date and time for delivery of your server then I don't see what the problem is with "timezone constraints". It's not uncommon for IT personnel to run a 24/7 shift and handoffs do happen outside one's TZ so basically I'd say you chose the job so suck it up and deal with it.


Quote:
Originally Posted by newlotus007
I doubt they have world's worst security measures in their data center. They don't have any auditing mechanism for their servers. And also I doubt they hired few hackers and gave them the public IPs of the customer systems to play around it. (..)
You should have implemented auditing. (Remember you didn't even specify RHEL or CentOS but just "any Linux".) The rest are just fabrications and insinuations trying to blame others for your own mistakes.


Quote:
Originally Posted by newlotus007
I'm terribly repenting my choice (..) as I lost a million dollar contract, (..)
With all respect but no you didn't. The first of your requirements was "cost" (not security or performance, the latter which came second) and your short list included all the top-of-the-list cheap providers one would avoid when choosing a quality host for a quality project.


Quote:
Originally Posted by newlotus007
Anyway everything happens for a reason, and this reason indeed taught me a lesson (..)
Since you're solely blaming others I strongly doubt that.
However it's not too late to change:
- either gain the knowledge yourself or pay somebody to properly admin servers,
- don't choose crap hosts for quality projects: you get what you pay for,
- don't go for "easy money": do what you're good at.

Last edited by unSpawn; 05-17-2014 at 08:18 AM. Reason: //Typo, heh.
 
Old 05-13-2014, 04:53 PM   #24
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,331

Quote:
Originally Posted by newlotus007
The problem with me is that I wasn't managing the server.
Quote:
I immediately changed the root password
??? These two statements directly conflict with each other.

If YOU are the one who had the authority and indeed changed the root password, I would say that indicates YOU are the one managing the server. Any security problems would point directly at you. Did you hire these folks to build and harden a server to your specifications, or just install Linux and turn it over to you for administration? It sounds like the latter from your description, but please clarify.
Quote:
In a remote environment, we know that it's really hard to even reboot/restore a system and it takes a long time to perform any kind of SysAdmin activity.
Well, if you were expecting them to do this, but you changed the root password on them, I can see how that might be the case.

It sucks to have your system hacked. But it appears you are trying to point the finger at someone other than yourself, and it is not clear that they were the party at fault here.
 
Old 05-28-2014, 10:19 AM   #25
swizzchard
LQ Newbie
 
Registered: May 2014
Posts: 2

disclaimer - linux newb

I also got hit by this on a personal server I run centos 6.5 on. What can I do to resolve? Rebuild my only option?

Is the vulnerability patched?
 
Old 05-29-2014, 05:44 PM   #26
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by swizzchard
I also got hit by this on a personal server I run centos 6.5 on.
I'm sorry to hear that.


Quote:
Originally Posted by swizzchard
What can I do to resolve? Rebuild my only option?
Yes, because the files were dropped there by somebody with root privileges. Because you don't know the infection vector a restore from backup would not be advisable either.


Quote:
Originally Posted by swizzchard
Is the vulnerability patched?
You would have to investigate how the perp got in. That takes time but if you're up for it let me know and I'll try and guide you along.
If you don't want to investigate then nuke the disk, install your OS from scratch, do replace login and other pass phrases and any SSH and GnuPG keys and do properly harden the machine before exposing it to the 'net again.
 
Old 05-30-2014, 09:38 AM   #27
swizzchard
LQ Newbie
 
Registered: May 2014
Posts: 2

Quote:
You would have to investigate how the perp got in. That takes time but if you're up for it let me know and I'll try and guide you along.
If you don't want to investigate then nuke the disk, install your OS from scratch, do replace login and other pass phrases and any SSH and GnuPG keys and do properly harden the machine before exposing it to the 'net again.
Well, from seeing the other posts, I assume it's because I was running sshd and temporarily (2hrs) opened up port forwarding so my wife could grab some files while she was at the library. Unfortunately, this was a new server, I hadn't finished setting it up and the root pw was too easy.

If there's anything you want me to run and post the output to help prevent this for others, just LMK. It's closed off now.

I edited the rc.local file to comment out all the entries that were added while vulnerable. I also restricted outbound connections for that server via the firewall/router.
 
Old 05-30-2014, 10:22 AM   #28
priyophan
Member
 
Registered: Apr 2009
Posts: 36

Before you open up the server to the net, put the following things in and harden it for more security:

Don't use default passwords like redhat; use some alphanumeric combination longer than 8 characters.
---------------------------------
cat /etc/hosts.deny
SSHD: ALL
---------------------------------
cat /etc/hosts.allow
SSHD: ip1 ip2 ip3
---------------------------------
ip* is where you want to access your server from; same for ftp services if you want it.

----------------------------------------
Configure firewall something like this (iptables-restore format, load with iptables-restore < file)
----------------------------------------
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:C-INPUT - [0:0]
# loopback traffic and replies to connections the server itself opened (DNS, updates)
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j C-INPUT
# SSH only from your own address; anything else is logged and then hits the INPUT DROP policy
-A C-INPUT -s sourceip1 -d yourserverip -i eth0 -p tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A C-INPUT -j LOG --log-prefix "Matched firewall: " --log-level 7
COMMIT
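As an added example (not part of priyophan's post), here is a small Python parser for the kernel log lines that the -j LOG --log-prefix "Matched firewall: " rule above produces; it counts the dropped packets per source and destination port and lists which sources tried to open new TCP connections, running over constructed sample syslog lines with documentation-range addresses.

```python
import re
from collections import Counter, defaultdict

# Prefix from the LOG rule in the ruleset above. Everything that reaches that
# rule has failed the whitelist, so every such line is a dropped packet.
LOG_PREFIX = "Matched firewall: "

# Constructed sample syslog lines (not real traffic). Field names follow the
# netfilter LOG target output; the last line is unrelated sshd noise.
SAMPLE_LOG = """\
May 30 10:22:01 srv kernel: Matched firewall: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May 30 10:22:03 srv kernel: Matched firewall: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May 30 10:22:09 srv kernel: Matched firewall: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
May 30 10:22:10 srv kernel: Matched firewall: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=UDP SPT=40002 DPT=53 LEN=24
May 30 10:22:11 srv sshd[1234]: Accepted publickey for alice from 192.0.2.50 port 52000 ssh2
"""

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the netfilter key=value fields of a LOG line, or None for other lines."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    body = line[idx + len(LOG_PREFIX):]
    fields = dict(KV_RE.findall(body))
    # TCP flags (SYN, ACK, ...) and DF are bare upper-case tokens, not key=value pairs.
    fields["FLAGS"] = {tok for tok in body.split() if "=" not in tok and tok.isupper()}
    return fields


def summarize_drops(text):
    """Count dropped packets per (SRC, PROTO, DPT) over the whole log text."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_log_line(line)
        if f is not None:
            counts[(f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts


def new_connection_attempts(text):
    """Map each source address to the TCP ports it tried to open (SYN without ACK)."""
    attempts = defaultdict(set)
    for line in text.splitlines():
        f = parse_log_line(line)
        if f and f.get("PROTO") == "TCP" and "SYN" in f["FLAGS"] and "ACK" not in f["FLAGS"]:
            attempts[f["SRC"]].add(int(f["DPT"]))
    return dict(attempts)


if __name__ == "__main__":
    for (src, proto, dport), n in summarize_drops(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src:>15}  {proto}/{dport}")
    print(new_connection_attempts(SAMPLE_LOG))
```

On a real host the same functions can be fed the output of grep "Matched firewall" /var/log/messages (or journalctl -k), since the LOG target writes to the kernel log at the level given by --log-level.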
 
Old 05-30-2014, 01:37 PM   #29
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by swizzchard
If theres anything you want me to run and post the output to help prevent for others, just LMK. Its closed off now.
If you're so inclined you could run Rootkit Hunter from CVS (or, if you happen to have ClamAV installed (if you don't already have it, don't install it), in rkhunter/files/signatures:
clamscan --database=RKH_iptablex.ldb -ir /boot /etc /usr /tmp
) or else these three:
(changed files)
rpm -Vva 2>&1 | grep -v '^\.\{8\}'
(not packaged files)
find /boot /etc /usr -maxdepth 5 -type f -print0 | xargs -0 -iX rpm -qf 'X' 2>&1 | awk '/not owned/ {print $2}'
(files in root, /tmp and /var)
find / -maxdepth 1 -type f -printf "%p %U %G %m %T+\n"; find /tmp /var -maxdepth 5 -type f -printf "%p %U %G %m %T+\n"

*Please note wrt the advice given above that hardening is so much more than just that.
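Added example, not from unSpawn's post: a Python helper that parses the output of the rpm -Vva and rpm -qf checks above and separates the expected drift of config files from changed or missing package binaries and from files no package owns. The rpm -V column layout (SM5DLUGTP, optional c/d/g/l/r file-type letter, path) is the real one; the sample output is constructed, not from a real host.

```python
import re

# rpm -V prints one attribute column per check: S size, M mode, 5 digest, D device,
# L symlink, U user, G group, T mtime, P capabilities ('.' = unchanged, '?' = untested).
# rpm 4.x prints 9 columns; older rpm (what the '^\.\{8\}' grep above assumes) prints 8.
VERIFY_RE = re.compile(r"^(missing|[S.M5DLUGTP?]{8,9})\s+(?:([cdglr])\s+)?(\S.*)$")
ATTR_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
              "U": "owner", "G": "group", "T": "mtime", "P": "capabilities"}

# Constructed sample output of 'rpm -Vva' (not a real host).
SAMPLE_VERIFY = """\
.........    /usr/bin/ls
S.5....T.    /usr/sbin/sshd
.M.......    /bin/ping
.......T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/hosts.allow
missing      /sbin/ifconfig
.....U...    /usr/bin/passwd
"""

# Constructed sample output of the 'find ... | xargs rpm -qf' pipeline above.
SAMPLE_QF = """\
coreutils-8.4-37.el6.x86_64
file /usr/local/bin/unknown-tool is not owned by any package
openssh-server-5.3p1-94.el6.x86_64
file /etc/cron.hourly/udev is not owned by any package
"""


def parse_verify(text):
    """Parse rpm -V lines into dicts; fully unchanged files are dropped."""
    entries = []
    for line in text.splitlines():
        m = VERIFY_RE.match(line)
        if not m:
            continue
        flags, ftype, path = m.groups()
        missing = flags == "missing"
        changed = set() if missing else {ATTR_NAMES[c] for c in flags if c in ATTR_NAMES}
        if not missing and not changed:
            continue
        entries.append({"path": path, "changed": changed, "missing": missing,
                        "config": ftype == "c"})
    return entries


def suspicious_binaries(entries):
    """Non-config files whose content, mode or ownership changed, or that vanished.
    Config files ('c') drift legitimately; a new digest on a packaged binary does not."""
    strong = {"digest", "size", "mode", "owner", "group", "symlink", "capabilities"}
    return sorted(e["path"] for e in entries
                  if not e["config"] and (e["missing"] or e["changed"] & strong))


def unowned_files(text):
    """Paths that rpm -qf reports as belonging to no package."""
    rx = re.compile(r"^file (.+) is not owned by any package$")
    return [m.group(1) for m in map(rx.match, text.splitlines()) if m]


if __name__ == "__main__":
    for p in suspicious_binaries(parse_verify(SAMPLE_VERIFY)):
        print("changed or missing package file:", p)
    for p in unowned_files(SAMPLE_QF):
        print("not owned by any package:", p)
```

A changed digest on a binary is only meaningful when rpm's own database and the rpm binary are trustworthy; on a rooted box compare against a clean copy of the package (rpm -Vp against the downloaded .rpm) or from a rescue system instead.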
 
Old 06-02-2014, 02:32 PM   #30
DJ Shaji
Member
 
Registered: Dec 2004
Location: Yo Momma's house
Distribution: Fedora Rawhide, ArchLinux
Posts: 518
Blog Entries: 15

Quote:
Originally Posted by priyophan
use some alphanumeric combination longer than 8 characters
That's not enough.

Quote:
---------------------------------
cat /etc/hosts.deny
SSHD: ALL
---------------------------------
cat /etc/hosts.allow
SSHD: ip1 ip2 ip3
---------------------------------
ip* is where you want to access your server from , same for ftp services if you want it .
But, IP spoofing is child's play!

Quote:
----------------------------------------
Configure firewall something like this
----------------------------------------
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:C-INPUT - [0:0]
-A INPUT -j C-INPUT
-A C-INPUT -s sourceip1 -d yourserverip -i eth0 -p tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A C-INPUT -j LOG --log-prefix "Matched firewall: " --log-level 7
Again, see above.
 
All times are GMT -5. The time now is 08:54 PM.