The preferred approach to (perceived) compromises of security in this forum is to deal with facts, analyze them and give advice based on that. A structured approach to handling incidents serves both "victim" and incident handler as guideline ensuring all aspects are addressed efficiently and in order.
Provided facts:
Quote:
Originally Posted by alistair_sunde
- We don't have a dedicated firewall on a seperate computer
- We are not using IDS
- The compromised server runs (..) iptables
- the ssh daemon is the only service we provide to the outside,
- the firewall only allows 2 login attempts every 3 minutes
- I created users with the same usernames and passwords forgetting to reconfigure sshd_config allowusers settings
- our server at school was compromised through a ssh dictionary attack
- The users created did not have sudo rights
|
- The fact that a dictionary attack yielded access means:
0) pubkey auth was not used: review your knowledge of and adherence to security best practices,
1) that either syslogged warnings were ignored or no reporting is in place: see for example Logwatch and
2) that no mitigating measures were in place: see fail2ban.
- Using a production server to test functionality is not a best practice: use a staging server (VM?) as testbed instead.
Mitigation:
Quote:
Originally Posted by alistair_sunde
- I have strengthened the firewall by only allowing login attempts from a designated ip and designated user.
- The daemon has been removed,ssh and the firewall repaired/strenghtened, the compromised user account deleted and the files removed
|
- Missing here is:
0) alerting everyone with an account on the machine to change their passwords regardless,
1) changing critical accounts passwords,
2) implementing security best practices as mentioned above,
3) the option to restore from a
known secure and safe backup.
Assumptions / analysis:
Quote:
Originally Posted by alistair_sunde
- The server now appears stable.
- The server does not contain any sensitive information or files that are vital.
- an irc daemon installed.
- as far as I can see, the the root account has not been compromised.
- the visible scripts found are of a generic nature
- I was hacked and got programs installed by a computer.
- There is no evidence suggesting that the computer continued trying to get the root password once inside the system
- I don't know that the root account has not been compromised,
- everything suspicious has been run under the compromised user's account according to logfiles, tcpdump and wireshark.
|
- Deleting "evidence" without listing details and making backups first is a reflex that unfortunately new as well as seasoned admins succumb to. This does not help analyze the situation much, especially since Linux installations generally speaking do not come with much of a (comprehensive) audit trail out-of-the-box anyway. Without "evidence" a knowledgeable handler can, to some extent, rely on theoretical knowledge of the field and practical experience with prior intrusions.
Even then, but this goes especially for those who are not well-versed in analysis, the danger of pitfalls like hypothesizing and speculation remains.
- The common MO of most of these crews is to only and efficiently hunt for low-hanging fruit. Often those machines are used to scan for other systems. That they are limited in their interests and time spent per system however should not be mistaken as "proof" the system is safe. Only proper analysis can confirm that it is.
- What is missing here is:
0) a time line indicating when brute forcing accounts started, when it yielded access and when you started mitigation,
1) how accounts, shell history, files, auth records and daemon / syslog entries involved in the compromise were analyzed,
2) a complete integrity check of the machine
plus any adjacent ones.
Questions:
Quote:
Originally Posted by alistair_sunde
My question is whether I should undertake a time-comsuming reinstall
|
- Be aware that the questions you posed are not guided solely with security practices in mind but are, understandably though, colored by ulterior motives. Having minimal time to spend is not a reason to exclude any measures.
Instead it means any investment of time must be efficient and effective: yield the largest possible ROI.
While I sympathize with your time and other constraints my advice would be to restore from a backup. Having one that is known to predate the intrusion and is known to be untainted gives you a valid reason to forego proper analysis on. Should you not have one then an installation from scratch ensures security and trustworthiness. After all running GNU/Linux is about performance, protecting assets and providing services in a continuous, stable and secure way.