perfsonar-user - [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user)
Subject: perfSONAR User Q&A and Other Discussion
List archive
[perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user)
Chronological Thread
- From: Jason Zurawski <>
- To: Amit <>
- Cc: ,
- Subject: [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user)
- Date: Fri, 11 Oct 2013 09:28:01 -0400
Hi Amit/All;
There are many tools that exist in this space, and the project has started
evaluating some of them. I would suggest you read about some of them here:
http://code.google.com/p/perfsonar-ps/wiki/pSPT_Host_Security
Future releases could include these as a default, after we evaluate the long
term benefits, maintenance issues, and positive impacts they provide.
Thanks;
-jason
On Oct 10, 2013, at 9:14 PM, Amit
<>
wrote:
> Thanks Shawn,
>
> I think having enabling without passing password is good idea.
>
> --
> Thanks & Regards
>
> Amit Kumar
> Scientific Officer
> Operation and Routing Group
> M/O Communication and IT, NIC, A- Block, CGO Complex, New Delhi
> Ph. +911122900332, NKN VoIP:5032
>
>
>
> From:
>
>
> [mailto:]
> On Behalf Of Shawn McKee
> Sent: Friday, October 11, 2013 4:44 AM
> To: Jim Warner
> Cc: Brian Tierney; Amit; Aaron Brown;
> <>;
>
> <>
> Subject: Re: [perf-node-users] Perfsonar Server got hacked (non root user)
>
> I think we should make sure the services that are used to make network
> measurements and provide diagnostic capability remain open.
>
> If the /etc/hosts.allow is configured not to mess with those services I
> think it could be helpful to secure the nodes.
>
> Perhaps adding some iptables limitations on ssh would be in order. We use
> something like this on certain servers to limit the frequency someone can
> try to login via ssh:
>
> # Drop repeated ssh connection attempts within 20 seconds interval
> # ssh throttling
> -A INPUT -p tcp -m tcp -m state -m recent --dport ssh --state NEW -j DROP
> --rcheck --seconds 20 --name THROTTLE --rsource
> -A INPUT -p tcp -m tcp -m state -m recent --dport ssh --state NEW -j ACCEPT
> --set --name THROTTLE --rsource
>
> If you don't allow passwords via ssh you don't even need this (but make
> sure you protect your keys if that is what you do allow).
>
> Shawn
>
>
>
>
> On Thu, Oct 10, 2013 at 6:51 PM, Jim Warner
> <>
> wrote:
> It seems to me that encouraging addition of an /etc/hosts.allow file to
> perfsonar installations would be a good idea. Even if you don't leave ssh
> enabled most of the time, it's nice to have the restriction there if you
> turn it on. And, for CD-ROM users, it appears that the file is remembered
> are restored across reboots.
>
> -jim
>
>
>
> On Thu, Oct 10, 2013 at 9:58 AM, Brian Tierney
> <>
> wrote:
>
> Maybe just a brute force password attack that succeeded? Did you have a
> good password on that system?
>
>
> On Oct 10, 2013, at 9:21 AM, Amit
> <>
> wrote:
>
> > Hi,
> >
> > No sudo ability to this user. Also no other user account hacked. Not even
> > any service got disrupted or misused.
> >
> > Thanks
> > Amit
> >
> >
> > Sent from my HTC
> >
> > ----- Reply message -----
> > From: "Aaron Brown"
> > <>
> > To: "Amit"
> > <>
> > Cc:
> > "<>"
> >
> > <>,
> >
> > "<>"
> >
> > <>
> > Subject: [perf-node-users] Perfsonar Server got hacked (non root user)
> > Date: Thu, Oct 10, 2013 8:22 pm
> >
> >
> > Hey Amit,
> >
> > So this user broke into your 'admin' account, and not root, bwctl,
> > perfsonar, other user accounts? Did this account have sudo ability?
> >
> > Cheers,
> > Aaron
> >
> > On Oct 10, 2013, at 10:47 AM, Amit
> > <<mailto:>>
> > wrote:
> >
> > Hi,
> >
> > Today I could not ssh to my perfsonar servers (two) using a user account.
> > When I login to server I identified that my linux user got compromised
> > somehow from internet.
> >
> > I could see the ssh connection from an internet IP to my server. Also
> > crontab entry for that user got changed. Please find below detail
> >
> > 4344 ? Ss 0:10 ps HOSTNAME=Perf-Delhi TERM=xterm
> > SHELL=/bin/bash HISTSIZE=1000 SSH_CLIENT=201.231.245.195 4158 22
> > SSH_TTY=/dev/pts/0 USER=admin
> > LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:
> > MAIL=/var/spool/mail/admin PATH=. PWD=/home/admin/.?/.? LANG=en_US.UTF-8
> > HISTCONTROL=ignoredups SHLVL=3 HOME=/home/admin LOGNAME=admin
> > SSH_CONNECTION=201.231.245.195 4158 14.139.5.202 22
> > LESSOPEN=|/usr/bin/lesspipe.sh %s G_BROKEN_FILENAMES=1 _=./ps
> >
> > Also the hacker installed some script in my user home directly and was
> > trying to connect to IRC port 6667 and was also listening some tcp and
> > udp port.
> >
> > Iptables is already running on my server, I could not identify the root
> > cause for this. I have deleted all the data from home directly and also
> > crontab entry.
> >
> > Please help me out.
> >
> > --
> > Thanks & Regards
> >
> > Amit Kumar
> > Scientific Officer
> > Operation and Routing Group
> > M/O Communication and IT, NIC, A- Block, CGO Complex, New Delhi
> > Ph. +911122900332, NKN VoIP:5032
- [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user), Aaron Brown, 10/10/2013
- <Possible follow-up(s)>
- [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user), Brian Tierney, 10/10/2013
- [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user), Jim Warner, 10/10/2013
- Message not available
- Message not available
- [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user), Jason Zurawski, 10/11/2013
- [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user), Soichi Hayashi, 10/11/2013
- [perfsonar-user] Help with inconsistent bwctl measurements, Roderick Mooi, 10/16/2013
- Re: [perfsonar-user] Help with inconsistent bwctl measurements, Brian Tierney, 10/16/2013
- Re: [perfsonar-user] Help with inconsistent bwctl measurements, Jason Zurawski, 10/16/2013
- Re: [perfsonar-user] Help with inconsistent bwctl measurements, Wefel, Paul, 10/16/2013
- Re: [perfsonar-user] Help with inconsistent bwctl measurements, Alan Whinery, 10/16/2013
- Re: [perfsonar-user] Help with inconsistent bwctl measurements, Eli Dart, 10/16/2013
- Re: [perfsonar-user] Help with inconsistent bwctl measurements, Roderick Mooi, 10/17/2013
- Message not available
- Re: [perf-node-users] Re: [perfsonar-user] Help with inconsistent bwctl measurements, Jason Zurawski, 10/17/2013
- Re: [perf-node-users] Re: [perfsonar-user] Help with inconsistent bwctl measurements, Roderick Mooi, 10/17/2013
- [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user), Jason Zurawski, 10/11/2013
- Message not available
- Message not available
- [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user), Jim Warner, 10/10/2013
Archive powered by MHonArc 2.6.16.