
perfsonar-user - [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user)

Subject: perfSONAR User Q&A and Other Discussion

  • From: Jason Zurawski <>
  • To: Amit <>
  • Cc:
  • Subject: [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user)
  • Date: Fri, 11 Oct 2013 09:28:01 -0400

Hi Amit/All;

There are many tools that exist in this space, and the project has started
evaluating some of them. I would suggest you read about some of them here:

http://code.google.com/p/perfsonar-ps/wiki/pSPT_Host_Security

Future releases could include these as a default, after we evaluate the long
term benefits, maintenance issues, and positive impacts they provide.

Thanks;

-jason

On Oct 10, 2013, at 9:14 PM, Amit
<>
wrote:

> Thanks Shawn,
>
> I think enabling it without password login is a good idea.
>
> --
> Thanks & Regards
>
> Amit Kumar
> Scientific Officer
> Operation and Routing Group
> M/O Communication and IT, NIC, A- Block, CGO Complex, New Delhi
> Ph. +911122900332, NKN VoIP:5032
>
>
>
> From: [mailto:] On Behalf Of Shawn McKee
> Sent: Friday, October 11, 2013 4:44 AM
> To: Jim Warner
> Cc: Brian Tierney; Amit; Aaron Brown;
> <>;
>
> <>
> Subject: Re: [perf-node-users] Perfsonar Server got hacked (non root user)
>
> I think we should make sure the services that are used to make network
> measurements and provide diagnostic capability remain open.
>
> If the /etc/hosts.allow is configured not to mess with those services I
> think it could be helpful to secure the nodes.
>
> Perhaps adding some iptables limitations on ssh would be in order. We use
> something like this on certain servers to limit the frequency someone can
> try to login via ssh:
>
> # Drop repeated ssh connection attempts within a 20 second interval
> # (ssh throttling). Rule order matters: --rcheck only tests the THROTTLE
> # list, so the DROP rule must precede the ACCEPT rule whose --set records
> # the source address.
> -A INPUT -p tcp -m tcp --dport ssh -m state --state NEW -m recent --rcheck --seconds 20 --name THROTTLE --rsource -j DROP
> -A INPUT -p tcp -m tcp --dport ssh -m state --state NEW -m recent --set --name THROTTLE --rsource -j ACCEPT
>
> If you don't allow passwords via ssh you don't even need this (but make
> sure you protect your keys if that is what you do allow).
>
> Shawn
>
>
>
>
> On Thu, Oct 10, 2013 at 6:51 PM, Jim Warner
> <>
> wrote:
> It seems to me that encouraging addition of an /etc/hosts.allow file to
> perfsonar installations would be a good idea. Even if you don't leave ssh
> enabled most of the time, it's nice to have the restriction there if you
> turn it on. And, for CD-ROM users, it appears that the file is remembered
> are restored across reboots.
>
> -jim
>
>
>
> On Thu, Oct 10, 2013 at 9:58 AM, Brian Tierney
> <>
> wrote:
>
> Maybe just a brute force password attack that succeeded? Did you have a
> good password on that system?
>
>
> On Oct 10, 2013, at 9:21 AM, Amit
> <>
> wrote:
>
> > Hi,
> >
> > This user has no sudo ability. Also, no other user account was hacked,
> > and no service was disrupted or misused.
> >
> > Thanks
> > Amit
> >
> >
> > Sent from my HTC
> >
> > ----- Reply message -----
> > From: "Aaron Brown"
> > <>
> > To: "Amit"
> > <>
> > Cc:
> > "<>"
> >
> > <>,
> >
> > "<>"
> >
> > <>
> > Subject: [perf-node-users] Perfsonar Server got hacked (non root user)
> > Date: Thu, Oct 10, 2013 8:22 pm
> >
> >
> > Hey Amit,
> >
> > So this user broke into your 'admin' account, and not root, bwctl,
> > perfsonar, or other user accounts? Did this account have sudo ability?
> >
> > Cheers,
> > Aaron
> >
> > On Oct 10, 2013, at 10:47 AM, Amit
> > <<mailto:>>
> > wrote:
> >
> > Hi,
> >
> > Today I could not ssh to my two perfSONAR servers using a user account.
> > When I logged in to the server I found that my Linux user had somehow
> > been compromised from the internet.
> >
> > I could see the ssh connection from an internet IP to my server. Also,
> > the crontab entry for that user was changed. Please find the details below:
> >
> > 4344 ? Ss 0:10 ps HOSTNAME=Perf-Delhi TERM=xterm
> > SHELL=/bin/bash HISTSIZE=1000 SSH_CLIENT=201.231.245.195 4158 22
> > SSH_TTY=/dev/pts/0 USER=admin
> > LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:
> > MAIL=/var/spool/mail/admin PATH=. PWD=/home/admin/.?/.? LANG=en_US.UTF-8
> > HISTCONTROL=ignoredups SHLVL=3 HOME=/home/admin LOGNAME=admin
> > SSH_CONNECTION=201.231.245.195 4158 14.139.5.202 22
> > LESSOPEN=|/usr/bin/lesspipe.sh %s G_BROKEN_FILENAMES=1 _=./ps
> >
> > The hacker also installed some script in my user home directory and was
> > trying to connect to IRC port 6667, and was also listening on some TCP
> > and UDP ports.
> >
> > Iptables is already running on my server; I could not identify the root
> > cause of this. I have deleted all the data from the home directory and
> > also the crontab entry.
> >
> > Please help me out.
> >
> > --
> > Thanks & Regards
> >
> > Amit Kumar
> > Scientific Officer
> > Operation and Routing Group
> > M/O Communication and IT, NIC, A- Block, CGO Complex, New Delhi
> > Ph. +911122900332, NKN VoIP:5032
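The indicators Amit pasted (the `ps e` environment of the rogue process with PATH=. and a working directory under dot-named directories, the changed crontab, the IRC connection and the extra listening ports) can be turned into a small triage check. The script below is an added example, not code from the perfSONAR project or from anyone on the list. The environment string is the one quoted in the thread with LS_COLORS left out; the crontab lines, the socket table and the trusted admin range 14.139.0.0/16 are constructed for the example and are assumptions.

```python
"""Triage of the indicators Amit reported: an interactive ssh session from an
unexpected address, PATH=. plus a working directory under dot-named dirs, a
changed user crontab, an outbound IRC connection and extra bound sockets.
Added example, not perfSONAR project code."""
import ipaddress
import re

# Assumption: where legitimate admin ssh sessions come from (chosen to contain
# the server's own 14.139.5.202; adjust to the real admin network).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("14.139.0.0/16")]
IRC_PORTS = {6667, 6697}
VAR_START = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

# Environment of the rogue 'ps' process as quoted in the thread
# (the long LS_COLORS value is left out; it carries no signal).
SAMPLE_ENVIRON = (
    "HOSTNAME=Perf-Delhi TERM=xterm SHELL=/bin/bash HISTSIZE=1000 "
    "SSH_CLIENT=201.231.245.195 4158 22 SSH_TTY=/dev/pts/0 USER=admin "
    "MAIL=/var/spool/mail/admin PATH=. PWD=/home/admin/.?/.? LANG=en_US.UTF-8 "
    "HISTCONTROL=ignoredups SHLVL=3 HOME=/home/admin LOGNAME=admin "
    "SSH_CONNECTION=201.231.245.195 4158 14.139.5.202 22 "
    "LESSOPEN=|/usr/bin/lesspipe.sh %s G_BROKEN_FILENAMES=1 _=./ps"
)
# Constructed crontab: one ordinary entry, one of the kind an intruder plants.
SAMPLE_CRONTAB = """\
MAILTO=admin
0 3 * * * /home/admin/bin/rotate-results.sh
*/10 * * * * /home/admin/.?/.?/run >/dev/null 2>&1
"""
# Constructed socket table shaped like `ss -tunap` output:
# (proto, state, local address, peer address, owning user).
SAMPLE_SOCKETS = [
    ("tcp", "ESTAB", "14.139.5.202:41322", "203.0.113.77:6667", "admin"),
    ("tcp", "LISTEN", "0.0.0.0:4444", "*", "admin"),
    ("udp", "UNCONN", "0.0.0.0:9999", "*", "admin"),
    ("tcp", "LISTEN", "0.0.0.0:22", "*", "root"),
]


def parse_environ(blob):
    """Parse KEY=value pairs as `ps e` prints them; values may contain spaces
    (SSH_CLIENT is "ip port port"), so tokens without NAME= extend the value."""
    env, current = {}, None
    for token in blob.split():
        m = VAR_START.match(token)
        if m:
            current = m.group(1)
            env[current] = m.group(2)
        elif current is not None:
            env[current] += " " + token
    return env


def hidden_components(path):
    """Dot-prefixed path components other than . and .. themselves."""
    return [c for c in path.split("/") if c.startswith(".") and c not in (".", "..")]


def check_environ(env, trusted_nets=TRUSTED_ADMIN_NETS):
    findings = []
    for entry in env.get("PATH", "/").split(":"):
        if not entry.startswith("/"):   # "." or "" lets cwd binaries shadow system ones
            findings.append(f"relative PATH entry {entry!r}")
    if hidden_components(env.get("PWD", "")):
        findings.append(f"working directory under a hidden dir: {env['PWD']}")
    last = env.get("_", "/")            # $_ is the path the shell used to start the program
    if not last.startswith("/"):
        findings.append(f"program started by relative path: {last}")
    client = env.get("SSH_CLIENT", "").split()
    if client and not any(ipaddress.ip_address(client[0]) in n for n in trusted_nets):
        findings.append(f"ssh session from untrusted address {client[0]}")
    return findings


def check_crontab(text):
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] == "#" or "=" in line.split()[0]:
            continue                    # blank, comment, or NAME=value line
        nfields = 1 if line[0] == "@" else 5   # @reboot-style vs five time fields
        parts = line.split(None, nfields)
        if len(parts) <= nfields:
            continue
        program = parts[nfields].split()[0]
        if hidden_components(program) or program.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):
            findings.append(f"cron entry runs from a hidden or temp dir: {line}")
    return findings


def check_sockets(rows, user):
    findings = []
    for proto, state, local, peer, owner in rows:
        peer_port = int(peer.rsplit(":", 1)[1]) if ":" in peer else None
        if peer_port in IRC_PORTS:
            findings.append(f"{owner}: {proto} connection to IRC port {peer}")
        if owner == user and state in ("LISTEN", "UNCONN"):
            findings.append(f"{owner}: unexpected {proto} socket bound on {local}")
    return findings


def triage(environ=SAMPLE_ENVIRON, crontab=SAMPLE_CRONTAB, sockets=SAMPLE_SOCKETS):
    env = parse_environ(environ)
    return {"environ": check_environ(env), "crontab": check_crontab(crontab),
            "sockets": check_sockets(sockets, env.get("USER", ""))}
```

On a live host the same three checks run against `ps axe` output, `crontab -l -u admin`, and `ss -tunap`; the value of keeping them as functions is that the environment parser copes with values that contain spaces, which a naive split on whitespace would break on SSH_CLIENT and SSH_CONNECTION.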
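Brian's question (was this a brute-forced password?) is answered from the ssh authentication log, and Shawn's remedy (do not allow passwords over ssh) is verified from sshd_config. The script below is an added example, not code from the perfSONAR project or from anyone on the list. The log lines are constructed in the syslog format sshd writes (/var/log/secure on RHEL-family hosts, auth.log on Debian), the source addresses are from the RFC 5737 documentation ranges, the year 2013 is assumed because syslog timestamps carry none, and the two sshd_config excerpts and the 14.139.5.0/24 maintenance subnet in the Match block are assumptions.

```python
"""Checks that follow from Brian's question (was the password brute-forced?)
and Shawn's advice (do not allow password logins over ssh at all).
Added example, not perfSONAR project code. The log lines are constructed in
the syslog format sshd uses; source addresses are RFC 5737 documentation ranges."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
YEAR = 2013                     # syslog timestamps carry no year; assumed for the sample
FAIL_THRESHOLD, WINDOW = 5, timedelta(minutes=10)   # failures per source within the window

SAMPLE_AUTH_LOG = """\
Oct 10 02:14:01 Perf-Delhi sshd[4101]: Failed password for admin from 203.0.113.9 port 40122 ssh2
Oct 10 02:14:03 Perf-Delhi sshd[4101]: Failed password for admin from 203.0.113.9 port 40122 ssh2
Oct 10 02:14:06 Perf-Delhi sshd[4103]: Failed password for invalid user oracle from 203.0.113.9 port 40131 ssh2
Oct 10 02:14:09 Perf-Delhi sshd[4105]: Failed password for admin from 203.0.113.9 port 40140 ssh2
Oct 10 02:14:12 Perf-Delhi sshd[4107]: Failed password for admin from 203.0.113.9 port 40152 ssh2
Oct 10 02:14:15 Perf-Delhi sshd[4109]: Accepted password for admin from 203.0.113.9 port 40160 ssh2
Oct 10 02:14:15 Perf-Delhi sshd[4109]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Oct 10 02:30:44 Perf-Delhi sshd[4158]: Accepted publickey for perfsonar from 14.139.5.10 port 51022 ssh2
Oct 10 03:02:10 Perf-Delhi sshd[4201]: Failed password for root from 198.51.100.20 port 3390 ssh2
Oct 10 03:02:12 Perf-Delhi sshd[4201]: Failed password for root from 198.51.100.20 port 3390 ssh2
""".splitlines()

# Constructed sshd_config excerpts: the keyword left at its default, and the
# hardened form with a Match block for a maintenance subnet (an assumption).
WEAK_SSHD_CONFIG = """\
PermitRootLogin yes
#PasswordAuthentication yes
UsePAM yes
"""
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Match Address 14.139.5.0/24
    PasswordAuthentication yes
"""


def parse_auth_log(lines):
    """Return (time, ip, result, method, user) for each login-outcome line."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["result"], m["method"], m["user"]))
    return events


def find_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Sources with at least `threshold` failures inside any `window`, with their total failures."""
    fails = defaultdict(list)
    for ts, ip, result, _method, _user in events:
        if result == "Failed":
            fails[ip].append(ts)
    hits = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):        # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(times)
                break
    return hits


def find_success_after_failures(events, min_failures=3):
    """Accepted logins from a source that had already failed min_failures times:
    the signature of a guessing attack that eventually succeeded."""
    seen_failures, hits = defaultdict(int), []
    for ts, ip, result, method, user in sorted(events):
        if result == "Failed":
            seen_failures[ip] += 1
        elif seen_failures[ip] >= min_failures:
            hits.append((ts, ip, user, method, seen_failures[ip]))
    return hits


def password_auth_enabled(config_text):
    """Effective global PasswordAuthentication: sshd takes the FIRST occurrence of a
    keyword, defaults to yes, and settings inside Match blocks apply only conditionally."""
    in_match = False
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip().lower() if len(parts) > 1 else "")
        if key == "match":
            in_match = True
        elif key == "passwordauthentication" and not in_match:
            return value == "yes"
    return True
```

Two points the code encodes that are easy to get wrong by hand: sshd honours the first occurrence of a keyword, so a `PasswordAuthentication no` appended at the end of a file that already says `yes` changes nothing; and with `UsePAM yes`, `ChallengeResponseAuthentication` must also be `no`, otherwise a password prompt can still arrive through keyboard-interactive authentication. The hosts.allow restriction and the THROTTLE rule discussed above slow a guessing attack down; turning passwords off removes it.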


