perfsonar-user - [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user)

Subject: perfSONAR User Q&A and Other Discussion

[perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user)


  • From: Soichi Hayashi <>
  • To: Performance Node Users <>, "" <>
  • Cc: Amit <>
  • Subject: [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user)
  • Date: Fri, 11 Oct 2013 11:40:21 -0400

Jason, others,

I've been installing the perfsonar toolkit using the "RPM installation method" (http://psps.perfsonar.net/psb/install.html) on top of our own site-specific OS image (a customized RHEL5/6 image) that our sysadmin maintains. Our base OS image does not allow password ssh login, and our sysadmin applies various security patches / OS updates across all services to keep our services secure and stable.

Now, due to some lingering perfsonar installation issue, I am contemplating switching to the ISO installation, which seems to be more popular and fully supported by the perfsonar community. However, our group is concerned about hosting an ISO installation due to various security / maintainability issues.

I think I've asked this before, but the following is my current "wish-list" for the perfsonar toolkit.

1) Make the "RPM method" the default installation method, usable on a standard CentOS / RHEL5/6 instance. My experience is that the RPM method *should work* already, but it's mainly do-it-at-your-own-risk.
2) Stop doing "yum update & reboot" to get components *installed*. Instead, use an RPM meta package and allow the sysadmin to pick and choose which components are installed. This lets the sysadmin know what is installed and what its dependencies are.
3) Leave ssh, user accounts, etc. alone. We have a locked-down version of sshd, and user accounts are maintained via LDAP/sssd. Also, the perfsonar GUI should maintain its own list of users / auth mechanism apart from OS accounts.
4) Reduce the number of firewall ports that need to be opened - or create a utility to help the sysadmin decide which ports need to be opened based on the services installed.

In my opinion, the ISO installation should only be provided to people who are trying to evaluate or test a perfsonar installation before doing a more permanent *production* RPM-based installation.

Thanks!
Soichi



On Fri, Oct 11, 2013 at 9:28 AM, Jason Zurawski <> wrote:
Hi Amit/All;

There are many tools that exist in this space, and the project has started evaluating some of them.  I would suggest you read about some of them here:

http://code.google.com/p/perfsonar-ps/wiki/pSPT_Host_Security

Future releases could include these as a default, after we evaluate the long term benefits, maintenance issues, and positive impacts they provide.

Thanks;

-jason

On Oct 10, 2013, at 9:14 PM, Amit <> wrote:

> Thanks Shawn,
>
> I think having enabling without passing password is a good idea.
>
> --
> Thanks & Regards
>
> Amit Kumar
> Scientific Officer
> Operation and Routing Group
> M/O Communication and IT, NIC, A- Block, CGO Complex, New Delhi
> Ph. +911122900332, NKN VoIP:5032
>
>
>
> From: [mailto:] On Behalf Of Shawn McKee
> Sent: Friday, October 11, 2013 4:44 AM
> To: Jim Warner
> Cc: Brian Tierney; Amit; Aaron Brown; <>; <>
> Subject: Re: [perf-node-users] Perfsonar Server got hacked (non root user)
>
> I think we should make sure the services that are used to make network measurements and provide diagnostic capability remain open.
>
> If the /etc/hosts.allow is configured not to mess with those services I think it could be helpful to secure the nodes.
>
> Perhaps adding some iptables limitations on ssh would be in order.  We use something like this on certain servers to limit the frequency someone can try to login via ssh:
>
> # Drop repeated ssh connection attempts within 20 seconds interval
> # ssh throttling (iptables-save format, filter table, tracked per source address)
> # 1) source already in the THROTTLE list and seen within the last 20 s: drop the
> #    NEW connection; --rcheck only reads the entry and does not refresh its timestamp
> -A INPUT -p tcp -m tcp -m state -m recent --dport ssh --state NEW -j DROP --rcheck --seconds 20 --name THROTTLE --rsource
> # 2) otherwise accept it and record (--set) the source in THROTTLE, starting the window
> -A INPUT -p tcp -m tcp -m state -m recent --dport ssh --state NEW -j ACCEPT  --set --name THROTTLE --rsource
>
> If you don't allow passwords via ssh you don't even need this (but make sure you protect your keys if that is what you do allow).
>
> Shawn
>
>
>
>
> On Thu, Oct 10, 2013 at 6:51 PM, Jim Warner <> wrote:
> It seems to me that encouraging addition of an /etc/hosts.allow file to perfsonar installations would be a good idea. Even if you don't leave ssh enabled most of the time, it's nice to have the restriction there if you turn it on. And, for CD-ROM users, it appears that the file is remembered and restored across reboots.
>
> -jim
>
>
>
> On Thu, Oct 10, 2013 at 9:58 AM, Brian Tierney <> wrote:
>
> Maybe just a brute force password attack that succeeded? Did you have a good password on that system?
>
>
> On Oct 10, 2013, at 9:21 AM, Amit <> wrote:
>
> > Hi,
> >
> > No sudo ability for this user. Also no other user account hacked. Not even any service got disrupted or misused.
> >
> > Thanks
> > Amit
> >
> >
> > Sent from my HTC
> >
> > ----- Reply message -----
> > From: "Aaron Brown" <>
> > To: "Amit" <>
> > Cc: "<>" <>, "<>" <>
> > Subject: [perf-node-users] Perfsonar Server got hacked (non root user)
> > Date: Thu, Oct 10, 2013 8:22 pm
> >
> >
> > Hey Amit,
> >
> > So this user broke into your 'admin' account, and not root, bwctl, perfsonar, other user accounts? Did this account have sudo ability?
> >
> > Cheers,
> > Aaron
> >
> > On Oct 10, 2013, at 10:47 AM, Amit <<mailto:>> wrote:
> >
> > Hi,
> >
> > Today I could not ssh to my perfsonar servers (two) using a user account. When I logged in to the server I identified that my linux user got compromised somehow from the internet.
> >
> > I could see the ssh connection from an internet IP to my server. Also the crontab entry for that user got changed. Please find the details below
> >
> > 4344 ?        Ss     0:10 ps HOSTNAME=Perf-Delhi TERM=xterm SHELL=/bin/bash HISTSIZE=1000 SSH_CLIENT=201.231.245.195 4158 22 SSH_TTY=/dev/pts/0 USER=admin LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36: MAIL=/var/spool/mail/admin PATH=. PWD=/home/admin/.?/.? LANG=en_US.UTF-8 HISTCONTROL=ignoredups SHLVL=3 HOME=/home/admin LOGNAME=admin SSH_CONNECTION=201.231.245.195 4158 14.139.5.202 22 LESSOPEN=|/usr/bin/lesspipe.sh %s G_BROKEN_FILENAMES=1 _=./ps
> >
> > Also the hacker installed some script in my user home directory and was trying to connect to IRC port 6667 and was also listening on some tcp and udp ports.
> >
> > Iptables is already running on my server, but I could not identify the root cause for this. I have deleted all the data from the home directory and also the crontab entry.
> >
> > Please help me out.
> >
> > --
> > Thanks & Regards
> >
> > Amit Kumar
> > Scientific Officer
> > Operation and Routing Group
> > M/O Communication and IT, NIC, A- Block, CGO Complex, New Delhi
> > Ph. +911122900332, NKN VoIP:5032



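To make the behaviour of the two `-m recent` rules in Shawn's message concrete, here is an added Python model (written for this page, not code from the thread or from the perfSONAR project) of the per-source THROTTLE list: rule 1 drops a NEW ssh connection if its source was recorded within the last 20 seconds, rule 2 accepts it and records the source. The `refresh_on_drop` switch models writing rule 1 with `--update` instead of `--rcheck`; the traffic pattern and addresses are constructed for the example.

```python
WINDOW_SECONDS = 20   # --seconds 20 in the quoted rules


class SshThrottle:
    """Per-source-address state of the THROTTLE list as the two quoted rules use it:
    rule 1: -m recent --rcheck --seconds 20 --name THROTTLE --rsource -j DROP
    rule 2: -m recent --set --name THROTTLE --rsource -j ACCEPT
    Only NEW TCP connections to the ssh port are evaluated (--state NEW), so an
    established session is never affected by later attempts from the same source."""

    def __init__(self, window=WINDOW_SECONDS, refresh_on_drop=False):
        self.window = window
        # True models rule 1 written with --update, which refreshes the timestamp on every hit
        self.refresh_on_drop = refresh_on_drop
        self.last_seen = {}   # source address -> time the entry was last written

    def new_connection(self, src, now):
        seen = self.last_seen.get(src)
        if seen is not None and now - seen < self.window:   # rule 1 matches: DROP
            if self.refresh_on_drop:
                self.last_seen[src] = now
            return "DROP"
        self.last_seen[src] = now                           # rule 2: --set, then ACCEPT
        return "ACCEPT"


def simulate(attempts, **kw):
    """attempts: iterable of (time_in_seconds, source_ip). Returns [(time, src, verdict)] in time order."""
    throttle = SshThrottle(**kw)
    return [(when, src, throttle.new_connection(src, when)) for when, src in sorted(attempts)]


def accepted_count(attempts, **kw):
    return sum(v == "ACCEPT" for _, _, v in simulate(attempts, **kw))


# Constructed scenario: a guessing bot opens a new ssh connection every second for a
# minute, while an operator from another address connects at t=5 and again at t=35.
BOT = [(t, "203.0.113.45") for t in range(60)]
OPERATOR = [(5, "198.51.100.20"), (35, "198.51.100.20")]

if __name__ == "__main__":
    print("bot accepted with --rcheck:", accepted_count(BOT), "of", len(BOT))
    print("bot accepted with --update:", accepted_count(BOT, refresh_on_drop=True), "of", len(BOT))
    print("operator:", [v for _, s, v in simulate(BOT + OPERATOR) if s == "198.51.100.20"])
```

With `--rcheck` the window is measured from the last accepted connection, so one source gets at most one NEW ssh connection per 20 seconds (3 of the bot's 60 attempts get through); with `--update` every dropped attempt extends the block, so a bot that keeps hammering never gets another connection (1 of 60) but a legitimate user from that same address is locked out for as long as the bot continues. Either way a user reconnecting within 20 seconds from the same address (an scp right after an ssh) is dropped, the list is keyed per source so a guesser spread over many addresses is not slowed, and xt_recent keeps only 100 addresses per list by default (module parameter ip_list_tot), evicting the oldest. As Shawn notes, none of this is needed once password authentication is off; it only reduces noise.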
