perfsonar-user - [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user)
- From: "Roderick Mooi" <>
- To: "Amit" <>
- Cc: "<>" <>, "<>" <>
- Subject: [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user)
- Date: Wed, 16 Oct 2013 11:41:08 +0200
Hi Amit
I have installed "denyhosts" on my servers to prevent/deter brute force
attacks. "fail2ban" is another option....
Best regards,
Roderick
>>> On 2013-10-11 at 01:14, Shawn McKee <> wrote:
> I think we should make sure the services that are used to make network
> measurements and provide diagnostic capability remain open.
>
> If the /etc/hosts.allow is configured not to mess with those services I
> think it could be helpful to secure the nodes.
>
> Perhaps adding some iptables limitations on ssh would be in order. We use
> something like this on certain servers to limit the frequency someone can
> try to login via ssh:
>
> # Drop repeated ssh connection attempts within 20 seconds interval
> # ssh throttling
> -A INPUT -p tcp -m tcp -m state -m recent --dport ssh --state NEW -j DROP --rcheck --seconds 20 --name THROTTLE --rsource
> -A INPUT -p tcp -m tcp -m state -m recent --dport ssh --state NEW -j ACCEPT --set --name THROTTLE --rsource
>
> If you don't allow passwords via ssh you don't even need this (but make
> sure you protect your keys if that is what you do allow).
>
> Shawn
>
> On Thu, Oct 10, 2013 at 6:51 PM, Jim Warner <> wrote:
>
>> It seems to me that encouraging addition of an /etc/hosts.allow file to
>> perfsonar installations would be a good idea. Even if you don't leave ssh
>> enabled most of the time, it's nice to have the restriction there if you
>> turn it on. And, for CD-ROM users, it appears that the file is remembered
>> and restored across reboots.
>>
>> -jim
>>
>> On Thu, Oct 10, 2013 at 9:58 AM, Brian Tierney <> wrote:
>>
>>>
>>> Maybe just a brute force password attack that succeeded? Did you have a
>>> good password on that system?
>>>
>>> On Oct 10, 2013, at 9:21 AM, Amit <> wrote:
>>>
>>> > Hi,
>>> >
>>> > This user has no sudo ability. Also, no other user account was hacked, and
>>> no service was disrupted or misused.
>>> >
>>> > Thanks
>>> > Amit
>>> >
>>> >
>>> > Sent from my HTC
>>> >
>>> > ----- Reply message -----
>>> > From: "Aaron Brown" <>
>>> > To: "Amit" <>
>>> > Cc: "<>" <>, "<>" <>
>>> > Subject: [perf-node-users] Perfsonar Server got hacked (non root user)
>>> > Date: Thu, Oct 10, 2013 8:22 pm
>>> >
>>> >
>>> > Hey Amit,
>>> >
>>> > So this user broke into your 'admin' account, and not root, bwctl,
>>> perfsonar, other user accounts? Did this account have sudo ability?
>>> >
>>> > Cheers,
>>> > Aaron
>>> >
>>> > On Oct 10, 2013, at 10:47 AM, Amit <<mailto:>> wrote:
>>> >
>>> > Hi,
>>> >
>>> > Today I could not ssh to my perfsonar servers (two) using a user
>>> account. When I logged in to the server I identified that my Linux user had
>>> somehow been compromised from the internet.
>>> >
>>> > I could see the ssh connection from an internet IP to my server. Also, the
>>> crontab entry for that user got changed. Please find the details below.
>>> >
>>> > 4344 ? Ss 0:10 ps HOSTNAME=Perf-Delhi TERM=xterm
>>> SHELL=/bin/bash HISTSIZE=1000 SSH_CLIENT=201.231.245.195 4158 22
>>> SSH_TTY=/dev/pts/0 USER=admin
>>>
>>> MAIL=/var/spool/mail/admin PATH=. PWD=/home/admin/.?/.? LANG=en_US.UTF-8
>>> HISTCONTROL=ignoredups SHLVL=3 HOME=/home/admin LOGNAME=admin
>>> SSH_CONNECTION=201.231.245.195 4158 14.139.5.202 22
>>> LESSOPEN=|/usr/bin/lesspipe.sh %s G_BROKEN_FILENAMES=1 _=./ps
>>> >
>>> > Also, the hacker installed some script in my user home directory and was
>>> trying to connect to IRC port 6667, and was also listening on some TCP and UDP
>>> ports.
>>> >
>>> > Iptables is already running on my server; I could not identify the root
>>> cause of this. I have deleted all the data from the home directory and also
>>> the crontab entry.
>>> >
>>> > Please help me out.
>>> >
>>> > --
>>> > Thanks & Regards
>>> >
>>> > Amit Kumar
>>> > Scientific Officer
>>> > Operation and Routing Group
>>> > M/O Communication and IT, NIC, A- Block, CGO Complex, New Delhi
>>> > Ph. +911122900332, NKN VoIP:5032
>>> >
--
This message is subject to the CSIR's copyright terms and conditions, e-mail
legal notice, and implemented Open Document Format (ODF) standard.
The full disclaimer details can be found at
http://www.csir.co.za/disclaimer.html.
This message has been scanned for viruses and dangerous content by
MailScanner,
and is believed to be clean.
Please consider the environment before printing this email.
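As an added example (not code from anyone in the thread), a small Python triage of a process environment block like the `ps` line Amit quoted: it parses a NUL-separated environ (the format of /proc/<pid>/environ), here a constructed sample modelled on that listing, and flags the indicators visible in it (a relative PATH entry, a working directory inside a dot-directory, a program started by relative path, an SSH session from an unexpected source). The trusted management networks are placeholder assumptions.

```python
import ipaddress
import re

# Constructed sample, modelled on the environment in the `ps` line quoted
# in the thread; in the field read it from /proc/<pid>/environ instead.
SAMPLE_ENVIRON = (
    "HOSTNAME=Perf-Delhi\0TERM=xterm\0SHELL=/bin/bash\0"
    "SSH_CLIENT=201.231.245.195 4158 22\0USER=admin\0PATH=.\0"
    "PWD=/home/admin/.?/.?\0HOME=/home/admin\0LOGNAME=admin\0"
    "SSH_CONNECTION=201.231.245.195 4158 14.139.5.202 22\0_=./ps\0"
)

# Assumption: networks from which admin logins are expected (placeholders;
# substitute the management networks of your own site).
TRUSTED_SSH_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]


def parse_environ(raw: str) -> dict:
    """Split a NUL-separated environ block into a dict (first value wins)."""
    env = {}
    for item in raw.split("\0"):
        if "=" in item:
            key, value = item.split("=", 1)
            env.setdefault(key, value)
    return env


def triage(env: dict) -> list:
    """Return human-readable findings for the indicators seen in the thread."""
    findings = []
    path = env.get("PATH", "")
    # A relative or empty PATH entry lets a dropped './ps' shadow /bin/ps.
    if path and any(not entry.startswith("/") for entry in path.split(":")):
        findings.append(f"relative PATH entry: {path!r}")
    pwd = env.get("PWD", "")
    # A working directory inside a dot-directory is a classic hiding spot.
    if re.search(r"/\.[^/]+", pwd):
        findings.append(f"cwd inside hidden directory: {pwd!r}")
    prog = env.get("_", "")
    # `_` is the path the shell executed; the real ps is started as /bin/ps.
    if prog and not prog.startswith("/"):
        findings.append(f"program run by relative path: {prog!r}")
    client = env.get("SSH_CLIENT", "").split(" ")[0]
    # SSH_CLIENT records the peer that opened the session this process inherited.
    try:
        addr = ipaddress.ip_address(client) if client else None
    except ValueError:
        addr = None
    if addr is not None and not any(addr in net for net in TRUSTED_SSH_NETS):
        findings.append(f"ssh session from untrusted source: {client}")
    return findings


if __name__ == "__main__":
    for line in triage(parse_environ(SAMPLE_ENVIRON)):
        print(line)
```

Running it against live processes means reading each /proc/<pid>/environ as root and comparing the findings with the user's crontab and listening sockets, as Amit did by hand.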