We also don’t have enough information to pinpoint how those servers are initially being hacked, but we are thinking through SSHD-based brute force attacks.
So does this mean I need to remove sshd? Doubtful. More likely the initial vector is social engineering or weak passwords (social stupidity). That makes this whole infection uninteresting... it's just an app from the web server perspective. OK, so it can break into your browser with a zero-day. Fix the browser.
SSHD brute force attacks would, in fact, be successful if the compromised accounts had weak passwords. Thank you for putting two and two together for the rest of us.
And if not fail2ban, a good first step is updating the firewall rules to have a rate limiter on sshd. Mine allows only 2 attempts to connect a minute.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --set -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 2 -j DROP -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
And they still don't know the initial vector (Score:4, Insightful)
We also don’t have enough information to pinpoint how those servers are initially being hacked, but we are thinking through SSHD-based brute force attacks.
So does this mean I need to remove sshd? Doubtful. More likely the initial vector is social engineering or weak passwords (social stupidity). That makes this whole infection uninteresting ... it's just an app from the web server perspective. OK, so it can break into your browser with a zero-day. Fix the browser.
Re: (Score:-1)
SSHD brute force attacks would, in fact, be successful if the compromised accounts had weak passwords. Thank you for putting two and two together for the rest of us.
Re:And they still don't know the initial vector (Score:2)
...and the server wasn't using any of the various forms of brute force attack countermeasures.
These come prepackaged now but you could easily craft one yourself out of basic Unix tools. Did that very thing before discovering fail-to-ban.
A little paranoia goes a long way.
Re:And they still don't know the initial vector (Score:4, Informative)
And if not fail2ban, a good first step is updating the firewall rules to have a rate limiter on sshd. Mine allows only 2 attempts to connect a minute.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --set
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 2 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
Re: (Score:2, Informative)
Also don't use user/password ssh logins. RSA authentication only.
Re: (Score:2)
Has this never resulted in denial of service?