[ubuntu-uk] Preventing a hack attempt

Matthew Macdonald-Wallace matthew at truthisfreedom.org.uk
Sat Aug 28 09:05:35 BST 2010

Quoting Daniel Case <danielcase10 at googlemail.com>:

> Hi there,
> One of my servers has recently been attacked, it has one remote SSH user
> which cannot run 'sudo', I made it like that so that if it was compromised,
> no-one would be able to do much.

Switch to using keys instead of passwords; that way you can lock down
which commands are run to each key, adding a greater level of security.

> However, someone managed to gain the password to that account on the server
> then used "vi /etc/passwd" to gain a list of users, then launched a
> bruteforce using su against my admin account.
> (that's what I can gather from the logs)

That makes sense: all users need to be able to read /etc/passwd to
authenticate locally, although there are no passwords stored in that
file, so an attacker can't retrieve the encrypted password hashes.

My concern here would be how did the attacker gain access to the  
compromised account?  If they "guessed", then I would respectfully  
suggest that your password policy is not strong enough.  If they  
brute-forced it and it is greater than 8 characters with mixed case,  
numbers and special characters then give them the respect they deserve  
for sheer bloody mindedness (it must have taken them months!) and then  
change the password to something stronger!

As a rule, I tend to take a phrase from a TV show or a song or similar  
and then convert that into a passphrase as follows:

1) Decide on the phrase "every little thing she does is magic"
2) Perform character substitution -> "3v3ry l1ttl3 th1ng 5h3 d035 15 m4g1c"
3) Perform case translations -> "3v3rY l1Ttl3 Th1Ng 5h3 d035 15 m4G1c"
4) Remember it!

OK, so that's a bit of an extreme case to illustrate my point, but you  
get the idea! :)

> This did not get very far before I saw and kicked the user off and changed
> all of the passwords, but I would like to know how to prevent this sort of
> thing happening again.

> I need to know mainly how to stop the SSH user running su in the first place
> and how to stop the user seeing files like /etc/passwd

* Install OSSEC (google for it, it's not in APT!) for monitoring of  
system logs and file integrity
* Change from password-based to key-based authentication
* Check that /sbin, /usr/sbin and /usr/local/sbin are not in the
default users' path (edit bashrc and bash_profile in /etc/skel to make
this constant for any new users)
* If the version of Bash is new enough, enable auditing to a log file  
that is not editable by "normal" users
* Install Fail2Ban (this _is_ in APT) and configure for all relevant  
services and setup alerts

That should get you started! :)

If you want a really good book, the "Hardening Linux" published by  
APress is well worth a read!

Hope that's of some use,

Kind regards,

Matthew Macdonald-Wallace
matthew at truthisfreedom.org.uk
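As an added illustration of the su brute force seen in the logs above and of the threshold rule a tool like Fail2Ban applies, here is example code that is not from the thread or from Fail2Ban: it parses constructed auth.log lines, whose format is assumed to follow the classic shadow-utils message "FAILED su for <target> by <user>", and flags any user who exceeds a number of failed su attempts against one target inside a time window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (not taken from the original post).
# The su message format is assumed to match the classic shadow-utils wording.
SAMPLE_AUTH_LOG = """\
Aug 28 08:55:01 server su[4101]: FAILED su for admin by remote
Aug 28 08:55:03 server su[4102]: FAILED su for admin by remote
Aug 28 08:55:04 server su[4103]: FAILED su for admin by remote
Aug 28 08:55:06 server su[4104]: FAILED su for admin by remote
Aug 28 08:55:07 server su[4105]: FAILED su for admin by remote
Aug 28 08:55:09 server su[4106]: FAILED su for admin by remote
Aug 28 09:12:40 server su[4200]: FAILED su for root by alice
Aug 28 09:13:02 server su[4201]: + pts/1 alice:root
Aug 28 09:30:00 server sshd[4300]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
"""

SU_FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ su\[\d+\]: "
    r"FAILED su for (?P<target>\S+) by (?P<user>\S+)$"
)

def parse_failed_su(log_text, year=2010):
    """Return (timestamp, calling user, target account) for each failed su line.
    syslog lines carry no year, so one is supplied; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = SU_FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["target"]))
    return events

def find_su_bruteforce(events, max_failures=5, window_seconds=600):
    """Map (user, target) -> peak number of failures seen within any sliding
    window of window_seconds, for pairs that reach max_failures."""
    by_pair = defaultdict(list)
    for ts, user, target in events:
        by_pair[(user, target)].append(ts)
    alerts = {}
    for pair, times in by_pair.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward past stale failures
            count = end - start + 1
            if count >= max_failures:
                alerts[pair] = max(alerts.get(pair, 0), count)
    return alerts

if __name__ == "__main__":
    for (user, target), n in find_su_bruteforce(parse_failed_su(SAMPLE_AUTH_LOG)).items():
        print(f"ALERT: {user} failed su to {target} {n} times within the window")
```

A single failure from alice is below the threshold and produces no alert, while the six rapid failures from the remote account do.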
