[ubuntu-uk] Preventing a hack attempt
Glen Mehn
glen.mehn at oba.co.uk
Sat Aug 28 13:45:46 BST 2010
You can't hide /etc/passwd because that's how the system translates
userids into usernames (and thus how the system understands whether a
user has access to a specific file or not)
What you might consider is using non-password authenticated SSH
sessions-- you can do this in /etc/sshd/sshd_config (turn
passwordAuthentication off) and put public keys in
$HOME/.ssh/authorized_keys
This isn't 100% secure, but it's often good for end-users who require
shell access but perhaps can't be trusted to not use good passwords.
Also, the password can't be given out. It may require a bit of fuddling
on your end to make sure they're set up (you may need putty and pagent,
for instance, if it's a windows client). The keys are still stealable,
but if you put a passphrase on the key it's a bit cleaner.
Of course, if the attacker has physical access to the compromised
machine (or a keystroke logger or something) then you're perhaps a bit
horked anyway.
On the upside, it's important to recognise that what you have *is
working*-- you detected the attack before it became a problem.
I would echo Sean's advice about using nonstandard ports as well. Makes
it a bit trickier to find & deal with, though not 100% sure. What you
want to do is layer loads of 99% solutions up until you get a reasonable
assurance.
You might also consider using a chroot() environment for your user if
that'll work for you.
Best,
Glen
On 28/08/10 01:22, Daniel Case wrote:
> Hi there,
>
> One of my servers has recently been attacked, it has one remote SSH
> user which cannot run 'sudo', I made it like that so that if it was
> compromised, no-one would be able to do much.
>
> However, someone managed to gain the password to that account on the
> server then used "vi /etc/passwd" to gain a list of users, then
> launched a bruteforce using su against my admin account.
> (that's what I can gather from the logs)
>
> This did not get very far before I saw and kicked the user off and
> changed all of the passwords, but I would like to know how to prevent
> this sort of thing happening again.
>
> I need to know mainly how to stop the SSH user running su in the first
> place and how to stop the user seeing files like /etc/passwd
>
> Anyone have any suggestions?
--
Glen Mehn
glen.mehn at oba.co.uk
skype: glenmehn | blog: http://glen.mehn.net/mba
UK: +44(0)7942 675 755 | US: +1 415 704 4737
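The key-only SSH setup Glen recommends above (PasswordAuthentication off, public keys in authorized_keys), as an added example that is not part of this thread: a POSIX shell audit that reads an sshd_config file and checks the settings that policy depends on, including the keyboard-interactive/PAM path that still accepts passwords when only PasswordAuthentication is turned off. It assumes sshd's first-occurrence-wins rule, a file without Match blocks, and takes the config path as an argument (on Ubuntu that is /etc/ssh/sshd_config); the two sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the key-only
# policy Glen describes. Assumes sshd's first-occurrence-wins rule, no Match blocks.
# effective_opt FILE KEYWORD [ALIAS...] -> first effective value, lowercased
effective_opt() {
    cfg="$1"; shift
    keys=$(printf '%s ' "$@" | tr 'A-Z' 'a-z')
    awk -v keys="$keys" '
        BEGIN { n = split(keys, k, " ") }
        /^[[:space:]]*#/ || NF < 2 { next }   # skip comments and blank lines
        tolower($1) == "match" { exit }       # stop at the first Match block
        { for (i = 1; i <= n; i++) if (tolower($1) == k[i]) { print tolower($2); exit } }
    ' "$cfg"
}
# audit_sshd_config FILE -> returns 0 only if passwords are off and keys are on
audit_sshd_config() {
    f="$1"; rc=0
    pa=$(effective_opt "$f" PasswordAuthentication)
    kbd=$(effective_opt "$f" KbdInteractiveAuthentication ChallengeResponseAuthentication)
    pk=$(effective_opt "$f" PubkeyAuthentication)
    # sshd's built-in defaults apply when a keyword is absent or commented out
    pa=${pa:-yes}; kbd=${kbd:-yes}; pk=${pk:-yes}
    [ "$pa" = "no" ]  || { echo "FAIL $f: PasswordAuthentication $pa (want no)"; rc=1; }
    # with UsePAM yes, keyboard-interactive still lets PAM prompt for a password
    [ "$kbd" = "no" ] || { echo "FAIL $f: KbdInteractive/ChallengeResponseAuthentication $kbd (want no)"; rc=1; }
    [ "$pk" = "yes" ] || { echo "FAIL $f: PubkeyAuthentication $pk (want yes)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK $f: password logins disabled, public keys accepted"
    return "$rc"
}
# Constructed sample configs (weak vs hardened), written to temp files.
WEAK=$(mktemp); HARD=$(mktemp)
cat >"$WEAK" <<'EOF'
PubkeyAuthentication yes
# commented out, so sshd's default (yes) still applies:
#PasswordAuthentication no
UsePAM yes
EOF
cat >"$HARD" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# a later duplicate is ignored: the first occurrence above wins
PasswordAuthentication yes
EOF
for c in "$WEAK" "$HARD"; do
    audit_sshd_config "$c" || :   # ':' keeps a FAIL from aborting under set -e
done
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing, and re-run after every edit to that file, since a single commented-out line leaves sshd's password default in force.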