[lug] Hacked Debian server - was Problematic Debian server

Zan Lynx zlynx at acm.org
Thu Jul 15 13:58:47 MDT 2010


On 7/15/10 1:41 PM, Gordon Golding wrote:

> I used to use the CIS procedures as a guide for hardening Fedora, before
> they fell behind the rapid releases. What's a good resource for Debian
> hardening?
>
> Specific question:
> This machine is accessed by users in Germany. The hacked machine was
> trying to talk back to Germany.
> This machine used keys for easy user access.
> I've heard the argument that:
> "Their machine gets hacked, now they are on your machine. Always make a
> user sign in with a strong password."

I would never recommend using passwords over SSH keys. I'd disable 
password access and require keys only. Disable root access via SSH 
entirely. Require admin users to use sudo to get root. You might even 
make the root password impossible or locked so that su is never used.

Automate the update process so the system always has the latest packages.

For a machine that is already hacked I would reinstall it fresh and 
restore from backup. Restore data only! No programs and no scripts from 
backup unless they are carefully verified. You don't know how long it 
has been hacked, so you don't know if the backups have rootkits and 
backdoors written into them.

One cracking method that sometimes gets overlooked is the IP KVM and/or 
remote console if you have one. If a cracker gets the password to that, 
he can remotely reboot the machine and specify single-user mode at LILO 
or GRUB unless those are passworded. Then, if the BIOS isn't passworded, 
the cracker may even be able to remote-boot the machine via TFTP in 
order to mount the local drives.
-- 
Zan Lynx
zlynx at acm.org

"Knowledge is Power.  Power Corrupts.  Study Hard.  Be Evil."
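The sshd settings the reply recommends (keys only, no passwords, no root over SSH) as an added audit script; this is example code written for this page, not something from the list thread. Both sshd_config samples are constructed, the `sshd_value`/`audit_sshd` helpers are hypothetical names, and the "default" values are upstream OpenSSH defaults (`KbdInteractiveAuthentication` is the current name of `ChallengeResponseAuthentication`, which can still let PAM prompt for a password after `PasswordAuthentication no`).

```shell
#!/bin/sh
# Constructed sshd_config samples (not from any real host).
WEAK_CFG='PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

HARDENED_CFG='# Key-only access, as the post recommends
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes'

# sshd_value CONFIG KEYWORD DEFAULT
# sshd honours the first occurrence of a keyword (case-insensitive);
# comments are skipped and DEFAULT is printed if the keyword is absent.
# Match blocks are not modelled here.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }'
}

# audit_sshd CONFIG: one FAIL line per weak setting; returns 0 only if clean.
audit_sshd() {
    cfg=$1; rc=0
    if [ "$(sshd_value "$cfg" PasswordAuthentication yes)" != "no" ]; then
        echo "FAIL: PasswordAuthentication is not 'no'"; rc=1
    fi
    if [ "$(sshd_value "$cfg" KbdInteractiveAuthentication yes)" != "no" ]; then
        echo "FAIL: KbdInteractiveAuthentication is not 'no' (PAM may still prompt for a password)"; rc=1
    fi
    if [ "$(sshd_value "$cfg" PermitRootLogin prohibit-password)" != "no" ]; then
        echo "FAIL: PermitRootLogin is not 'no' (use sudo instead)"; rc=1
    fi
    if [ "$(sshd_value "$cfg" PubkeyAuthentication yes)" != "yes" ]; then
        echo "FAIL: PubkeyAuthentication disabled; keys could not be used at all"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: key-only access, root login over SSH disabled"
    return "$rc"
}

audit_sshd "$WEAK_CFG" || true   # three FAIL lines
audit_sshd "$HARDENED_CFG"       # OK
```

Run it against a live host with `audit_sshd "$(sshd -T)"`, which prints the effective configuration with defaults already resolved.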
