Process was running as an unprivileged user. I'm guessing SELinux might have helped but, as we discussed before, I make it a habit to shut that off because 99% of the time it's just in my way. Many, many times the only solution to a daemon not launching is "setenforce 0" or some other "let's shut off selinux" type of answer, to the point that disabling it is one of the first things I do. I can't have security getting in the way of usability all the time like that.
If something is a high value target (for instance if I had kept bitcoins on that server) I might have considered leaving it on and trying to make them play nice. Fact is I was using it as a feeder node for a pool. The worst possible thing that could have happened in that case is that someone could turn it into a spam relay (which they did). The daemon was bitcoind or actually a variant, but the important bits are all bitcoind. Fortunately I'm not dumb enough to leave money sitting on a box on the internet :)

On Thu, Feb 6, 2014 at 11:09 AM, Michael Torrie <torr...@gmail.com> wrote:
> On 02/06/2014 09:30 AM, S. Dale Morrey wrote:
> > Well oddly enough today I had a server hacked. There was a privilege
> > escalation flaw in the only exposed daemon (probably a 0-day of some sort;
> > I've reported it to the devs).
>
> Indeed we are only as secure as the weakest link in the chain. What
> daemon was hacked?
>
> > Someone managed to get root, remove the cert, set a password and login via
> > ssh and then set the box up as a spam relay of all things.
> > I think from now on, I'm going to see if there is a way to just completely
> > remove the root user. (Box is fully patched and auto-updates and applies
> > patches daily).
>
> Think you're barking up the wrong tree. Disabling root as a login user
> would not help you not get hacked in this instance. In your case the
> problem is that the service either was running as root (which your
> disabling of root login will not change), or had a privilege escalation
> path available to it. So you need to a) not run the service as root and
> b) make sure selinux or similar system is locking down the process to
> restrict what it can do, even if it does get hacked.
>
> > I would like to set up a central auth server (probably LDAP) that auths me
> > as an individual to these servers. Then remove root completely. Is that
> > even possible?
> > I guess in reality it would be no different than just renaming root to a
> > different name, but frankly cleaning up the damage from this script kiddy
> > is annoying me.
>
> Again, it wouldn't have helped you.
>
> > Having an auth server be authoritative for a box, and then have permissions
> > and groups set by the box seems like a decent solution, but then I ask
> > myself, what happens when the authbox gets cracked?
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
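Point (b) of Michael's reply, checking that SELinux is actually confining the exposed daemon, as an added example that is not from this thread: a small audit script that reads `ps -eo user,label,comm --no-headers` output and reports which processes run in a real domain and which are unconfined or unlabeled. The sample ps lines embedded below are constructed, and stratum-proxy is a made-up process name.

```shell
#!/bin/sh
# Added example, not from the thread: audit which daemons SELinux is
# actually confining. Input is the output of
#   ps -eo user,label,comm --no-headers
# on an SELinux-enabled host; the lines below are a constructed sample
# (stratum-proxy is a made-up process name).
SAMPLE_PS='root system_u:system_r:sshd_t:s0-s0:c0.c1023 sshd
bitcoin system_u:system_r:unconfined_service_t:s0 bitcoind
postfix system_u:system_r:postfix_master_t:s0 master
root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 stratum-proxy'

# audit_ps reads "user label comm" lines on stdin and prints, per process,
#   comm user domain verdict
# where verdict is "confined", "unconfined" (unconfined_t or
# unconfined_service_t: SELinux will not stop the process from doing
# anything its UID may do) or "unlabeled" (no SELinux label at all).
# Returns 1 if any process is not confined, 0 otherwise.
audit_ps() {
    awk '
    {
        user = $1; label = $2; comm = $3
        n = split(label, parts, ":")        # user:role:type:level
        if (n < 3) {
            domain = "-"; verdict = "unlabeled"
        } else {
            domain = parts[3]
            verdict = (domain ~ /^unconfined(_service)?_t$/) ? "unconfined" : "confined"
        }
        if (verdict != "confined") bad++
        print comm, user, domain, verdict
    }
    END { exit (bad ? 1 : 0) }'
}

# Stand-alone run over the constructed sample.
if printf '%s\n' "$SAMPLE_PS" | audit_ps; then
    echo "every process is confined by an SELinux domain"
else
    echo "some processes have no policy: an exploit there has the run of their UID"
fi
```

An unprivileged daemon left in unconfined_service_t, which is where a service with no policy of its own typically lands, is the case the thread describes: the daemon's UID bounds nothing once a local privilege-escalation path exists, so the non-root user alone was never the control.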