Re: [systemd-devel] Block systemd from adding new services
This is admittedly slightly off-topic, but as you seem to be maintaining servers available on the public internet, this really affects us all. What you are asking for is the equivalent of "which brand of band-aid should I use for whenever I get hit by a bus". Human or bot doesn't matter - if your machines keep getting rooted, *please* address *that*.

Regards,
Peter

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Block systemd from adding new services
The attacker is a robot trying to copy a *.service to /etc/systemd/services. This single measure may keep me in business. Thanks for the information.

On Sun, Jun 13, 2021 at 11:45 AM Silvio Knizek wrote:
> On Sunday, 13.06.2021 at 10:49 -0400, Saint Michael wrote:
> > This is not a human attacker, but a robot. My question is: if I apply
> > chattr +i to $(pkg-config --variable=systemdsystemconfdir systemd),
> > will the OS continue to work fine or is this nonsense?
> > Philip
> Systemd will work totally fine (except »systemctl edit« probably). But
> the point stays: if your attacker has root rights, nothing prevents
> them from setting »chattr -i« on the confdir. So IMHO your approach is
> futile.
>
> BR
> Silvio
Re: [systemd-devel] Block systemd from adding new services
On Sunday, 13.06.2021 at 10:49 -0400, Saint Michael wrote:
> This is not a human attacker, but a robot. My question is: if I apply
> chattr +i to $(pkg-config --variable=systemdsystemconfdir systemd),
> will the OS continue to work fine or is this nonsense?
> Philip

Systemd will work totally fine (except »systemctl edit« probably). But
the point stays: if your attacker has root rights, nothing prevents
them from setting »chattr -i« on the confdir. So IMHO your approach is
futile.

BR
Silvio
Re: [systemd-devel] Block systemd from adding new services
This is not a human attacker, but a robot. My question is: if I apply chattr +i to $(pkg-config --variable=systemdsystemconfdir systemd), will the OS continue to work fine or is this nonsense?

Philip

On Sun, Jun 13, 2021 at 9:54 AM Silvio Knizek wrote:
> On Sunday, 13.06.2021 at 09:32 -0400, Saint Michael wrote:
> > One of the most dramatic hacks to 50+ servers of mine is a bitcoin
> > miner, xmrig. It installs a service file at /etc/systemd/system,
> > enables it and kills the machine.
> > Nobody knows how it propagates. I think that SSHD has been broken in
> > a foreign land or they just brute-force any machine where
> > passwordautorization=yes.
> > The point is, for this list, how can I prevent systemd from adding
> > ANY new service at all. I am thinking to add chattr +i to
> > /etc/systemd/system, but want to know if this makes any sense or if
> > there is a better way to do this.
> > Philip
> Hi Philip,
>
> if someone can add files into
> $(pkg-config --variable=systemdsystemconfdir systemd)
> then the attacker already has root rights, so any suggestion here would
> only be a nuisance for an attacker. Be happy that the payload wasn't
> written in the boot loader.
>
> A general approach would be a stateless system with man:systemd.preset
> and /etc as tmpfs, so after a reboot the system would be fresh again.
> Disabling root login via ssh is always a good idea, and only using
> polkit/sudo for elevating rights. This could be combined with some
> two-factor authentication via PAM, so a cracked/guessed password isn't
> the end.
>
> But in the end these are all generic approaches to system security,
> nothing systemd specific.
>
> HTH
> Silvio
Re: [systemd-devel] Block systemd from adding new services
On Sunday, 13.06.2021 at 09:32 -0400, Saint Michael wrote:
> One of the most dramatic hacks to 50+ servers of mine is a bitcoin
> miner, xmrig. It installs a service file at /etc/systemd/system,
> enables it and kills the machine.
> Nobody knows how it propagates. I think that SSHD has been broken in
> a foreign land or they just brute-force any machine where
> passwordautorization=yes.
> The point is, for this list, how can I prevent systemd from adding
> ANY new service at all. I am thinking to add chattr +i to
> /etc/systemd/system, but want to know if this makes any sense or if
> there is a better way to do this.
> Philip

Hi Philip,

if someone can add files into
$(pkg-config --variable=systemdsystemconfdir systemd)
then the attacker already has root rights, so any suggestion here would
only be a nuisance for an attacker. Be happy that the payload wasn't
written in the boot loader.

A general approach would be a stateless system with man:systemd.preset
and /etc as tmpfs, so after a reboot the system would be fresh again.
Disabling root login via ssh is always a good idea, and only using
polkit/sudo for elevating rights. This could be combined with some
two-factor authentication via PAM, so a cracked/guessed password isn't
the end.

But in the end these are all generic approaches to system security,
nothing systemd specific.

HTH
Silvio
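The sshd hardening Silvio recommends above (no root login over ssh, no password-only authentication) is easy to state and easy to get wrong in a config file, because sshd honours only the first occurrence of a keyword and everything after a Match line is conditional. The following audit script is an added example, not code from the thread or from the systemd or OpenSSH projects; the sshd_config text it checks is a constructed sample, and the fallback defaults it assumes when a keyword is absent are the upstream OpenSSH defaults (PermitRootLogin prohibit-password, PasswordAuthentication yes).

```python
"""Audit the effective global PermitRootLogin / PasswordAuthentication
settings of an sshd_config, the way sshd itself would read them."""
import re

# Constructed sample config (not taken from any real server). The Match
# block at the end disables passwords for one user only; the global
# setting above it is what an attacker brute-forcing root would hit.
SAMPLE_WEAK = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
Match User deploy
    PasswordAuthentication no
"""

SAMPLE_HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
"""

# Upstream OpenSSH defaults used when the keyword is not set at all.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
}


def parse_sshd_config(text):
    """Return the effective global keyword values (lower-cased).

    sshd keeps the *first* occurrence of each keyword and ignores later
    ones, and everything after a 'Match' line applies only to matching
    connections, so parsing stops there. Keywords are case-insensitive
    and may be separated from their value by whitespace or '='.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        values.setdefault(key, value)
    return values


def audit_sshd_config(text):
    """Return a list of findings (empty means both settings are hardened)."""
    values = parse_sshd_config(text)
    findings = []
    root = values.get("permitrootlogin", DEFAULTS["permitrootlogin"])
    if root == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    password = values.get("passwordauthentication",
                          DEFAULTS["passwordauthentication"])
    if password == "yes":
        findings.append("PasswordAuthentication yes: accounts can be "
                        "brute-forced; prefer keys (plus PAM 2FA)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, "->", audit_sshd_config(cfg) or "OK")
```

To run it against a real host, read /etc/ssh/sshd_config into the text argument; note that distributions which ship an Include directive split the configuration across files, so the audit above covers only the file you hand it.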
[systemd-devel] Block systemd from adding new services
One of the most dramatic hacks to 50+ servers of mine is a bitcoin miner, xmrig. It installs a service file at /etc/systemd/system, enables it and kills the machine.

Nobody knows how it propagates. I think that SSHD has been broken in a foreign land or they just brute-force any machine where passwordautorization=yes.

The point is, for this list, how can I prevent systemd from adding ANY new service at all. I am thinking to add chattr +i to /etc/systemd/system, but want to know if this makes any sense or if there is a better way to do this.

Philip
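As the replies point out, an immutable flag does not stop an attacker who already has root, but the behaviour described here (a unit file dropped into /etc/systemd/system and then enabled) is cheap to detect: snapshot the unit directory on a known-good host and diff later snapshots against it. The script below is an added example, not code from the thread or from the systemd project; it builds a constructed unit directory in a temporary folder to show the diff, and the unit names and contents in that fixture are placeholders.

```python
"""Fingerprint a systemd unit directory and report what appeared,
disappeared or changed since a baseline snapshot."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def snapshot_units(unit_dir):
    """Map every file under unit_dir (recursively) to a fingerprint.

    Regular files are hashed. Symlinks, which is how 'systemctl enable'
    wires a unit into a *.wants/ directory, are recorded by their target
    instead, so a newly enabled unit shows up even if its file lives
    elsewhere (e.g. under /usr/lib/systemd/system).
    """
    root = Path(unit_dir)
    snap = {}
    for path in sorted(root.rglob("*")):
        rel = str(path.relative_to(root))
        if path.is_symlink():
            snap[rel] = "symlink:" + os.readlink(path)
        elif path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snap[rel] = "sha256:" + digest
    return snap


def diff_snapshots(baseline, current):
    """Compare two snapshots; each list is sorted for stable output."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "changed": sorted(k for k in current
                          if k in baseline and current[k] != baseline[k]),
    }


def demo():
    """Constructed scenario: baseline, then a new unit is dropped and
    enabled and an existing unit file is modified."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "multi-user.target.wants").mkdir()
        (d / "sshd.service").write_text(
            "[Service]\nExecStart=/usr/sbin/sshd -D\n")
        os.symlink("/usr/lib/systemd/system/sshd.service",
                   d / "multi-user.target.wants" / "sshd.service")
        baseline = snapshot_units(d)

        # What the thread describes: a unit appears and gets enabled.
        (d / "unexpected.service").write_text(
            "[Service]\nExecStart=/placeholder/binary\n")
        os.symlink(str(d / "unexpected.service"),
                   d / "multi-user.target.wants" / "unexpected.service")
        # An existing unit file is also edited.
        (d / "sshd.service").write_text(
            "[Service]\nExecStart=/usr/sbin/sshd -D\n# tampered\n")
        return diff_snapshots(baseline, snapshot_units(d))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice, take the baseline with snapshot_units on the systemd confdir from the thread (the path printed by pkg-config --variable=systemdsystemconfdir systemd), store it off the host as JSON, and run the diff from cron or a central job; a non-empty "added" list for a *.wants/ entry is exactly the enable step the original post describes.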