[CentOS] an actual hacked machine, in a preserved state

Lamar Owen lowen at pari.edu
Thu Jan 5 18:56:44 UTC 2012


On Wednesday, January 04, 2012 08:47:47 PM Bennett Haselton wrote:
> Well yes, on average, password-authentication is going to be worse 
> because it includes people in the sample who are using passwords like 
> "Patricia".  Did they compare the break-in rate for systems with 12-char 
> passwords vs. systems with keys?

And this is where the rubber meets the road.  Keys are uniformly secure (as long as physical access to the private key isn't available to the attacker); passwords are not.

It is a best practice to not run password auth on a public-facing server running ssh on port 22.  Simple as that.  Since this is such a basic best practice, it will get mentioned any time anyone mentions using a password to log in remotely over ssh as root; the other concerns and possible exploits are more advanced than this.

Addressing that portion of this thread, it's been my experience that once an attacker gains root on your server you have a very difficult job on your hands determining how they got in; specialized forensics tools that analyze more than just logs can be required to adequately find this; that is, this is a job for a forensics specialist.

Now, anyone (yes, anyone) can become a forensics specialist, and I encourage every admin to know at least enough about forensics to be able to take a forensics-quality image of a disk and do some simple forensics-quality read-only analysis (simply mounting, even as read-only, an ext3/4 filesystem breaks full forensics, for instance).  But when it comes to analyzing today's advanced persistent threats and the break-ins related to them, you should at least read what experts in this field like Mandiant's Kevin Mandia have to say (there's a slashdot story about him and exactly this sort of thing; see http://it.slashdot.org/story/12/01/04/0630203/cleaning-up-the-mess-after-a-major-hack-attack for details).  He's a nice guy, too.

I would suspect that no one on this list would be able or willing to provide a full analysis on-list; perhaps privately, though, and/or for a fee.

In conclusion, as I am done with this branch of this thread, I'd recommend you read http://www.securelist.com/en/blog/625/The_Mystery_of_Duqu_Part_Six_The_Command_and_Control_servers
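The sshd hardening point above (no password auth, no root password logins over ssh) is easy to state and easy to get wrong when checking: sshd takes the first occurrence of a keyword, ignores anything after a Match block for global settings, treats keywords case-insensitively, and silently falls back to its defaults when a keyword is absent. The following script is an added example, not code from the original post or from the CentOS project; the sshd_config files it writes are constructed for illustration, and the defaults it assumes (PasswordAuthentication yes, PermitRootLogin yes, ChallengeResponseAuthentication yes) are those of the OpenSSH 5.x that CentOS 6 shipped.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config the way
# sshd itself reads it, so a commented-out or shadowed "no" is not mistaken
# for a hardened server. All config contents below are constructed.
set -eu

WORKDIR="${TMPDIR:-/tmp}/sshd-audit.$$"
mkdir -p "$WORKDIR"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed "before": what the thread warns against.
cat > "$WORKDIR/sshd_config.weak" <<'EOF'
Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF

# Constructed "after": keys only, root cannot log in over ssh. With UsePAM
# keyboard-interactive also carries passwords, so it is switched off too.
cat > "$WORKDIR/sshd_config.hardened" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
EOF

# Constructed trap: looks hardened to a grep, but sshd still allows passwords.
cat > "$WORKDIR/sshd_config.tricky" <<'EOF'
# PasswordAuthentication no     <- comment, ignored by sshd
passwordauthentication yes
PasswordAuthentication no       # second occurrence, ignored by sshd
Match User backup
    PasswordAuthentication no
EOF

# sshd_effective FILE KEYWORD DEFAULT
# Prints the value sshd would use for KEYWORD: first occurrence wins,
# keywords are case-insensitive, '#' starts a comment, "key=value" is
# allowed, and nothing inside a Match block counts as a global setting.
# Prints DEFAULT when the keyword is absent (sshd's compiled-in default).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/#.*/, ""); gsub(/=/, " ") }        # drop comments, normalise key=value
        tolower($1) == "match" { inmatch = 1 }    # global section ends at first Match
        inmatch { next }
        tolower($1) == key && !found { print $2; found = 1 }
        END { if (!found) print def }
    ' "$1"
}

# sshd_audit FILE
# Returns 0 when password logins are off for everyone and root cannot
# log in with a password; prints each finding. Defaults are OpenSSH 5.x.
sshd_audit() {
    cfg="$1"; rc=0
    pw=$(sshd_effective "$cfg" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    cr=$(sshd_effective "$cfg" ChallengeResponseAuthentication yes | tr 'A-Z' 'a-z')
    root=$(sshd_effective "$cfg" PermitRootLogin yes | tr 'A-Z' 'a-z')
    [ "$pw" = no ] || { echo "FAIL: PasswordAuthentication is '$pw' (want no)"; rc=1; }
    [ "$cr" = no ] || { echo "FAIL: ChallengeResponseAuthentication is '$cr' (want no)"; rc=1; }
    case "$root" in
        no|without-password|prohibit-password|forced-commands-only) ;;
        *) echo "FAIL: PermitRootLogin is '$root' (want no, or a key-only value)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "PASS: $cfg"
    return "$rc"
}

for f in weak tricky hardened; do
    sshd_audit "$WORKDIR/sshd_config.$f" || :
done
```

Run it as a normal user; to audit a live host, call sshd_audit /etc/ssh/sshd_config, and remember that the result describes the file, not the running daemon, until sshd has been reloaded.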

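The forensics advice in the post (take a forensics-quality image, analyze it read-only, and do not mount an ext3/4 filesystem even read-only because that replays the journal) is concrete enough to show as a procedure. The script below is an added example, not code from the original post; the "suspect disk" is a constructed regular file so it runs unprivileged, and on a real case the source would be the block device, ideally behind a write blocker. It relies only on dd, sha256sum and, if present, debugfs from e2fsprogs.

```shell
#!/bin/sh
# Added example (not from the original post): forensics-quality imaging with
# a hash chain, then read-only examination that leaves the image unchanged.
# Everything under $CASE is constructed for this demonstration.
set -eu

CASE="${TMPDIR:-/tmp}/forensic-case.$$"
mkdir -p "$CASE"
trap 'rm -rf "$CASE"' EXIT

# Constructed stand-in for the suspect disk: 8 MiB of random bytes. If mke2fs
# is installed, turn it into a real ext4 filesystem so the read-only listing
# below has something to show; the imaging and hashing do not depend on it.
SRC="$CASE/suspect.disk"
dd if=/dev/urandom of="$SRC" bs=1024 count=8192 2>/dev/null
if command -v mke2fs >/dev/null 2>&1; then
    mke2fs -q -F -t ext4 "$SRC" >/dev/null 2>&1 || :
fi

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# acquire_image SOURCE IMAGE
# Hash the evidence first, copy it sector by sector (bs=512 so conv=sync
# never pads the tail; noerror continues past bad sectors and sync zero-fills
# them), hash the copy, and refuse the image if the two differ. On success
# the image is made read-only, a .sha256 sidecar is written, and the hash is
# printed for the case notes.
acquire_image() {
    src="$1"; img="$2"
    pre=$(sha256_of "$src")
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.log"
    post=$(sha256_of "$img")
    [ "$pre" = "$post" ] || { echo "HASH MISMATCH: $pre != $post" >&2; return 1; }
    printf '%s  %s\n' "$post" "$(basename "$img")" > "$img.sha256"
    chmod 0444 "$img"
    echo "$post"
}

# verify_image IMAGE: succeeds only if the image still matches its sidecar.
verify_image() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# examine_readonly IMAGE
# Look inside without mounting. A plain "mount -o ro" of an ext3/4 image
# replays a dirty journal and alters the evidence; debugfs without -w does
# not, and neither does "mount -o ro,noload" if a mount is really needed.
examine_readonly() {
    img="$1"
    if command -v debugfs >/dev/null 2>&1; then
        debugfs -R 'ls -l /' "$img" 2>/dev/null || echo "(no ext filesystem found in image)"
    else
        echo "debugfs not installed; read-only alternative: mount -o ro,noload,loop $img /mnt/evidence"
    fi
}

IMG="$CASE/suspect.dd"
echo "image sha256: $(acquire_image "$SRC" "$IMG")"
examine_readonly "$IMG"
verify_image "$IMG"
echo "image unchanged after examination"
```

The final verify_image call is the part that matters in a real case: re-hashing after every analysis step is what lets you show later that nothing you did touched the evidence. Keep the original device untouched and work only on the image (or a copy of it).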


