[CentOS] an actual hacked machine, in a preserved state

Ljubomir Ljubojevic office at plnet.rs
Thu Jan 5 19:25:50 UTC 2012


On 01/05/2012 07:56 PM, Lamar Owen wrote:
> On Wednesday, January 04, 2012 08:47:47 PM Bennett Haselton wrote:
>> Well yes, on average, password-authentication is going to be worse
>> because it includes people in the sample who are using passwords like
>> "Patricia".  Did they compare the break-in rate for systems with 12-char
>> passwords vs. systems with keys?
>
> And this is where the rubber meets the road.  Keys are uniformly secure (as long as physical access to the private key isn't available to the attacker), passwords are not.
>
> It is a best practice to not run password auth on a public facing server running ssh on port 22.  Simple as that.  Since this is such a basic best practice, it will get mentioned anytime anyone mentions using a password to log in remotely over ssh as root; the other concerns and possible exploits are more advanced than this.
>
> Addressing that portion of this thread, it's been my experience that once an attacker gains root on your server you have a very difficult job on your hands determining how they got in; specialized forensics tools that analyze more than just logs can be required to adequately find this; that is, this is a job for a forensics specialist.
>
> Now, anyone (yes, anyone) can become a forensics specialist, and I encourage every admin to at least know enough about forensics to be able to take a forensics-quality image of a disk and do some simple forensics-quality read-only analysis (simply mounting, even as read-only, an ext3/4 filesystem breaks full forensics, for instance).  But when it comes to analyzing today's advanced persistent threats and break-ins related to them, you should at least read after experts in this field like Mandiant's Kevin Mandia (there's a slashdot story about him and exactly this sort of thing; see http://it.slashdot.org/story/12/01/04/0630203/cleaning-up-the-mess-after-a-major-hack-attack for details).  He's a nice guy, too.
>
> I would suspect that no one on this list would be able or willing to provide a full analysis on-list, perhaps privately, though, and/or for a fee.
>
> In conclusion, as I am done with this branch of this thread, I'd recommend you read http://www.securelist.com/en/blog/625/The_Mystery_of_Duqu_Part_Six_The_Command_and_Control_servers
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
>

What is the sentiment about having a dedicated box with only ssh, and then 
using that one to raise ssh tunnels to inside systems? So there are no exploits 
to be used, denyhosts in effect?

-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
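Added example, not code from this thread or from CentOS: the two points raised above, Lamar's "no password auth on a public-facing sshd" baseline and Ljubomir's dedicated ssh-only box in front of the inside systems, as a small POSIX shell script. It audits an sshd_config the way sshd itself reads it (first occurrence of a keyword wins, so a "PasswordAuthentication no" appended below the distribution default never takes effect), and prints the client-side ssh_config that hops through the bastion. The host names, user names, key file names and the two sample configs are constructed for the example; the sshd_config keywords and defaults are OpenSSH's.

```shell
#!/bin/sh
# Added example (not from the thread). Audits sshd_config settings the way
# sshd reads them, and shows the client config for a dedicated ssh-only box.
# Names, users and key files are hypothetical.

# Constructed sample: an admin appended "PasswordAuthentication no" at the
# bottom but left the distribution default above it. sshd uses the FIRST
# value it sees for a keyword, so the appended line is silently ignored.
WEAK_CFG=$(cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
# added later, never takes effect:
PasswordAuthentication no
EOF
)

# Constructed sample: the same host done right (keys only, no root over ssh).
HARD_CFG=$(cat <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers admin
UsePAM yes
EOF
)

# sshd_setting CONFIG_TEXT KEYWORD: print the value sshd will actually use,
# i.e. the first uncommented occurrence, or "unset". Keywords are
# case-insensitive and may be written "Key value" or "Key=value". Reading
# stops at the first Match block, since everything after it is conditional.
sshd_setting() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { sub(/^[ \t]+/, "")
          if ($0 ~ /^(#|$)/) next
          split($0, w, /[ \t]*=[ \t]*|[ \t]+/)
          if (tolower(w[1]) == "match") exit
          if (tolower(w[1]) == tolower(key)) { print w[2]; found = 1; exit } }
        END { if (!found) print "unset" }
    '
}

# audit_sshd CONFIG_TEXT: one "WEAK Keyword=value" line per finding; returns
# 0 when clean, 1 otherwise. Unset keywords are judged by sshd's defaults:
# PasswordAuthentication, ChallengeResponseAuthentication (which with UsePAM
# is just another password prompt) and PermitRootLogin all default to yes.
audit_sshd() {
    rc=0
    v=$(sshd_setting "$1" PasswordAuthentication)
    [ "$v" = no ] || { echo "WEAK PasswordAuthentication=$v"; rc=1; }
    v=$(sshd_setting "$1" ChallengeResponseAuthentication)
    [ "$v" = no ] || { echo "WEAK ChallengeResponseAuthentication=$v"; rc=1; }
    v=$(sshd_setting "$1" PermitRootLogin)
    case "$v" in
        no|without-password|prohibit-password|forced-commands-only) ;;
        *) echo "WEAK PermitRootLogin=$v"; rc=1 ;;
    esac
    v=$(sshd_setting "$1" PubkeyAuthentication)
    [ "$v" != no ] || { echo "WEAK PubkeyAuthentication=no"; rc=1; }
    return $rc
}

# Client side of the dedicated ssh-only box: only "bastion" listens on the
# Internet; hosts under .internal are reached through it with a stdio forward
# (ssh -W needs OpenSSH 5.4 or newer; older clients use
# "ProxyCommand ssh -q bastion nc %h %p"). The inside sshds then only need to
# listen on the internal network, and only the bastion's sshd sees the scans.
bastion_client_config() {
    cat <<'EOF'
Host bastion
    HostName bastion.example.org
    User admin
    IdentityFile ~/.ssh/id_bastion
    IdentitiesOnly yes
Host *.internal
    ProxyCommand ssh -q -W %h:%p bastion
    User admin
    IdentityFile ~/.ssh/id_internal
    IdentitiesOnly yes
EOF
}

# Stand-alone run: report on both constructed configs.
for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    if audit_sshd "$cfg"; then echo "config: ok"; else echo "config: needs work"; fi
    echo
done
```

To run it against a live host, pass the real file: `audit_sshd "$(cat /etc/ssh/sshd_config)"`, and after any change confirm with `sshd -T | grep -i passwordauthentication` (OpenSSH 5.1 and newer), which prints the effective value rather than what the file appears to say. On the inside hosts, the matching step is to keep sshd bound to the internal address (ListenAddress) or firewalled from the outside, so the bastion is the only sshd that denyhosts and the password-guessing bots ever get to talk to.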
