I am wondering what steps are needed to immediately secure a new appliance?
I recently set up a test appliance via the Turnkey Hub and AWS and played around with it for a few hours. Pretty damn cool how easy it was to get something up and running! I got back into the server via PuTTY after the weekend and just happened to scroll back through my commands and noticed a bunch of commands that I had not entered in my testing.
The gist of them was to download a file called "courier-authlibauttvd" from a nefarious looking website at this address http:// 121 dot 12 dot 168 dot 62:6789/ and run it. I immediately destroyed the server instance.
I did use an admin password when setting up the appliance (although a very basic one) and thought I had set up SSH authentication. I was also assuming that the appliances had already been configured to implement best security practices.
What did I miss?
If the commands were in commandline history
Then they must have logged in via SSH. To do that, either your private SSH key has been compromised (assuming you used key authentication) or they cracked your root password (probably brute forced it...?!).
TBH I would have thought that it would have been highly unlikely that this sort of attack would occur out of the blue within such a small window of time...
Actually I just did a quick google and according to this guy this particular malware (i.e. courier-authlibauttvd) is installed following a brute force SSH attack. That would suggest that your root password wasn't so great... Would that be right?
As you're possibly aware, security is always a compromise against user-friendliness/convenience. The best way to avoid brute force SSH attacks like this is to disable password login (make sure that you have your keys set up properly first!).
Edit /etc/ssh/sshd_config and ensure that the following are uncommented (i.e. don't have a '#' at the start of the line):
Then restart SSH
PS I edited your post to remove the direct malware link
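An added example, not from this thread or from TurnKey, that checks an sshd_config for the password-login setting discussed above and writes a hardened copy; the sample config and the function names are my own.

```shell
# sshd honours the FIRST active occurrence of a keyword; lines starting with '#'
# are ignored and an absent keyword takes sshd's built-in default
# (PasswordAuthentication defaults to yes). Match blocks are not modelled here.
# Print the effective value of a keyword (case-insensitive); empty if unset.
sshd_effective() {   # $1 = config path, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ { next }               # comment, ignored by sshd
        tolower($1) == key { print $2; exit }   # first occurrence wins
    ' "$1"
}

# Succeed (exit 0) when this config would still accept password logins.
sshd_password_login_enabled() {   # $1 = config path
    v=$(sshd_effective "$1" PasswordAuthentication)
    [ -z "$v" ] && v=yes          # unset => sshd default, which is yes
    [ "$v" = yes ]
}

# Write a hardened copy: key-only logins, root may not use a password.
# The explicit lines go first so they are the occurrence sshd honours;
# existing active or commented lines for those keywords are dropped.
sshd_harden_copy() {   # $1 = source config, $2 = destination
    {
        printf 'PasswordAuthentication no\n'
        printf 'PubkeyAuthentication yes\n'
        # older sshd releases spell this value "without-password"
        printf 'PermitRootLogin prohibit-password\n'
        grep -viE '^[[:space:]]*#?[[:space:]]*(PasswordAuthentication|PubkeyAuthentication|PermitRootLogin)[[:space:]]' "$1" || true
    } > "$2"
}

# Constructed sample resembling a stock sshd_config; not from any real appliance.
SAMPLE_CONFIG='Port 22
#PasswordAuthentication yes
PermitRootLogin yes
UsePAM yes'

# Stand-alone demonstration; on a real host you would audit /etc/ssh/sshd_config,
# validate the result with "sshd -t -f <file>" and only then restart the service,
# keeping your current session open until a key-based login has been tested.
sshd_demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_CONFIG" > "$dir/sshd_config"
    sshd_password_login_enabled "$dir/sshd_config" && echo "before: password logins enabled"
    sshd_harden_copy "$dir/sshd_config" "$dir/sshd_config.hardened"
    sshd_password_login_enabled "$dir/sshd_config.hardened" || echo "after: key-only logins"
    rm -r "$dir"
}
sshd_demo
```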
Bruteforce attacks against SSH are a very real threat
My Bad Then
It was a very insecure password, since I was just experimenting/testing. Kinda scary though how fast the system was found and compromised! Good to know that AWS is a target and requires extra precaution.
Thanks for the heads up!
You can scan the entire Internet in 45 minutes
Back when I was mapping the Internet for vulnerable machines it wasn't as trivial as it is today. These days you can scan the entire Internet in 45 minutes from a single well connected machine:
https://zmap.io/
Something to keep in mind. On the Internet, there are no good neighborhoods and bad neighborhoods. The distance between any two IPs is effectively 0. Servers have a direct interface with the seediest people in the network.
Need to have a better password setup
I just set up some appliances locally at some clients. After checking this conversation, I will make sure the passwords are more complex. This 45-minute scan is so scary..
Davel Sanchez