[kwlug-disc] server compromised

Insurance Squared Inc. gcooke at insurancesquared.com
Wed May 13 20:07:53 EDT 2009


Interesting.  I did.not.know.that :).  I actually didn't - I figured FTP 
was insecure and having shell only was better.  Works OK I guess if it's 
just me and our programmer accessing the machine.  I'm not set up for 
this darn user stuff.

In any event, this prompted me to find out how to deny shell access for 
that user - which is OK since they only ftp on.  Here's the article I 
found useful:
http://blog.taragana.com/index.php/archive/how-to-create-modify-an-account-to-have-only-ftp-access/

And what it boils down to is that the command:
usermod -s /sbin/nologin userid

turns off shell access for the user and restricts them to ftp only.  
Maybe that's not perfect, but for me it seems like one more step in the 
right direction.

Thanks all,
g.


Chris Frey wrote:
> That's up to you... but ssh == shell in most cases, and opens you up
> to much more tricky attacks than just an ftp server, if that account
> gets compromised.
>
> It would be nice if he used different passwords for all his accounts
> regardless whether it is ssh or ftp.
>
> - Chris
>
>
> On Wed, May 13, 2009 at 07:36:40PM -0400, Insurance Squared Inc. wrote:
>   
>> So no firm answer is possible, but it sounds like I'm 'probably' safe.  
>> This was an automated attack, not an individual actively logging on.  I 
>> guess I'll leave it for now, and work on doing a complete server wipe 
>> which is long overdue.
>>
>> Going forward, the only person who ftp's on to my server is this user.  
>> Everyone else - which consists of myself and my developer - do any 
>> server stuff from command line linux.  Is there any benefit from my 
>> forcing my friend to use ssh to access the server instead of ftp?  He's 
>> on a windows box so he'd have to find some software.  I installed an ftp 
>> daemon for his benefit and didn't like it at the time.
>>
>> g.
>>
>>
>> zixiekat at gmail.com wrote:
>>     
>>> You may want to restrict ftp users by chrooting them. I have done it 
>>> before with login shells, but it has been a while. 
>>> It won't help with knowing if your system is still at risk, but it could 
>>> help in the future. ------Original Message------
>>> From: Chris Frey
>>> Sender: kwlug-disc-bounces at kwlug.org
>>> To: KWLUG discussion
>>> ReplyTo: KWLUG discussion
>>> Subject: Re: [kwlug-disc] server compromised
>>> Sent: May 13, 2009 7:21 PM
>>>
>>> On Wed, May 13, 2009 at 07:07:29PM -0400, Kyle Spaans wrote:
>>>  
>>>       
>>>> I'm no expert, but I've read some discussions on matters like these and
>>>> whenever you even _suspect_ that hackers got access to your
>>>> system, it's safest to nuke the system from orbit.
>>>>    
>>>>         
>>> I usually agree with that level of paranoia, but if only FTP access was
>>> possible for this user, then it's down to the security of your FTP server
>>> software and likely only a data access breech.
>>>
>>> If the ftp account was a normal unix user, then (at least according
>>> to a quick test on my system) that user could download anything on the
>>> system with world readable rights, but won't be able to change anything.
>>>
>>> If shell access was possible, then yes, the number of vulnerabilities
>>> to check gets a little out of hand: setuid, kernel, etc.  You might
>>> want to keep a close eye on the server logs and schedule a reinstall
>>> a little earlier than normal. :-)
>>>
>>> - Chris
>>>
>>>
>>> _______________________________________________
>>> kwlug-disc_kwlug.org mailing list
>>> kwlug-disc_kwlug.org at kwlug.org
>>> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
>>>
>>>
>>> Sent from my BlackBerry device on the Rogers Wireless Network
>>> _______________________________________________
>>> kwlug-disc_kwlug.org mailing list
>>> kwlug-disc_kwlug.org at kwlug.org
>>> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
>>>
>>>  
>>>       
>> -- 
>> Glenn Cooke
>> Insurance Squared Inc.
>> www.insurancesquared.com
>> 1-866-779-1499
>>
>> Agent discussion forum: http://www.americaninsurancebroker.com
>> Free US broker directory: http://directory.americaninsurancebroker.com
>> Free Canadian broker directory: http://www.canadianinsurancebroker.com
>>
>>
>> _______________________________________________
>> kwlug-disc_kwlug.org mailing list
>> kwlug-disc_kwlug.org at kwlug.org
>> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
>>     
>
> _______________________________________________
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
>
>   

-- 
Glenn Cooke
Insurance Squared Inc.
www.insurancesquared.com
1-866-779-1499

Agent discussion forum: http://www.americaninsurancebroker.com
Free US broker directory: http://directory.americaninsurancebroker.com
Free Canadian broker directory: http://www.canadianinsurancebroker.com




More information about the kwlug-disc_kwlug.org mailing list