[App_rpt-users] What is the "debian" user in the DIAL distro?

Jeremy Utley jerutley at gmail.com
Tue Jun 6 02:50:25 UTC 2017


To be honest, I scoured the system and couldn’t find any indication of how they got into it.  However, my logs stopped somewhere around June 2 due to the log2ram partition filling up, so I didn’t have a LOT to go on.  The only way I even found out was the machine was probing SSH ports on hosts out on the internet, and got caught by a fail2ban script and reported to my employer (who just happens to host the server the VM was running on).  That “Debian” user is a prime candidate – but I couldn’t see any evidence that was where it came from.  At any rate, I have wiped the VM and am in the process of reinstalling now.  I’m going to be doing some serious hardening of the system (to rival what we do at work in our PCI-compliant cluster), and will document what steps I take on my WordPress blog – including firewalling the box, limiting SSH connections, and a whole host of other stuff.


Jeremy


From: App_rpt-users [mailto:app_rpt-users-bounces at lists.allstarlink.org] On Behalf Of Pierre Martel
Sent: Monday, June 5, 2017 9:29 PM
To: Users of Asterisk app_rpt <app_rpt-users at lists.allstarlink.org>
Subject: Re: [App_rpt-users] What is the "debian" user in the DIAL distro?


Hi Jeremy,


Can you tell us what they did to enter the system? This would be the first thing to change on any DIAL system.


Thanks for letting us know that there is a way to compromise a node; that way we can prepare our nodes for a future attack.


Pierre

VE2PF


On Mon, Jun 5, 2017 at 17:05, Jeremy Utley <jerutley at gmail.com> wrote:

Hello all!

Forgive me for thread necromancy on this one!  I just today had my hub
node compromised - luckily all they did was try to attack SSH on
another host (at least that's all I've been able to determine so far).
So, I'm going to be rebuilding that Hub node tonight.  The reason I
post is, I am actually a Linux sys-admin in my day job - would there
be any benefit in me doing a write-up on what all steps I take in
securing DIAL?  At least a high-level overview of what I end up doing
that others can build from?

Also, I just want to make sure - doing the standard apt-get update /
upgrade on DIAL will not break anything, right?

Jeremy, NQ0M

On Thu, May 11, 2017 at 11:42 AM, Steve Zingman <szingman at msgstor.com> wrote:
> Thor,
> I agree that things need to be tightened up. Now that the mandate has
> changed, those things are changing. I would welcome someone taking on the
> guidance in system administration piece of the puzzle.
>
> 73, Steve N4IRS
>
>
> On 5/11/2017 12:35 PM, Thor Wiegman wrote:
>>
>> You're not the first person I'm aware of to have this type of problem.
>> AllStarLink nodes are an easy target to become bitcoin miners and members of
>> botnets.  Most people installing these nodes don't know the basics of Linux
>> system administration and the defaults aren't even remotely secure.
>>
>> Not only should that "debian" user be deleted, the appropriate changes to
>> SSH need to be made to prevent the superuser "root" from logging in
>> remotely.  That is one of the first things that everyone needs to change
>> after installation of a DIAL system; not sure why it's even allowed by
>> default.
>>
>> I've noticed that a lot of node ops tend to login as root and execute
>> commands as the root user.  Crazy!  It's an extremely dangerous and insecure
>> thing to do, but people new to Linux don't know any better.
>>
>> It would be nice if the default installation were setup in such a way that
>> prevented or discouraged login by the superuser.  It's odd that sudo doesn't
>> appear to be installed by default.  Would be very nice if the installation
>> script prompted for the creation of a user account with proper permissions
>> in much the same way as standard distros do.  Not perfect, but it's a start.
>>
>> Most of these systems are being run by people who are new to Linux.  They
>> don't know about Linux/Unix system administration and nobody is "elmering"
>> them in it.  The result is people taking dangerous shortcuts and developing
>> bad habits.  The community would benefit from some guidance in system
>> administration as well as from some improved defaults in the distro.
>>
>>
>>
>> On 05/10/2017 12:38 PM, app_rpt-users-request at lists.allstarlink.org wrote:
>>>
>>> What is the "debian" user in the DIAL distro?
>>
>>
>> _______________________________________________
>> App_rpt-users mailing list
>> App_rpt-users at lists.allstarlink.org
>> http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users
>>
>> To unsubscribe from this list please visit
>> http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users and
>> scroll down to the bottom of the page. Enter your email address and press
>> the "Unsubscribe or edit options button"
>> You do not need a password to unsubscribe, you can do it via email
>> confirmation. If you have trouble unsubscribing, please send a message to
>> the list detailing the problem.
>
>
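The hardening steps the thread circles around (Jeremy's plan to limit SSH connections, and Thor's list: delete the "debian" account, stop root from logging in over SSH, install sudo and create a proper admin account) pulled together into one script. This is an added example written for this page, not code from the DIAL project or from any of the posters. It assumes a Debian-based node with OpenSSH (service name "ssh") and systemd; the admin user name "nodeadmin" is a placeholder. The sshd_config editing takes the file path as a parameter, so it can be dry-run on a copy before it touches /etc/ssh/sshd_config, and it refuses to turn off password logins until the admin user has an authorized_keys file, which is the usual way people lock themselves out of a headless node. Firewall rules are left out because the ports a node needs are not stated anywhere in this thread.

```shell
#!/bin/sh
# Added example for this thread, not DIAL's own tooling. Assumes a Debian-based
# node with OpenSSH (service "ssh") and systemd. "nodeadmin" is a placeholder.

# sshd_set FILE KEY VALUE
# Drop every global (pre-"Match") occurrence of KEY, commented or not, and put
# one "KEY VALUE" line at the top of the file. sshd keeps the first value it
# sees for a keyword and Match blocks only override their own scope, so the
# new line wins globally while per-user Match overrides are left untouched.
# Writing back through cat keeps the original file's owner and mode.
sshd_set() {
  f=$1; k=$2; v=$3
  tmp=$(mktemp)
  {
    printf '%s %s\n' "$k" "$v"
    awk -v k="$k" '
      /^[ \t]*Match([ \t]|$)/ { inmatch = 1 }
      { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line) }
      !inmatch && tolower(line) ~ ("^" tolower(k) "([ \t]|$)") { next }
      { print }' "$f"
  } > "$tmp"
  cat "$tmp" > "$f"
  rm -f "$tmp"
}

# sshd_get FILE KEY -> effective global value (first occurrence, stops at Match)
sshd_get() {
  awk -v k="$2" '
    /^[ \t]*Match([ \t]|$)/ { exit }
    tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE ADMINUSER HAS_KEYS(yes|no)
# Password logins are switched off only when the admin user already has an
# authorized_keys file; otherwise the node would be unreachable after restart.
harden_sshd() {
  sshd_set "$1" PermitRootLogin no
  sshd_set "$1" AllowUsers "$2"
  sshd_set "$1" MaxAuthTries 3
  sshd_set "$1" LoginGraceTime 30
  if [ "$3" = yes ]; then
    sshd_set "$1" PasswordAuthentication no
  else
    echo "warning: $2 has no authorized_keys, leaving password logins enabled" >&2
  fi
}

# check_sshd FILE -> 0 when root is locked out and logins are limited to named users
check_sshd() {
  rc=0
  [ "$(sshd_get "$1" PermitRootLogin)" = no ] || { echo "PermitRootLogin is not 'no'" >&2; rc=1; }
  [ -n "$(sshd_get "$1" AllowUsers)" ] || { echo "no AllowUsers restriction" >&2; rc=1; }
  return $rc
}

# apply_hardening ADMINUSER  (root only; interactive, adduser asks for a password)
apply_hardening() {
  adm=$1
  apt-get update && apt-get install -y sudo fail2ban
  id "$adm" >/dev/null 2>&1 || adduser --gecos '' "$adm"
  usermod -aG sudo "$adm"
  keys=no
  [ -s "/home/$adm/.ssh/authorized_keys" ] && keys=yes
  cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  harden_sshd /etc/ssh/sshd_config "$adm" "$keys"
  sshd -t && systemctl restart ssh
  # The stock "debian" account: nobody in the thread says what it is for, so
  # refuse to delete it while anything is still running under it.
  if getent passwd debian >/dev/null; then
    if pgrep -u debian >/dev/null; then
      echo "processes still run as 'debian'; inspect them before deleting the account" >&2
    else
      userdel -r debian
    fi
  fi
}

# Usage on the node, as root:  sh harden-node.sh apply nodeadmin
if [ "${1:-}" = apply ] && [ -n "${2:-}" ]; then
  apply_hardening "$2"
fi
```

Run `harden_sshd` against a copy of the node's sshd_config first and diff it; the editing functions never need root. `sshd -t` validates the result before the restart so a syntax slip does not take the daemon down, and the backup copy is there to roll back with. Add the hub's own hosts or a management subnet to AllowUsers (user@pattern form) if logins should be restricted by source as well.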
