[App_rpt-users] What is the "debian" user in the DIAL distro?

Loren Tedford lorentedford at gmail.com
Tue Jun 6 03:14:17 UTC 2017 

This is the wiki i use to use when i was hosting my dial on linode..
https://www.linode.com/docs/security/securing-your-server

Loren Tedford (KC9ZHV)
Phone:
Fax:
Email: lorentedford at gmail.com
Email: KC9ZHV at KC9ZHV.com
http://www.lorentedford.com
http://www.kc9zhv.com
http://forum.kc9zhv.com
http://hub.kc9zhv.com
http://Ltcraft.net <http://ltcraft.net/>
http://voipham.com

On Mon, Jun 5, 2017 at 9:50 PM, Jeremy Utley <jerutley at gmail.com> wrote:

> To be honest, I scoured the system and couldn’t find any indication of how
> they got into it.  However, my logs stopped somewhere around June 2 due to
> the log2ram partition filling up, so I didn’t have a LOT to go on.  The
> only way I even found out was the machine was probing SSH ports on hosts
> out on the internet, and got caught by a fail2ban script and reported to my
> employer (who just happens to host the server the VM was running on).  That
> “Debian” user is a prime candidate – but I couldn’t see any evidence that
> was where it came from.  At any rate, I have wiped the VM and am in the
> process of reinstalling now.  I’m going to be doing some serious hardening
> of the system (to rival what we do at work in our PCI-compliant cluster),
> and will document what steps I take onto my Wordpress blog – including
> firewalling the box, limiting SSH connections, and a whole host of other
> stuff.
>
>
>
> Jeremy
>
>
>
> *From:* App_rpt-users [mailto:app_rpt-users-bounces at lists.allstarlink.org]
> *On Behalf Of *Pierre Martel
> *Sent:* Monday, June 5, 2017 9:29 PM
> *To:* Users of Asterisk app_rpt <app_rpt-users at lists.allstarlink.org>
> *Subject:* Re: [App_rpt-users] What is the "debian" user in the DIAL
> distro?
>
>
>
> Hi Jeremy,
>
>
>
> Can you tell us what they did to enter in the system? this would be the
> first thing to change on any dial system.
>
>
>
> Thanks for letting us know that there is a way to compomise a node, that
> way we can prepare our nodes for a futur attack
>
>
>
> Pierre
>
> VE2PF
>
>
>
>
>
> Le lun. 5 juin 2017 à 17:05, Jeremy Utley <jerutley at gmail.com> a écrit :
>
> Hello all!
>
> Forgive me for thread necromancy on this one!  I just today had my hub
> node compromised - luckily all they did was try to attack SSH on
> another host (at least that's all I've been able to determine so far).
> So, I'm going to be rebuilding that Hub node tonite.  The reason I
> post is, I am actually a Linux sys-admin in my day job - would there
> be any benefit in me doing a write-up on what all steps I take in
> securing DIAL?  At least a high-level overview of what I end up doing
> that others can build from?
>
> Also, I just want to make sure - doing the standard apt-get update /
> upgrade on DIAL will not break anything, right?
>
> Jeremy, NQ0M
>
> On Thu, May 11, 2017 at 11:42 AM, Steve Zingman <szingman at msgstor.com>
> wrote:
> > Thor,
> > I agree that things need to be tightened up. Now that the mandate has
> > changed, those things are changing. I would welcome someone taking on the
> > guidance in system administration piece of the puzzle.
> >
> > 73, Steve N4IRS
> >
> >
> > On 5/11/2017 12:35 PM, Thor Wiegman wrote:
> >>
> >> You're not the first person I'm aware of to have this type of problem.
> >> AllStarLink nodes are an easy target to become bitcoin miners and
> members of
> >> botnets.  Most people installing these nodes don't know the basics of
> Linux
> >> system administration and the defaults aren't even remotely secure.
> >>
> >> Not only should that "debian" user be deleted, the appropriate changes
> to
> >> SSH need to be made to prevent the superuser "root" from logging in
> >> remotely.  That is one of the first things that everyone needs to be
> change
> >> after installation of a DIAL system, not sure why it's even allowed by
> >> default.
> >>
> >> I've noticed that a lot of node ops tend to login as root and execute
> >> commands as the root user.  Crazy!  It's an extremely dangerous and
> insecure
> >> thing to do, but people new to Linux don't know any better.
> >>
> >> It would be nice if the default installation were setup in such a way
> that
> >> prevented or discouraged login by the superuser.  It's odd that sudo
> doesn't
> >> appear to be installed by default.  Would be very nice if the
> installation
> >> script prompted for the creation of a user account with proper
> permissions
> >> in much the same way as standard distros do.  Not perfect, but it's a
> start.
> >>
> >> Most of these systems are being run by people who are new to Linux.
> They
> >> don't know about Linux/Unix system administration and nobody is
> "elmering"
> >> them in it.  The result is people taking dangerous shortcuts and
> developing
> >> bad habits.  The community would benefit from some guidance in system
> >> administration as well as from some improved defaults in the distro.
> >>
> >>
> >>
> >> On 05/10/2017 12:38 PM, app_rpt-users-request at lists.allstarlink.org
> wrote:
> >>>
> >>> What is the "debian" user in the DIAL distro?
> >>
> >>
> >> _______________________________________________
> >> App_rpt-users mailing list
> >> App_rpt-users at lists.allstarlink.org
> >> http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users
> >>
> >> To unsubscribe from this list please visit
> >> http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users and
> >> scroll down to the bottom of the page. Enter your email address and
> press
> >> the "Unsubscribe or edit options button"
> >> You do not need a password to unsubscribe, you can do it via email
> >> confirmation. If you have trouble unsubscribing, please send a message
> to
> >> the list detailing the problem.
> >
> >
> > _______________________________________________
> > App_rpt-users mailing list
> > App_rpt-users at lists.allstarlink.org
> > http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users
> >
> > To unsubscribe from this list please visit
> > http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users and
> > scroll down to the bottom of the page. Enter your email address and press
> > the "Unsubscribe or edit options button"
> > You do not need a password to unsubscribe, you can do it via email
> > confirmation. If you have trouble unsubscribing, please send a message to
> > the list detailing the problem.
> _______________________________________________
> App_rpt-users mailing list
> App_rpt-users at lists.allstarlink.org
> http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users
>
> To unsubscribe from this list please visit http://lists.allstarlink.org/
> cgi-bin/mailman/listinfo/app_rpt-users and scroll down to the bottom of
> the page. Enter your email address and press the "Unsubscribe or edit
> options button"
> You do not need a password to unsubscribe, you can do it via email
> confirmation. If you have trouble unsubscribing, please send a message to
> the list detailing the problem.
>
>
> _______________________________________________
> App_rpt-users mailing list
> App_rpt-users at lists.allstarlink.org
> http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users
>
> To unsubscribe from this list please visit http://lists.allstarlink.org/
> cgi-bin/mailman/listinfo/app_rpt-users and scroll down to the bottom of
> the page. Enter your email address and press the "Unsubscribe or edit
> options button"
> You do not need a password to unsubscribe, you can do it via email
> confirmation. If you have trouble unsubscribing, please send a message to
> the list detailing the problem.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.keekles.org/pipermail/app_rpt-users/attachments/20170605/8674d6fe/attachment.html>

More information about the App_rpt-users mailing list