<div dir="ltr">This is the wiki I used to use when I was hosting my DIAL on Linode: <a href="https://www.linode.com/docs/security/securing-your-server">https://www.linode.com/docs/security/securing-your-server</a><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div style="font-size:small;font-family:arial">Loren Tedford (KC9ZHV) </div><div style="font-size:small;font-family:arial">Phone:</div><div style="font-size:small"><font face="arial">Fax: </font><br><font face="arial">Email: </font><a href="mailto:lorentedford@gmail.com" style="color:rgb(17,85,204);font-family:arial" target="_blank">lorentedford@gmail.com</a></div><div style="font-size:small">Email: <a href="mailto:KC9ZHV@KC9ZHV.com" style="color:rgb(17,85,204)" target="_blank">KC9ZHV@KC9ZHV.com</a></div><div style="font-size:small;font-family:arial"><a href="http://www.lorentedford.com/" style="color:rgb(17,85,204)" target="_blank">http://www.lorentedford.com</a></div><div style="font-size:small;font-family:arial"><a href="http://www.kc9zhv.com/" style="color:rgb(17,85,204)" target="_blank">http://www.kc9zhv.com</a></div><div style="font-size:small;font-family:arial"><a href="http://forum.kc9zhv.com/" style="color:rgb(17,85,204)" target="_blank">http://forum.kc9zhv.com</a></div><div style="font-size:small;font-family:arial"><a href="http://hub.kc9zhv.com/" style="color:rgb(17,85,204)" target="_blank">http://hub.kc9zhv.com</a></div><div style="font-size:small"><a href="http://ltcraft.net/" style="color:rgb(17,85,204)" target="_blank">http://Ltcraft.net</a></div><div style="font-size:small"><a href="http://voipham.com" target="_blank">http://voipham.com</a></div></div></div></div></div></div>
<br><div class="gmail_quote">On Mon, Jun 5, 2017 at 9:50 PM, Jeremy Utley <span dir="ltr"><<a href="mailto:jerutley@gmail.com" target="_blank">jerutley@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div class="m_-4675139622683529374WordSection1"><p class="MsoNormal">To be honest, I scoured the system and couldn’t find any indication of how they got into it. However, my logs stopped somewhere around June 2 due to the log2ram partition filling up, so I didn’t have a LOT to go on. The only way I even found out was the machine was probing SSH ports on hosts out on the internet, and got caught by a fail2ban script and reported to my employer (who just happens to host the server the VM was running on). That “Debian” user is a prime candidate – but I couldn’t see any evidence that was where it came from. At any rate, I have wiped the VM and am in the process of reinstalling now. 
I’m going to be doing some serious hardening of the system (to rival what we do at work in our PCI-compliant cluster), and will document what steps I take onto my WordPress blog – including firewalling the box, limiting SSH connections, and a whole host of other stuff.</p><p class="MsoNormal"> </p><p class="MsoNormal">Jeremy</p><p class="MsoNormal"> </p><p class="MsoNormal"><b>From:</b> App_rpt-users [mailto:<a href="mailto:app_rpt-users-bounces@lists.allstarlink.org" target="_blank">app_rpt-users-bounces@<wbr>lists.allstarlink.org</a>] <b>On Behalf Of </b>Pierre Martel<br><b>Sent:</b> Monday, June 5, 2017 9:29 PM<br><b>To:</b> Users of Asterisk app_rpt <<a href="mailto:app_rpt-users@lists.allstarlink.org" target="_blank">app_rpt-users@lists.<wbr>allstarlink.org</a>><br><b>Subject:</b> Re: [App_rpt-users] What is the "debian" user in the DIAL distro?</p><p class="MsoNormal"> </p><div><p class="MsoNormal">Hi Jeremy,</p></div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">Can you tell us what they did to enter the system? This would be the first thing to change on any DIAL system.</p></div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">Thanks for letting us know that there is a way to compromise a node; that way we can prepare our nodes for a future attack.</p></div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">Pierre</p></div><div><p class="MsoNormal">VE2PF</p></div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal"> </p><div><div><p class="MsoNormal">
On Mon, Jun 5, 2017 at 17:05, Jeremy Utley <<a href="mailto:jerutley@gmail.com" target="_blank">jerutley@gmail.com</a>> wrote:</p></div><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in"><p class="MsoNormal">Hello all!<br><br>Forgive me for thread necromancy on this one! I just today had my hub<br>node compromised - luckily all they did was try to attack SSH on<br>another host (at least that's all I've been able to determine so far).<br>So, I'm going to be rebuilding that Hub node tonight. The reason I<br>post is, I am actually a Linux sys-admin in my day job - would there<br>be any benefit in me doing a write-up on what all steps I take in<br>securing DIAL? At least a high-level overview of what I end up doing<br>that others can build from?<br><br>Also, I just want to make sure - doing the standard apt-get update /<br>upgrade on DIAL will not break anything, right?<br><br>Jeremy, NQ0M<br><br>On Thu, May 11, 2017 at 11:42 AM, Steve Zingman <<a href="mailto:szingman@msgstor.com" target="_blank">szingman@msgstor.com</a>> wrote:<br>> Thor,<br>> I agree that things need to be tightened up. Now that the mandate has<br>> changed, those things are changing. I would welcome someone taking on the<br>> guidance in system administration piece of the puzzle.<br>><br>> 73, Steve N4IRS<br>><br>><br>> On 5/11/2017 12:35 PM, Thor Wiegman wrote:<br>>><br>>> You're not the first person I'm aware of to have this type of problem.<br>>> AllStarLink nodes are an easy target to become bitcoin miners and members of<br>>> botnets. Most people installing these nodes don't know the basics of Linux<br>>> system administration and the defaults aren't even remotely secure.<br>>><br>>> Not only should that "debian" user be deleted, the appropriate changes to<br>>> SSH need to be made to prevent the superuser "root" from logging in<br>>> remotely. 
That is one of the first things that everyone needs to change<br>>> after installation of a DIAL system, not sure why it's even allowed by<br>>> default.<br>>><br>>> I've noticed that a lot of node ops tend to log in as root and execute<br>>> commands as the root user. Crazy! It's an extremely dangerous and insecure<br>>> thing to do, but people new to Linux don't know any better.<br>>><br>>> It would be nice if the default installation were set up in such a way that<br>>> prevented or discouraged login by the superuser. It's odd that sudo doesn't<br>>> appear to be installed by default. Would be very nice if the installation<br>>> script prompted for the creation of a user account with proper permissions<br>>> in much the same way as standard distros do. Not perfect, but it's a start.<br>>><br>>> Most of these systems are being run by people who are new to Linux. They<br>>> don't know about Linux/Unix system administration and nobody is "elmering"<br>>> them in it. The result is people taking dangerous shortcuts and developing<br>>> bad habits. 
The community would benefit from some guidance in system<br>>> administration as well as from some improved defaults in the distro.<br>>><br>>><br>>><br>>> On 05/10/2017 12:38 PM, <a href="mailto:app_rpt-users-request@lists.allstarlink.org" target="_blank">app_rpt-users-request@lists.<wbr>allstarlink.org</a> wrote:<br>>>><br>>>> What is the "debian" user in the DIAL distro?<br>>><br>>><br>>> ______________________________<wbr>_________________<br>>> App_rpt-users mailing list<br>>> <a href="mailto:App_rpt-users@lists.allstarlink.org" target="_blank">App_rpt-users@lists.<wbr>allstarlink.org</a><br>>> <a href="http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users" target="_blank">http://lists.allstarlink.org/<wbr>cgi-bin/mailman/listinfo/app_<wbr>rpt-users</a><br>>><br>>> To unsubscribe from this list please visit<br>>> <a href="http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users" target="_blank">http://lists.allstarlink.org/<wbr>cgi-bin/mailman/listinfo/app_<wbr>rpt-users</a> and<br>>> scroll down to the bottom of the page. Enter your email address and press<br>>> the "Unsubscribe or edit options button"<br>>> You do not need a password to unsubscribe, you can do it via email<br>>> confirmation. 
If you have trouble unsubscribing, please send a message to<br>>> the list detailing the problem.<br>
</p></blockquote></div></div></div></div></blockquote></div><br></div></div>
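<p>Two of the checks Thor's message calls for, no leftover "debian" account and root barred from logging in over SSH, written up as an added audit script that is not part of this thread or of the DIAL distro. The passwd and sshd_config samples below are constructed; on a real node the functions would be pointed at /etc/passwd and /etc/ssh/sshd_config.</p>

```shell
#!/bin/sh
# Added audit helpers (not from the thread or the DIAL distro) for two hardening points:
# the stray "debian" account must be gone, and sshd must not let root log in remotely.
# File paths are parameters so the checks run against constructed sample files here.

# Returns 0 when the passwd-format file $1 is readable and has no account named $2.
no_account() {
    [ -r "$1" ] && ! grep -q "^$2:" "$1"
}

# Prints the global PermitRootLogin value from sshd_config $1. sshd uses the FIRST
# uncommented occurrence of a keyword (case-insensitive, "key value" or "key=value"),
# and anything after a "Match" line is conditional, so the scan stops there. Prints
# nothing when the directive is absent; the caller treats that as not hardened since
# the result would then depend on the OpenSSH version's built-in default.
effective_permit_root_login() {
    awk '{ sub(/#.*/, ""); gsub(/=/, " ")
           if (tolower($1) == "match") exit
           if (tolower($1) == "permitrootlogin") { print tolower($2); exit } }' "$1"
}

# Returns 0 only for an explicit "no": "prohibit-password"/"without-password" still
# allow key-based root logins, which the advice in the thread also rules out.
root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Runs both checks on passwd file $1 and sshd_config $2; returns the number of findings.
audit_node() {
    findings=0
    no_account "$1" debian || { echo "FINDING: 'debian' account still present in $1"; findings=$((findings + 1)); }
    root_login_disabled "$2" || { echo "FINDING: PermitRootLogin is '$(effective_permit_root_login "$2")' in $2, expected 'no'"; findings=$((findings + 1)); }
    return $findings
}

# Constructed sample files (not taken from any real node) so the block runs offline.
tmpdir=$(mktemp -d); trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
debian:x:1000:1000:debian:/home/debian:/bin/bash
EOF
cat > "$tmpdir/sshd_config.weak" <<'EOF'
# PermitRootLogin no    (commented out, so it does not count)
PermitRootLogin yes
EOF
cat > "$tmpdir/sshd_config.hardened" <<'EOF'
PermitRootLogin no
Match User backup
    PermitRootLogin yes
EOF

audit_node "$tmpdir/passwd" "$tmpdir/sshd_config.weak" || echo "weak config: $? finding(s)"
audit_node "$tmpdir/passwd" "$tmpdir/sshd_config.hardened" || echo "hardened config: $? finding(s)"
```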