<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Technology, Theology, and Anything In Between &#187; computer security</title>
	<atom:link href="http://www.technotheologian.us/tag/computer-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.technotheologian.us</link>
	<description>This blog explores theology, technology, and (sometimes) the relation between the two.</description>
	<lastBuildDate>Sat, 23 Jul 2011 03:51:36 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Basic UNIX security on the Internet</title>
		<link>http://www.technotheologian.us/2009/09/basic-unix-security-on-the-internet/</link>
		<comments>http://www.technotheologian.us/2009/09/basic-unix-security-on-the-internet/#comments</comments>
		<pubDate>Tue, 15 Sep 2009 02:58:53 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[cracking]]></category>
		<category><![CDATA[freebsd]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[linux]]></category>
		<category><![CDATA[unix]]></category>

		<guid isPermaLink="false">http://www.technotheologian.us/?p=151</guid>
		<description><![CDATA[<p>I realize very few people that are my friends will need this information, but there are a few that may benefit from it. To that end, I wanted to write about an ongoing problem I&#8217;ve had with a break-in that happened to me. One of my development systems on the Internet was compromised recently.</p> <p>I [...]]]></description>
			<content:encoded><![CDATA[<p>I realize very few people that are my friends will need this information, but there are a few that may benefit from it.  To that end, I wanted to write about an ongoing problem I&#8217;ve had with a break-in that happened to me.  One of my development systems on the Internet was compromised recently.</p>
<p>I had just opened an account and was trying the system out, and one morning I woke up to find abuse emails pouring into my mailbox.  When I logged in and looked at the system, I found several new usernames created, and hacking scripts.  Since then, my machine has been re-imaged to prevent the possibility that a rootkit had been installed.  The abuse reports are still pouring in from machines that were attacked from mine.  It is a big paperwork mess and not fun at all.</p>
<p>To prevent this in the future, or at least reduce the risk by a large amount:</p>
<p>1.  Disable PermitRootLogin.  I didn&#8217;t think to do this, because most of my Internet systems are FreeBSD, and this option is set to &#8220;yes&#8221; by default.  Most Linux distros (at least CentOS and Debian) set this to &#8220;yes&#8221;.  This is not a good option, as &#8220;root&#8221; is an easy username to guess, and after that, it is only a matter of brute-force cracking.</p>
<p>2.  Move SSH to a different port if you can.  This will keep most &#8220;script kiddies&#8221; out, as they probably aren&#8217;t going to do a complete port scan of the machine.</p>
<p>3.  If possible, write some very strict firewall rules that allow only the IP addresses and ports that are really needed.  In other words, grant only as many privileges per IP address and port as are needed to provide the services you are advertising.  Anything more can create extra vulnerabilities.</p>
<p>Again, my production systems have been locked down in this manner.  I didn&#8217;t think to do it on a development system, since it was only a week old and I was trying to get Xen virtualization working on it first.  I&#8217;ve learned my lesson:  secure the machine first.  I was surprised how many attacks happen every day with crackers connecting via SSH.</p>
<p>Please do at least secure your systems with these ideas, and you will have less chance of a machine being compromised by malicious attacks.   There are scripts available that will email you if they see any failed login attempts.    If you have any additional ideas, please feel free to post them!  I hope this has been helpful to someone, and a reminder that computer security is an important item we need to be vigilant about.  I dropped my guard for a week and I was taken advantage of.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.technotheologian.us/2009/09/basic-unix-security-on-the-internet/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
