Site BLOG PAGE🔎   UP ONE LEVEL
 OJB's Web Site. V 2.1.entry300 blog owen2 
Blog

Add a Comment   Up to OJB's Blog List

Not a Good Week

Entry 300, on 2006-03-17 at 17:10:59 (Rating 1, Computers)

This has not been one of my better weeks at work. Things have gone from bad to worse in relation to the security problems on my servers. It now turns out that two of my machines have been compromised. But at least there hasn't been a repeat of the DoS attack of the beginning of the week.

After doing some research on the Internet and on the affected computer, it turns out that the machine was initially compromised by a brute force attack on SSH. In other words, the group attacking the computer just hit it with passwords until they got the right one. They had a program to send the passwords of course, not just a bunch of continuously typing hackers!

It seems that there was no specific weakness in Mac OS X Server. Any service relying on passwords for authentication is potentially open to this sort of attack, I just didn't use secure enough passwords. Most likely it was not my administration accounts which were used, but accounts of users on the servers. Unfortunately the system allocates new users SSH access automatically when they are added. I know I should have disabled that for all users who didn't need it. Many things are obvious with hindsight!

Well, at least I think I understand the mechanism of the attack. A brute force attack looks for passwords on servers running SSH - it would also work for standard Mac OS X with SSH (Remote Login) on with international access through the firewall, or any other OS with a remote login system. Then an IRC server is installed using the compromised account. While IRC is used the machine would continue to work normally. Finally, sometimes a disagreement on an IRC channel running on the server results in the launch of a DoS attack to disable the machine.

I now use passwords so obscure even I don't know what they are! I'll have a few hours rebuilding the servers next week. Overall, the whole thing is just a really annoying waste of time, but a lesson about taking security seriously - even on a Mac!


There are no comments for this entry.


You can leave comments about this using this form.

Enter your name (optional):


Enter your email address (optional):


Enter the number shown here:
number

Enter the comment:

Enter name, email (optional), enter number, comment, click Add.
You can leave the name blank if you want to remain anonymous.
Enter your email address to receive notifications of replies.
Comment should appear immediately (authorisation is inactive).

My latest podcast: OJB's Podcast 2024-12-04 Avoid Microsoft.
 ©2024 by OJBRSS FeedMacs are BestMac Made
T: 12. H: 58,614,230
Features: RSS Feeds Feedback LogMod: 04 Nov 2024