Up To 25,000 Unix/Linux Web Servers Infected By Ebury SSH Rootkit

I read up on this yesterday.

It spreads by stealing credentials by replacing ssh with a malware infected versions. It actually gets them when:

1) someone logs into a compromised machine over ssh. Stealing credentials to a server on which the bad buys already have root access seems pointless, unless they are exploiting people's tendency to use the same password everywhere.

2) they log into another server from the compromised one. If it is a root login (or, presumably one with sudo) it them installs bad stuff on the previously clean server.

The second appears to be the more common problem. Now tell me, what kind of idiot logs into a server as root (or an account with sudo privileges) from another server? If you need to login from one server to another it should be with as few privileges as possible just in case on server is compromised.

PBCK

I always deny root access via ssh because that is what all the hackers/crackers try first. Also disable version 1.

WDR

Yes, preventing general SSH access as root makes a lot of sense. It's easy to be blissfully unaware of the 10's of thousands of attempts a day to brute force a password.

fail2ban is a popular piece of software... personally I whitelist a couple of IPs for SSH access (that are other dedicated servers I use), and those ones are RSA key login only, no password. My regular net connection has a floating IP so it suits me this way.

Brute force attempts are like the common cold, there's a lot of it about. Education and awareness would seem to be the cure.

Agreed, root access via ssh should always be off to make brute force attacks harder

I do not know if it helps with this particular attack. Incidentally, this can steal keys as well as passwords.

What else can we do? Fail2ban, port knocking, using a non-standard port....?

I think it's just covering the basic ground graeme

- Long password for anyone who can login with password
- Try making it key-login only
- Preferably whitelist some IPs for SSH access, block everything else to SSH port via SSH config or iptables. iptables maybe better for avoiding those rare SSH vulnerabilities.
- Non-standard SSH port increases obscurity and may help a wee bit, but any port above 1024 can have issues
- Install something like fail2ban if not using the whitelisted IP approach
- Remove any outwarding facing service you aren't using

I'd heard about port knocking but never really looked into it...

>do not know if it helps with this particular attack

Yeah I didn't see any specific vectors after reading "Operation Windigo", any idea? It seemed like either sshd or apache with the vulnerabilty. It seems to do a great job of unblocking all that it needs unblocked once it's in there.

One of my clients accused me of being overly anxious about security (I won't open the Exchange server to port 25 from anything other than a mail forwarder). So I showed her the secure logs from the openvpn server that connects all their offices (and that I have to get into remotely via ssh). Page after page after page.

And that's on a box with the ssh port shifted.

Put any windows server in that position and it would be owned in an hour.

WDR

No, it wouldn't. Only if the adminstrator was really stupid. Find out more about Windows, especially the current versions, before making such groundless statements.

No, it wouldn't. Only if the adminstrator was really stupid. Find out more about Windows, especially the current versions, before making such groundless statements.

There is little difference between the server versions of Windows and the desktop versions. Or, for that matter, today's versions and NT. Windows servers are subject to exactly the same exploits and that's why the latest versions have a web browser (Internet Explorer) that are explicitly prohibited from actually browsing (the admin has to unlock that).

Would you allow an SBS server with file sharing and business information to have a static IP address and open port to everyone on port 25 with Exchange running?

Or IIS on port 80 open to the world?

Or ssh?

I certainly wouldn't. And I am far from the only system admin who wouldn't. And that explains why there are so few Windows servers running web sites and email in comparison to *nix. Sure we run Exchange... but we also have an SMTP server in front of it; usually *nix (or a service running SMTP on *nix which is the same thing). But not many of us have the courage to run IIS unless we have a back end somewhere that can take the heat.

WDR

Do we have to have a Windows vs Linux security debate in every thread?

I have started a separate thread on the topic. can I suggest we debate it there and not derail other threads?

As for most servers, there are some headers that server dishes out as a response, would changing/or removing all together helps as well?

say from:

Server:Apache/2.0.63
X-Powered-By:BestBBS v5.10

to:

Server:Microsoft-IIS/6.0
X-Powered-By:ASP.NET

or backwords...

@WDR, it's here: [webmasterworld.com...]

Unless I have missed something. it would not help in this case as the attack targeted openSSH together with really sloppy login practices. By the time it attacked the web server it already had root access and would not need to look at headers.