No Frills, Big Impact: How Outlaw Malware Quietly Hijacks Linux Servers
Posted by consistentt@reddit | linux | View on Reddit | 21 comments
FryBoyter@reddit
So no danger for people who keep their servers reasonably secure.
fellipec@reddit
Ah nice, so now I know at least what some of those hundreds of IPs blocked in fail2ban are trying to do.
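What fail2ban is doing with those IPs, as an added example that is not part of the thread and is not fail2ban's own code: a sliding-window detector run over a few constructed sshd log lines (RFC 5737 test addresses, traditional syslog format). The failure patterns approximate fail2ban's sshd filter rather than reproduce it; `maxretry` and `findtime` use fail2ban's names and its default of 5 failures in 10 minutes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Message patterns sshd writes for failed logins. Written for this example to
# approximate fail2ban's sshd filter; they are not fail2ban's own regexes.
IP = r"(?P<ip>[0-9a-fA-F.:]+)"
FAIL_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from " + IP + r" port \d+"),
    re.compile(r"Invalid user \S* from " + IP + r" port \d+"),
    # Key-only servers mostly see this one instead of "Failed password".
    re.compile(r"Connection closed by authenticating user \S+ " + IP + r" port \d+ \[preauth\]"),
]
# Traditional syslog prefix: "Mar 15 10:00:01 host sshd[pid]: message"
LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")


def parse_failure(line, year=2024):
    """Return (timestamp, ip) if the line records an authentication failure, else None.
    Syslog lines carry no year, so the caller supplies it."""
    m = LINE.match(line)
    if not m:
        return None
    for pat in FAIL_PATTERNS:
        f = pat.search(m["msg"])
        if f:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            return ts, f["ip"]
    return None


def find_bans(lines, maxretry=5, findtime=600, year=2024):
    """fail2ban-style sliding window: an IP is banned once it accumulates
    `maxretry` failures within `findtime` seconds. Returns {ip: time of ban}."""
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        ev = parse_failure(line, year)
        if ev is None:
            continue
        ts, ip = ev
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


# Constructed sample log: one fast brute-forcer, one slow guesser, one legitimate key login.
SAMPLE_LOG = [
    "Mar 15 10:00:01 vps1 sshd[1201]: Invalid user admin from 203.0.113.7 port 51234",
    "Mar 15 10:00:03 vps1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar 15 10:00:05 vps1 sshd[1201]: Connection closed by authenticating user admin 203.0.113.7 port 51234 [preauth]",
    "Mar 15 10:00:09 vps1 sshd[1204]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Mar 15 10:00:12 vps1 sshd[1204]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Mar 15 10:00:14 vps1 sshd[1204]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Mar 15 10:15:00 vps1 sshd[1300]: Failed password for alice from 198.51.100.22 port 40000 ssh2",
    "Mar 15 10:40:00 vps1 sshd[1310]: Failed password for alice from 198.51.100.22 port 40002 ssh2",
    "Mar 15 11:05:00 vps1 sshd[1322]: Failed password for alice from 198.51.100.22 port 40005 ssh2",
    "Mar 15 11:06:00 vps1 sshd[1330]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2",
]

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the defaults only 203.0.113.7 is banned (five failures in eleven seconds); the slow guesser at 198.51.100.22 spreads three attempts over fifty minutes and never trips the window, which is the usual argument for tightening `findtime`/`maxretry` rather than relying on the defaults.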
FryBoyter@reddit
Such attempts are basically quite normal as soon as you make a service accessible via the Internet. The usual background noise, so to speak.
fellipec@reddit
Yes, hundreds per day. Also WordPress exploits and others.
PossibilityOrganic@reddit
Per day? It's per hour in a lot of VPS or cloud subnets.
fellipec@reddit
I believe my operation is insignificant; others surely get more.
really_not_unreal@reddit
WordPress exploits make up about 30% of traffic to my site if I disregard the requests from my uptime monitoring
LigPaten@reddit
Reminds me of the time I used up my terabyte of internet accidentally running speed tests every minute because I fucked up my cron.
muffinChicken@reddit
Haha, same here. I get quite suspicious when I get traffic that isn't brute-force exploit searching.
VanillaWaffle_@reddit
so 30% uptime monitoring and the rest is you accessing admin page?
Beautiful_Crab6670@reddit
...or use a dedicated sbc (that is not exposed on the internet) for their daily needs.
gloriousPurpose33@reddit
uuidgen and not allowing password authentication in the first place. Seems trivial for a serious admin.
FryBoyter@reddit
Why uuidgen? Serious question.
gloriousPurpose33@reddit
It's simple, and the combined character set plus length cannot be cracked in any millennia soon. There's a reason they're used so often in web frontend and backend design, millions of times per day.
FryBoyter@reddit
Thank you for your answer. But to be honest, I don't really understand it. If SSH only allows access via key file and prohibits access via password, why do you need a random character sequence?
gloriousPurpose33@reddit
If you're doing both then the password isn't for ssh
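The "prohibit password authentication" part of this subthread is easy to get wrong because sshd takes the FIRST value it sees for a keyword, and `Include /etc/ssh/sshd_config.d/*.conf` at the top of the main file means a drop-in can silently win over a `PasswordAuthentication no` written further down. Below is an added example, not code from the thread or from OpenSSH: a small auditor that resolves a config the way sshd does and flags the weak settings, run over a constructed weak config (the drop-in modeled by concatenating it first, in include order) and a hardened one. The audited keywords, their OpenSSH defaults and the alias `ChallengeResponseAuthentication` are taken from the sshd_config manual; the "acceptable" values are this example's policy for a key-only server.

```python
# OpenSSH's built-in defaults for the audited keywords, used when a keyword
# never appears in the config (per sshd_config(5), OpenSSH 9.x).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
}
# Policy for a key-only server (this example's choice, not an OpenSSH default).
ACCEPTABLE = {
    "pubkeyauthentication": {"yes"},
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},   # with UsePAM yes, "yes" still lets PAM ask for a password
    "permitemptypasswords": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
}
# Deprecated spelling of the same keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Resolve global settings the way sshd does: keywords are case-insensitive,
    the FIRST occurrence wins, and everything under a Match block is conditional,
    so it is left out of the global view."""
    eff = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            in_match = True                     # Match blocks run to the next Match or EOF
            continue
        if in_match:
            continue
        key = ALIASES.get(key, key)
        eff.setdefault(key, value)              # first occurrence wins
    return eff


def audit(config_text):
    """Return [(keyword, effective_value)] for each audited keyword whose
    effective value (explicit or default) is outside ACCEPTABLE."""
    eff = effective_settings(config_text)
    return [(k, eff.get(k, DEFAULTS[k])) for k, ok in ACCEPTABLE.items()
            if eff.get(k, DEFAULTS[k]) not in ok]


# Constructed weak config. The drop-in comes first because the main file's
# Include sits above its own settings, so sshd reads it first.
WEAK_CONFIG = """
# --- /etc/ssh/sshd_config.d/50-cloud-init.conf (read first via Include) ---
PasswordAuthentication yes
# --- /etc/ssh/sshd_config ---
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed hardened config: keys only, root via key or not at all.
HARDENED_CONFIG = """
Include /etc/ssh/sshd_config.d/*.conf
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
AuthenticationMethods publickey
UsePAM yes
Match Address 192.0.2.0/24
    PermitRootLogin prohibit-password
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "ok")
```

The weak config reports three findings: `passwordauthentication` is still `yes` (the drop-in won), `permitrootlogin` is `yes`, and `kbdinteractiveauthentication` is `yes` through its old alias, which with `UsePAM yes` keeps a password prompt alive even after `PasswordAuthentication no`. On a real host the same check is `sudo sshd -T`, which prints the effective configuration after all includes and first-wins resolution, so grep that output rather than the files.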
edparadox@reddit
As per usual, just keep your SSH accounts secure.
neo-raver@reddit
Out of curiosity, is there any security benefit to SSH’ing to a port that isn’t 22?
ScrotsMcGee@reddit
Security through obscurity.
It can help with a lot of automated type scans, but if an individual is attacking your system, they'll likely find that port at some point (depending on how determined they are).
Security through layers is the best approach.
Not-Grizzly@reddit
Realistically, key authentication is enough in most cases. Non-default ports can help reduce spam attempts, but I wouldn't consider it a security measure, imo. Just don't expose SSH to the public internet, or at the least whitelist trusted IPs in your firewall.
just_some_onlooker@reddit
... meh