Linux-powered botnet lets rip on victims with 180Gbps network floods

Cybercrooks have built a network of compromised Linux servers capable of blowing websites and other systems off the internet with at least 150Gbps of junk traffic. The XOR Distributed Denial of Service (DDoS) botnet is launching 20 attacks a day from compromised machines, according to Akamai. 90 per cent of the attacks from …

  1. AdamWill

    Don't allow ssh access with a password

    "Initially, attackers gain root access by brute-forcing a machine's SSH service – disabling root login from SSH, or using a very strong password, will defeat this."

    As will disabling ssh access with a password at all. There's rarely a good reason to allow this; set up key-based access instead. (And of course, use a strong passphrase for your keys).

    1. Greg J Preece

      Re: Don't allow ssh access with a password

      +1 for key access only.

      Also, who the fook allows hammering on their SSH port? Logwatch and an automatic firewall rule will take care of that BS.

      (I do still need to add that last one to my VPS, now I think about it. A project for this evening!)

      1. Anonymous Coward

        Re: Don't allow ssh access with a password

        So what if the account gets logged in from millions of different IPs instead, each only trying once or twice at a time? Attempting to block the account by sheer number of attempts can result in an unintentional DoS which can be inconvenient for legitimate logins.

        1. Anonymous Coward

          Re: Don't allow ssh access with a password

          It's not different users. It's ssh root. If there's a lot of attempts in a short space of time, something is up. At that point they can go to a whitelist, if they're not already using one.

    2. Anonymous Coward

      Re: Don't allow ssh access with a password

      I found that my logfiles got a LOT less noisy when I moved SSH from its default port 22. The people that do this go for volume, so they usually don't spend the time running nmap against a host to find where SSH has moved to.

      Other than that, definitely agree with disallowing root, working by preference with cert based logins and banning hosts generating failed logins for a while (not permanently, that's a DoS in itself).

      1. John Brown (no body)

        Re: Don't allow ssh access with a password

        "definitely agree with disallowing root,"

        Is that not default anyway? I'm not as au fait with the many Linux distros being a FreeBSD user, but if I want root access I have to either enable SSH root login (no, I don't do that) or log in as a user with enough privilege to su to root after a login.

    3. Anonymous Coward

      Re: Don't allow ssh access with a password

      There is also a new idea floating around - I have had various hits from places that seek to flood my logs with sometimes up to 32000 entries of the same attack. As far as I can tell, it's to hide the stuff that actually matters somewhere in that flood, you do have to do a bit of filtering to strip out that garbage.

      It could, of course, also quite simply be a bunch of incompetent idiots - most of the *hackers* out there are anything but script kiddies. It's the ones that write the scripts that you have to watch out for...

    4. Destroy All Monsters

      Re: Don't allow ssh access with a password

      Of course, a "key" is just a particular password itself...

      1. A13C

        Re: Don't allow ssh access with a password

        Good luck trying to brute force this;

        -----BEGIN RSA PRIVATE KEY-----
        MIIEogIBAAKCAQEApUtE4L96QJOdlJZVhxNBZaP9bazNVf4mAvGW2SUVU3vdMjom
        10YD7k3p7+nUnC9WOC774HcLC1yuZh0pMsMTEInt4Kr8hcvgVHiIgrEZcdt9a11P
        XsDdp/RWQ9xqUKP2aLQgjy9rDO3BDdUpfbI2KVCsu1SAe3Cdp8ZbYDfTFkORiVXM
        Sd2c/wR6hRC5gR7Xkh5osnfoz34y62IzzdbNo4zkGcBsePqwXs75x9ss/Amp0q81
        L22LZvHjgi20NcRRIH0xyy8RIWJTwzakmlqEAQNZ81hnohIiMNoilXqlE8lnEgRe
        etBme9hDDYHFH+C7dan5IFVnMayPIAbXiSbxoQIDAQABAoIBABMZqILj/Wd650ml
        OYrbQcJR+dXzkuKt9IyAiDLdYyJ7fKryJ0zW7VtbK34qogPOQINLgpWEjAUrF4f7
        NKiF/Cz8Ez3T5Ew9q9V2/CdF+a+7cjm21ZYYaUSgKlu7G5nn6HBe6ChDjXY3/wfv
        KtU4g6Owi9U1xYb+E2mwtRxgNwcqZhtK06b3yAjzl+a/cPjVJuRKtgC7Qu/uuMGY
        RphCipvYAxvIGdSpfDRC422YltWsj88n+A6ruIPe9cZjM2SFH/JICCsMjrGVdCwv
        BqynyxtQQRLIJpgzumqQ2MvE5anfT1GUpI3Ge8rZ3CtxwD5tvbguYKltEDClKoDU
        uXEe0aUCgYEAzqTsN93895YaJEkJYwaw7AWpmtqtyofq+mm0CzHwnGY9RwdRqv68
        u1aZm7Kov8wXvZ1sp/mFtBWat0BjzauS8qkaj/XNLsY3vqqeHDfqJI5A/RxRjD07
        e/vn0D6TZir0N7x9Fv9bhAizgQDA5mRJ6XBLWYdKK9kZ4zo92Ryiv+MCgYEAzMYG
        TGQwdT9qj8IEcKrVPEIiT8WPYKoo81UOuyqVIlGbPENxGfOOE/ARrkAPbKvbsmmH
        Z1ynIiP1hjLQbqU4Az+kiQ1fHvZkBi8JASTu4Gh4dA/yFqQTTpwkaEqb4Z4O+9qV
        Xv70PXCNalnlwtaQw7DJuISrTuUNNQIJr6GdN6sCgYBwV27obHHzdBIgOei1glS6
        69UqD8q9uajAnKi6EVta26ZisBLxIG4gdtMptzZQlzcs6aHBrEDJB5nGGGZp0OYh
        sFd1fk8fJ7n0mTM96hQL7Z5dPIEE+eEV5XxAVVSzDZUZnApxb0Akhsp3zp4QYuNf
        2qHMOWXUcsHFK8ul9hBwuwKBgAcdVjivPnPEaUpnXkof1VrLnW+SGKIuJ1AVA3cD
        Sr0vgqo8WaCiMqyEqciZFzAaZH61Zev0byYjg7NO7qj5epG6U1gjq8timiUQ20o7
        40TOvGij6TBaMQWJLUamWPYkzLZ5aLktOIUt9OveBbqYQ91YthmAGoeaM7RExttg
        TRsTAoGAFrcwvuR38C3FpN3EXHQcRlMbEgFeO3GOmpuKF877yrOkkdRu+V0NFz+U
        oeigDPfdDGeWEBo+ubzgNon9GmugBsKiQcVxvM7WJjC9H3HjATWCAB8pp/w4ZYXe
        6EyCEUPOjDHwlUnzu/oe5eoP4PY7NYJxtUt7Og6K/8qd6fuk2j0=
        -----END RSA PRIVATE KEY-----

        1. Doctor_Wibble

          Re: Don't allow ssh access with a password

          Fair point about a key just so long as the machine where it is stored or used from doesn't e.g. have a browser on it. It's easy to make the assumption that one thing is secure and forget something less obvious. Obviously there's a degree of +/- value of target though that depends on whether you or one of your systems is actually the target or simply a stepping-stone.

          1. This post has been deleted by its author

        2. Anonymous Coward

          Re: Don't allow ssh access with a password

          Good luck trying to brute force this;

          -----BEGIN RSA PRIVATE KEY-----
          -----END RSA PRIVATE KEY-----

          Hello world?

          :)

      2. Anonymous Coward

        Re: Don't allow ssh access with a password

        But trying to crack a 4096-bit key is considered infeasible even with future tech unless someone out there's broken the underlying algorithm, which I doubt could be kept secret for long. Even the TLAs are going to have trouble squelching moles.

        1. Indolent Wretch

          Re: Don't allow ssh access with a password

          But.... presumably the brute force is working through password guessing not through hash collision.

          Pretty sure I read linux is using SHA512 to generate its password hashes so a hash collision is bewilderingly unlikely.

          So a properly randomized 32 character password should be just as uncrackable to any realistic degree as using the key malarky.

          Furthermore it's much easier to get the less gifted to implement and use so will probably result in a more concrete improvement. Here's one from KeePass for free:

          #QOZyr"D\3l?Uq5$htQ3rsJ8`T*IV89$

          It would also be nice if linux distros defaulted SSH to only allowing 1 root logon attempt a second. I can imagine some technical environments where particular processes may want much more than that but I'd rather a techie thought about it and turned it off than some poor schmo had it set by default.

          1. Vic

            Re: Don't allow ssh access with a password

            So a properly randomized 32 character password should be just as uncrackable to any realistic degree as using the key malarky.

            No.

            A truly random 32-char password has a fair bit of entropy in it, but nothing like as much as a 4096-bit key. 32 * 8 bits = 256 bits, of which many will be unavailable (can't use every character in a password). 4096 bits is substantially stronger than that...

            It would also be nice if linux distros defaulted SSH to only allowing 1 root logon attempt a second.

            This should be the case for more than just root logins - even an unprivileged account is the start of a beachhead. And so there are standard rate-limiting rules that get installed.

            Vic.
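The sub-thread above raises two different attack shapes: one source hammering an account (what fail2ban's per-IP ban and the "standard rate-limiting rules" handle), and the case the Anonymous Coward describes where thousands of sources each try once or twice, which a per-IP counter never sees. The following is an added example, not code from the page or from fail2ban, showing both views over constructed auth.log lines. It assumes classic syslog-format OpenSSH lines ("Failed password for [invalid user] NAME from IP port N"), a caller-supplied year because syslog omits it, and the threshold values are hypothetical policy numbers.

```python
"""Brute-force detection over sshd auth.log lines: the per-source ban that
fail2ban implements, plus a per-account view that catches the distributed
"one guess per IP" pattern raised in the thread.

Added example, not code from the page. Assumes classic syslog-format
auth.log lines from OpenSSH. The sample log below is constructed.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+|[0-9a-fA-F:]+) port \d+"
)


def parse_failures(lines, year=2015):
    """Yield (timestamp, user, ip) for each failed-auth line. Syslog omits the
    year, so the caller supplies it (assumption: the log spans one year)."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def per_source_bans(events, max_fail=5, window_s=600):
    """fail2ban-style: ban a source after max_fail failures inside window_s
    seconds. Returns {ip: time_of_ban}."""
    recent = defaultdict(deque)
    banned = {}
    for ts, _user, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()          # drop failures that fell out of the window
        if len(q) >= max_fail and ip not in banned:
            banned[ip] = ts
    return banned


def distributed_targets(events, min_sources=20, window_s=3600):
    """Accounts hit from at least min_sources distinct IPs inside window_s
    seconds. One attempt per IP never trips per_source_bans, but the
    account-side count still shows it. Returns {user: peak distinct sources}."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    hits = {}
    for user, evs in by_user.items():
        evs.sort()
        live = Counter()         # distinct IPs inside the sliding window
        start = 0
        for ts, ip in evs:
            live[ip] += 1
            while (ts - evs[start][0]).total_seconds() > window_s:
                old_ip = evs[start][1]
                live[old_ip] -= 1
                if live[old_ip] == 0:
                    del live[old_ip]
                start += 1
            if len(live) >= min_sources:
                hits[user] = max(hits.get(user, 0), len(live))
    return hits


def _line(minute, second, user, ip, invalid=False):
    """Build one constructed auth.log line."""
    who = f"invalid user {user}" if invalid else user
    return (f"Sep 29 10:{minute:02d}:{second:02d} web1 sshd[{1000 + minute * 60 + second}]: "
            f"Failed password for {who} from {ip} port {40000 + second} ssh2")


# Constructed sample: one noisy source hammering root, twenty-five sources
# trying root once each, one legitimate typo, one successful key login.
SAMPLE_LOG = (
    [_line(0, s, "root", "203.0.113.5") for s in range(6)]
    + [_line(m, 0, "root", f"198.51.100.{m}") for m in range(1, 26)]
    + [_line(3, 7, "alice", "192.0.2.9")]
    + ["Sep 29 10:04:00 web1 sshd[2222]: Accepted publickey for alice "
       "from 192.0.2.9 port 5100 ssh2: RSA SHA256:constructed"]
)

if __name__ == "__main__":
    events = list(parse_failures(SAMPLE_LOG))
    print("per-source bans:", per_source_bans(events))          # only 203.0.113.5
    print("distributed targets:", distributed_targets(events))  # root from 26 sources
```

On the sample, the per-source rule bans only 203.0.113.5; the twenty-five one-shot sources never reach the threshold, which is exactly the gap the Anonymous Coward points at. The per-account view reports root as hit from 26 distinct sources inside the hour, which is the signal to act on (whitelist, VPN-only, or keys-only as the thread suggests) rather than a longer ban list. Keep bans temporary, as the later comment notes, or a spoofable trigger becomes a self-inflicted denial of service.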

  2. Gene Cash

    Also install Fail2Ban

    I have it set to ban for a month after one password try, since I similarly have passwords disabled.

    Not related: I just saw my first HTML5 video ad, and the little motherfucker was autoplay with sound at full volume. And people wonder why I have Adblock on "full pessimism". The site was even smart enough to serve the ad from its own domain.

    I was like "what's playing?? how? I don't even have flash installed! wait?!"

    1. Anonymous Coward

      Re: Also install Fail2Ban

      Name and shame the site, or at the very least, forward the info to El Reg so they can write something funny about the tech.

    2. Indolent Wretch

      Re: Also install Fail2Ban

      Don't be silly I remember reading from a great many people that the death of flash was an end to intrusive ads and that HTML5 was a holy land filled only with niceness. They really did think that.

      1. Anonymous Coward

        Re: Also install Fail2Ban

        HTML5 was a holy land filled only with niceness

        Upvote for dripping sarcasm :)

  3. Camilla Smythe

    Erm....

    If I do not port forward from my MODEM/ROUTER on 22 to the LAN am I safe or is it possible that my ISP has borked that one for their own 'nefarious' purposes...

    ssh: connect to host MyIpAddress port 22: Connection refused

    Wuh??

    1. Destroy All Monsters

      Re: Erm....

      You are probably safe. Probably. Unless ....

    2. gerdesj

      Re: Erm....

      "If I do not port forward from my MODEM/ROUTER on 22 to the LAN am I safe"

      Yes, provided your router doesn't have a ssh service itself.

      If you don't need to control your router remotely then disable all external access to it. Port scan it from a mate's connection to make sure nothing is left open by accident. Download Zenmap (nmap with a GUI and a Windows version for the timid - make sure you **only** download it from the official nmap site) and point it at your home IP address. Don't run it too often though otherwise the ISP might get upset.

      1. Camilla Smythe

        Re: Erm....

        Thanks to both...

        "ssh: connect to host MyIpAddress port 22: Connection refused"

        Suggests that it has a service?? I did have a bit of bother port forwarding other stuff Modem/Router was broken so I got a new one. In trying to figure out what was wrong with the old one I used some Linux command to see what was going on... Long since forgotten, netstat? with some parameters. IIRC 21 and/or 22 did crop up and I assumed it was something to do with the Modem/Router.

        Being Chicken Little if these miscreants decide to expand their activities then what is the possibility that they will race about the place and take over everything?

        1. schafdog

          Re: Erm....

          Says that it doesn't have a service, but replies "nicely" back. It would be even better to have the modem/router use a firewall DROP packet rule. Then anybody attempting to use this would hang for a while wasting CPU time/connections.

          1. g e

            Re: Erm....

            iptables' -j DROP is your friend

            As is the repeat connection timeout thingy which I don't remember the syntax for off the top of my head... something to do iptables marking new connections I think

  4. moiety

    How come this is possible at all? I'd have thought that something as crucial as SSH would have attempt-limiting out of the box?

    As a linux n00b, there's a lot of important stuff that you seemingly have to find out the hard way. I tried KDE-flavoured Mint; discovered that some crap called akonadi had the unmitigated gall to run a server without asking me; deleted it and found out that it also controls the login, apparently.

    Any surprises like that in Cinnamon Mint?

    1. Destroy All Monsters

      There was a little bug a bit back:

      http://arstechnica.com/security/2015/07/bug-in-widely-used-openssh-opens-servers-to-password-cracking/

      "akonadi" is the search server as I know. No need to panic.

      1. moiety

        I didn't panic...I just formatted it. I don't want servers running unless I have explicitly put them there. Akonadi is the "PIM storage server":

        https://community.kde.org/KDE_PIM/Akonadi

        ...and, yes, probably requires a server if you're going to be synching stuff between machines. If you are a paranoid old bastard like myself, however, "personal information" and "server" are things that should never appear in the same sentence.

        1. AdamWill

          I think you're operating with an excessively simplified definition of 'server'. Several things in Linux use the 'client/server' paradigm entirely within a single system. You can't just run around turning off everything with the word 'server' in its name or definition, please at least try and understand what it's for first. Just because something's a 'server' doesn't mean it's binding to a remotely-accessible port.

    2. gerdesj

      " discovered that some crap called akonadi had the unmitigated gall to run a server without asking me"

      Go into system-setting and disable desktop search if you don't want it. It does not control the login.

      Good luck with your exploration of penguin land. It can be pretty rewarding but please dig out the browser and do a quick search or post on a forum or two (Gentoo forums are pretty good and generally distro agnostic) before deleting things. Having said that, I like your approach but it would be better if you finished up with fixing it 8)

      1. moiety

        please dig out the browser and do a quick search or post on a forum or two

        I'm doing that too; but -and here is the inherent problem- you need to know what the magic words are before you can search for them. This Akonadi stuff seems to be becoming more crucial to the KDE system as time goes on, according to the various info sources I dug up. Do not want, anyway.

        I think you're operating with an excessively simplified definition of 'server'.

        I found it in the first place by seeing what open listening ports the computer was showing the internet. Server...red flag. Personal Information...Oh hell no. Fucked up the machine when I turned it off...format time. Remember I am walking away from years and fuck knows how much money invested into Windows for the specific reason that I do not want some bastard siphoning data from me; so if my position appears a little uncompromising; that's why.

        You can't just run around turning off everything with the word 'server' in its name or definition, please at least try and understand what it's for first

        There was some research before formatting. But it's my machine and I can turn off whatever I feel like killing. In my book locking me out of the system because I turned off a PIM is grounds for deletion on its own...you may argue that accounts and passwords are personal information; but that is precisely the sort of thing that I don't want anywhere near an internet facing server.

        Just because something's a 'server' doesn't mean it's binding to a remotely-accessible port.

        Noted. Thank you.

        I like your approach but it would be better if you finished up with fixing it

        I could have; but -even if there is no naughtiness going on and everything's above board- it's certainly an opening for abuse in the future. The way the world's going, the whole concept was too ambiguous to want to spend too much time on.

        1. swampdog

          linux in 60 seconds

          First off make sure you create a non-root user account for yourself. I'm not familiar with any recent Mint versions but I'd be surprised if the installer didn't prompt you to do that.

          Don't be fazed by linux listening on a myriad of ports (eg: netstat -an) because most of those are what's known as domain sockets. 'netstat -ant' shows the "internet" sockets and it's the foreign address column you need to look at. "netstat -ant | grep LISTEN" narrows that down to the ones which are listening: "netstat -ant | grep LIS" shows both listening and connected sockets (because LIS also occurs in ESTABLISHED). Look at the local address column and the number after the colon is the port number. The file /etc/services lists commonly used ports and services. eg: "grep 2049 /etc/services" reveals "nfs" on one particular system here because it has an NFS server running.

          You stop ssh from allowing root connections by changing "PermitRootLogin yes" to "PermitRootLogin no" and disable password prompting via "PasswordAuthentication no" - the latter won't allow a login unless an acceptable key has been generated (hint: ssh-keygen). The file is typically "/etc/ssh/sshd_config" but as some stuff varies between systems you might care to run 'updatedb' which builds a small database of the filesystems (hint: locate -i sshd_config).

          You might also care to edit /etc/sudoers. Where it says "root ALL=(ALL) ALL" shove "foo ALL=(ALL) ALL" below it where foo is your normal login username. You can now become root using your own password (hint: 'sudo su -').

          A useful command line editor is 'nano'. "nano -w /path/to/somefile" because 'vi' is enough to put anyone off linux.

          Now you can look at your firewall. 'sudo -i iptables -L -n' (omit "sudo -i" if you're already root) shows you what is currently in effect and you can post that output onto a suitable Mint forum for advice. If there's bugger all in that output then it may be the firewall isn't enabled. Fix that as 1st priority.

          Desktop systems tend to be configured so their firewall allows all outbound connections (and replies back from those outbound connections) and likely nothing but 'sshd' will be allowed to connect from the outside world. Trust me. You don't want to be turning 'sshd' off. It is far too useful. Just ask how to change the firewall rule so that nothing external can connect to it.

          Assuming your firewall is working..

          $foo sudo -i iptables -L -n | grep NEW

          ..will reveal what the outside world can connect to. You'll see this for 'sshd'..

          ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED

          ..if it can accept external connections. Note that even though the above can accept outside connections it will reject all of them because of the sshd_config changes above.

          Here's hoping Mint has iptables. Been years since I tried it!
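swampdog's sshd_config step (PermitRootLogin no, PasswordAuthentication no) is the same advice AdamWill opens the thread with, and it is the kind of thing worth checking mechanically rather than by eye, because OpenSSH keeps the first occurrence of a keyword and ignores later ones, and because an absent keyword silently takes a version-dependent default. The following is an added example, not code from the page or from OpenSSH, that parses the global section of an sshd_config and reports which of the thread's recommendations are not in effect. It assumes OpenSSH keyword semantics (case-insensitive keywords, first occurrence wins, everything after a Match line is conditional), the defaults listed are taken from the OpenSSH manual and should be confirmed on the host with `sshd -T`, and the MaxAuthTries cap is a hypothetical policy value. ChallengeResponseAuthentication is included because leaving it on lets PAM still prompt for a password even with PasswordAuthentication off.

```python
"""Audit the global section of an sshd_config against the hardening advice
in the thread. Added example, not code from the page or from OpenSSH.

Assumptions: OpenSSH keyword semantics (case-insensitive, first occurrence
wins, lines after 'Match' are conditional and skipped here). DEFAULTS are
the documented OpenSSH defaults for an absent keyword; confirm on the host
with `sshd -T`, which prints the effective configuration.
"""
import re

# Effective value when the keyword is absent (OpenSSH documentation; an
# assumption to verify against `sshd -T` on the version actually installed).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",   # "yes" before OpenSSH 7.0
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

# What the thread recommends.
WANTED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}
MAX_AUTH_TRIES = 3   # hypothetical policy cap, not an OpenSSH default

_LINE = re.compile(r"^([A-Za-z0-9]+)\s*[=\s]\s*(.+?)\s*$")


def parse_global(text):
    """Return {keyword: first value} for the global (pre-Match) section."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break                      # everything below is conditional
        seen.setdefault(key, value)    # first occurrence wins, as in sshd
    return seen


def audit(text):
    """Return [(keyword, effective_value, ok)] for each checked setting."""
    cfg = parse_global(text)
    results = []
    for key, good in WANTED.items():
        effective = cfg.get(key, DEFAULTS[key]).lower()
        results.append((key, effective, effective in good))
    tries = int(cfg.get("maxauthtries", DEFAULTS["maxauthtries"]))
    results.append(("maxauthtries", str(tries), tries <= MAX_AUTH_TRIES))
    return results


def failures(text):
    """Keywords whose effective value violates the recommendation."""
    return [key for key, _value, ok in audit(text) if not ok]


# Constructed sample: looks hardened at a glance, but the second
# PermitRootLogin line is the one that is ignored.
WEAK = """\
# constructed sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no        # ignored: first occurrence wins
"""

# Constructed sample: what the thread's advice produces. The Match block
# is conditional and deliberately outside this audit.
HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, failures(text) or "OK")
```

Because `sshd -T` prints one lower-case keyword per line in the same form this parser accepts, `sshd -T | python3 audit.py` style piping gives the effective configuration rather than the file as written, which also covers settings inherited from Include or Match blocks that this parser deliberately skips. Newer OpenSSH releases rename some keywords (ChallengeResponseAuthentication has a KbdInteractiveAuthentication spelling), so treat the DEFAULTS table as a starting point to check against the installed version, not as a fact about every release.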

          1. asphytxtc

            Re: linux in 60 seconds

            In other news, servers run by idiots get compromised again...

            > 'netstat -ant' shows the "internet" sockets

            In all the years of using netstat.. I never noted the -t flag.. Must read man pages more, useful! thanks!!

          2. moiety

            Re: linux in 60 seconds

            @swampdog - thank you very much for that - very helpful indeed and a ray of light into my all-encompassing bewilderment (although to be fair bewilderment is my default state). I've saved it and will be going through it bit by bit today. The Mint install automatically lands you in a non-root account as part of the setup (by that I mean you have to sudo and type the password in to do all the interesting things...or did you mean a completely separate account?)

            Mint does have iptables and this is what your command returns (without the grep...this is all of it)

            RETURN all -- 0.0.0.0/0 0.0.0.0/0

            ...I shall be attending to that. Not so crucial for me because there's no data to protect as yet...I'm trying to get the foundations right before loading it up; but 'to do very soon'

            It doesn't have fail2ban installed out of the box, so have done that and configuring it is on the 'to do very soon' list too.

            A useful command line editor is 'nano'.

            You know, I've been a bit disappointed with the text editors available (that I've found so far). Nano is installed, but doesn't show up in the menu...I expect I'll find it eventually. Gedit is the Cinnamon Mint editor and that's cheerful enough but basic...there's nothing in the same league as Notepad++, which is my weapon of choice in Windows. I've read enough about emacs and vi to come to the conclusion that life is too short for either one; fantastic that they both may be. Kate looked vaguely promising; but it's an akonadi thing; which explains why it failed to work on Cinnamon (Note to self - programs beginning with the letter 'K'...check for akonadi)

            @Vic

            Whilst I completely understand the reaction, how did you determine that it was exposing this to the Internet? That would probably be a significant bug that needs reporting, if it is the case...

            I can't remember exactly....either netstat or nmap and it's entirely possible that I may be mistaken (certainly from the context of the comments it would appear that my uninstall procedure might be a bit on the enthusiastic side). What I'm doing is starting with an objective; looking up the incantations necessary and then trying them out and seeing what happens; hopefully achieving said objective but (at least) half the time I end up on a tangent doing something else entirely. Then I make a note of successful/useful incantations and my bewilderment about life in general and linux in particular is pushed back a tiny amount. I don't, however, take notes about the failures, so can't really give you a step-by-step (or document it well enough for a bug report) without making a new VM and doing it all over again, and I'm a bit short on diskspace. Posting it in El Reg comments is OK because I don't mind looking like a bit of a muppet here...someone will probably be along to point out the flaw and thus future muppittry can be avoided.

            @John Brown (no body)

            Did you try scanning from another PC to see if the listening port is actually listening for external connections?

            No...should have thought of that. But didn't. I was unaware until very recently that there are degrees of listening. At the end of the day though, a Personal Information Manager with tendrils throughout the DE is not a thing I want. Might be fine for the Facebook generation and I expect it's very convenient; but I'm after something that is more of a Personal Information Bunker...not least because it's other people's personal information mostly.

        2. Vic

          I found it in the first place by seeing what open listening ports the computer was showing the internet. Server...red flag. Personal Information...Oh hell no

          Whilst I completely understand the reaction, how did you determine that it was exposing this to the Internet? That would probably be a significant bug that needs reporting, if it is the case...

          Vic.

        3. John Brown (no body)

          "I found it in the first place by seeing what open listening ports the computer was showing the internet. Server...red flag. Personal Information...Oh hell no. Fucked up the machine when I turned it off...format time."

          Did you try scanning from another PC to see if the listening port is actually listening for external connections?

          I just did a port scan of my main desktop from another PC on the LAN, confirming that akonadi was running and all I see is:

          PORT STATE SERVICE

          22/tcp open ssh

          111/tcp open rpcbind

          631/tcp open ipp

          2049/tcp open nfs
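John Brown's scan from a second machine and AdamWill's point that a "server" need not bind a remotely reachable port are two sides of the same check: a listener on 127.0.0.1 shows up in netstat on the box itself but is invisible from the LAN, while one on 0.0.0.0 or :: is reachable subject only to the firewall. The following is an added example, not code from the page, that classifies LISTEN sockets from `netstat -ant` output by bind scope so the local list can be compared with what nmap sees from outside. It assumes the Linux netstat column layout (Proto Recv-Q Send-Q Local Address Foreign Address State); the sample output is constructed, and the loopback port 40037 stands in for a desktop service of the akonadi kind.

```python
"""Tell loopback-only listeners from ones reachable off-box, from
`netstat -ant` output. Added example, not code from the page.

Assumes the Linux netstat column layout:
Proto Recv-Q Send-Q Local Address Foreign Address State.
The SAMPLE output below is constructed.
"""
import ipaddress


def _scope(host):
    """'loopback' (127.0.0.0/8, ::1), 'all' (0.0.0.0, ::, *) or 'specific'."""
    if host in ("", "*"):
        return "all"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:
        return "all"
    return "specific"


def listeners(netstat_output):
    """Return [(proto, host, port, scope)] for every TCP socket in LISTEN
    state. The State column is compared exactly, so ESTABLISHED rows are
    never mistaken for listeners (the 'grep LIS' problem from the thread)."""
    rows = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue
        host, port = parts[3].rsplit(":", 1)   # ':::111' -> ('::', '111')
        rows.append((parts[0], host, int(port), _scope(host)))
    return rows


def exposed(netstat_output):
    """(port, host) pairs that another machine could connect to, before any
    firewall is considered. This is the list to compare with an nmap scan
    run from a second host."""
    return sorted((port, host) for _proto, host, port, scope in listeners(netstat_output)
                  if scope != "loopback")


def local_only(netstat_output):
    """Ports bound to loopback: a 'server' nothing remote can reach."""
    return sorted(port for _proto, _host, port, scope in listeners(netstat_output)
                  if scope == "loopback")


# Constructed sample in Linux netstat layout.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:40037         0.0.0.0:*               LISTEN
tcp6       0      0 :::111                  :::*                    LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.20:51000      ESTABLISHED
tcp6       0      0 ::1:631                 :::*                    LISTEN
"""

if __name__ == "__main__":
    print("reachable off-box:", exposed(SAMPLE))   # [(22, '0.0.0.0'), (111, '::')]
    print("loopback only:", local_only(SAMPLE))    # [631, 631, 40037]
```

On the sample, only ssh and rpcbind are candidates for an external scan to find, matching the kind of result John Brown reports; cups on 631 and the 40037 service are loopback-bound and no red flag. "all" and "specific" still mean reachable only as far as iptables allows, so the scan from another host remains the final word. `ss -tln` gives the same information on modern Linux but with different columns, so it would need its own parser.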

    3. Vic

      I'd have thought that something as crucial as SSH would have attempt-limiting out of the box?

      It does - but with enough patience, even that can be worked around.

      Solutions like fail2ban and iptables rate-limiting tend to be more effective...

      Vic.

  5. Roland6

    Any particular class/type of Linux Server?

    Be interesting to know if Akamai have done any analysis of the botnet to see if any particular class or type of server is being compromised. My gut reaction is that we are talking about public facing (hosted?) webservers rather than boxes behind firewalls, but we could also be talking about Linux appliances such as firewalls themselves...

    1. sysconfig

      Re: Any particular class/type of Linux Server?

      Likely literally any type of Linux appliance... servers, home/soho routers (manufacturers are notorious for giving customers insecure kit bundled with their broadband offer, which will never receive any proper updates).

      And with the advent of the Internet of Shit, sorry Things, the situation will only get worse.

      As for securing SSH... A large number of servers that expose SSH publicly, in reality shouldn't. It should be exposed via VPN only, or where that's not possible, MFA should be employed. Doesn't cost a thing to use for example Google Authenticator with SSH. Or you can use a keypair plus server-side password.

      Shameless plug... I blogged about it a while ago, with focus on FreeBSD, but that's applicable to Linux as well:

      https://sysconfig.org.uk/two-factor-authentication-with-ssh.html

  6. Anonymous Coward

    security tips

    Never allow remote root login via SSH. It's the default still, in most distros... I assume to get up and running as most people don't have out-of-band access. (But most installers let you create users at install time... so use a user and then su/sudo...)

    Don't use password SSH logins - use password protected key based (certificates) logins. Remove password/pam/gssapi methods from sshd.

    If you can, restrict SSH login from IP addresses you know will be your sources... not the whole internet.

    Use fail2ban etc if you want to limit logins - or use the iptables ratelimit method (too?).

    1. AdamWill

      Re: security tips

      Yeah, the first-time catch 22 is why we (distros) typically leave it available by default. You need to be able to get into a remotely-deployed server one time to set up keys and such. You should disable direct root access and password access after that.

      Out-of-band access mechanisms are fine and all, but tend to be security nightmares in their own right...you can find some pretty hair-raising analyses of some implementations.

  7. Anonymous Coward

    This would not have happened if they had used Linux.

    1. Destroy All Monsters

      The Matrix will now reboot in 3... 2...

  8. J J Carter

    Epic fail by Linus there

  9. Sandtitz

    actually...

    "Linux servers capable of blowing websites and other systems off the internet with at least 150Gbps of junk traffic."

    This is why the supercomputers use mostly Linux. With compromised Windows servers the total traffic would have been less than half of that!

    1. This post has been deleted by its author

      1. Anonymous Coward

        Re: actually...

        You could run them on Azure if you want faster network performance like you get under Windows:

        https://azure.microsoft.com/en-us/blog/azure-linux-rdma-hpc-available/

  10. Anonymous Coward

    I don't buy it

    180Gbps ddos power by merely brute forcing, not any user but specifically root? Sorry not on this internet, you experts are probably either missing some nasty 0day or overstating the botnet power.

    1. Anonymous Coward

      Re: I don't buy it

      I think you should indeed buy a book about Unix. (root is king).

    2. gerdesj

      Re: I don't buy it

      I do buy it: root exists on all Unix boxes and hence is an easy username to try. "password" is still a popular password sadly.

      Top tips: Don't give root a regular password (that's why you have to use sudo all the time) if the machine is wired up to the internet. Disable password logins on ssh. Windows users: create a new administrator and disable the default one. Don't leave rdp open if you can help it. All: use a VPN if you can instead of direct access.

      I run a honeypot or two and root, admin and administrator are the most popular usernames tried.

      1. Lars

        Re: I don't buy it

        @gerdesj. When possible root login should only be possible using the console. There is also a tweak where you render root worthless. As everyone knows "root", the idea is to make that login worthless even if you manage to login. I haven't used it, only read about it. Anybody out there with better knowledge?

        It seems to me some Linux server maintainers need to wake up. Surprisingly no virus talk yet.

        1. gerdesj

          Re: I don't buy it

          Calling uid=0 root is really just a convention and you can rename it by editing /etc/passwd. There is bound to be something that gets upset if root is renamed. Also there is nothing much to stop you creating multiple users with uid=0 but that could get unwieldy.

          You can edit /etc/passwd and set root's shell to /bin/false or whatever but be sure you never need one! As you mention, force root logins only at the console is a good idea.

          Kids, if you do decide to play around with disabling root, ensure you have a copy of the systemrescuecd handy or a Gentoo or Arch install disc or frankly pretty much any bootable Linux distro but it must be the same architecture (x86 or amd64 for most people) and do something like this:

          Boot off it. mount /dev/sda3 /mnt/gentoo. mount /dev/sda1 /mnt/gentoo/boot. (mount dev, sys, proc etc). chroot /mnt/gentoo /bin/bash. Fix the system from within. See the Gentoo or Arch install guides for more details - don't do the disc partitioning bits and stop following the guide once you have a chrooted BASH prompt!

          1. gerdesj

            Re: I don't buy it

            Forgot to mention this for our Windows brethren: The systemrescuecd can also help recover a Windows box when the MS provided tools fail. At the very least you can reset the administrator password and copy data off to another box. How-To Geek have a howto on password resetting.

            1. TheVogon

              Re: I don't buy it

              "The systemrescuecd can also help recover a Windows box when the MS provided tools fail"

              Not if you use BitLocker.

        2. Vic

          Re: I don't buy it

          There is also a tweak where you render root worthless

          There is a way to set up that makes it pretty much worthless :-)

          Russell Coker has set up a "play machine" where you can ssh in as root. He publishes the password on his website. I had a play when I first discovered it some years ago - I failed to do anything nefarious, even with root access...

          Vic.

            1. Roland6

            Re: I don't buy it

            Re: Russell Coker's SE Linux

            "If you don't correctly disable these settings then logging in to the play machine will put you at risk of being attacked through your SSH client."

            Puts a whole new meaning on 'active' security; it isn't clear whether Russell himself has implemented 'Rottweiler' level of security - namely security that bites back...

      2. Vic

        Re: I don't buy it

        "Top tips: Don't give root a regular password (that's why you have to use sudo all the time"

        I have an exception to that rule.

        If a machine is only going to be used by one user, it is better to have a root password and have that user su to root when he needs to. That way, should the machine come under attack, the attacker will need to compromise *both* passwords to achieve privileged access, as opposed to just the one for a sudo-based attack.

        However, if the machine has multiple users that might need some sort of privilege elevation at some point, sudo is the better solution, and your tip above makes a load of sense.

        Vic.

  11. Anonymous Coward
    Anonymous Coward

    I'm still using telnet, so I guess I'm OK then; feeling quite smug right now avoiding all these new-fangled technologies. I even avoided SFTP as it looked a bit pointless. When the government said encryption was bad I thought, you know what, that's good thinking.

    On an unrelated note, does anyone know why my web server keeps needing extra disk capacity? I'm up to 10TB and for some reason my bandwidth usage is through the roof. I wouldn't mind, but all my customers are Russian with cute cat picture websites.

    1. gerdesj Silver badge

      Don't forget to switch on chargen and echo as well. Chargen looks sooo pretty scrolling up your VT100 and echo is so funny - answering you back, whatever you type in.

      I had a look at some of those pictures. The pussies on show are not cats exactly, more pink than tabby.

      1. Anonymous Coward
        Anonymous Coward

        I know what you mean; they were disabled by default for some odd reason. I had to go and edit my inetd config just to get them both started again, terribly frustrating. Do you think a firewall might solve my problems? I'm just a bit concerned after reading about that one in China; it makes me think firewalls are a bad thing.

        I've not had a look at the sites myself, to be honest, but I was told they were cute pussy websites. I've never seen a pink cat, though, and cats are pussies, and I read somewhere once that the internet is full of cat pictures and the what not.

    2. David Roberts Silver badge
      Black Helicopters

      10 Russian Terror Bites ya say?

      Ah'm from the Water Board.

      Assume the position MOFO!

  12. Zmodem

    180Gbps isn't that much if Linux is running on corporate Linux boxes that all have a 1Gb connection.

    1. Anonymous Coward
      Anonymous Coward

      And it's a really small botnet if you consider corporate machines often have 10-100Gbps connections these days.

      1. Zmodem

        It would be a different thing, and some FBI action, if XOR was using 20Mbps BT domestic connections.

      2. TheVogon Silver badge

        "often have 10-100Gbps "

        No they don't. 10Gbits maybe, 40 rarely, 100Gbps - pretty much never.

    2. Anonymous Coward
      Anonymous Coward

      Having a 1Gbps connection and being able to send 1Gbps worth of packets to $target are two different things.

  13. Manolo
    Joke

    Some sys-admins...

    I'm running the tiniest of servers: the original Eee PC, running Linux, with an external hard disk hooked up to it. I can access it locally, and my brother has external access. SSH traffic is forwarded from a non-standard port on my router to the "server". Root login is disabled, as are password logins; the only access is with a key. Besides that, the only external IP allowed in is my brother's. This is a configuration by an amateur. So there are paid sys-admins who set up systems with less security?

    Maybe I should become a well paid security consultant to the companies employing these sys-admins.
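The configuration described in the post above, as an added example that is not from the thread and not OpenSSH's own code: a small audit that reports what sshd will actually enforce from a config file (first occurrence of a keyword wins, so a stray early "PasswordAuthentication yes" silently beats a later "no"), plus a writer for a drop-in with those settings. It assumes OpenSSH sshd; the drop-in path, the user name "brother" and the 192.0.2.0/24 address range are hypothetical placeholders.

```bash
#!/bin/sh
# Added example; not code from the thread or from OpenSSH. Checks whether an
# sshd_config really enforces the settings described in the post above, and
# writes those settings as a drop-in. Only the "Keyword value" form is parsed.
# The drop-in path, the user "brother" and the address range are hypothetical.

sshd_effective() {
    # $1 = config file, $2 = keyword. Print the value sshd would use globally.
    # sshd keeps the FIRST occurrence of a keyword (later duplicates are ignored)
    # and keyword names are case-insensitive; anything after the first Match
    # line is conditional, so the global scan stops there.
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

has_match_blocks() {
    # Succeed if $1 contains a Match block; review those by hand, since they
    # can re-enable passwords for particular users, groups or addresses.
    grep -qiE '^[[:space:]]*match[[:space:]]' "$1"
}

audit_sshd_config() {
    # Return 0 if $1 disables root and password logins and keeps public keys
    # enabled; otherwise print each problem on stderr and return 1.
    cfg=$1 rc=0
    root=$(sshd_effective "$cfg" PermitRootLogin)
    [ "$root" = no ] || { echo "PermitRootLogin is '${root:-prohibit-password (default)}', want no" >&2; rc=1; }
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    [ "$pw" = no ] || { echo "PasswordAuthentication is '${pw:-yes (default)}', want no" >&2; rc=1; }
    # PAM can still prompt for a password over keyboard-interactive unless this
    # is off too; the keyword was ChallengeResponseAuthentication before OpenSSH 8.7.
    kbd=$(sshd_effective "$cfg" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_effective "$cfg" ChallengeResponseAuthentication)
    [ "$kbd" = no ] || { echo "KbdInteractiveAuthentication is '${kbd:-yes (default)}', want no" >&2; rc=1; }
    pk=$(sshd_effective "$cfg" PubkeyAuthentication)
    [ "${pk:-yes}" = yes ] || { echo "PubkeyAuthentication is '$pk', want yes" >&2; rc=1; }
    has_match_blocks "$cfg" && echo "note: Match blocks present, check they do not re-enable passwords" >&2
    return $rc
}

write_hardened_dropin() {
    # Write the post's settings to $1, e.g. /etc/ssh/sshd_config.d/10-hardening.conf.
    cat > "$1" <<'EOF'
# Added example drop-in, not shipped by OpenSSH or any distribution.
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
# Hypothetical: only "brother", and only from the documentation range 192.0.2.0/24.
AllowUsers brother@192.0.2.0/24
EOF
}
```

A drop-in only wins if the main sshd_config reads it before its own settings (Debian and Ubuntu releases since 2020 put an Include for sshd_config.d at the top; check yours). The authoritative check after any change is `sshd -t` for syntax and `sshd -T` to dump the effective values, and keep an existing session open until a fresh key login has been confirmed.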

  14. Anonymous Coward
    Anonymous Coward

    Re.

    Add to this compromised routers being used; apparently some of them have affected firmware which fakes the update routine as well and only changes the version number displayed to the end user, which is painfully obvious when you know what to look for.

    I've still got a pile of them here which "seem" fine, but no matter how many times you reset them, within a few hours the machine they are connected to displays malware-laden popups and slows down to a crawl, even if connected fully patched and updated with decent AV running.

    Apparently even smart devices like printers and TVs are being targeted by crooks. I've done some checking and many don't even bother to encrypt their Bluetooth address, sending something like "Samsung XW-3020" over plaintext, which exposes them to any number of drive-by attacks such as MITM and buffer overflow attacks.

    As for Bluetooth keyboards, so far it's open season round here, because I found at least four just on a casual walk through town which anyone could conceivably target with $20 worth of hardware.

  15. Happy Ranter
    WTF?

    What a load of Bull*****

    "XOR DDoS is an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks. This happens much more frequently now than in the past, when Windows machines were the primary targets for DDoS malware"

    I still have the log dumps from a DDoS attack against a company I worked for in 2002, and 80% of the machines involved that I could identify were BIG IRON Linux boxes on backbone speed connections.

    Apparently American university IT technicians thought they were gods and nobody was going to get past their wide open firewalls and guess the root password was err... password.

    Why is there no steaming turd icon?

  16. Anonymous Coward
    Anonymous Coward

    fail2ban

    Is your friend here.

    It's in the repos.

    Apt-get that shiznit. Ban the peeps to protect the things.
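What fail2ban's sshd jail actually decides, as an added example that is neither from the thread nor fail2ban's own code: an awk pass over auth.log lines that reports any source address reaching maxretry "Failed password" lines within a findtime window, followed by the jail.local that turns the real thing on. The log lines are constructed for the example (documentation address ranges), and the jail file assumes a fail2ban 0.10 or later install whose jail.conf defines the sshd_log and sshd_backend variables.

```bash
#!/bin/sh
# Added example; not from the thread and not fail2ban's own code. Shows the
# decision fail2ban's sshd jail makes (maxretry failures from one address within
# findtime seconds => ban) over constructed auth.log lines, and the jail.local
# that enables the real thing. Addresses are from the documentation ranges.

# Constructed sample: one fast brute-forcer, one legitimate typo, one slow attacker.
SAMPLE_LOG='Sep 29 10:00:01 web1 sshd[2311]: Failed password for root from 198.51.100.7 port 40001 ssh2
Sep 29 10:00:03 web1 sshd[2313]: Failed password for root from 198.51.100.7 port 40002 ssh2
Sep 29 10:00:05 web1 sshd[2315]: Failed password for root from 198.51.100.7 port 40003 ssh2
Sep 29 10:00:07 web1 sshd[2317]: Failed password for invalid user admin from 198.51.100.7 port 40004 ssh2
Sep 29 10:00:09 web1 sshd[2319]: Failed password for root from 198.51.100.7 port 40005 ssh2
Sep 29 10:05:00 web1 sshd[2400]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Sep 29 10:05:30 web1 sshd[2401]: Accepted publickey for alice from 203.0.113.9 port 51001 ssh2
Sep 29 11:30:00 web1 sshd[2500]: Failed password for root from 192.0.2.44 port 60001 ssh2
Sep 29 11:45:00 web1 sshd[2501]: Failed password for root from 192.0.2.44 port 60002 ssh2
Sep 29 12:00:00 web1 sshd[2502]: Failed password for root from 192.0.2.44 port 60003 ssh2
Sep 29 12:15:00 web1 sshd[2503]: Failed password for root from 192.0.2.44 port 60004 ssh2
Sep 29 12:30:00 web1 sshd[2504]: Failed password for root from 192.0.2.44 port 60005 ssh2'

write_sample_log() { printf '%s\n' "$SAMPLE_LOG" > "$1"; }

ban_candidates() {
    # $1 = auth log, $2 = maxretry (default 5), $3 = findtime in seconds (default 600).
    # Prints each source address that reaches maxretry "Failed password" lines
    # inside any findtime window, once, in the order it crossed the threshold.
    # Syslog timestamps carry no year; the ordinal below assumes one year and
    # 31-day months, which keeps differences correct within a month.
    awk -v maxretry="${2:-5}" -v findtime="${3:-600}" '
    BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i }
    /sshd\[[0-9]+\]: Failed password for / {
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "") next
        split($3, t, ":")
        ts = ((mon[$1] * 31 + $2) * 24 + t[1]) * 3600 + t[2] * 60 + t[3]
        hits[ip]++; seen[ip, hits[ip]] = ts
        c = 0
        for (j = 1; j <= hits[ip]; j++) if (ts - seen[ip, j] <= findtime) c++
        if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }' "$1"
}

write_jail_local() {
    # Write a jail.local to $1 (normally /etc/fail2ban/jail.local) with the
    # same thresholds ban_candidates uses by default. Put your own addresses
    # in ignoreip so a fat-fingered passphrase cannot lock you out.
    cat > "$1" <<'EOF'
# Added example, not shipped by fail2ban.
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime  = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
EOF
}
```

With the defaults, only 198.51.100.7 is reported; 192.0.2.44 paces its five attempts fifteen minutes apart and is only caught once findtime is raised to an hour. Pacing below the threshold, or spreading attempts across many addresses, defeats any per-address counter, which is why the key-only and allow-list settings discussed elsewhere in the thread do the real work and fail2ban mainly keeps the logs readable.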

  17. People's Poet

    But Linux is the way forward and is safe...

    I can still hear the arguments and they're still thrown around that a Linux box is safer than a Windows box.

    1. Anonymous Coward
      Anonymous Coward

      Re: But Linux is the way forward and is safe...

      I can still hear the arguments and they're still thrown around that a Linux box is safer than a Windows box.

      It is. With Linux you have to at least guess a password correctly.

    2. Anonymous Coward
      Anonymous Coward

      Re: But Linux is the way forward and is safe...

      "I can still hear the arguments and they're still thrown around that a Linux box is safer than a Windows box."

      Actually you are about 4 times more likely to be successfully hacked running an Internet facing Linux server than an internet facing Windows server. Source - website defacement statistics adjusted for relative internet server market share.

      "With Linux you have to at least guess a password correctly."

      Don't you just have to type in a long one? As per the recent Android issue...


Biting the hand that feeds IT © 1998–2019