/srv/irclogs.ubuntu.com/2020/12/28/#ubuntu-server.txt

[02:05] <MIF> how can I force a change of password for all users without having to go through everyone
=== denningsrogue5 is now known as denningsrogue
[02:06] <mybalzitch> sed and a for loop?
[02:06] <MIF> how would I do that?
=== rfm_ is now known as rfm
[03:19] <rfm> MIF, today is your lucky day, I decided to write the sed script for you.  copy /etc/shadow to /root/shadow, run  "sed -i -e 's/^\([^:]*:[^:]*:\)[^:]*:/\10:/' /root/shadow", verify that it changed only the third field (password age) to 0, copy /root/shadow back over /etc/shadow, remove the /root/shadow.  read "man 5 shadow" to understand.
[03:20] <mybalzitch> aww, it's a christmas miracle / act of kindness!
[03:20] <mybalzitch> :)
[03:22] <MIF> thank you so much rfm
[03:24] <MIF> I don't think you understand how much that means to me!
[03:26] <rfm> really I would do this with a shell or python script which would read each line, split on :, replace the 3rd field only on lines with a password
[03:26] <rfm> but that script would be much less of an interesting puzzle
[03:28] <MIF> today I found out I got hacked so I had to do this, thank you so much rfm
[03:52] <mybalzitch> I wouldn't trust the install anymore, or possibly even the machine if someone got root access
[03:53] <MIF> they did not
[03:53] <MIF> I have removed the user, and changed all the passwords
=== denningsrogue8 is now known as denningsrogue
[05:36] <tomreyn> MIF: do you know it wasn't a root compromise, though?
[05:37] <tomreyn> just changing passwords is quite likely not enough
[11:00] <ren0v0> Hi
[11:00] <ren0v0> I'm running RoonServer on an Ubuntu VM. I see that they are running .exe on their systemd unit, how is that possible without Wine?
[11:00] <ren0v0> "exec "$HARDLINK" --debug --gc=sgen --server "$SCRIPT.exe" "$@""
[11:01] <oerheks> i think it uses wine, perhaps wine as a snap?
[11:01] <ren0v0> nope, no wine installed
[11:02] <ren0v0> that's what i don't understand :D
[11:02] <ren0v0> here is the running process from systemd
[11:02] <ren0v0> |-14937 /opt/RoonServer/RoonMono/bin/RoonServer --gc=sgen --server RoonServer.exe
[11:04] <oerheks> hmm, no mention in the installer, indeed >> https://help.roonlabs.com/portal/en/kb/articles/linux-install
[11:04] <ren0v0> oerheks, i started looking because they are spamming 100000s of debug logs and wanted to turn them off, and they don't "allow" you. Because they can dip in apparently and read them for themselves
[11:04] <ren0v0> which of course I don't like the idea of.
[11:05] <ren0v0> this was an easy fix as they pass a --debug flag to the .exe
[11:05] <ren0v0> but i was very shocked to see the .exe there
[11:06] <oerheks> hmm curious
[11:07] <ren0v0> worrying.
[14:23] <MIF> did you see my message?
[14:55] <teward> MIF: the last message from you was: I have removed the user, and changed all the passwords
[14:55] <teward> MIF: however, the original statement by tomreyn is still accurate:
[14:56] <teward> <tomreyn> MIF: do you know it wasn't a root compromise, though? just changing passwords is quite likely not enough
[14:56] <teward> so now you are caught up :P
[14:59] <BlueEagle> MIF: If the user did have elevated privileges then you should also run a rootkit checker.
[14:59] <MIF> no it did now
[14:59] <MIF> *not
[14:59] <MIF> and I know that for a fact
[15:00] <Ussat> I would not bother with the rootkit checker, they are pretty much mostly crap. Assume you are rooted, nuke/pave the system and reinstall
[15:00] <MIF> it was this https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/
[15:00] <MIF> Ussat: I can't just do that
[15:00] <Ussat> MIF "fact"..uh huh
[15:00] <Ussat> You better
[15:00] <Ussat> because you are running a compromised system
[15:01] <MIF> right now the server is offline and in my workshop and I am going through everything
[15:01] <Ussat> and you are 100% positive you will not miss anything?
[15:02] <BlueEagle> MIF: There are exploits and backdoors that are sold on the black market, so if you've had baddies in then you're rooted and they have a way in regardless. Copy the data files over to a fresh server and fix the entry point they used.
[15:02] <Ussat> ^^^
[15:03] <MIF> the user affected was a test user that could not go any farther than /home/user/
[15:03] <BlueEagle> MIF: Also if you're running any kind of content management system (read: wordpress, phpmyadm, squirrelmail) then check all those user accounts as well.
[15:03] <MIF> they could not access anything but their home files
[15:03] <Ussat> Oh...that's a hell of an assumption
[15:04] <BlueEagle> MIF: chroot is breakable.
[15:04] <MIF> did any of you read the article I sent?
[15:04] <Ussat> Yup
[15:04] <MIF> ok, that is what got me
[15:05] <Ussat> Cute blog, no idea wtf Yoroi is, don't care, you're being stupid
[15:05] <JanC> ren0v0: .exe is just an extension; in this case it seems like that is a .NET application (running on Mono)
[15:06] <JanC> (so no need for WINE obviously)
[15:10] <JanC> if you want to re-use that hacked system, a firmware reflash might be prudent too...
[15:11] <JanC> Ussat: certainly looks "professional" with that circle-follows-dot-mouse-cursor  :P
[15:12] <Ussat> That's what made it stand out to me
[15:13] <JanC> not that it says anything about their skills on security
[15:14] <JanC> (there are plenty of professional-looking "enterprise" companies that are mostly useless)
[15:15] <Ussat> There are several security blogs I follow, never heard of that one.
[15:18] <JanC> it's an Italian company describing itself as a “Managed Security Service Provider”
[15:19] <JanC> founder/CEO: https://twitter.com/Marco_Ramilli & analyst/researcher: https://twitter.com/_antoniopirozzi
[15:24] <MIF> I am not looking for a service, I was looking for something about the attack
[15:39] <Ussat> ...
[15:39] <MIF> what?
[15:40] <Ussat> I would rely on something with a bit more reputation, but you do you
[15:40] <MIF> I am looking around the internet
[15:40] <MIF> what would you recommend?
[15:45] <JanC> Ussat: they might be fine, just mostly concentrating on the Italian market
[15:46] <JanC> that said, the fact that that particular malware doesn't try to "root" the system _by default_ doesn't mean it can't be used with other payloads
[15:47] <JanC> and because of that one should consider the system compromised
[16:09] <jancoow> Hi. How can I remove the disk usage from the message of the day when connecting through ssh
[16:10] <jancoow> It takes terribly long because it needs to spin up all my disks
[16:18] <jancoow> nvm found it, it was in /etc/update-motd.d/50-landscape-sysinfo
[17:19] <a4ginatl> I am new to Ubuntu so have a bunch of dumb questions. I am trying to get Eclipse installed on Ubuntu server. Is this possible or not? I am getting the following error: An error occurred while automatically activating bundle org.eclipse.oomph.setup.installer (135). What am I doing wrong?
[17:21] <devster31> logically speaking, should systemd services which run long backup tasks be considered Type=simple or Type=oneshot?
[17:26] <tomreyn> the way i understand oneshot tasks is that they are meant to be started once, but not meant to be kept running / no action needs to be taken when the process vanishes.
[17:27] <tomreyn> s/oneshot tasks/services of Type=oneshot/
[17:29] <tomreyn> ^ devster31
[17:29] <JanC> I thought Eclipse was a desktop application...
[17:29] <tomreyn> a4ginatl: Isn't eclipse a GUI application (servers usually don't have that)? Generally, don't expect to get support *here* with software not packaged in Ubuntu (but see which support forums that software provides itself).
[17:31] <tomreyn> actually, eclipse is packaged in ubuntu LTS releases until and including 18.04 LTS, if just in universe. but if you'll install it you'll probably want to use current eclipse project provided packages instead. the point about desktop remains.
[17:33] <JanC> there still seem to be lost of eclipse-related packages in Ubuntu (but I guess they can be used for other purposes too?)
[17:33] <JanC> *lots of*
[17:35] <devster31> tomreyn I considered oneshot as I can use ExecStartPost for notification commands, but it doesn't seem to be made for long-running processes
[17:36] <tomreyn> the "eclipse" packages in Ubuntu are *really* old though https://en.wikipedia.org/wiki/Eclipse_(software)#Releases
[17:37] <tomreyn> yes, i think oneshot is meant to be forking and be done, soon, or at least not managed by systemd
[17:39] <JanC> IIRC maintainers always complained that eclipse was a near impossible mess to package properly
[17:41] <tomreyn> a very first for java software, i'm sure :)
[17:42] <JanC> yeah, it used to be that every FOSDEM edition had at least one talk complaining about that  :)
[18:28] <a4ginatl> Thanks, so what you are telling me is to install eclipse on a client system and use it that way?
[19:39] <MIF> is rsync installed by default?
[19:41] <tieinv> MIF I believe it is, I just ssh'd into my server 20.04.1 and rsync was there
[19:41] <MIF> okk
[19:42] <MIF> what are some good ways to harden up a server?
[19:42] <tieinv> get rid of passwords and use ssh
[19:42] <MIF> ok
[19:43] <MIF> what else?
[19:48] <tieinv> change the default ssh port and disable root login
[19:48] <MIF> ok
[19:48] <MIF> I have done that
[19:51] <mybalzitch> changing default ssh port is at best security through obscurity. you shouldn't be allowing password based authentication via ssh anyway
[19:53] <MIF> ok, when I put my server back online the first thing i will do is get the ssh keys then lock the password auth
[19:54] <MIF> what else do I need to know?
[20:07] <JanC> might be useful to block IPs that try to connect too often too frequently to the SSH port(s) also
[20:09] <MIF> I have fail2ban
[20:13] <JanC> also, if possible, implement all the restrictions _before_ you put the server back online  :)
[20:14] <MIF> will do
[20:14] <MIF> because I bet that my server as soon as it comes online will start getting attacked again
[20:15] <MIF> would you say that?
[20:21] <Ussat> MIF, you are asking about ways to harden a server, but earlier you were 100% positive you were not rooted
[20:21] <Ussat> This does not inspire confidence
[20:22] <MIF> I still am 100% sure the root account was not hacked, I am just looking for ways to make sure I don't get hacked again
[20:35] <MIF> are there any other ideas/tips/anything
[20:37] <teward> what you're asking is how to harden a server, but you were 100% positive you were not rooted.  These seem like... conflicting viewpoints
[20:37] <teward> if you're sure you weren't rooted, then you should have already hardened your server beforehand
[20:37] <teward> if you aren't sure if you've been rooted and are asking how to HARDEN your system
[20:37] <teward> you're in the wrong line of thought, start your server over.
[20:37] <teward> THEN harden it
[20:37] <teward> THEN put it online
[20:38] <teward> and as for 'getting attacked' a lot of the activity on the Internet is Bad.
[20:38] <teward> if you're not fully invested into taking the time to actively monitor/protect your systems actively (it's a full time job!) then you probably shouldn't be *running* a server to start.
[20:38] <teward> hate to be completely blunt but... :P
[20:38] <teward> (I'm in the IT Security field, it's always a lot of work to actively protect even just ONE server from 'all threats')
[20:40] <teward> MIF: disallow Password authentication, use SSH keys only.  Disallow root login directly over SSH.  Enable `ufw` firewall and properly configure it to ONLY permit connections you want to permit.  WHITELIST what IPs can connect to the SSH port, block all other SSH attempts with the firewall.  Implement Fail2ban for excessive connections / failed lookups / etc. on all your specific services, where you can access the logs, etc. for those for
[20:40] <teward> fail2ban to view.
[20:40] <teward> IDEALLY:
[20:40] <teward> put your system behind some type of firewall that has threat intelligence datasets into the 'blocklists' so that connections from known badness are blocked by default
[20:40] <MIF> ok, what I know for a fact, 1. the user did not have root. 2. they started on Dec 14, 2020 at 20:13:25 CST. 3. They used my server to attack others. 4. fail2ban blocked over 500 ips in that 10 day period
[20:41] <teward> here's a question:
[20:41] <teward> this is a 'new rogue user' yes?
[20:41] <teward> how'd that user get *created* to begin with?
[20:41] <MIF> I created the user as a test user months before my server went online
[20:42] <teward> don't create users that you don't intend to use / harden
[20:42] <teward> that's another case of Admin Failure here.
[20:42] <teward> did this 'test user' ever have `sudo` access in the time since it was 'created'?
[20:42] <MIF> no
[20:42] <teward> > used my server to attack others
[20:42] <teward> attack how?
[20:42] <teward> (important thing you're missing)
[20:42] <teward> > fail2ban blocked over 500 IPs in that 10 day period
[20:42] <teward> means jack squat
[20:43] <teward> i have f2b lists that're over 2000 **per day**
[20:43] <MIF> You are in the IT Security field, I am in high school
[20:43] <teward> and that's just what gets past the 2mil+ threats that're blocked by the IDS/IPS on the border thanks to threat intel :P
[20:44] <MIF> I know
[20:44] <MIF> I talked to my ISP
[20:44] <dax> MIF: every ssh server on port 22 on the public internet gets hundreds/thousands of ssh login attempts per day, because botnets
[20:44] <MIF> I found that out
[20:45] <dax> would be interested in the answer to teward's "attack how?", tbh
[20:45] <teward> ^ this
[20:46] <teward> because I'm real curious how your server was 'attacking' others - it'll help to ID exactly what chaos was going on
[20:46] <teward> hacked or otherwise
[20:46] <teward> IT Security Professional or High School Student, doesn't matter, if you were told your system was attacking others you'll have information about the 'attack' itself
[20:46] <teward> likely from your ISP :P
[20:46] <teward> or whoever reported the server was being used maliciously
[20:46] <teward> (alternatively PM me your IP i'll run it through greynoise and that should give me an idea of the type of attacks your system was doing)
[20:47] <MIF> ok
[20:48] <JanC> teward: from what he linked to it seemed like his server became part of a botnet, so really it could have been used for almost anything...
[20:48] <JanC> including trying to infect others  :)
[20:49] <MIF> that is what I think was going on
[20:49] <JanC> or being part of some DDoS
[20:51] <teward> JanC: then I'd start with the "Nuke Your System" approach
[20:51] <JanC> obviously
[20:51] <teward> because even if it was running as a single user botnets themselves tend to take over the machine overall
[20:51] <teward> MIF: if you haven't started by nuking the system and starting 'fresh' and restoring from last known good backups you're starting off bad
[20:51] <MIF> you are going to hate me for this
[20:51] <JanC> botnets often work as a "simple" user
[20:52] <MIF> but I have not made backups yet
[20:52] <teward> JanC: depends on the infection method
[20:52] <teward> if it was a simple "run slave agent of botnet as user" then yes
[20:52] <JanC> but if they _can_ get root they won't refuse that opportunity, of course
[20:52] <teward> if it was that leading to systemic infection of multiple bot agents, etc. then it's possible
[20:53] <teward> given that OP was 'breached' with password authentication and /etc/passwd is visible I wouldn't be surprised if they did dictionary attacks on ${ALL_ACCOUNTS} on system
[20:53] <teward> to try and break in
[20:53] <teward> hence the 'start over' statement
[20:53] <JanC> for example
[20:53] <MIF> the user did not have a password
[20:53] <JanC> so then how did they get in through SSH?
[20:53] <teward> ^ that
[20:54] <teward> default disallows passwordless ssh without SSH keys
[20:54] <teward> "PermitEmptyPasswords no" is a default in sshd_config in all Ubuntu deployments of ssh server
[20:54] <teward> from install of openssh-server
[20:54] <MIF> that is a good question, I never changed any of the sshd config settings
[20:55] <MIF> and I put my IP in greyNoise
[20:56] <teward> should show you SOMETHING if you are using the visualizer - at least if you were part of a botnet heh
[20:56] <teward> in either case
[20:56] <teward> you've got 'basic' hardening steps i've identified
[20:56] <JanC> no matter what, you want to do a re-install  :)
[20:56] <MIF> ok
[20:56] <teward> but if the user had no password AND they got in via SSH AND you left the sshd_config the same as install then your hacker infiltrated some other way than SSH
[20:56] <JanC> after saving data
[20:56] <teward> and I would say that you should ASSUME your system was rooted because you don't know how they got in
[20:57] <teward> and torch it after saving any data you need to keep
[20:57] <teward> (then reinstall scratch)
[20:57] <teward> from scratch*
[20:58] <MIF> yea, I don't have a good way to back that up
[21:13] <MIF> I might of set "PermitEmptyPasswords on" I don't know for sure
[21:15] <Ussat> WAT !!!! you don't have backups ???
[21:15] <MIF> I said you would not like it
[21:16] <MIF> I don't have any good place to store them
[21:16] <Ussat> Dude....
[21:17] <Ussat> and "I might of set "PermitEmptyPasswords on" I don't know fo" is, um..scary
[21:17] <MIF> this server has been running for months offline
[21:17] <MIF> (did not have a public IP)
[21:17] <Ussat> with no backups
[21:18] <Ussat> and in prod
[21:18] <RoyK> MIF: didn't have a public ip and then the ISP introduces ipv6 :D
[21:18] <MIF> no I got my dad to pay for the ipv4
[21:18] <Ussat> ...
[21:18] <MIF> I just ran the 500+ IPs from my fail2ban list
[21:19] <MIF> 571 came up as 571
[21:19] <Ussat> What was this server doing?
[21:19] <MIF> 571 came up as Malicious
[21:50] <JanC> might be useful for some people in here too: https://www.humblebundle.com/books/linux-apress-books
[22:33] <jessequinn> hi, quick question. i tried to enable firewalld but i am getting the following error: `Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory` when I'm doing a firewall-cmd --reload. any ideas?
[22:41] <tomreyn> sounds like the rule directory does not exist or was not accessible. see journalctl for potential related errors (audit/apparmor?), try to find out where the rules should be located and check whether this directory exists and appears to be accessible to the service.
[22:43] <tomreyn> related (yes, redhat, may or may not be relevant)? https://bugzilla.redhat.com/show_bug.cgi?id=1836571 https://bugzilla.redhat.com/show_bug.cgi?id=1817205
[22:43] <ubot3> bugzilla.redhat.com bug 1836571 in Fedora "firewalld startup failure: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: File exists" [Unspecified, New]
[22:44] <ubot3> bugzilla.redhat.com bug 1817205 in Red Hat Enterprise Linux 8 "firewalld rules broken by nftables service if started later" [High, Closed: Errata]