[02:05] how can I force a change of password for all users without having to go through everyone
[02:06] sed and a for loop?
[02:06] how would I do that?
[03:19] MIF, today is your lucky day, I decided to write the sed script for you. copy /etc/shadow to /root/shadow, run "sed -i -e 's/^\([^:]*:[^:]*:\)[^:]*:/\10:/' /root/shadow", verify that it changed only the third field (password age) to 0, copy /root/shadow back over /etc/shadow, remove the /root/shadow. read "man 5 shadow" to understand.
[03:20] aww, it's a christmas miracle / act of kindness!
[03:20] :)
[03:22] thank you so much rfm
[03:24] I don't think you understand how much that means to me!
[03:26] really I would do this with a shell or python script which would read each line, split on :, replace the 3rd field only on lines with a password
[03:26] but that script would be much less of an interesting puzzle
[03:28] today I found out I got hacked so I had to do this, thank you so much rfm
[03:52] I wouldn't trust the install anymore, or possibly even the machine if someone got root access
[03:53] they did not
[03:53] I have removed the user, and changed all the passwords
[05:36] MIF: do you know it wasn't a root compromise, though?
[05:37] just changing passwords is quite likely not enough
[11:00] Hi
[11:00] I'm running RoonServer on an Ubuntu VM. I see that they are running .exe on their systemd unit, how is that possible without Wine ?
[11:00] "exec "$HARDLINK" --debug --gc=sgen --server "$SCRIPT.exe" "$@""
[11:01] i think it uses wine, perhaps wine as a snap?
[11:01] nope, no wine installed
[11:02] that's what i don't understand :D
[11:02] here is the running process from systemd
[11:02] |-14937 /opt/RoonServer/RoonMono/bin/RoonServer --gc=sgen --server RoonServer.exe
[11:04] hmm, no mention in the installer, indeed >> https://help.roonlabs.com/portal/en/kb/articles/linux-install
[11:04] oerheks, i started looking because they are spamming 100000s of debug logs and wanted to turn them off, and they don't "allow" you. Because they can dip in apparently and read them for themselves
[11:04] which of course I don't like the idea of.
[11:05] this was an easy fix as they pass a --debug flag to the .exe
[11:05] but i was very shocked to see the .exe there
[11:06] hmm curious
[11:07] worrying.
[14:23] did you see my message?
[14:55] MIF: the last message from you was: I have removed the user, and changed all the passwords
[14:55] MIF: however, the original statement by tomreyn is still accurate:
[14:56] MIF: do you know it wasn't a root compromise, though? just changing passwords is quite likely not enough
[14:56] so now you are caught up :P
[14:59] MIF: If the user did have elevated privileges then you should also run a rootkit checker.
[14:59] no it did now
[14:59] *not
[15:00] I would not bother with the rootkit checker, they are pretty much mostly crap. Assume you are rooted, nuke/pave the system and reinstall
[15:00] it was this https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/
[15:00] Ussat: I can't just do that
[15:00] MIF "fact"..uh huh
[15:00] You better
[15:00] because you are running a compromised system
[15:01] right now the server is offline and in my work shop and I am going through everything
[15:01] and you are 100% positive you will not miss anything ?
[15:02] MIF: There are exploits and backdoors that are sold on the black market, so if you've had baddies in then you're rooted and they have a way in regardless. Copy the data files over to a fresh server and fix the entry point they used.
[15:02] ^^^
[15:03] the user affected was a test user that could not go any farther than /home/user/
[15:03] MIF: Also if you're running any kind of content management system (read: wordpress, phpmyadm, squirrelmail) then check all those user accounts as well.
[15:03] they could not access anything but their home files
[15:03] Oh...that's a hell of an assumption
[15:04] MIF: chroot is breakable.
[15:04] did any of you read the article I sent?
[15:04] Yup
[15:04] ok, that is what got me
[15:05] Cute blog, no idea wtf Yoroi is, don't care, you're being stupid
[15:05] ren0v0: .exe is just an extension; in this case it seems like that is a .NET application (running on Mono)
[15:06] (so no need for WINE obviously)
[15:10] if you want to re-use that hacked system, a firmware reflash might be prudent too...
[15:11] Ussat: certainly looks "professional" with that circle-follows-dot-mouse-cursor :P
[15:12] That's what made it stand out to me
[15:13] not that it says anything about their skills on security
[15:14] (there are plenty of professional-looking "enterprise" companies that are mostly useless)
[15:15] There are several security blogs I follow, never heard of that one.
[15:18] it's an Italian company describing itself as a “Managed Security Service Provider”
[15:19] founder/CEO: https://twitter.com/Marco_Ramilli & analyst/researcher: https://twitter.com/_antoniopirozzi
[15:24] I am not looking for a service I was looking for something about the attack
[15:39] ...
[15:39] what?
[15:40] I would rely on something with a bit more reputation, but you do you
[15:40] I am looking around the internet
[15:40] what would you recommend?
[15:45] Ussat: they might be fine, just mostly concentrating on the Italian market
[15:46] that said, the fact that that particular malware doesn't try to "root" the system _by default_ doesn't mean it can't be used with other payloads
[15:47] and because of that one should consider the system compromised
[16:09] Hi. How can I remove the disk usage from message of the day when connecting through ssh
[16:10] It takes terribly long because it needs to spin up all my disks
[16:18] nvm found it, it was in /etc/update-motd.d/50-landscape-sysinfo
[17:19] I am new to Ubuntu so have a bunch of dumb questions. I am trying to get Eclipse installed on Ubuntu server. Is this possible or not? I am getting the following error: An error occurred while automatically activating bundle org.eclipse.oomph.setup.installer (135). What am I doing wrong?
[17:21] logically speaking, should systemd services which run long backup tasks be considered Type=simple or Type=oneshot?
[17:26] the way i understand oneshot tasks is that they are meant to be started once, but not meant to be kept running / no action needs to be taken when the process vanishes.
[17:27] s/oneshot tasks/services of Type=oneshot/
[17:29] ^ devster31
[17:29] I thought Eclipse was a desktop application...
[17:29] a4ginatl: Isn't eclipse a GUI application (servers usually don't have that)? Generally, don't expect to get support *here* with software not packaged in Ubuntu (but see which support forums those softwares provide themselves).
[17:31] actually, eclipse is packaged in ubuntu LTS releases until and including 18.04 LTS, if just in universe. but if you'll install it you'll probably want to use current eclipse project provided packages instead. the point about desktop remains.
[17:33] there still seem to be lost of eclipse-related packages in Ubuntu (but I guess they can be used for other purposes too?)
[17:33] *lots of*
[17:35] tomreyn I considered oneshot as I can use execstartpost for notification commands, but it doesn't seem to be made for long-running processes
[17:36] the "eclipse" packages in Ubuntu are *really* old though https://en.wikipedia.org/wiki/Eclipse_(software)#Releases
[17:37] yes, i think oneshot is meant to be forking and be done, soon, or at least not managed by systemd
[17:39] IIRC maintainers always complained that eclipse was a near impossible mess to package properly
[17:41] a very first for java software, i'm sure :)
[17:42] yeah, it used to be that every FOSDEM edition had at least one talk complaining about that :)
[18:28] Thanks, so what you are telling me is to install eclipse on a client system and use it that way?
[19:39] is rsync installed by default?
[19:41] MIF i believe it is, i just ssh'd into my server 20.04.1 and rsync was there
[19:41] okk
[19:42] what are some good ways to harden up a server?
[19:42] get rid of passwords and use ssh
[19:42] ok
[19:43] what else?
[19:48] change the default ssh port and disable root login
[19:48] ok
[19:48] I have done that
[19:51] changing default ssh port is at best security through obscurity. you shouldn't be allowing password based authentication via ssh anyway
[19:53] ok, when I put my server back online the first thing i will do is get the ssh keys then lock the password auth
[19:54] what else do I need to know?
[20:07] might be useful to block IPs that try to connect too often too frequently to the SSH port(s) also
[20:09] I have fail2ban
[20:13] also, if possible, implement all the restrictions _before_ you put the server back online :)
[20:14] will do
[20:14] because I bet that my server as soon as it comes online will start getting attacked again
[20:15] would you say that?
[20:21] MIF, you are asking about ways to harden a server, but earlier you were 100% positive you were not rooted
[20:21] This does not inspire confidence
[20:22] I still am 100% sure the root account was not hacked, I am just looking for ways to make sure I don't get hacked again
[20:35] are there any other ideas/tips/anything
[20:37] what you're asking is how to harden a server, but you were 100% positive you were not rooted. These seem like... conflicting viewpoints
[20:37] if you're sure you weren't rooted, then you should have already hardened your server beforehand
[20:37] if you aren't sure if you've been rooted and are asking how to HARDEN your system
[20:37] you're in the wrong line of thought, start your server over.
[20:37] THEN harden it
[20:37] THEN put it online
[20:38] and as for 'getting attacked' a lot of the activity on the Internet is Bad.
[20:38] if you're not fully invested into taking the time to actively monitor/protect your systems actively (it's a full time job!) then you probably shouldn't be *running* a server to start.
[20:38] hate to be completely blunt but... :P
[20:38] (I'm in the IT Security field, it's always a lot of work to actively protect even just ONE server from 'all threats')
[20:40] MIF: disallow Password authentication, use SSH keys only. Disallow root login directly over SSH. Enable `ufw` firewall and properly configure it to ONLY permit connections you want to permit. WHITELIST what IPs can connect to the SSH port, block all other SSH attempts with the firewall. Implement Fail2ban for excessive connections / failed lookups / etc. on all your specific services, where you can access the logs, etc. for those for fail2ban to view.
[20:40] IDEALLY:
[20:40] put your system behind some type of firewall that has threat intelligence datasets into the 'blocklists' so that connections from known badness are blocked by default
[20:40] ok, what I know for a fact, 1. the user did not have root. 2. they started on Dec 14, 2020 at 20:13:25 CST. 3. They used my server to attack others. 4. fail2ban blocked over 500 ips in that 10 day period
[20:41] here's a question:
[20:41] this is a 'new rogue user' yes?
[20:41] how'd that user get *created* to begin with?
[20:41] I created the user as a test user months before my server went online
[20:42] don't create users that you don't intend to use / harden
[20:42] that's another case of Admin Failure here.
[20:42] did this 'test user' ever have `sudo` access in the time since it was 'created'?
[20:42] no
[20:42] > used my server to attack others
[20:42] attack how?
[20:42] (important thing you're missing)
[20:42] > fail2ban blocked over 500 IPs in that 10 day period
[20:42] means jack squat
[20:43] i have f2b lists that're over 2000 **per day**
[20:43] You are in the IT Security field, I am in high school
[20:43] and that's just what gets past the 2mil+ threats that're blocked by the IDS/IPS on the border thanks to threat intel :P
[20:44] I know
[20:44] I talked to my ISP
[20:44] MIF: every ssh server on port 22 on the public internet gets hundreds/thousands of ssh login attempts per day, because botnets
[20:44] I found that out
[20:45] would be interested in the answer to teward's "attack how?", tbh
[20:45] ^ this
[20:46] because I'm real curious how your server was 'attacking' others - it'll help to ID exactly what chaos was going on
[20:46] hacked or otherwise
[20:46] IT Security Professional or High School Student, doesn't matter, if you were told your system was attacking others you'll have information about the 'attack' itself
[20:46] likely from your ISP :P
[20:46] or whoever reported the server was being used maliciously
[20:46] (alternatively PM me your IP i'll run it through greynoise and that should give me an idea of the type of attacks your system was doing)
[20:47] ok
[20:48] teward: from what he linked to it seemed like his server became part of a botnet, so really it could have been used for almost anything...
[20:48] including trying to infect others :)
[20:49] that is what I think was going on
[20:49] or being part of some DDoS
[20:51] JanC: then I'd start with the "Nuke Your System" approach
[20:51] obviously
[20:51] because even if it was running as a single user botnets themselves tend to take over the machine overall
[20:51] MIF: if you haven't started by nuking the system and starting 'fresh' and restoring from last known good backups you're starting off bad
[20:51] you are going to hate me for this
[20:51] botnets often work as a "simple" user
[20:52] but I have not made backups yet
[20:52] JanC: depends on the infection method
[20:52] if it was a simple "run slave agent of botnet as user" then yes
[20:52] but if they _can_ get root they won't refuse that opportunity, of course
[20:52] if it was that leading to systemic infection of multiple bot agents, etc. then it's possible
[20:53] given that OP was 'breached' with password authentication and /etc/passwd is visible I wouldn't be surprised if they did dictionary attacks on ${ALL_ACCOUNTS} on system
[20:53] to try and break in
[20:53] hence the 'start over' statement
[20:53] for example
[20:53] the user did not have a password
[20:53] so then how did they get in through SSH?
[20:53] ^ that
[20:54] default disallows passwordless ssh without SSH keys
[20:54] "PermitEmptyPasswords no" is a default in sshd_config in all Ubuntu deployments of ssh server
[20:54] from install of openssh-server
[20:54] that is a good question, I never changed any of the sshd config settings
[20:55] and I put my IP in greyNoise
[20:56] should show you SOMETHING if you are using the visualizer - at least if you were part of a botnet heh
[20:56] in either case
[20:56] you've got 'basic' hardening steps i've identified
[20:56] no matter what, you want to do a re-install :)
[20:56] ok
[20:56] but if the user had no password AND they got in via SSH AND you left the sshd_config the same as install then your hacker infiltrated some other way than SSH
[20:56] after saving data
[20:56] and I would say that you should ASSUME your system was rooted because you don't know how they got in
[20:57] and torch it after saving any data you need to keep
[20:57] (then reinstall scratch)
[20:57] from scratch*
[20:58] yea, I don't have a good way to back that up
[21:13] I might of set "PermitEmptyPasswords on" I don't know for sure
[21:15] WAT !!!! you don't have backups ???
[21:15] I said you would not like it
[21:16] I don't have any good place to store them
[21:16] Dude....
[21:17] and "I might of set "PermitEmptyPasswords on" I don't know fo" is, um..scary
[21:17] this server has been running for months offline
[21:17] (did not have a public IP)
[21:17] with no backups
[21:18] and in prod
[21:18] MIF: didn't have a public ip and then the ISP introduces ipv6 :D
[21:18] no I got my dad to pay for the ipv4
[21:18] ...
[21:18] I just ran the 500+ IPs from my fail2ban list
[21:19] 571 came up as 571
[21:19] What was this server doing ?
[21:19] 571 came up as Malicious
[21:50] might be useful for some people in here too: https://www.humblebundle.com/books/linux-apress-books
[22:33] hi, quick question. i tried to enable firewalld but i am getting the following error: `Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory` when I'm doing a firewall-cmd --reload. any ideas?
[22:41] sounds like the rule directory does not exist or was not accessible. see journalctl for potential related errors (audit/apparmor?), try to find out where the rules should be located and check whether this directory exists and appears to be accessible to the service.
[22:43] related (yes, redhat, may or may not be relevant)? https://bugzilla.redhat.com/show_bug.cgi?id=1836571 https://bugzilla.redhat.com/show_bug.cgi?id=1817205
[22:43] bugzilla.redhat.com bug 1836571 in Fedora "firewalld startup failure: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: File exists" [Unspecified, New]
[22:44] bugzilla.redhat.com bug 1817205 in Red Hat Enterprise Linux 8 "firewalld rules broken by nftables service if started later" [High, Closed: Errata]