On Mon, Mar 11, 2013 at 11:40 AM, Vimal Shah wrote: > Thank you for the advice. The necessary security layer that was missing has > been identified and is being incorporated. > > Deploying a server from scratch has been tedious (running each command > manually). Capturing all of these commands into a python script seems > obvious. The python script is slow to develop due to the fact that I'm > trying to learn it and code it at the same time. > look into cfengine to manage configurations - works with subversion too. 1) makes deployment of servers or workstations very easy - and keeps them there 2) dynamic reactions - can deploy/decommission depending on load > Has anyone had any experience with Vagrant? Is it worth the time to > investigate? > > Lastly, if anyone is available for some consulting on these matters (server > security and deployment), please contact me. > > > On Thu, Mar 7, 2013 at 4:25 PM, Paul Mooring wrote: >> >> It's likely that if he left that key in there with a valid e-mail address >> then whoever compromised the server wasn't trying to be discrete. I would >> check my auth logs to see when/if someone was logging in from somewhere >> suspect. Next if the server was compromised, it's done, you can never trust >> it again, no amount of clean up or post-mortem investigation can ever give >> reasonable confidence that there's no back door on it. Move the services >> and data and make a new server/clean install, then look very carefully at >> what attack vector was exploited and close it (like if it was brute force >> you should have ssh for root turned off, more restrictive firewall rules and >> ssh guard). >> >> Having a server compromised can be a huge headache, good luck. >> -- >> Paul Mooring >> Systems Engineer and Customer Advocate >> >> www.opscode.com >> >> From: Vimal Shah >> Reply-To: Main PLUG discussion list >> Date: Thursday, March 7, 2013 4:49 PM >> To: Main PLUG discussion list >> Subject: server compromised? >> >> Hello all, >> >> While randomly looking into the .ssh/authorized_keys file, I noticed a >> line that shouldn't have been there. This was concluded based on the last >> portion of the line. This portion was in the form of user@domain.com, where >> the domain was one of a likely competitor. Does this automatically mean that >> this server has been compromised? The line has been removed. >> >> Thanking everyone in advance. >> >> -- >> Vimal >> >> --------------------------------------------------- >> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org >> To subscribe, unsubscribe, or to change your mail settings: >> http://lists.phxlinux.org/mailman/listinfo/plug-discuss > > > > > -- > Vimal (rhymes with Kimmel) Shah > Front-End / Infrastructure Engineer > Sokikom > Mobile: (480) 752-9269 > Email: vimals@sokikom.com > Web: www.sokikom.com > > Follow us: twitter.com/sokikom > Like us: facebook.com/sokikom > > --------------------------------------------------- > PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org > To subscribe, unsubscribe, or to change your mail settings: > http://lists.phxlinux.org/mailman/listinfo/plug-discuss --------------------------------------------------- PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org To subscribe, unsubscribe, or to change your mail settings: http://lists.phxlinux.org/mailman/listinfo/plug-discuss