Re: server compromised?

Author: Paul Mooring
Date:  
To: Main PLUG discussion list
Subject: Re: server compromised?
I just sent a longer e-mail about Chef, but I forgot to add that while I
like Chef, Puppet, CFEngine, etc. are all good products, what matters is
having well-defined reproducible configurations.
--
Paul Mooring
Systems Engineer and Customer Advocate

www.opscode.com
On 3/11/13 2:30 PM, "Ed" <> wrote:

>On Mon, Mar 11, 2013 at 11:40 AM, Vimal Shah <> wrote:
>> Thank you for the advice. The necessary security layer that was missing
>> has been identified and is being incorporated.
>>
>> Deploying a server from scratch has been tedious (running each command
>> manually). Capturing all of these commands into a python script seems
>> obvious. The python script is slow to develop due to the fact that I'm
>> trying to learn it and code it at the same time.
>>
>
>look into cfengine to manage configurations - works with subversion too.
>1) makes deployment of servers or workstations very easy - and keeps them there
>2) dynamic reactions - can deploy/decommission depending on load
>
>> Has anyone had any experience with Vagrant? Is it worth the time to
>> investigate?
>>
>> Lastly, if anyone is available for some consulting on these matters
>> (server security and deployment), please contact me.
>>
>>
>> On Thu, Mar 7, 2013 at 4:25 PM, Paul Mooring <> wrote:
>>>
>>> It's likely that if he left that key in there with a valid e-mail
>>> address then whoever compromised the server wasn't trying to be discreet.
>>> I would check my auth logs to see when/if someone was logging in from
>>> somewhere suspect. Next, if the server was compromised, it's done; you can
>>> never trust it again. No amount of clean up or post-mortem investigation
>>> can ever give reasonable confidence that there's no back door on it. Move
>>> the services and data and make a new server/clean install, then look very
>>> carefully at what attack vector was exploited and close it (like if it was
>>> brute force you should have ssh for root turned off, more restrictive
>>> firewall rules and sshguard).
>>>
>>> Having a server compromised can be a huge headache, good luck.
>>> --
>>> Paul Mooring
>>> Systems Engineer and Customer Advocate
>>>
>>> www.opscode.com
>>>
>>> From: Vimal Shah <>
>>> Reply-To: Main PLUG discussion list <>
>>> Date: Thursday, March 7, 2013 4:49 PM
>>> To: Main PLUG discussion list <>
>>> Subject: server compromised?
>>>
>>> Hello all,
>>>
>>> While randomly looking into the .ssh/authorized_keys file, I noticed a
>>> line that shouldn't have been there. This was concluded based on the last
>>> portion of the line. This portion was in the form of ,
>>> where the domain was one of a likely competitor. Does this automatically
>>> mean that this server has been compromised? The line has been removed.
>>>
>>> Thanking everyone in advance.
>>>
>>> --
>>> Vimal
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list -
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>
>> --
>> Vimal (rhymes with Kimmel) Shah
>> Front-End / Infrastructure Engineer
>> Sokikom
>> Mobile: (480) 752-9269
>> Email:   
>> Web:    www.sokikom.com
>>
>> Follow us: twitter.com/sokikom
>> Like us: facebook.com/sokikom
>>
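Paul's advice in the quoted thread (check the auth logs for when/if someone logged in from somewhere suspect, and look for brute force) and the way Vimal spotted the foreign key by its e-mail comment can be scripted as a quick audit. This is an added example, not code from anyone in the thread; the authorized_keys content, log lines, trusted domain and known IPs are constructed sample data, and the key parser assumes key options contain no spaces.

```python
import re
from collections import Counter

# Constructed sample authorized_keys content; the key blobs are placeholders, not real keys.
AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EFAKEKEY1 vimal@sokikom.com
no-pty,command="/bin/true" ssh-rsa AAAAB3NzaC1yc2EFAKEKEY2 deploy@sokikom.com
ssh-rsa AAAAB3NzaC1yc2EFAKEKEY3 someone@competitor.example
"""
# Constructed sshd lines in auth.log format; host and IPs are documentation-range placeholders.
AUTH_LOG = """\
Mar  7 03:12:01 web1 sshd[2011]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar  7 03:12:03 web1 sshd[2011]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar  7 03:12:05 web1 sshd[2011]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar  7 03:12:09 web1 sshd[2014]: Accepted password for root from 198.51.100.7 port 41030 ssh2
Mar  7 09:01:44 web1 sshd[2300]: Accepted publickey for vimal from 203.0.113.10 port 50122 ssh2
"""
# Simplified authorized_keys grammar: [options] type key [comment]; assumes options contain no spaces.
KEY_LINE = re.compile(r"^(?:(?P<opts>\S+)[ \t]+)?(?P<type>ssh-(?:rsa|ed25519|dss)|ecdsa-\S+)[ \t]+(?P<key>\S+)(?:[ \t]+(?P<comment>.*))?$", re.M)
LOG_LINE = re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

def unexpected_keys(text, trusted_domains):
    """Return the comment (or key blob) of every key not tagged with an e-mail at a trusted domain."""
    flagged = []
    for m in KEY_LINE.finditer(text):
        comment = m.group("comment") or ""
        domain = comment.rsplit("@", 1)[1].lower() if "@" in comment else ""
        if domain not in trusted_domains:
            flagged.append(comment or m.group("key"))
    return flagged

def suspect_logins(log, known_ips, fail_threshold=3):
    """Flag accepted logins as root or from unknown IPs, and source IPs with repeated failures."""
    failures, findings = Counter(), []
    for m in LOG_LINE.finditer(log):
        user, ip = m.group("user"), m.group("ip")
        if m.group("result") == "Failed":
            failures[ip] += 1
        elif user == "root" or ip not in known_ips:
            findings.append({"kind": "accepted", "user": user, "ip": ip, "method": m.group("method")})
    for ip, n in failures.items():
        if n >= fail_threshold:
            findings.append({"kind": "bruteforce", "ip": ip, "failures": n})
    return findings

if __name__ == "__main__":
    print(unexpected_keys(AUTHORIZED_KEYS, {"sokikom.com"}))
    print(suspect_logins(AUTH_LOG, {"203.0.113.10"}))
```

On a real host, feed it the contents of each user's authorized_keys and /var/log/auth.log (or the journal's sshd output) rather than the constructed samples.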