server compromised?

Ed plug at 0x1b.com
Mon Mar 11 14:30:55 MST 2013


On Mon, Mar 11, 2013 at 11:40 AM, Vimal Shah <vimals at sokikom.com> wrote:
> Thank you for the advice. The necessary security layer that was missing has
> been identified and is being incorporated.
>
> Deploying a server from scratch has been tedious (running each command
> manually). Capturing all of these commands into a python script seems
> obvious. The python script is slow to develop due to the fact that I'm
> trying to learn it and code it at the same time.
>

Look into cfengine to manage configurations - works with subversion too.
1) makes deployment of servers or workstations very easy - and keeps them there
2) dynamic reactions - can deploy/decommission depending on load

> Has anyone had any experience with Vagrant? Is it worth the time to
> investigate?
>
> Lastly, if anyone is available for some consulting on these matters (server
> security and deployment), please contact me.
>
>
> On Thu, Mar 7, 2013 at 4:25 PM, Paul Mooring <paul at opscode.com> wrote:
>>
>> It's likely that if he left that key in there with a valid e-mail address
>> then whoever compromised the server wasn't trying to be discreet.  I would
>> check my auth logs to see when/if someone was logging in from somewhere
>> suspect.  Next if the server was compromised, it's done, you can never trust
>> it again, no amount of clean up or post-mortem investigation can ever give
>> reasonable confidence that there's no back door on it.  Move the services
>> and data and make a new server/clean install, then look very carefully at
>> what attack vector was exploited and close it (like if it was brute force
>> you should have ssh for root turned off, more restrictive firewall rules and
>> ssh guard).
>>
>> Having a server compromised can be a huge headache, good luck.
>> --
>> Paul Mooring
>> Systems Engineer and Customer Advocate
>>
>> www.opscode.com
>>
>> From: Vimal Shah <vimals at sokikom.com>
>> Reply-To: Main PLUG discussion list <plug-discuss at lists.phxlinux.org>
>> Date: Thursday, March 7, 2013 4:49 PM
>> To: Main PLUG discussion list <plug-discuss at lists.phxlinux.org>
>> Subject: server compromised?
>>
>> Hello all,
>>
>> While randomly looking into the .ssh/authorized_keys file, I noticed a
>> line that shouldn't have been there. This was concluded based on the last
>> portion of the line. This portion was in the form of user at domain.com, where
>> the domain was one of a likely competitor. Does this automatically mean that
>> this server has been compromised? The line has been removed.
>>
>> Thanking everyone in advance.
>>
>> --
>> Vimal
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
>
>
>
> --
> Vimal (rhymes with Kimmel) Shah
> Front-End / Infrastructure Engineer
> Sokikom
> Mobile: (480) 752-9269
> Email:   vimals at sokikom.com
> Web:    www.sokikom.com
>
> Follow us: twitter.com/sokikom
> Like us: facebook.com/sokikom
>


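Paul's two concrete checks above (look in the auth logs for logins at odd times or from unfamiliar addresses, and treat root ssh logins and brute-force attempts as the vector to close) and Vimal's original finding (an authorized_keys entry whose comment names an outsider) can be scripted as a first triage pass. The following is an added example, not code from the thread; the log lines, key file, allowlist of key comments and trusted source prefix are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not from the thread); IPs are documentation ranges.
AUTH_LOG = """\
Mar  7 02:14:01 web1 sshd[2210]: Accepted publickey for root from 203.0.113.77 port 51022 ssh2
Mar  7 03:02:45 web1 sshd[2255]: Failed password for root from 198.51.100.9 port 33010 ssh2
Mar  7 03:02:49 web1 sshd[2255]: Failed password for root from 198.51.100.9 port 33011 ssh2
Mar  7 03:02:53 web1 sshd[2255]: Failed password for root from 198.51.100.9 port 33012 ssh2
Mar  7 09:30:12 web1 sshd[2310]: Accepted publickey for deploy from 192.0.2.10 port 40112 ssh2
"""
# Constructed authorized_keys; key blobs are placeholders, not real keys.
AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3Nza...PLACEHOLDER1 deploy@ourcompany.example
ssh-rsa AAAAB3Nza...PLACEHOLDER2 someone@competitor.example
"""
KNOWN_KEY_COMMENTS = {"deploy@ourcompany.example"}  # assumption: comments of keys we issued
KNOWN_SOURCE_NETS = ("192.0.2.",)                    # assumption: our bastion/office prefix
LOGIN_RE = re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def unexpected_keys(authorized_keys: str) -> list[str]:
    """Comment field of every key not on the allowlist (assumes 'type blob comment' lines)."""
    flagged = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) < 2 or line.startswith("#"):
            continue  # blank line or comment line
        comment = parts[2] if len(parts) > 2 else "<no comment>"
        if comment not in KNOWN_KEY_COMMENTS:
            flagged.append(comment)
    return flagged

def suspicious_logins(log: str, fail_threshold: int = 3) -> dict:
    """Accepted root logins, accepted logins from unknown networks, and IPs with repeated failures."""
    findings = {"root_logins": [], "unknown_source": [], "brute_force_ips": []}
    failures = Counter()
    for m in filter(None, map(LOGIN_RE.search, log.splitlines())):
        user, ip = m["user"], m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1  # count failures per source to spot password guessing
            continue
        if user == "root":  # root should not be logging in over ssh at all
            findings["root_logins"].append((ip, m["method"]))
        if not ip.startswith(KNOWN_SOURCE_NETS):
            findings["unknown_source"].append((user, ip))
    findings["brute_force_ips"] = [ip for ip, n in failures.items() if n >= fail_threshold]
    return findings
```

On a real box, feed it /var/log/auth.log (or secure) and the authorized_keys of every account, not just the one that was noticed; a hit on any of the three lists is a reason to follow Paul's advice and rebuild rather than clean.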