server compromised?
Paul Mooring
paul at opscode.com
Mon Mar 11 14:54:46 MST 2013
I just sent a longer e-mail about Chef, but I forgot to add that while I
like Chef, Puppet, CFEngine, etc. are all good products, what matters is
having well-defined, reproducible configurations.
--
Paul Mooring
Systems Engineer and Customer Advocate
www.opscode.com
On 3/11/13 2:30 PM, "Ed" <plug at 0x1b.com> wrote:
>On Mon, Mar 11, 2013 at 11:40 AM, Vimal Shah <vimals at sokikom.com> wrote:
>> Thank you for the advice. The necessary security layer that was missing has
>> been identified and is being incorporated.
>>
>> Deploying a server from scratch has been tedious (running each command
>> manually). Capturing all of these commands into a python script seems
>> obvious. The python script is slow to develop due to the fact that I'm
>> trying to learn it and code it at the same time.
>>
>
>look into cfengine to manage configurations - works with subversion too.
>1) makes deployment of servers or workstations very easy - and keeps them
>there
>2) dynamic reactions - can deploy/decommission depending on load
>
>> Has anyone had any experience with Vagrant? Is it worth the time to
>> investigate?
>>
>> Lastly, if anyone is available for some consulting on these matters (server
>> security and deployment), please contact me.
>>
>>
>> On Thu, Mar 7, 2013 at 4:25 PM, Paul Mooring <paul at opscode.com> wrote:
>>>
>>> It's likely that if he left that key in there with a valid e-mail address
>>> then whoever compromised the server wasn't trying to be discreet. I would
>>> check my auth logs to see when/if someone was logging in from somewhere
>>> suspect. Next if the server was compromised, it's done, you can never trust
>>> it again, no amount of clean up or post-mortem investigation can ever give
>>> reasonable confidence that there's no back door on it. Move the services
>>> and data and make a new server/clean install, then look very carefully at
>>> what attack vector was exploited and close it (like if it was brute force
>>> you should have ssh for root turned off, more restrictive firewall rules and
>>> ssh guard).
>>>
>>> Having a server compromised can be a huge headache, good luck.
>>> --
>>> Paul Mooring
>>> Systems Engineer and Customer Advocate
>>>
>>> www.opscode.com
>>>
>>> From: Vimal Shah <vimals at sokikom.com>
>>> Reply-To: Main PLUG discussion list <plug-discuss at lists.phxlinux.org>
>>> Date: Thursday, March 7, 2013 4:49 PM
>>> To: Main PLUG discussion list <plug-discuss at lists.phxlinux.org>
>>> Subject: server compromised?
>>>
>>> Hello all,
>>>
>>> While randomly looking into the .ssh/authorized_keys file, I noticed a
>>> line that shouldn't have been there. This was concluded based on the last
>>> portion of the line. This portion was in the form of user at domain.com, where
>>> the domain was one of a likely competitor. Does this automatically mean that
>>> this server has been compromised? The line has been removed.
>>>
>>> Thanking everyone in advance.
>>>
>>> --
>>> Vimal
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>
>>
>>
>>
>> --
>> Vimal (rhymes with Kimmel) Shah
>> Front-End / Infrastructure Engineer
>> Sokikom
>> Mobile: (480) 752-9269
>> Email: vimals at sokikom.com
>> Web: www.sokikom.com
>>
>> Follow us: twitter.com/sokikom
>> Like us: facebook.com/sokikom
>>
>
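The check discussed in this thread (an unexpected authorized_keys line, then the auth logs), as an added example that is not part of any message above. It assumes sshd writes "Accepted publickey ... ssh2: TYPE SHA256:..." lines, as current OpenSSH does; the function names, hosts, addresses and key blobs are constructed for illustration.

```python
import base64
import hashlib
import re

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key type names
ACCEPTED = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"\S+ (?P<fp>SHA256:\S+)")

def fingerprint(blob_b64):
    """SHA256 fingerprint of a base64 key blob, in the form sshd logs it."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (fingerprint, comment) per key line, skipping leading options."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens[:-1]):
            if tok.startswith(KEY_TYPES):
                yield fingerprint(tokens[i + 1]), " ".join(tokens[i + 2:])
                break

def audit(authorized_keys, auth_log, trusted_fps):
    """Return (comments of keys not in the allowlist, logins made with them).
    The allowlist is by fingerprint because the comment is free text."""
    suspect = {fp: comment for fp, comment in parse_authorized_keys(authorized_keys)
               if fp not in trusted_fps}
    logins = []
    for line in auth_log.splitlines():
        m = ACCEPTED.search(line)
        if m and m["fp"] in suspect:
            # line[:15] is the classic syslog timestamp, e.g. "Mar  5 02:11:09"
            logins.append((line[:15], m["user"], m["ip"], suspect[m["fp"]]))
    return sorted(suspect.values()), logins

# Constructed sample data: the blobs are placeholder bytes, not real keys.
ADMIN = base64.b64encode(b"constructed-admin-key").decode()
ROGUE = base64.b64encode(b"constructed-unknown-key").decode()
SAMPLE_KEYS = (f"ssh-ed25519 {ADMIN} admin@example.org\n"
               f'from="198.51.100.0/24" ssh-rsa {ROGUE} user@example.net\n')
SAMPLE_LOG = (
    f"Mar  5 02:11:09 web1 sshd[411]: Accepted publickey for root from 203.0.113.7 port 50122 ssh2: RSA {fingerprint(ROGUE)}\n"
    f"Mar  6 09:30:00 web1 sshd[950]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2: ED25519 {fingerprint(ADMIN)}\n"
    "Mar  6 09:31:00 web1 sshd[960]: Failed password for root from 203.0.113.7 port 50200 ssh2\n")

if __name__ == "__main__":
    print(audit(SAMPLE_KEYS, SAMPLE_LOG, {fingerprint(ADMIN)}))
```

An empty login list only says that the logs still on disk show no use of the key; rotated or edited logs would show the same.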