Compute safely … attacks on the rise

Heading out this morning to a customer who had a set of systems compromised. It appears that a Windows trojan did some keylogging, and someone then logged in, as root, from the compromised machine.
Folks, stay safe. Don't use password authentication for ssh. Use keys.
And, bluntly, seriously reconsider running any Windows machine anywhere near a server/HPC resource.
Our efforts to help fix their problem are going to cost this customer thousands of dollars and a lot of our time. This isn't what they want, and it isn't what anyone else needs.
If you must run Windows, run it in a VM atop a heavily firewalled Linux/Mac machine. You can isolate the VM so that it never sees the outside world apart from a few very specific ports.
It looks like this customer let the bot spread to other machines until it eventually took control of their server, compute nodes, and backup system.
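The ssh advice above comes down to a handful of sshd_config keywords. What follows is an added example, not code from the original post: a small POSIX shell audit that reads an sshd_config and flags the settings that would have let a keylogged password work. It assumes OpenSSH's "keyword value" syntax, that keywords are case-insensitive, and that the first occurrence of a keyword is the one sshd honours; settings inside Match blocks are not evaluated. The two configs it checks are constructed for the example and are not from any real system.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# settings the post argues for. Assumes OpenSSH's "keyword value" syntax,
# case-insensitive keywords, and that the FIRST occurrence of a keyword
# wins; settings inside Match blocks are not evaluated here.

# sshd_effective FILE KEYWORD -> prints the effective (lowercased) value,
# or nothing if the keyword is unset and the OpenSSH default applies.
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/        { next }   # skip comments
        NF == 0                 { next }   # skip blank lines
        tolower($1) == "match"  { exit }   # stop at the first Match block
        tolower($1) == key      { print tolower($2); exit }  # first value wins
    ' "$1"
}

# audit_sshd_config FILE -> one "WEAK: ..." line per finding
audit_sshd_config() {
    f=$1

    # Default is yes, so an unset keyword is a finding as well.
    v=$(sshd_effective "$f" PasswordAuthentication)
    [ "${v:-yes}" = no ] || echo "WEAK: PasswordAuthentication is '${v:-unset, default yes}'; set to no"

    # Root over ssh with a password is exactly the path described in the post.
    v=$(sshd_effective "$f" PermitRootLogin)
    [ "$v" = yes ] && echo "WEAK: PermitRootLogin is 'yes'; set to no (or prohibit-password)"

    v=$(sshd_effective "$f" PubkeyAuthentication)
    [ "${v:-yes}" = yes ] || echo "WEAK: PubkeyAuthentication is '$v'; set to yes"

    # Keyboard-interactive (PAM) auth still accepts a typed password even
    # when PasswordAuthentication is off. OpenSSH renamed
    # ChallengeResponseAuthentication to KbdInteractiveAuthentication; check both.
    v=$(sshd_effective "$f" KbdInteractiveAuthentication)
    [ -n "$v" ] || v=$(sshd_effective "$f" ChallengeResponseAuthentication)
    [ "${v:-yes}" = no ] || echo "WEAK: KbdInteractiveAuthentication is '${v:-unset, default yes}'; set to no"
    return 0
}

# count_weak_settings FILE -> number of findings
count_weak_settings() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# Constructed sample configs for the example (not taken from any real system).
WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

cat > "$WEAK_CONF" <<'EOF'
# Permissive config typical of a default install
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
# Appended later in a hurry: has no effect, because the first value wins
PasswordAuthentication no
EOF

cat > "$HARD_CONF" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey
UsePAM yes
EOF

echo "== weak config =="
audit_sshd_config "$WEAK_CONF"      # three findings
echo "== hardened config =="
audit_sshd_config "$HARD_CONF"      # nothing reported
```

The "appended later" line in the weak config is the gotcha the first-value rule produces: an admin who tacks `PasswordAuthentication no` onto the end of a file that already says `yes` has changed nothing, and `sshd -T` will confirm it. On the client side, generate the key with `ssh-keygen -t ed25519` and give it a passphrase when prompted (the `-a` option raises the KDF rounds protecting the private key file), so a stolen key file is not by itself a login.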

4 thoughts on “Compute safely … attacks on the rise”

  1. “Don’t use passwords for ssh. Use keys.”
    Use both, in the form of a passphrase-protected key. Otherwise, somebody could log in from one of your systems to others without even needing a keylogger. Two-factor authentication (something you have plus something you know) is becoming a minimum, and three-factor (add something you are) deserves serious consideration in all but the least secure situations.
    (Yes, I know “something you have” usually refers to something physical.)

    • @Jeff
      Good clarification. I agree, passphrase-protected keys. Unfortunately, keyloggers abound, and stealing typed data is becoming easier under Windows systems. I’ve been thinking of 3-factor for a while.
      We have a few other things we can do to set up systems that generally make it very hard to compromise, but they limit utility as a server. I need to look at them and see if we can make these more palatable.

  2. “Don’t use passwords for ssh. Use keys.”
    Hey, if it uses ssh, it ain’t the Windows way. Did the hack really involve keylogging of an ssh login from a Windows machine? Would Active Directory have been more secure?

  3. @Sam
    I wasn’t able to definitively establish the attack entry mechanism, only the entry point. I know ssh isn’t the Windows way. Then again, running everything as an administrative user is the Windows way. Look at how well this helped 🙁
