<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hey Nick,<br>
<br>
Some general advice for securing a VPS;<br>
<br>
- disable root ssh login <br>
- disable ssh password login and only allow key based logins
(<a class="moz-txt-link-freetext" href="https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2">https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2</a>)<br>
- install fail2ban<br>
- disable / remove any services you aren't using<br>
- use full disk encryption<br>
- use a decent iptables config
(<a class="moz-txt-link-freetext" href="https://www.linode.com/docs/security/securing-your-server#creating-a-firewall">https://www.linode.com/docs/security/securing-your-server#creating-a-firewall</a>)<br>
- keep the box up to date using unattended upgrades
(<a class="moz-txt-link-freetext" href="https://wiki.debian.org/UnattendedUpgrades">https://wiki.debian.org/UnattendedUpgrades</a>)<br>
<br>
Generally fail2ban, key-only login, iptables, and software updates
should be enough to keep the box secure. You probably got hacked
either through pwd bruteforcing (which would be prevented by
fail2ban or disabling pwd login) or by a vulnerability (which would
be prevented by software upgrades).<br>
<br>
I've generally found Edis to be very good (e.g. one of my VPS has an
uptime > 1 year).<br>
<br>
Cheers,<br>
<br>
Dan<br>
<br>
<div class="moz-cite-prefix">On 25/10/14 16:36, Nick Sheppard wrote:<br>
</div>
<blockquote cite="mid:544BB555.6080800@attglobal.net" type="cite">For
the last month I've been running a middle relay (no guard flag
yet) on a 512 MB VPS provided by Edis.at in Switzerland (4.99 euro
per month). The software is Tor 0.2.5.8-rc with obfsproxy 2 and 3
running on up-to-date Debian Wheezy 7.6. I left the iptables at
their defaults.
<br>
<br>
Last night Edis suspended my VPS because of a suspected outgoing
DDoS attack, and emailed me. I rang their (very helpful) phone
support in London and they de-suspended the VPS so I could ssh
into it and investigate. ( I told them it was running a tor
non-exit relay - that wasn't a problem.)
<br>
<br>
Sure enough the Solus control panel traffic graphs show the tor
relay traffic stopping abruptly last night, followed about 40
minutes later by an exponentially increasing spike of outgoing
traffic, soon cut off when the VPS was suspended.
<br>
<br>
I ssh'd into the VPS ("last login" showed my own last login, so no
problem there) and looked at logs and top. notices.log simply cut
off when the tor traffic stopped, but showed nothing unusual
before that.
<br>
<br>
The Solus control panel traffic graph started showing (a very
small amount of) outgoing traffic as soon as the VPS was
de-suspended, so I assumed the malware was still active, and used
top.
<br>
<br>
This is typical of what I found.
<br>
<br>
1 root 20 0 10604 832 700 S ... 0:00.10 init
<br>
2 root 20 0 0 0 0 S ... 0:00.00 kthreadd/3277
<br>
3 root 20 0 0 0 0 S ... 0:00.00 khelper/3277
<br>
1370 root 20 0 36976 660 492 S ... 0:00.38 hxyqbutesc
<br>
1400 root 20 0 109m 1616 1188 S ... 0:00.00 rsyslogd
<br>
1446 root 20 0 18836 884 680 S ... 0:00.00 cron
<br>
1473 root 20 0 49888 1212 608 S ... 0:00.00 sshd
<br>
3187 root 20 0 27556 744 504 S ... 0:00.00 vzctl
<br>
3188 root 20 0 17808 1968 1500 S ... 0:00.00 bash
<br>
5374 root 20 0 21584 1416 1072 R ... 0:00.00 top
<br>
5440 root 20 0 6244 536 296 S ... 0:00.00 akcviaxtbl
<br>
5443 root 20 0 6244 532 296 S ... 0:00.00 akcviaxtbl
<br>
5446 root 20 0 6244 532 296 S ... 0:00.00 akcviaxtbl
<br>
5448 root 20 0 6244 536 300 S ... 0:00.00 akcviaxtbl
<br>
5449 root 20 0 6244 532 296 S ... 0:00.00 akcviaxtbl
<br>
<br>
There is a strange line near the top for process "hxyqbutesc",
which didn't change; and a strange block of lines at the bottom,
which changed every second or two. Sometimes it was five similar
lines, as above; sometimes it was several block of lines, eg this:
<br>
<br>
5276 root 20 0 6244 528 292 S 0.0 0.1 0:00.00 qscntoweqb
<br>
5277 root 20 0 6244 536 300 S 0.0 0.1 0:00.00 qscntoweqb
<br>
5280 root 20 0 6244 532 296 S 0.0 0.1 0:00.00 qscntoweqb
<br>
5282 root 20 0 6244 536 300 S 0.0 0.1 0:00.00 qscntoweqb
<br>
5283 root 20 0 6244 528 292 S 0.0 0.1 0:00.00 qscntoweqb
<br>
5290 root 20 0 6244 532 296 S 0.0 0.1 0:00.00 saqizxaihz
<br>
5294 root 20 0 6244 528 300 S 0.0 0.1 0:00.00 saqizxaihz
<br>
5295 root 20 0 6244 532 296 S 0.0 0.1 0:00.00 saqizxaihz
<br>
5296 root 20 0 6244 524 296 S 0.0 0.1 0:00.00 saqizxaihz
<br>
5298 root 20 0 6244 528 296 S 0.0 0.1 0:00.00 saqizxaihz
<br>
<br>
Each block is always 5 lines, and the names (always 10 lower-case
letters) seem to be different every time. The blocks change
fairly regularly every second or two.
<br>
<br>
I shut the VPS down to stop it doing any more harm, but I didn't
delete anything; I can restart it and ssh in again for further
investigation if necessary.
<br>
<br>
Eventually I'll have to reinstall everything from scratch,
straightforward enough, but what can I do to make sure it doesn't
happen again? Would hardening my iptables work? Has anyone else
seen this?
<br>
<br>
Nick Sheppard
<br>
<br>
<br>
<br>
<br>
_______________________________________________
<br>
tor-relays mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:tor-relays@lists.torproject.org">tor-relays@lists.torproject.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a>
<br>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<div>Dan Rogers</div>
<div>+44 7539 552349<br>
<a>skype: dan.j.rogers</a></div>
<div><a href="https://secure.techwang.com/gpg/public_key.txt">gpg
key</a>
</div>
<div><a href="http://www.linkedin.com/in/danrogerslondon"
target="_blank">linkedin</a> | <a
href="http://twitter.com/danjrog" target="_blank">twitter</a> |
<a href="http://open.spotify.com/user/bonkbonkonk"
target="_blank">spotify</a> | <a
href="http://holdingitwrong.com" target="3D"_blank"">music</a></div>
</div>
</body>
</html>