Differences

This shows you the differences between two versions of the page.

--- manuals:vps:incidents [2024/04/15 06:52] – Sort alphabetically aither
+++ manuals:vps:incidents [2024/04/15 07:14] (current) – Add descriptions for mysql/postgres/redis/dns/malware aither
@@ Line 5: / Line 5: @@
 be precautionary when services which are known to be exploitable are available
 from the public Internet.
+===== Accessible-MySQL =====
+Your MySQL/MariaDB database is publicly accessible on port **3306** over **IPv4**.
+If possible, it is best to configure the database to listen only on localhost,
+e.g. in ''my.cnf'':
+<code>
+[mysqld]
+bind-address = 127.0.0.1
+</code>
+If you need to connect to the database remotely, you could restrict access
+using firewall, so that only selected IP addresses could connect.
+===== Accessible-PostgreSQL =====
+Your PostgreSQL databae is accessible on port **5432** over **IPv4**.
+If possible, it is best to configure the database to listen only on localhost,
+e.g. in ''postgresql.conf'':
+<code>
+listen_addresses = localhost
+</code>
+If you need to connect to the database remotely, you could restrict access
+using firewall, so that only selected IP addresses could connect.
+===== Accessible-SMB =====
+There is a publicly accessible samba (smbd) instance running on your VPS.
+It is highly recommended to use VPN and allow access to samba only from your
+private network. Alternatively, you can use protocol with better security,
+such as SFTP over SSH.
+===== DNS-Open-Resolvers =====
+There is a DNS resolver running on port **53** that is publicly accessible over **IPv4**.
+DNS resolved should be configured to either listen only on localhost, or to resolve queries
+from selected networks, e.g. addresses of your VPS or your private network.
+Openly accessible DNS resolvers are frequently used in amplification attacks -- the
+response sent by the server is much larger than the request. The attacker can use this
+to direct server responses to the victim.
+===== IPv6-Accessible-MySQL =====
+Your MySQL/MariaDB database is publicly accessible on port **3306** over **IPv6**.
+If possible, it is best to configure the database to listen only on localhost,
+e.g. in ''my.cnf'':
+<code>
+[mysqld]
+bind-address = 127.0.0.1
+</code>
+If you need to connect to the database remotely, you could restrict access
+using firewall, so that only selected IP addresses could connect.
+===== IPv6-Accessible-PostgreSQL =====
+Your PostgreSQL databae is accessible on port **5432** over **IPv6**.
+If possible, it is best to configure the database to listen only on localhost,
+e.g. in ''postgresql.conf'':
+<code>
+listen_addresses = localhost
+</code>
+If you need to connect to the database remotely, you could restrict access
+using firewall, so that only selected IP addresses could connect.
+===== IPv6-DNS-Open-Resolvers =====
+There is a DNS resolver running on port **53** that is publicly accessible over **IPv6**.
+DNS resolved should be configured to either listen only on localhost, or to resolve queries
+from selected networks, e.g. addresses of your VPS or your private network.
+Openly accessible DNS resolvers are frequently used in amplification attacks -- the
+response sent by the server is much larger than the request. The attacker can use this
+to direct server responses to the victim.
+===== malware =====
+There is a malware running in your VPS. There's probably a vulnerability in your websites
+or other publicly accessible service. It is also possible you have a weak SSH password.
+Malware usually makes the VPS a part of a botnet, which is then used to attack other
+systems, send spam and mine cryptocurrencies.
+We can find the vulnerable application by looking at the system user the malware is running as
+and the path to its executable. For example, if the user is ''www-data'', you can be certain
+it is one of your websites. The incident report further includes the path to its executable --
+you can read it yourself from '/proc/<pid>/exe'. If you're using containers, you can
+use the cgroup path as a pointer to which container it is, e.g. compare the cgroup path
+with ''docker ps''. Note that ''/proc/<pid>/cmdline'' (usually seen in top and ps) might be
+made up by the malware.
+If the malware is running as an unprivileged user, it can be enough to kill its processes,
+remove its files, update the application, the system, change passwords, etc. Consider that
+the malware had access wherever the system user it run as had access. Malware often
+uses cron to launch itself repeatedly, check ''/var/spool/cron'' for malignant crontabs.
+In case the malware is running as root, nothing in that VPS can be trusted. Unless you've
+been prepare for such a situation and have checksums of all files, you can never know
+what it changed and what backdoors it made for itself. It has access to all of your files,
+including configuration files with passwords, etc. Packaging systems can check integrity
+of installed packages, but that won't include your data and system configuration files.
+It's best to reinstall the VPS and configure it anew.
 ===== open-memcached =====
@@ Line 36: / Line 136: @@
 Note that iptables rules configured like this will be lost when the VPS is restarted.
 For these rules to be persistent, consult your distribution's documentation.
+===== Open-Redis =====
+There is a redis server running on port **6379**, which is publicly accessible over **IPv4**.
+It is recommended to configure redis to listen only on localhost, or to protect it by firewall.

Knowledge base

User Tools

Site Tools

Differences

Page Tools