manuals:vps:incidents [2023/08/14 19:13] – [open-portmapper] Aither | manuals:vps:incidents [2024/04/15 07:14] (current) – Add descriptions for mysql/postgres/redis/dns/malware aither | ||
Line 5: | Line 5: | ||
be precautionary when services which are known to be exploitable are available | be precautionary when services which are known to be exploitable are available | ||
from the public Internet. | from the public Internet. | ||
+ | |||
+ | ===== Accessible-MySQL ===== | ||
+ | Your MySQL/ | ||
+ | If possible, it is best to configure the database to listen only on localhost, | ||
+ | e.g. in '' | ||
+ | |||
+ | < | ||
+ | [mysqld] | ||
+ | bind-address = 127.0.0.1 | ||
+ | </ | ||
+ | |||
+ | If you need to connect to the database remotely, you could restrict access | ||
+ | using firewall, so that only selected IP addresses could connect. | ||
+ | |||
+ | ===== Accessible-PostgreSQL ===== | ||
+ | Your PostgreSQL databae is accessible on port **5432** over **IPv4**. | ||
+ | If possible, it is best to configure the database to listen only on localhost, | ||
+ | e.g. in '' | ||
+ | |||
+ | < | ||
+ | listen_addresses = localhost | ||
+ | </ | ||
+ | |||
+ | If you need to connect to the database remotely, you could restrict access | ||
+ | using firewall, so that only selected IP addresses could connect. | ||
+ | |||
+ | ===== Accessible-SMB ===== | ||
+ | There is a publicly accessible samba (smbd) instance running on your VPS. | ||
+ | It is highly recommended to use VPN and allow access to samba only from your | ||
+ | private network. Alternatively, | ||
+ | such as SFTP over SSH. | ||
+ | |||
+ | ===== DNS-Open-Resolvers ===== | ||
+ | There is a DNS resolver running on port **53** that is publicly accessible over **IPv4**. | ||
+ | DNS resolved should be configured to either listen only on localhost, or to resolve queries | ||
+ | from selected networks, e.g. addresses of your VPS or your private network. | ||
+ | |||
+ | Openly accessible DNS resolvers are frequently used in amplification attacks -- the | ||
+ | response sent by the server is much larger than the request. The attacker can use this | ||
+ | to direct server responses to the victim. | ||
+ | |||
+ | ===== IPv6-Accessible-MySQL ===== | ||
+ | Your MySQL/ | ||
+ | If possible, it is best to configure the database to listen only on localhost, | ||
+ | e.g. in '' | ||
+ | |||
+ | < | ||
+ | [mysqld] | ||
+ | bind-address = 127.0.0.1 | ||
+ | </ | ||
+ | |||
+ | If you need to connect to the database remotely, you could restrict access | ||
+ | using firewall, so that only selected IP addresses could connect. | ||
+ | |||
+ | ===== IPv6-Accessible-PostgreSQL ===== | ||
+ | Your PostgreSQL databae is accessible on port **5432** over **IPv6**. | ||
+ | If possible, it is best to configure the database to listen only on localhost, | ||
+ | e.g. in '' | ||
+ | |||
+ | < | ||
+ | listen_addresses = localhost | ||
+ | </ | ||
+ | |||
+ | If you need to connect to the database remotely, you could restrict access | ||
+ | using firewall, so that only selected IP addresses could connect. | ||
+ | |||
+ | ===== IPv6-DNS-Open-Resolvers ===== | ||
+ | There is a DNS resolver running on port **53** that is publicly accessible over **IPv6**. | ||
+ | DNS resolved should be configured to either listen only on localhost, or to resolve queries | ||
+ | from selected networks, e.g. addresses of your VPS or your private network. | ||
+ | |||
+ | Openly accessible DNS resolvers are frequently used in amplification attacks -- the | ||
+ | response sent by the server is much larger than the request. The attacker can use this | ||
+ | to direct server responses to the victim. | ||
+ | |||
+ | ===== malware ===== | ||
+ | There is a malware running in your VPS. There' | ||
+ | or other publicly accessible service. It is also possible you have a weak SSH password. | ||
+ | Malware usually makes the VPS a part of a botnet, which is then used to attack other | ||
+ | systems, send spam and mine cryptocurrencies. | ||
+ | |||
+ | We can find the vulnerable application by looking at the system user the malware is running as | ||
+ | and the path to its executable. For example, if the user is '' | ||
+ | it is one of your websites. The incident report further includes the path to its executable -- | ||
+ | you can read it yourself from '/ | ||
+ | use the cgroup path as a pointer to which container it is, e.g. compare the cgroup path | ||
+ | with '' | ||
+ | made up by the malware. | ||
+ | |||
+ | If the malware is running as an unprivileged user, it can be enough to kill its processes, | ||
+ | remove its files, update the application, | ||
+ | the malware had access wherever the system user it run as had access. Malware often | ||
+ | uses cron to launch itself repeatedly, check ''/ | ||
+ | |||
+ | In case the malware is running as root, nothing in that VPS can be trusted. Unless you've | ||
+ | been prepare for such a situation and have checksums of all files, you can never know | ||
+ | what it changed and what backdoors it made for itself. It has access to all of your files, | ||
+ | including configuration files with passwords, etc. Packaging systems can check integrity | ||
+ | of installed packages, but that won't include your data and system configuration files. | ||
+ | It's best to reinstall the VPS and configure it anew. | ||
+ | |||
+ | ===== open-memcached ===== | ||
+ | memcached is often used for amplification attacks. The attacker uses your memcached | ||
+ | server to send responses to victims, as the response is much larger than the attacker' | ||
+ | request. If you're using memcached only locally, it is best to have it listen only | ||
+ | on localhost. In case you're using memcached from multiple VPS, secure it using | ||
+ | the firewall to not be available from the public Internet. | ||
===== open-portmapper ===== | ===== open-portmapper ===== | ||
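Review bot: the Accessible-MySQL and Accessible-PostgreSQL sections and their IPv6-Accessible-* twins are verbatim copies that differ only in the word IPv4/IPv6, so every later correction has to be made four times; consider one section per service, referenced from both incident names, since the snippets shown ('bind-address = 127.0.0.1' and 'listen_addresses = localhost') already stop external connections on both address families. While here, fix the typos that are now duplicated: 'databae' in both PostgreSQL sections, 'DNS resolved should be configured' (resolver) in both DNS sections, 'using firewall' (using a firewall), 'There is a malware' (There is malware) and 'the system user it run as' (ran as). In the malware section, because the text itself names weak SSH passwords as an entry vector, the cleanup list for an unprivileged compromise should also tell the reader to inspect that user's crontab, '~/.ssh/authorized_keys' and shell startup files for persistence, and the sentence 'the malware had access wherever the system user it run as had access' would be more actionable as an instruction to rotate every secret readable by that user, such as database passwords in application configuration files.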
Line 30: | Line 137: | ||
For these rules to be persistent, consult your distribution' | For these rules to be persistent, consult your distribution' | ||
- | ===== open-memcached | + | ===== Open-Redis ===== |
- | memcached | + | There is a redis server |
- | server | + | It is recommended to configure redis to listen only on localhost, |
- | request. If you're using memcached only locally, it is best to have it listen only | + | |
- | on localhost. In case you're using memcached from multiple VPS, secure | + | |
- | the firewall | + | |
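Review bot: in the visible lines the new Open-Redis text stops at 'listen only on localhost,' without the configuration snippet that the MySQL and PostgreSQL sections give; if the full revision does not carry one, add the redis.conf lines 'bind 127.0.0.1' and 'protected-mode yes' in the same code-block style, and give the memcached paragraph moved above (now under open-memcached, before open-portmapper) the matching '-l 127.0.0.1' listen option, so both amplification-service sections state the concrete setting rather than only 'listen only on localhost'.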