OJBs Web Site: Blog Page

Note: You are currently viewing my old web site. There is a new version with most of this content at OJB.NZ.
The new site is being updated, uses modern techniques, has higher quality media, and has a mobile-friendly version.
This old site will stay on-line for a while, but maybe not indefinitely. Please update your bookmarks. Thanks.

Add a Comment (Go Up to OJB's Blog Page)

Not a Good Week

Entry 300, on 2006-03-17 at 17:10:59 (Rating 1, Computers)

This has not been one of my better weeks at work. Things have gone from bad to worse in relation to the security problems on my servers. It now turns out that two of my machines have been compromised. But at least there hasn't been a repeat of the DoS attack of the beginning of the week.

After doing some research on the Internet and on the affected computer, it turns out that the machine was initially compromised by a brute force attack on SSH. In other words, the group attacking the computer just hit it with passwords until they got the right one. They had a program to send the passwords of course, not just a bunch of continuously typing hackers!

It seems that there was no specific weakness in Mac OS X Server. Any service relying on passwords for authentication is potentially open to this sort of attack, I just didn't use secure enough passwords. Most likely it was not my administration accounts which were used, but accounts of users on the servers. Unfortunately the system allocates new users SSH access automatically when they are added. I know I should have disabled that for all users who didn't need it. Many things are obvious with hindsight!

Well, at least I think I understand the mechanism of the attack. A brute force attack looks for passwords on servers running SSH - it would also work for standard Mac OS X with SSH (Remote Login) on with international access through the firewall, or any other OS with a remote login system. Then an IRC server is installed using the compromised account. While IRC is used the machine would continue to work normally. Finally, sometimes a disagreement on an IRC channel running on the server results in the launch of a DoS attack to disable the machine.

I now use passwords so obscure even I don't know what they are! I'll have a few hours rebuilding the servers next week. Overall, the whole thing is just a really annoying waste of time, but a lesson about taking security seriously - even on a Mac!

There are no comments for this entry.

You can leave comments about this entry using this form.

To add a comment: enter a name and email (both optional), type the number shown above, enter a comment, then click Add.
Note that you can leave the name blank if you want to remain anonymous.
Enter your email address to receive notifications of replies and updates to this entry.
The comment should appear immediately because the authorisation system is currently inactive.