TurnKey Linux Virtual Appliance Library

Amazon said my TK linux (joomla 1.5) is compromised by an external attacker

Got this email from Amzon on Friday night...

Please immediately restrict the flow of traffic from your instances(s) to cease disruption to other networks and reply this email to send your reply of action to the original abuse reporter. This will activate a flag in our ticketing system, letting us know that you have acknowledged receipt of this email.

It's possible that your environment has been compromised by an external attacker. It remains your responsibility to ensure that your instances and all applications are secured.

I've checked my server and it looks normal except very high network IO during the period that Amazon said I was doing DDOS attack.  does anyone have similar experience?  beside setting a long password, any other way to harden your TK linux in Amazon?  is it a known vulnerability?

this is the log I got from Amazon:

2011-12-09 22:06:11.077031 IP (tos 0x0, ttl 64, id 19848, offset 0, flags [DF], proto UDP (17), length 78) 10.xxx.xxx.xxx.36157 > 184.xxx.xxx.163.53: 29556 updateM [b2&3=0x6400] [0q] (50)

2011-12-09 22:06:11.077044 IP (tos 0x0, ttl 64, id 19849, offset 0, flags [DF], proto UDP (17), length 78) 10.xxx.xxx.xxx.36157 > 184.xxx.xxx.163.53: 29556 updateM [b2&3=0x6400] [0q] (50)

 

Same here.

Hi There,

We were also notified by Amazon of similar abuse:

Wonder if the appliance itself is compromised in some way and we need fixes.

How can one contact Turnkey to check it out? Or, does anyone have a suggestion for

the same?

 

2011-12-27 21:06:17.711848 IP (tos 0x0, ttl 64, id 54472, offset 0, flags [DF], proto: UDP (17), length: 43) 10.xxx.xxx.xx.57211 > 89.xx.xx.xx.53: 12337 op6% [b2&3=0x3233] [13879a] [13365q] [14393n] [16706au][|domain]
2011-12-27 21:06:17.711864 IP (tos 0x0, ttl 64, id 54473, offset 0, flags [DF], proto: UDP (17), length: 43) 10.xxx.xxx.xx.57211 > 89.xx.xx.xx.53: 12337 op6% [b2&3=0x3233] [13879a] [13365q] [14393n] [16706au][|domain]

Eric (tssgery)'s picture

IMHO...

IMHO... the turnkey appliances are not secure out of the box. They're great for getting started and for use within internal networks but I definately harden the appliances before exposing them to the wild.

Here are some handy hints if you want to expose an appliance on the internet

- Enable the firewall. I can't emphasize this enough. Build the rules you need, exposing only the critical ports and limiting access to specific addresses if possible. I have one appliance that is on a public IP and I have the firewall set to disallow any incoming connections except from my class C network. As an example, limit the webmin and Joomla administrative ports as much as possible. Also, make sure that iptables (the firewall) starts on a reboot.

- Disable ssh access for root. Setup a non-privileged account and use that with sudo for any administrative work you need.

- Install security patches regularly. Joomla is not the most secure package in the world and they do relelase updates. You MUST apply any/all security updates yourself as Turnkey does not automate of the Joomla patches/updates. The same holds true for operating system patches/updates.

 

I strongly suggest that Turnkey releases a "System Hardening" document, but until then you should look through google results for how to harden an Ubuntu 10.04 system as well as a Joomla system.


Jeremy's picture

A couple of things...

I wouldn't arue with your overall sentiments but a couple of responses to your points.

- Enable the firewall.

Good suggestion, although this is not such an issue with EC2 appliances. AWS has a firewall built-in. So there is no need to enable IPtables in any appliances launched from the Hub.

- Disable ssh access for root.

Whilst it definately applies to Linux desktop systems, IMO it's not so relevant in a server setup. All applications that are running should be running in non-priveleged accounts already so the root account is only used for admin. And a hacked sudo user account is no less dangerous to your server than a hacked root account. More often that not you will be wanting to do lots of stuff that requires root (or sudo) when logged in anyway, so while it doesn't really give you any more security, it does mean extra typing.

 - Install security patches regularly.

Whilst TKL auto installs Ubuntu security updates, you are right that the apps installed from upstream aren't and must be manually updated (if the app itself doesn't have some update mechanism). It's also worth keeping in mind that apps installed from the universe repo don't automatically get any updates (even if if they relate to security).

I strongly suggest that Turnkey releases a "System Hardening" document...

Yeah that'd be cool. Perhaps someone could start one on the community docs wiki?

Eric (tssgery)'s picture

I would enable the firewall,

I would enable the firewall, even on AWS. And, I would go so far as to suggest it should be on by default. That would make users explicitly turn it off if they don't want it. Maybe I am paranoid as I have had a system compromised but err on the side if safety. Imho, root access for ssh should always be disabled. Using sudo forces log messages to be written that can easily be monitored for intrusion detection. As you mention, not all security patches are deployed automatically. You must be diligent in monitoring for them and applying them if they impact your threat model.


Liraz Siri's picture

Not an attacker, just a bug + paranoid Amazon monitor...

For what it's worth, your Joomla probably wasn't compromised by an external attacker. There was a bug (which we've since fixed) which left a stray e-mail to a non-existent address in the outgoing mail queue. The postfix server on your appliance tried sending that e-mail over and over again and Amazon's network monitoring system triggers on a hairpin with anything to do with e-mail.

Post new comment

The content of this field is kept private and will not be shown publicly. If you have a Gravatar account, used to display your avatar.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <p> <span> <div> <h1> <h2> <h3> <h4> <h5> <h6> <img> <map> <area> <hr> <br> <br /> <ul> <ol> <li> <dl> <dt> <dd> <table> <tr> <td> <em> <b> <u> <i> <strong> <font> <del> <ins> <sub> <sup> <quote> <blockquote> <pre> <address> <code> <cite> <strike> <caption>

More information about formatting options

Leave this field empty. It's part of a security mechanism.
(Dear spammers: moderators are notified of all new posts. Spam is deleted immediately)