Eric's picture

I am wondering what steps are needed to immediately secure a new appliance.?

I recently setup a test appliance via the Turnkey Hub and AWS and played around with it for a few hours. Pretty damn cool how easy it was to get something up and running! I got back into the server via PuTTY after the weekend and just happened to scroll back through my commands and noticed a bunch of commands that I had not entered in my testing.

The gist of them was to download a file called "courier-authlibauttvd" from a nefarious looking website at this address http://  121 dot 12 dot 168 dot 62:6789/  and run it. I immediately destroyed the server instance.

I did use an admin password when setting up the appliance (although a very basic one) and thought I had setup SSH authentication.  I was also assuming that the appliances had already been configured to implement best security practices.  

What did I miss?

Jeremy Davis's picture

Then they must have logged in via SSH. To do that that either your private SSH key has been compromised (assuming you used key authentication) or they cracked your root password (probably brute forced it...?!).

TBH I would have thought that it would have been highly unlikely that this sort of attack would occur out of the blue within such a small window of time...

Actually I just did a quick google and according to this guy this particular malware (i.e. courier-authlibauttvd is installed following a brute force SSH attack. That would suggest that your root password wasn't so great... Would that be right?

As you're possibly aware, security is always a compromise against user-friendliness/convenience. The best way to avoid brute force SSH attacks like this is to disable password login (make sure that you have your keys set up properly first!).

Edit /etc/ssh/sshd_config and ensure that the following are uncommented (i.e. don't have a '#' at the start of the line):

PasswordAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes

Then restart SHH

service ssh restart

PS I edited your post to remove the direct malware link

Liraz Siri's picture

Jeremy probably has it right and this is a case of a weak password that was guessed. I've never had a problem with this on any of our machines and so far this seems to be an isolated incident so the password was probably at fault. FWIW, I have it on authority that bruteforce attacks against SSH on IP ranges are all the range on AWS. It's best not to allow password logins at all.
Eric's picture

It was a very insecure password, since I was just experimenting/testing.  Kinda scary though how fast the system was found and compromised!  Good to know that AWS is a target and requires extra precaution. 

Thanks for the heads up!

Liraz Siri's picture

Back when I was mapping the Internet for vulnerable machines it wasn't as trivial as it is today. These days you can scan the entire Internet in 45 minutes from a single well connected machine:

Something to keep in mind. On the Internet, there are no good neighborhoods and bad neighborhoods. The distance between any two IPs is effectively 0. Servers have a direct interface with the seediest people in the network.

Davel's picture

I just setup some appliances locally at some clients, after check this conversations ,I will make shure the passwords are more complex, this 45min scan is so scary..

Davel Sanchez

Add new comment