Ben Stevens

How can I prevent my TurnKey instance being hacked? What measures should I take?

I have received an email from AWS telling me that my instance has been used for DoS attacks, and currently my bill with AWS is 400% over normal - and we're only 1/2 way through the month.

As an emergency measure I have cancelled my AWS account - to prevent more costs - but it has now been re-instated.

It looks like my TurnKey instance has stopped too, I assume because I closed my AWS account. Am I right in thinking that if I get another access key from AWS I can re-instate the TurnKey instance on the Amazon Cloud?

I host RedMine and one other database on my TurnKey virtual machine.
  • In order for my users to access Redmine, I need (I believe) to have HTTP and HTTPS ports open to any IP address.
  • In order that I can access my MySQL databases from anywhere I need port 3306 open to any IP address.
  • And I also ping my instance, so I believe I need to allow access from any IP address using the ICMP protocol.

Many thanks in advance.


Jeremy Davis

So having a good password is a must. Or disabling password login altogether (and use keys instead) is best...

Have a look at this post as essentially my answer would be the same.

The difference here though is that you took immediate action. IMO that makes the chances of Amazon giving you a refund pretty good.

As for other security measures; if you don't use Webmin or Webshell then disable them (ports 12320 & 12321). If you do use them then you could limit access to an IP (if you have a static IP where you connect from; or an IP range if you don't). Again with MySQL, depending on who/what needs access; you may be able to limit that to a particular IP (or IP range) too. However I doubt very much that these would have been the attack vector; my guess is a guessable password...

Ben Stevens

Thanks for your comment above.

You were right in saying that Amazon would refund my charges because I took prompt action... albeit desperate action.

I have now restarted my Amazon account, and linked my TurnKey account to it using IAM roles / policies.

So far so good.

I now have 2 issues that I don't know how to overcome.

The first is the most pressing: Security going forward. You have suggested using a pass phrase (at least) or SSH keys (better). I have tried changing my password under:

https://hub.turnkeylinux.org/profile/ -> profile -> Account Details -> change Password

I am consistently getting the error message that "Passwords do not match or are not specified"

What do I need to do to set a passphrase?

Having reviewed some of the posts in this forum, SSH keys appear to be beyond me - I have absolutely no idea how to do this.


The Second:

How do I restart the Redmine instance that I was using in TurnKey with my new Amazon Service?

I've tried rebooting

Jeremy Davis

Your first issue:

The server itself needs a good password (or passphrase); I wasn't referring to your Hub account (although that needs a good password too). Assuming that my guess is correct, the brute force attack would have been directly against your server (not your Hub account or AWS account). Amazon own specific IP address ranges and the bad guys just do port scans on those IPs looking for servers which have things like SSH running. They then try to brute force login; and if they can, they install nasties and your server becomes part of their botnet...

So like I said the best way to go is to use SSH keys to login and disable passwords. I just finished writing up a doc to do exactly that (assuming you are using Windows), check it out here. Be careful disabling SSH password log in though as if you lose your SSH private key you will be stuffed. If you are a bit scared off by that; leave it enabled and just set your root password as something really long and complex. Using SSH key login will still be much more convenient than remembering (and typing) a really long complex password.

Your second issue:

I'm not quite sure what you mean? Are you trying to restart your old server from a new Amazon account? If so, I'm almost certain that that will not be possible. From your first post I was under the impression that you had your old Amazon account re-instated?

If you did have your old account reinstated, then your old server should still be there in the Hub. And you should be able to restart it. However, it will still be infected so you will need to lock it down (so it doesn't start DoSing again), then disinfect it.

If you are not sure how to start with that then you have 3 choices (that I can think of):

  1. Do lots of reading, research, testing and learn all about it and do it yourself.
  2. Find someone else who can do it for you. In theory that's quite easy, in practice often not. Ideally at some point in the future we'd like to be able to offer "one off" paid support to assist with things like that but unfortunately we just don't have the resources...
  3. Start again with a new server. If you have a pre-infection backup you could restore that so at least all is not lost.
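Jeremy's two answers both come down to the same server-side change: leave key login on and switch password login off in sshd. The script below is an added example, not code from this thread, from TurnKey or from the doc Jeremy links; it audits an sshd_config against those settings and writes a hardened copy, so you can try it on a copy of the file before touching /etc/ssh/sshd_config. The sample config and the temp file paths are constructed for the example; the keyword names and their defaults are OpenSSH's.

```shell
#!/bin/sh
# Added example (not from the forum thread or TurnKey): audit an sshd_config
# for key-only login and produce a hardened copy.

# Effective value of a keyword. sshd honours the FIRST uncommented match,
# so print that; fall back to the caller-supplied OpenSSH default if absent.
sshd_value() {
    f=$1; k=$2; d=$3
    v=$(awk -v k="$k" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$f")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$d"; fi
}

# Return 0 when the file is hardened, 1 otherwise; prints each finding.
# ChallengeResponseAuthentication must also be "no": with UsePAM yes,
# keyboard-interactive can still accept a password when only
# PasswordAuthentication is switched off.
audit_sshd() {
    file=$1; rc=0
    for pair in "PasswordAuthentication:no:yes" \
                "ChallengeResponseAuthentication:no:yes" \
                "PubkeyAuthentication:yes:yes"; do
        key=${pair%%:*}; rest=${pair#*:}; want=${rest%%:*}; def=${rest#*:}
        got=$(sshd_value "$file" "$key" "$def")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key is '$got', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# Write a hardened copy of $1 to $2. The three directives go at the top
# (first match wins) and any existing lines for them are commented out so
# nothing further down the file silently overrides them.
harden_sshd() {
    src=$1; dst=$2
    {
        echo "# key-only login (added by harden_sshd)"
        echo "PubkeyAuthentication yes"
        echo "PasswordAuthentication no"
        echo "ChallengeResponseAuthentication no"
        awk '
            /^[[:space:]]*#/ { print; next }
            tolower($1) ~ /^(passwordauthentication|challengeresponseauthentication|pubkeyauthentication)$/ { print "#" $0; next }
            { print }
        ' "$src"
    } > "$dst"
}

# Constructed sample resembling a stock Debian sshd_config excerpt.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# sample sshd_config (constructed for this example)
Port 22
PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF
HARD_CFG=$(mktemp)
harden_sshd "$WEAK_CFG" "$HARD_CFG"

# The stock file fails the audit; the hardened copy passes it.
demo() {
    echo "--- before"; audit_sshd "$WEAK_CFG" || echo "not hardened"
    echo "--- after";  audit_sshd "$HARD_CFG" && echo "hardened"
}
demo
```

Before replacing the live file, check the hardened copy with `sshd -t -f <copy>` and, as Jeremy warns, confirm that a key login works in a second session before restarting sshd; a typo in the key setup with passwords already off locks you out of the instance.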
