
I'm about to install a new Ubuntu server after having this virus https://askubuntu.com/questions/1115770/crond64-tsm-virus-in-ubuntu .

When installing the new VPS I'm going to install clamav and follow these protection tips: https://www.eurovps.com/blog/20-ways-to-secure-linux-vps/

Is it enough or are there any other tips in general or specifically to this virus that I should apply to the new VPS?

Thanks

Amos

1 Answer

2

Should you actually be compromised, the most important thing to do is a comprehensive root cause analysis. See the canonical question on this topic: How do I deal with a compromised server? Look at what processes and technical controls failed, for every system. This will be time consuming, but worthwhile so as not to make those mistakes again.

Once you have lessons learned, yes rebuilding from a clean known good operating system is a reasonable thing to do.


  • Update your software regularly. Operating system and application.
  • Only install software from sources you trust. Beware that your software supply chain can be vulnerable to developers' weak opsec.
  • Only grant users that you trust shells.
  • Use ssh keys and disable passwords entirely.
  • Pay attention to last login times that were not you or your team, or are outside your typical IP space.
  • Monitor resource utilization, 100% CPU is bad.

And so on. There is more to security, but this hygiene stuff is a large part of it.

Some of EuroVPS's advice is flawed.

  • IPv6 should be enabled.

    • Better to put proper controls in place than ignore v6, because it isn't going away.
    • It is infeasible for attackers to scan the entire address space as they do with v4. They'll have to find your DNS like everyone else.
    • 30% of Google's global traffic is IPv6
    • IPv6 is faster than v4 in many networks
  • Password complexity of alphanumeric special is obsolete. NIST 800-63B says allow very long passwords, disallow dictionary words and previous breach corpuses, but do not impose alphanumeric special requirements. The latter is easy for computers to crack, but difficult for humans to remember.

  • I don't see the point of changing the ssh port. You can, to avoid some of the brute force scanning noise. But it doesn't really matter if you secure your ssh keys, don't use passwords, and ban misbehaving IPs at the firewall.

John Mahowald
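The hygiene items in the answer that can be checked mechanically are "use ssh keys and disable passwords entirely" and "pay attention to last login times ... outside your typical IP space". The script below is an added example, not code from the answer or from either linked article. It audits the relevant sshd_config directives (using the defaults documented in sshd_config(5) for OpenSSH 7.x/8.x when a directive is absent) and flags `last -i` records from addresses outside an allow-list. The config files, the `last -i` output, the 203.0.113.0/24 "team range" and the `backup` account are all constructed sample data so that it runs offline.

```shell
#!/bin/sh
# Added example for the answer above; not code from the original post.
# Checks the sshd settings the answer recommends (keys only, no passwords)
# and flags logins that came from outside an allow-list, using constructed
# sample files so it runs offline. Directive defaults are those documented
# in sshd_config(5) for OpenSSH 7.x/8.x.

# Effective value of one sshd_config directive (lower-cased), or nothing if
# it is absent. OpenSSH uses the FIRST uncommented value it reads, so a
# hardening line appended after an earlier "PasswordAuthentication yes" has
# no effect. Directives inside a Match block are conditional, so the scan
# stops at the first Match line.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key   { print tolower($2); exit }
    ' "$1"
}

# Directive, required value, and the default that applies when it is absent.
# Prints one "Directive=actual (want X)" line per failing directive.
check_sshd_config() {
    cfg="$1"
    printf '%s\n' \
        'PasswordAuthentication no yes' \
        'PubkeyAuthentication yes yes' \
        'PermitRootLogin prohibit-password prohibit-password' \
        'ChallengeResponseAuthentication no yes' \
        'PermitEmptyPasswords no no' |
    while read -r directive want default; do
        actual=$(sshd_effective "$cfg" "$directive")
        [ -n "$actual" ] || actual="$default"
        [ "$actual" = "$want" ] || printf '%s=%s (want %s)\n' "$directive" "$actual" "$want"
    done
}

# Reads `last -i` output ($1) and prints "user address" for every login whose
# source does not start with one of the space-separated prefixes in $2
# (e.g. "203.0.113. 2001:db8:"). Reboot records and the wtmp trailer are skipped.
flag_foreign_logins() {
    while read -r user tty host rest; do
        case "$user" in ''|reboot|wtmp) continue ;; esac
        ok=0
        for prefix in $2; do
            case "$host" in "$prefix"*) ok=1 ;; esac
        done
        [ "$ok" -eq 1 ] || printf '%s %s\n' "$user" "$host"
    done < "$1"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed sample: the hardening line at the end never takes effect.
cat > "$workdir/sshd_config.bad" <<'EOF'
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
EOF

# Constructed sample: hardened globally; the Match block only loosens one account.
cat > "$workdir/sshd_config.good" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
Match User backup
    PasswordAuthentication yes
EOF

# Constructed `last -i` output; 203.0.113.0/24 is the team's range, the rest is not.
cat > "$workdir/last.txt" <<'EOF'
amos     pts/0        203.0.113.7      Sun Feb  2 12:40   still logged in
amos     pts/1        198.51.100.23    Sat Feb  1 03:12 - 03:15  (00:03)
root     pts/0        192.0.2.44       Fri Jan 31 22:01 - 22:09  (00:08)
reboot   system boot  5.4.0-26-generic Fri Jan 31 21:55   still running

wtmp begins Fri Jan 31 21:55:02 2020
EOF

echo "== $workdir/sshd_config.bad =="
check_sshd_config "$workdir/sshd_config.bad"
echo "== $workdir/sshd_config.good (no output means all checks pass) =="
check_sshd_config "$workdir/sshd_config.good"
echo "== logins outside 203.0.113.0/24 =="
flag_foreign_logins "$workdir/last.txt" "203.0.113."
```

On a real host, point `check_sshd_config` at /etc/ssh/sshd_config and feed `flag_foreign_logins` the output of `last -i` (the `-i` flag prints addresses instead of hostnames, so the prefix match is not fooled by reverse DNS). The authoritative view of what sshd will actually enforce, including Match blocks and files pulled in by Include, is `sshd -T`, so treat the script as a quick audit and confirm with that before relying on it. The "bad" sample is there because appending `PasswordAuthentication no` to the end of a file that already says `yes` is a common mistake that leaves password logins enabled.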
  • Thank you very much for the detailed response. I will read the link you posted. 1. Is it known how this virus hacks, or did it simply manage to find the root pass and from there everything was easy? 2. Is there a good (short :)) article about ssh keys instead of passwords? 3. Is there a better/newer article about protecting a VPS? Or are there other points you find obsolete in the article I posted? 4. clamav did remove that virus (from a CPU point of view) but strange logins kept happening (seemingly did nothing) so I decided to start from scratch. – Amos Feb 02 '20 at 12:43
  • I read here https://linuxize.com/post/how-to-set-up-ssh-keys-on-ubuntu-1804/ My computer has windows 10, what does it mean "ubuntu client" in this matter? Can I just create the keys on the ubuntu server itself (using windows ssh) without the need to copy the key afterwards? – Amos Feb 02 '20 at 13:02
  • Please ignore my second comment above, I couldn't edit it. I read here https://linuxize.com/post/how-to-set-up-ssh-keys-on-ubuntu-1804/ 1. Can I just create the keys on the Ubuntu server itself? Do I understand correctly that it will only allow me to connect from my computer? What if I replace it? What about sftp, there's a password there.... thanks. – Amos Feb 02 '20 at 13:09
  • Edit your question to add details about your malware (not someone else's), the indicators of compromise, and how it is similar or different to what you linked. Regarding ssh keys, many articles have been written, choose one and open a different question if you have trouble. – John Mahowald Feb 02 '20 at 14:42