
Recently, I got an e-mail from the Microsoft Azure Safeguards Team saying that there was a complaint of malicious activity originating from my deployment (VM).

The description is: "SSH Brute Force".

Now, I wasn't even remotely sure what this means. That someone used my VM for some malicious activity and brute-forced into it, or used it to brute-force somewhere else?

I'm pretty sure no one had access to my Ubuntu Azure VM since last password change.

It was said that all this may result in suspension of my deployment, and I can't afford that because this machine is used to deploy a business application.

So my question is: what methods of protection should I look into in order to prevent incidents like the one described above? What else should I use besides a firewall on a Linux VM in the cloud (Azure)? For now, port 22 is closed until I resolve this issue.

Thanks.

lidagon
  • 1) See this canonical "my server was hacked, what do I do" question - http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server and 2) hire someone who does know what they're doing - "teach me to secure my production servers" is wayyy too broad for a question, (and off-topic as a request for learning material, really). 3) "*Now, I wasn't even remotely sure what this means.*" - see: `originating from` your server. Used your server to brute force attack somewhere else. 4) "*used to deploy a business application*" - an insecure one, by any chance? – TessellatingHeckler Aug 31 '16 at 03:08

1 Answer


Now, I wasn't even remotely sure what this means. That someone used my VM for some malicious activity and brute-forced into it, or used it to brute-force somewhere else?

Yes, your host instance is the source of malicious attacks. Welcome to the Internet! You got rooted and are now a spam cannon.

I'm pretty sure no one had access to my Ubuntu Azure VM since last password change.

Bless your heart.

It was said that all this may result in suspension of my deployment, and I can't afford that because this machine is used to deploy a business application.

So my question is: what methods of protection should I look into in order to prevent incidents like the one described above? What else should I use besides a firewall on a Linux VM in the cloud (Azure)? For now, port 22 is closed until I resolve this issue.

First, that host is now about as trustworthy as an ice bridge in the Sahara. You have no reasonable choice except wiping it and restoring from a known good backup.

You got pwned, dawg!

Second, you must evaluate all software packages on the host and all listening services. All listening services must be evaluated based on the versions running and the known exploits for those versions, and their permissions must be audited. Assume that any service that's listening for communication can in turn be exploited and lead to an escalation of privileges.

Wesley
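As an added example, not code from the original question, the answer, or Azure: a shell script with two text-based checks that follow the answer's advice (enumerate listening services, identify the package and version behind each) and the question's request for SSH protection beyond a firewall (flag sshd settings that make password guessing against the host worthwhile). The `ss -tlnp` output and the two sshd_config fragments are constructed samples, not taken from any real machine; `package_of` assumes a Debian/Ubuntu host with dpkg and prints "unknown" elsewhere.

```shell
#!/usr/bin/env bash
# Added example (not part of the original question or answer). Two text-based
# checks for a Linux host reported as the *source* of SSH brute forcing:
#   1. audit_listeners   - map listening TCP ports to program and PID;
#      package_of        - map a binary to its dpkg package and version so it
#                          can be checked against the distro's advisories.
#   2. check_sshd_config - flag sshd settings that make password guessing
#                          against this host worthwhile.
# All samples below are constructed, not taken from any real machine.

# Constructed `ss -tlnp` output; real output needs root to show other users' PIDs.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      128             [::]:22            [::]:*    users:(("sshd",pid=812,fd=4))
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*    users:(("nginx",pid=1201,fd=6),("nginx",pid=1200,fd=6))
LISTEN 0      70         127.0.0.1:3306       0.0.0.0:*    users:(("mysqld",pid=950,fd=21))
LISTEN 0      128          0.0.0.0:4444       0.0.0.0:*    users:(("python3",pid=2310,fd=5))'

# Constructed sshd_config fragments: one weak, one hardened.
SSHD_WEAK='Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
MaxAuthTries 6'

SSHD_HARDENED='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers deploy'

# Read `ss -tlnp` output on stdin; print "port program pid", one line per
# distinct listener (IPv4/IPv6 duplicates collapse). Any listener you cannot
# name is the first thing to investigate on a compromised host.
audit_listeners() {
  grep '^LISTEN' | while read -r state rq sq laddr peer proc; do
    port=${laddr##*:}
    who=$(printf '%s\n' "$proc" | sed -n 's/.*users:(("\([^"]*\)",pid=\([0-9]*\).*/\1 \2/p')
    printf '%s %s\n' "$port" "${who:-? ?}"
  done | sort -n | uniq
}

# dpkg package and version owning a binary (Debian/Ubuntu); "unknown" elsewhere.
# Compare the version with the distro's security advisories for that package.
package_of() {
  command -v dpkg >/dev/null 2>&1 || { echo unknown; return 0; }
  pkg=$(dpkg -S "$1" 2>/dev/null | head -n1 | cut -d: -f1)
  [ -n "$pkg" ] || { echo unknown; return 0; }
  printf '%s %s\n' "$pkg" "$(dpkg-query -W -f='${Version}' "$pkg")"
}

# Read an sshd_config on stdin; print one line per weak setting. sshd honours
# the first occurrence of a keyword, so `head -n1` gives the effective value.
# Match/Include blocks are not evaluated; on a live host, `sshd -T` prints the
# fully resolved configuration and can be piped in here instead.
check_sshd_config() {
  conf=$(cat)
  effective() {   # $1 = keyword, $2 = OpenSSH default when the keyword is absent
    v=$(printf '%s\n' "$conf" | grep -i "^[[:space:]]*$1[[:space:]]" | head -n1 | awk '{print tolower($2)}')
    printf '%s' "${v:-$2}"
  }
  [ "$(effective PasswordAuthentication yes)" = yes ] &&
    echo "PasswordAuthentication yes: online guessing works; set no and use keys"
  [ "$(effective PermitRootLogin prohibit-password)" = yes ] &&
    echo "PermitRootLogin yes: root is a known username; set prohibit-password or no"
  [ "$(effective PermitEmptyPasswords no)" = yes ] &&
    echo "PermitEmptyPasswords yes: empty-password accounts are open"
  [ "$(effective MaxAuthTries 6)" -gt 3 ] &&
    echo "MaxAuthTries $(effective MaxAuthTries 6): extra guesses per connection; set 3"
  return 0
}

echo "== listeners (constructed sample) =="
printf '%s\n' "$SS_SAMPLE" | audit_listeners
echo "== sshd_config findings, weak sample =="
printf '%s\n' "$SSHD_WEAK" | check_sshd_config
echo "== sshd_config findings, hardened sample (expect none) =="
printf '%s\n' "$SSHD_HARDENED" | check_sshd_config
```

On a real host the same functions take live input: `sudo ss -tlnp | audit_listeners`, then `package_of /usr/sbin/sshd` (or whatever binary the PID maps to) for the version, and `sudo sshd -T | check_sshd_config` for the effective SSH settings. None of this replaces the answer's first step: the host that sent the brute-force traffic is rebuilt from a known-good image, and these checks are applied to the replacement before port 22 is opened again.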