Normally, the breach is due to BAD PASSWORDS!
The easiest way to get onto the database or the server is to guess the
password. Poor, easily guessed passwords provide the hacker with
the entry point.
Here I want to focus on a security hole in the Linux OS, ssh or the
secure shell. Again the problem is not that ssh is insecure,
but that by default it relies on passwords.
The problem with passwords is; if they are easy, they are easy to break,
if they are too difficult, the user will write them down somewhere.
You have to find a happy medium, a mix of upper and lower case, numbers
and letters that do not spell actual words.
Note to DBA: oracle/oracle is a bad username/password!
Since ssh is a standard shell for UNIX and Linux, most attacks against
it have been automated. An attacker finds your computer, checks
port 22 and finds ssh. He then tries a set of common passwords and
given enough time will eventually break an easy password.
How common is this type of attack? My home server acts as my mail
gateway and runs Linux. During a three week period about a month
ago, my server averaged over 500 attempts to log in as root per day!
Recently a client had a performance issue on a file server and found a
root user upgrading operating system packages. It tuned out that
not only had a hacker gotten root privileges on the box, but was
actually upgrading the OS to support his new zombie tools.
So what do you do?
1. Don't open port 22 to the internet unless you need that
capability. I only open that port when someone is logging onto the
server from outside the firewall. Otherwise that port stays
protected behind the firewall.
2. Do not allow anyone to log onto the server as root.
an easy fix.
Edit the file /etc/ssh/sshd_config and set "PermitRootLogin no".
Restart the service with
# service ssh restart
This will force users who need root access to log on as an unprivileged
account and su to root.
3. Stop using passwords and go to Public Key
Authentication. This is a little more complicated. Using
your ssh client (ssh, SecureCrt, putty. etc) generate a public and
private key. Place the public key on the server for each user.
In the /etc/ssh/sshd_config file set:
This will allow the use of keys and disallow the use of password.
Now the hacker can guess passwords forever. You aren't using them.
Note: not all keys are the same and some require conversion to work with
Linux's OpenSSH. SecureCrt keys must be converted. See the
documentation for your ssh client to determine it your keys need to be
Make sure your keys contain a passphrase to keep someone from sitting
down at your computer and using you private key.
4. Lastly, keep your system up to date.
When a hole is
found in ssh, the community (or distributor) will release an update to
close the hole. You do not have to update the entire OS, but you
should keep any program that touches the Internet updated.
Bottom line: Protect your data! Don't allow access to the
Internet unless necessary. Use difficult to guess passwords or
public key authentication.
Remember, if I can log onto your server as root, I can su to oracle and
log onto your database