Comments
I have no idea what you're saying. None of my other VPS's have ever been compromised with the base Debian template after performing aptitude updates and installing SSH Guard. In any case given I have VPS's that are in some cases 5+ years old and they're not compromised and fine... I have enough faith in Debian if it's unaltered w/o extra services. I have nginx on a few and some other daemons without issues, granted I installed those myself. In any case, this is kind of derailing the thread so people should make a new thread about default templates if they want to continue. /end
This topic is so off topic now it reminds me of Damien.
You had to be there.
not sure but I believe that this thread at one point was explicitly claimed as Soverign Letizen Territorah ...
Maybe best to start a new thread about securing after installation from default debian template(s) ...
Yup - I checked history, I am sure that sudo is the only package I installed via apt or any other method. That's the exact same command that I used.
I now prefer to use
apt update && apt --with-new-pkgs upgrade
But not sure that would make a difference in this case.
My BF-SPECIAL-OVZ is on node NYOVZ12 with 640 MB ram / 30 GB ssd, ordered on November 25 2018
Here are the 217 packages currently installed as per dpkg:
I haven't gone over this list with a fine-tooth comb but xauth was the only thing that stood out as potentially interesting.
I'm of the opinion that Virmach generally has their act together but that's just based on my relatively limited experience with them over the last couple years (mostly on KVM with debian installed from ISO, just a couple OVZ installed from template).
Anyway, I'd be interested to learn more about what happened but in fairness to Virmach (and as a general principle) would suggest focusing on explanations beyond their default template. The welcome emails also contain login information for the VNC console, and I suspect people may not be as quick to update that password as they would (hopefully) know to do for their VPS. So be sure to consider that possibility as well.
EDIT2:
As they say, there's more than one way to skin a buffalo ...
The xauth program is used to edit and display the authorization information used in connecting to the X server. This program is usually used to extract authorization records from one machine and merge them in on another (as is the case when using remote logins or granting access to other users).
https://www.x.org/archive/current/doc/man/man1/xauth.1.xhtml
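Turning the package-audit approach from the post above into a repeatable check, as an added example that is not code from the thread: it diffs a dpkg package listing against an expected baseline plus the packages the operator knowingly installed, and reports whatever is left over (here, xauth). The package lists are constructed, and the baseline is an assumption standing in for whatever the operator considers normal on a fresh template.

```shell
#!/bin/sh
# Added example (not from the thread): flag packages on a template that are
# neither in an expected Debian baseline nor among the packages the operator
# knowingly installed (the poster's one manual install was sudo).
LC_ALL=C
export LC_ALL

# Constructed sample in the shape of `dpkg-query -W -f='${Package}\n'` output;
# a made-up subset, not the poster's real 217-package list.
TEMPLATE_PKGS='adduser
apt
base-files
bash
debconf
dpkg
openssh-server
sudo
xauth'

# Constructed baseline: what a minimal Debian install is assumed to carry.
BASELINE='adduser
apt
base-files
bash
debconf
dpkg
openssh-server'

# unexpected_pkgs INSTALLED BASELINE [KNOWN_ADDITIONS]
# Each argument is a newline-separated package list. Prints, sorted and one per
# line, the installed packages that appear in neither of the other two lists.
unexpected_pkgs() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$1" | sed '/^$/d' | sort -u > "$dir/installed"
    printf '%s\n%s\n' "$2" "$3" | sed '/^$/d' | sort -u > "$dir/expected"
    comm -23 "$dir/installed" "$dir/expected"   # lines only in installed
    rm -rf "$dir"
}

# On a live box, feed the real listing: dpkg-query -W -f='${Package}\n'
unexpected_pkgs "$TEMPLATE_PKGS" "$BASELINE" "sudo"
```

Anything printed is a package to account for before blaming the template; the VNC console password the post mentions is a separate thing to check and is not covered by a package diff.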
Indeed - I suspect having xauth in the mix would have something to do with forwarding the X11 protocol via ssh, which is a common practice.
Anyway, I see @Xei has started a new thread for discussion: https://www.lowendtalk.com/discussion/156020/admins-how-do-you-analyze-a-compromised-vps-or-node
EDIT2: