Monday, 8 December 2008
Hacked by Chinese, Or: Curse You 60.190.133.228!

If any of you tried to get on James' website, or any of the other password protected ones, between Thursday and Saturday last week, you may have found it impossible to log in. I was aware of the problem myself, but little did I expect to uncover what turned out to be its cause: Chinese hackers had partially infiltrated my system! Luckily, 'partially' is the key word here: root access was never compromised, which allowed me to quickly remedy the situation and block the IP addresses in question from ever accessing the machine again. I also changed all the passwords on the machine to adhere to the highest security level, to ensure that no such easy cracking can happen again.
The account that was cracked had a very poor password, because I had not intended for it to be exposed to the outside internet. However, although the port the account was used for was blocked by the firewall, I had not realised that an ssh login—on an open port—would still be possible! I never used that account for remote login, so it didn't occur to me that someone else might! Judging by the failed logins in auth.log, plenty of people overlook this with the accounts created by a lot of other software packages too. Thankfully, the account in question had very minimal permissions on the server, and an audit showed that nothing nefarious had been done with the cracked account before I was able to fix everything. Still, it was quite a wake-up call as far as internet security goes! (From my description you may think that I stupidly had logins enabled on a daemon account, but that's not exactly what was going on—I just don't want to get into too many details.) I've now implemented a much larger /etc/hosts.deny based on blacklists widely available on the internet (such as here), in addition to tightening my passwords, which was the most important thing.
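The auth.log review mentioned above, as an added example that is not part of the original post: it counts failed sshd password logins per source IP, lists the usernames each IP tried, and flags the pattern behind this break-in, a successful login from an address that had just failed repeatedly. The log lines are constructed for the example (the IP is the one named in the title; the account names are made up).

```python
import re
from collections import defaultdict

# Matches the two sshd auth.log lines that matter here: failed and accepted
# password logins ("invalid user" marks attempts against non-existent accounts).
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample lines in syslog format; account names are invented.
SAMPLE_LOG = """\
Dec  4 03:12:07 srv sshd[4311]: Failed password for invalid user oracle from 60.190.133.228 port 4523 ssh2
Dec  4 03:12:09 srv sshd[4313]: Failed password for invalid user test from 60.190.133.228 port 4531 ssh2
Dec  4 03:12:12 srv sshd[4315]: Failed password for backup from 60.190.133.228 port 4540 ssh2
Dec  4 03:12:14 srv sshd[4317]: Failed password for backup from 60.190.133.228 port 4548 ssh2
Dec  4 03:12:16 srv sshd[4319]: Accepted password for backup from 60.190.133.228 port 4555 ssh2
Dec  4 09:41:02 srv sshd[5102]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2
Dec  4 10:03:55 srv sshd[5230]: Failed password for admin from 192.0.2.10 port 50130 ssh2
"""

def summarize_auth_log(text, threshold=3):
    """Return failed-login counts per IP, usernames tried per IP, and any
    (ip, user) that logged in after at least `threshold` failures."""
    failures = defaultdict(int)   # ip -> number of failed password logins
    tried = defaultdict(set)      # ip -> usernames attempted
    compromised = []              # successes preceded by repeated failures
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue              # publickey logins, disconnects, etc.
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            tried[ip].add(user)
        elif failures.get(ip, 0) >= threshold:
            compromised.append((ip, user))
    return {
        "failures": dict(failures),
        "usernames": {ip: sorted(users) for ip, users in tried.items()},
        "compromised": compromised,
    }

if __name__ == "__main__":
    report = summarize_auth_log(SAMPLE_LOG)
    for ip, n in sorted(report["failures"].items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} failed, tried {report['usernames'][ip]}")
    for ip, user in report["compromised"]:
        print(f"ALERT: {ip} logged in as {user} after repeated failures")
```

Any IP that shows up in `compromised` is the one whose account password needs changing and whose session history deserves the audit described above, not just a hosts.deny entry.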
Above all, though, it was a reassurance to me: I now know that I am able to deal with a security breach calmly and thoroughly, and that my UNIX knowledge is of sufficient depth that I feel certain not only that all effects of the attack have been purged from my system, but also that any future attacks of the same nature will not succeed. To be able to say with confidence that the problem has been handled is no small feat, and I can only imagine how stressful it would be if I did not have the certainty of having all my bases covered. There is definitely something to be said for having an open, transparently-functioning operating system when you need to figure out what has and what hasn't been tampered with!
And now, for some reason, I have the oddest urge to go read The Cuckoo's Egg :-)