This is not a human attacker, but a robot. My question is: if I apply chattr +i to $(pkg-config --variable=systemdsystemconfdir systemd), will the OS continue to work fine, or is this nonsense?

Philip
On Sun, Jun 13, 2021 at 9:54 AM Silvio Knizek <[email protected]> wrote:
> On Sunday, 13.06.2021 at 09:32 -0400, Saint Michael wrote:
> > One of the most dramatic hacks to 50+ servers of mine is a bitcoin
> > miner, xmrig. It installs a service file at /etc/systemd/system,
> > enables it and kills the machine.
> > Nobody knows how it propagates. I think that SSHD has been broken in
> > a foreign land or they just brute-force any machine where
> > PasswordAuthentication=yes.
> > The point is, for this list, how can I prevent systemd from adding
> > ANY new service at all. I am thinking to add chattr +i to
> > /etc/systemd/system, but want to know if this makes any sense or if
> > there is a better way to do this.
> > Philip
>
> Hi Philip,
>
> if someone can add files into
> $(pkg-config --variable=systemdsystemconfdir systemd)
> then the attacker already has root rights, so any suggestion here would
> only be a nuisance for an attacker. Be happy that the payload wasn't
> written into the boot loader.
>
> A general approach would be a stateless system with man:systemd.preset
> and /etc as tmpfs, so after a reboot the system would be fresh again.
> Disabling root login via ssh is always a good idea, and only using
> polkit/sudo for elevating rights. This could be combined with some
> two-factor authentication via PAM, so a cracked/guessed password isn't
> the end.
>
> But in the end these are all generic approaches to system security,
> nothing systemd specific.
>
> HTH
> Silvio
>
> _______________________________________________
> systemd-devel mailing list
> [email protected]
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel
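The thread makes two practical points: an attacker who can write into the systemd config dir is already root, so chattr +i is at best a nuisance, and the real levers are knowing what units are present and not exposing root/password logins over ssh. The script below is an added example (not code from the thread, from Philip's servers, or from systemd) that turns both into checks: an allowlist audit of a unit directory that reports any .service/.timer/.socket file or enable-symlink it does not expect, and an sshd_config reader that follows sshd's first-occurrence-wins rule before flagging PermitRootLogin and PasswordAuthentication. Every input is a constructed sample built in a temp directory (the xmrig.service name is taken from Philip's report, the file contents are made up), so it runs unprivileged and offline; the allowlist format (one path per line, relative to the directory) is this example's own convention.

```shell
#!/bin/sh
# Added example, not code from the thread or from systemd. Inputs below are
# CONSTRUCTED samples in a temp dir so this runs unprivileged and offline;
# for real use point it at /etc/systemd/system and /etc/ssh/sshd_config.

# audit_units DIR ALLOWLIST
# Prints "unexpected unit: <path relative to DIR>" for every .service/.timer/
# .socket file or symlink under DIR (enable symlinks in *.wants/ included)
# that is not listed in ALLOWLIST (one relative path per line, no blank lines).
# Returns 1 if anything unexpected was found, else 0.
audit_units() {
    unexpected=$( (cd "$1" && find . \( -type f -o -type l \) \
            \( -name '*.service' -o -name '*.timer' -o -name '*.socket' \) \
            | sed 's|^\./||' | sort) | grep -vxF -f "$2" ) || true
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected" | sed 's|^|unexpected unit: |'
    return 1
}

# sshd_setting CONFIG KEYWORD
# Prints the effective global value of KEYWORD using sshd's own rules:
# keywords are case-insensitive, the FIRST occurrence wins and later ones are
# ignored, comments and blank lines are skipped, and the global section ends
# at the first Match block (per-Match overrides are out of scope here).
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/             { next }
        NF == 0                { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# check_sshd CONFIG
# Flags the two settings the thread is about. Unset keywords fall back to the
# OpenSSH defaults (PermitRootLogin prohibit-password, PasswordAuthentication
# yes). Returns 1 if anything weak was found.
check_sshd() {
    root=$(sshd_setting "$1" PermitRootLogin)
    pw=$(sshd_setting "$1" PasswordAuthentication)
    root=$(printf '%s' "${root:-prohibit-password}" | tr 'A-Z' 'a-z')
    pw=$(printf '%s' "${pw:-yes}" | tr 'A-Z' 'a-z')
    weak=0
    [ "$root" = "yes" ] && { echo "weak: PermitRootLogin yes"; weak=1; }
    [ "$pw" = "yes" ]   && { echo "weak: PasswordAuthentication yes"; weak=1; }
    return $weak
}

# --- constructed sample inputs ------------------------------------------
sample=$(mktemp -d)
mkdir -p "$sample/systemd/multi-user.target.wants"
: > "$sample/systemd/app.service"
ln -s ../app.service "$sample/systemd/multi-user.target.wants/app.service"
# the kind of drop-in the thread describes: a miner unit plus its enable symlink
: > "$sample/systemd/xmrig.service"
ln -s ../xmrig.service "$sample/systemd/multi-user.target.wants/xmrig.service"
printf '%s\n' app.service multi-user.target.wants/app.service > "$sample/allow"
cat > "$sample/sshd_config" <<'EOF'
# constructed sshd_config: root login on, plus a second PasswordAuthentication
# line that sshd ignores because the first occurrence wins
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes
EOF

echo "== unit audit of $sample/systemd =="
audit_units "$sample/systemd" "$sample/allow" || echo "-> unexpected units found"
echo "== sshd_config check =="
check_sshd "$sample/sshd_config" || echo "-> sshd needs hardening"
# sample dir is left in place so it can be inspected; remove with: rm -r "$sample"
```

The allowlist is the part that makes this useful: generate it once from a known-good machine (or from what the package manager owns) and run the audit from cron or a timer on a different host than the one being checked, so a root-level compromise of the audited box cannot silently edit the list. The sshd reader deliberately stops at the first Match block; if your config relies on Match to tighten or loosen these two keywords, read those blocks separately rather than trusting the global value alone.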
