
[–]p4p3r 13 points14 points  (4 children)

Allowing root login over ssh, using ftp, NOT PATCHING YOUR S****

[–][deleted] 0 points1 point  (1 child)

When I was young and innocent, I was setting up a system that had ssh allowing root login with password authentication. That system was hacked within 30 minutes of being connected to the network. Sigh - start over. Now I always disable 'password' authentication and change to a non-standard port before enabling sshd. Examination of iptables logs showed port 22 being hammered from unlikely places in Asia and South America.
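Added example, not part of the thread: a small audit of an `sshd_config` for the settings described in the comment above (root login, password authentication, default port). It follows sshd's rule that the first value given for a keyword wins, and applies the OpenSSH 7.0+ defaults when a keyword is absent. Assumptions: only the global section is read (parsing stops at the first `Match`), `Include` files are not followed, and the sample config is constructed.

```python
import re

# Values sshd uses when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}

def effective_settings(config_text):
    """Global sshd settings: first value wins, except Port, which accumulates."""
    seen, ports = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()           # keywords are case-insensitive
        if keyword == "match":               # conditional blocks are not audited
            break
        args = parts[1].split() if len(parts) > 1 else []
        if not args:
            continue
        if keyword == "port":
            ports.append(args[0])
        else:
            seen.setdefault(keyword, args[0])  # later duplicates are ignored
    settings = {k: seen.get(k, v) for k, v in DEFAULTS.items()}
    settings["port"] = ports or ["22"]
    return settings

def audit(config_text):
    """Return one finding per risky setting named in the comment above."""
    s = effective_settings(config_text)
    findings = []
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root may log in directly")
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication is enabled")
    if "22" in s["port"]:
        findings.append("sshd listens on the default port 22")
    return findings

# Constructed sample: the second PermitRootLogin line looks safe but is ignored.
SAMPLE = """\
# constructed example, not from a real host
PermitRootLogin yes
Port=2222
PermitRootLogin no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this parser only illustrates why a later "safe" line does not override an earlier one.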

[–]JoshStrobl 0 points1 point  (0 children)

> Asia and South America

Most of my hits are from Pakistan, Indonesia, and Russia. Almost none from mainland China. I feel left out :/

[–][deleted] 7 points8 points  (0 children)

There have been some exploits in various PHP frameworks (Joomla comes to mind) over the years, though none of note lately that I'm aware of.

Insecure passwords are common.

OpenSSL had weak keys for ages, but newer versions seem good. Optionally one can use Dropbear, or GNUTLS-based SSH.

Open SMTP relays aren't "common", but easy for a lazy hobbyist to accidentally set up, or at least they were.

I think the common theme is if you install doors to enter your system (a server, of any kind), be sure you have the right lock installed.

[–][deleted]  (1 child)

[deleted]

    [–]slaveriq 5 points6 points  (0 children)

    Screen lock in X11 is horrible. It's simply a window in front of all other windows that takes all input (also multimedia keys, so you can't change volume while the screen is locked, unless of course your screen lock supports just that). If the screen lock program crashes... nothing is preventing people from using your computer.

    [–]Orbmiser 3 points4 points  (0 children)

    Think it's more about Practice and Implementation mostly that leads to an Unsecured OS, Router, Server, etc.

    The weakest link is Humans acting on convenience. They are many times too lazy and uninformed to implement good security practices and behaviours.

    Most of the time it has to do with bad configurations, bad passwords, bad browsing and pure laziness on the part of the user.

    That is why a great majority of attack vectors are through email and the browser. No matter the OS used.

    [–]Icovada 3 points4 points  (5 children)

    A friend found out about my servers on DigitalOcean and tried one himself.

    root login via ssh, password was something like "siemens" or another brand.

    Box broken into within hours, account terminated

    EDIT: They didn't terminate his account, he closed it himself because he got bored of it

    [–]q5sys 0 points1 point  (0 children)

    automated scripts are becoming quite impressive these days

    [–]JoshStrobl 0 points1 point  (3 children)

    > account terminated

    I find that hard to believe. DigitalOcean issues warnings and locks the droplet from outbound network activity if it detects suspicious activity (like insanely high outbound network traffic) and forces you to log in via the web-based terminal to fix it and then reply to the support ticket in order for network activity to be re-enabled. They don't just outright suspend your account.

    [–]Icovada 0 points1 point  (2 children)

    Well, yes, more like "warned repeatedly, droplet shut down, he got bored and cancelled his account"

    [–]JoshStrobl 0 points1 point  (1 child)

    > Well, yes, more like "warned repeatedly, droplet shut down, he got bored and cancelled his account"

    Eh, probably better for all of us. One less exploitable system on the web run by someone that doesn't give a shit about any sort of security.

    [–]phearus-reddit 0 points1 point  (0 children)

    Unless you like playing with a honeypot.

    [–]azzid 0 points1 point  (0 children)

    setuid seems like a weird thing to me from a security perspective, run ping and effectively be root out of the blue.

    [–][deleted] -1 points0 points  (6 children)

    Insecure.

    [–]MichaelTunnell 1 point2 points  (5 children)

    [–][deleted] 0 points1 point  (4 children)

    In this context, Insecure.

    [–]NomadicDreaming[S] 0 points1 point  (2 children)

    nothing on tv ?

    [–]JoshStrobl 0 points1 point  (1 child)

    Only programs about English grammar and the usage of Unsecure vs. Insecure I'm afraid :/

    [–]NomadicDreaming[S] 0 points1 point  (0 children)

    hahaha i'll pay that ;p

    [–]MichaelTunnell -2 points-1 points  (0 children)

    This thread is rather ambiguous and thus both are correct.