From day one, as details about stolen system administrator passwords leaked out, many of us knew the Sony hack had to be an inside job. The simple reason is that a system administrator sets up notifications for failed login attempts and, more importantly, an alert for every successful login. These hackers allegedly stole a “system administrator’s password”, which gave them extensive access to Sony’s computer systems. Yet this high-level breach went unnoticed by Sony’s IT for several weeks?! What is your opinion on the Sony hack?
If hackers stole your admin credentials, would you know about it?
The screen crop above is an actual alert that I receive every time I successfully log into that server as administrator (root). So yes, I’m alerting myself that I just logged in successfully. It may sound strange to some, but this way, even if someone gains access to your administrator credentials and is able to reach your PC or IP remotely, you will still be notified by email and/or SMS. Imagine having lunch with your spouse or significant other, or finishing your workout at the gym, and being alerted to a successful login using your password!
Undoubtedly, Sony administrators must have had this basic precaution in place. That is why I believe it was at least partly an inside job! The above example is an alert from a cPanel-based server, but there are free, paid and self-coded solutions that accomplish the same thing on any Linux distro. For example, install ConfigServer Security & Firewall (CSF) and then configure its LF_* security options. That’s what’s surprising about the Sony hack: not that it happened, but that it was done using an administrator’s credentials and yet went completely unnoticed… or, more likely, unreported.
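For admins who would rather not depend on cPanel or CSF, here is the same idea as a small PAM hook. This is an added example, not code from the original post or from either product; the recipient address, log path and the WATCH_USERS list are assumptions you would change. It relies on pam_exec exporting PAM_TYPE, PAM_USER, PAM_RHOST, PAM_TTY and PAM_SERVICE to the script it runs, and alerts only when a session is opened for one of the watched accounts (root by default), so a flood of failed attempts does not become a flood of mail.

```shell
#!/bin/sh
# login-alert.sh: alert on every successful login for privileged accounts (added example).
# Hook it into PAM with a line like the following in /etc/pam.d/sshd (and /etc/pam.d/login):
#   session optional pam_exec.so /usr/local/sbin/login-alert.sh
# pam_exec exports PAM_TYPE, PAM_USER, PAM_RHOST, PAM_TTY and PAM_SERVICE to this script.

ALERT_TO="${ALERT_TO:-admin@example.com}"          # assumed recipient; use your own address
ALERT_LOG="${ALERT_LOG:-/var/log/login-alert.log}"   # assumed local copy of every alert

# Build the alert text from the login facts. Arguments: user remote-host tty service
build_login_alert() {
    user="$1"; rhost="${2:-local}"; tty="${3:-?}"; service="${4:-?}"
    printf 'Successful login: user=%s from=%s tty=%s service=%s host=%s at %s\n' \
        "$user" "$rhost" "$tty" "$service" "$(uname -n)" "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
}

# Decide whether an event deserves an alert: only session opens, and only for accounts
# listed in WATCH_USERS (space separated, default "root"). Returns 0 when it should alert.
should_alert() {
    type="$1"; user="$2"; watch="${WATCH_USERS:-root}"
    [ "$type" = "open_session" ] || return 1
    for w in $watch; do
        [ "$w" = "$user" ] && return 0
    done
    return 1
}

# Deliver the alert: append it to the local log and, if a mail command exists, e-mail it.
# An SMS gateway can be reached the same way by mailing its address.
send_alert() {
    msg="$1"
    printf '%s\n' "$msg" >> "$ALERT_LOG" 2>/dev/null || true
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$msg" | mail -s "Login alert on $(uname -n)" "$ALERT_TO"
    fi
}

# Entry point when pam_exec runs the script; does nothing when invoked by hand.
if [ -n "${PAM_TYPE:-}" ]; then
    if should_alert "$PAM_TYPE" "${PAM_USER:-}"; then
        send_alert "$(build_login_alert "${PAM_USER:-}" "${PAM_RHOST:-}" "${PAM_TTY:-}" "${PAM_SERVICE:-}")"
    fi
fi
```

Mark the line `session optional` rather than `required` so a broken mail setup can never lock you out, and keep the script root-owned and not world-writable, since whatever it runs executes at login time. Failed attempts are already written to the auth log by sshd, which is what CSF's LF_* options watch.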
“Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable,” so said security guru Bruce Schneier. Therefore, we must plan for the worst and hope for the best. Here are some other precautions:
- Use strong passwords (and change them regularly).
- Use SSH keys for root access instead of passwords.
- Make sure that multiple system administrators do not share the same account or password where possible.
- Limit system administrator access to specific IPs and ports.
- Set up ongoing scanning for file uploads and for changes to files/accounts, with alerts sent for those as well.
- Avoid Microsoft Windows and Server products when possible, or learn what’s involved in securing them.
- Add your suggestions in the comments…
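Several of the points above (keys instead of passwords for root, no shared catch-all accounts, access limited to specific source IPs) come down to a handful of sshd_config settings. The following is an added example, not code from the original post: a small audit function that reads an sshd_config and reports the weak settings, run here against two constructed sample configs, one as shipped and one hardened. The keyword names are OpenSSH's own; the 203.0.113.0/24 addresses are a documentation range standing in for your admin network.

```shell
#!/bin/sh
# audit_sshd.sh: report weak sshd_config settings behind the precautions listed above
# (added example; the sample configs below are constructed, not from any real server).

# Effective value of a keyword. sshd honours the first occurrence, so take the first
# uncommented match. Arguments: config-file keyword. Prints the value or "unset".
sshd_value() {
    v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}')
    printf '%s\n' "${v:-unset}"
}

# Print one line per finding for the given sshd_config; prints nothing when it is clean.
audit_sshd_config() {
    cfg="$1"
    case "$(sshd_value "$cfg" PermitRootLogin)" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin: root may log in with a password; set 'prohibit-password' (keys only) or 'no'" ;;
    esac
    case "$(sshd_value "$cfg" PasswordAuthentication)" in
        no) ;;
        *) echo "PasswordAuthentication: passwords accepted; set 'no' and use SSH keys" ;;
    esac
    case "$(sshd_value "$cfg" PubkeyAuthentication)" in
        no) echo "PubkeyAuthentication: key logins disabled; set 'yes'" ;;
    esac
    case "$(sshd_value "$cfg" AllowUsers)" in
        unset) echo "AllowUsers: any account may attempt to log in; list admin users, ideally as user@source-IP" ;;
    esac
}

# Constructed sample configs so the audit can be run offline.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# typical out-of-the-box settings
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
# one account per admin, each restricted to the admin network (203.0.113.0/24 is a documentation range)
AllowUsers alice@203.0.113.10 bob@203.0.113.0/24
EOF

echo "== weak config =="; audit_sshd_config "$WEAK_CFG"
echo "== hardened config =="; audit_sshd_config "$HARDENED_CFG"
# On a live server: audit_sshd_config /etc/ssh/sshd_config
```

Listing one named account per administrator in AllowUsers is what lets the login alert above say who logged in, rather than just "root"; the source-IP restriction in sshd is a second layer behind the firewall rule, not a replacement for it. After editing the real file, run `sshd -t` before restarting so a typo cannot lock you out.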
Server security is very similar to home security: we spend time and money protecting the home, yet we still sleep with a baseball or cricket bat under the bed (or, in many US states, a pistol in the nightstand drawer). In the same way, there should be a post-hack plan, and it starts with knowing when you have been compromised!
Disclaimer: This article is in no way claiming that the Sony hack was limited to Linux systems; it focuses instead on general best practices for this area of Linux web server administration. Sony and other large companies use (or should use) enterprise-level solutions to notify them of breaches quickly.