Currently I can only copy a single .tar file. But how can I copy directories recursively with scp?
When I try to ssh to another box, I get this strange error
$ ssh hostname
Bad owner or permissions on ~/.ssh/config
But I made sure that I own and have rw permissions on the file:
ls -la ~/.ssh/
total 40K
drwx------ 2 robert robert 4.0K Mar 29 11:04 ./
drwx------ 7 robert robert 4.0K Mar 29 11:04 ../
-rw-r--r-- 1 robert robert 2.0K Mar 17 20:47 authorized_keys
-rw-rw-r-- 1 robert robert 31 Mar 29 11:04 config
-rw------- 1 robert robert 1.7K Aug 4 2010 id_rsa
-rw-r--r-- 1 robert robert 406 Aug 4 2010 id_rsa.pub
-rw-r--r-- 1 robert robert 6.1K Mar 29 11:03 known_hosts
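The listing shows the cause: config is -rw-rw-r-- (group-writable), and OpenSSH refuses a per-user config file that is writable by group or others, or owned by anyone but the user or root, regardless of whether the owner can read and write it. The following added Python example (not code from the question or any answer on this page) reproduces that check against a constructed 0664 file and repairs it:

```python
import os
import stat
import tempfile


def check_ssh_config_perms(path, uid=None):
    """Return the reasons ssh would refuse `path`; an empty list means it is OK.

    This mirrors the test OpenSSH applies to the per-user config file before
    reading it: the file must be owned by the invoking user (or root) and must
    not carry a write bit for group or others.  Owner read/write is not enough;
    a group-writable file is rejected even though the owner can use it.
    """
    if uid is None:
        uid = os.getuid()
    st = os.stat(path)
    problems = []
    if st.st_uid not in (0, uid):
        problems.append("owned by uid %d, not uid %d or root" % (st.st_uid, uid))
    if st.st_mode & 0o022:
        problems.append("writable by group or others (mode %o)"
                        % stat.S_IMODE(st.st_mode))
    return problems


def fix_ssh_config_perms(path):
    """Drop every group/other bit so the file is owner-only; return the new mode."""
    new_mode = stat.S_IMODE(os.stat(path).st_mode) & ~0o077   # 0664 -> 0600
    os.chmod(path, new_mode)
    return new_mode


def demo():
    """Constructed reproduction of the listing above: a config file left at
    -rw-rw-r-- (0664) by a permissive umask, then repaired."""
    workdir = tempfile.mkdtemp()
    cfg = os.path.join(workdir, "config")
    with open(cfg, "w") as f:
        f.write("Host example\n    User robert\n")
    os.chmod(cfg, 0o664)          # same mode as the `config` line in the ls output
    before = check_ssh_config_perms(cfg)
    fixed_mode = fix_ssh_config_perms(cfg)
    after = check_ssh_config_perms(cfg)
    return before, fixed_mode, after


if __name__ == "__main__":
    b, m, a = demo()
    print("before:", b)
    print("after chmod %o:" % m, a)
```

On the real file the whole fix is `chmod 600 ~/.ssh/config`; the ~/.ssh directory in the listing is already 0700, which is what ssh expects, so only the config file needs changing.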
How to automate SSH login with password? I'm configuring my test VM, so heavy security is not considered. SSH was chosen for acceptable security with minimal configuration.
e.g.:
echo password | ssh id@server
This doesn't work.
I remember I did this with some trick somebody guided me through, but I can't remember now the trick I used...
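The pipe fails because ssh reads the password from the controlling terminal (/dev/tty), not from standard input, so whatever arrives on stdin is ignored; tools such as sshpass and expect work by running ssh on a pseudo-terminal they control and "typing" the password into it. The following added Python example (not from the question or any answer on this page) shows both behaviours; the sh one-liner that prompts and reads from /dev/tty is a constructed stand-in for ssh's password prompt, not anything ssh ships:

```python
import os
import pty
import select
import subprocess

# Constructed stand-in for ssh's password prompt: like ssh, it takes the secret
# from the controlling terminal (/dev/tty), never from stdin.
PROMPT_CMD = ["sh", "-c", 'printf "Password: "; read -r p </dev/tty && echo "got=$p"']


def feed_via_stdin(secret, argv=PROMPT_CMD):
    """What `echo password | cmd` does: the secret lands on stdin, which the
    prompt never reads.  start_new_session detaches the child from any terminal
    the caller has, so opening /dev/tty fails instead of blocking on the keyboard."""
    r = subprocess.run(argv, input=secret + "\n", capture_output=True, text=True,
                       start_new_session=True, timeout=10)
    return r.stdout


def feed_via_pty(secret, argv=PROMPT_CMD, timeout=5.0):
    """What sshpass/expect do: run the command on a pseudo-terminal we own, so
    its /dev/tty is the slave side and our writes to the master are its input."""
    pid, master = pty.fork()
    if pid == 0:                          # child: session leader, pty is its ctty
        os.execvp(argv[0], argv)
    out = b""
    sent = False
    while True:
        ready, _, _ = select.select([master], [], [], timeout)
        if not ready:
            break
        try:
            chunk = os.read(master, 4096)
        except OSError:                   # EIO on Linux once the child closes the slave
            break
        if not chunk:
            break
        out += chunk
        if not sent and b"Password:" in out:
            os.write(master, (secret + "\n").encode())   # "type" the secret at the prompt
            sent = True
    os.close(master)
    os.waitpid(pid, 0)
    return out.decode(errors="replace")


if __name__ == "__main__":
    print("stdin pipe ->", repr(feed_via_stdin("s3cret")))
    print("pty        ->", repr(feed_via_pty("s3cret")))
```

With real ssh the equivalent is `sshpass -e ssh id@server` with the password in the SSHPASS environment variable (keeping it off the command line, where `ps` would show it). Even on a throwaway VM, `ssh-keygen` followed by `ssh-copy-id id@server` is less configuration than installing sshpass and needs no password at all afterwards.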
This is a Canonical Question about Server Security - Responding to Breach Events (Hacking)
Canonical Version
I suspect that one or more of my servers is compromised by a hacker, virus, or other mechanism:
- What are my first steps? When I arrive on site should I disconnect the server, preserve "evidence", are there other initial considerations?
- How do I go about getting services back online?
- How do I prevent the same thing from happening immediately again?
- Are there best practices or methodologies for learning from this incident?
- If I wanted to put an Incident Response Plan together, where would I start? Should this be part of my Disaster Recovery or Business Continuity Planning?
Original Version
2011.01.02 - I'm on my way into work at 9.30 p.m. on a Sunday because our server has been compromised somehow and was resulting in a DoS attack on our provider. The server's access to the Internet has been shut down, which means over 500-600 of our clients' sites are now down. Now this could be an FTP hack, or some weakness in code somewhere. I'm not sure till I get there.
How can I track this down quickly? We're in for a whole lot of litigation if I don't get the server back up ASAP. Any help is appreciated. We are running openSUSE 11.0.
2011.01.03 - Thanks to everyone for your help. Luckily I WASN'T the only person responsible for this server, just the nearest. We managed to resolve this problem, although it may not apply to many others in a different situation. I'll detail what we did.
We unplugged the server from the net. It was performing (attempting to perform) a Denial Of Service attack on another server in Indonesia, and the guilty party was also based there.
We first tried to identify where on the server this was coming from; considering we have over 500 sites on the server, we expected to be moonlighting for some time. However, as we still had SSH access, we ran a command to find all files edited or created since the time the attacks started. Luckily, the offending file was created over the winter holidays, which meant that not many other files were created on the server at that time.
We were then able to identify the offending file which was inside the uploaded images folder within a ZenCart website.
After a short cigarette break we concluded that, due to the file's location, it must have been uploaded via a file upload facility that was inadequately secured. After some googling, we found that there was a security vulnerability that allowed files to be uploaded, within the ZenCart admin panel, for a picture for a record company (a section that was never really even used). Posting this form just uploaded any file; it did not check the extension of the file, and didn't even check whether the user was logged in.
This meant that any file could be uploaded, including a PHP file for the attack. We secured the vulnerability with ZenCart on the infected site, and removed the offending files.
The job was done, and I was home for 2 a.m.
The Moral:
- Always apply security patches for ZenCart, or any other CMS system for that matter. When security updates are released, the whole world is made aware of the vulnerability.
- Always do backups, and back up your backups.
- Employ or arrange for someone who will be there in times like these, to prevent anyone from relying on a panicky post on Server Fault.
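The triage step that found the webshell above, listing files changed inside a time window and ranking the ones that look wrong, generalises well beyond ZenCart. The following added Python example (not code from the question or any answer on this page) walks a constructed ZenCart-like tree, keeps the files modified inside the window, and flags the two signals that identified this intrusion: a server-side script sitting in an upload/images directory, and webshell-like content. The directory names, extensions and content markers are assumptions for the example, not a definitive list:

```python
import os
import re
import tempfile
import time

# Directories that should hold static content only; a PHP file under one of them
# is the strongest single indicator in this incident (assumed list, tune per app).
UPLOAD_DIR_HINTS = {"images", "upload", "uploads", "media", "cache"}
SCRIPT_EXT = (".php", ".php5", ".phtml", ".phar", ".pl", ".cgi", ".sh")
# Cheap content markers common in PHP webshells (constructed, not exhaustive).
SUSPICIOUS_CONTENT = re.compile(
    rb"(eval\s*\(\s*(base64_decode|gzinflate|str_rot13)"
    rb"|(system|passthru|shell_exec|exec)\s*\(\s*\$_(GET|POST|REQUEST))"
)


def files_changed_between(root, start, end, attr="st_mtime"):
    """Walk `root` and return (path, timestamp) for files whose `attr` falls in
    [start, end].  mtime is what `find -newermt` uses; an attacker can reset it
    with `touch -r`, so on a real box also run with attr="st_ctime"."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                ts = getattr(os.lstat(p), attr)
            except OSError:
                continue
            if start <= ts <= end:
                hits.append((p, ts))
    return sorted(hits, key=lambda t: t[1])


def triage(root, start, end):
    """Return (path, when, reasons) for each changed file, most suspicious first."""
    findings = []
    for path, ts in files_changed_between(root, start, end):
        parts = {x.lower() for x in path.split(os.sep)}
        reasons = []
        if path.lower().endswith(SCRIPT_EXT) and parts & UPLOAD_DIR_HINTS:
            reasons.append("script in upload directory")
        try:
            with open(path, "rb") as f:
                head = f.read(64 * 1024)
            if SUSPICIOUS_CONTENT.search(head):
                reasons.append("webshell-like content")
        except OSError:
            pass
        when = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(ts))
        findings.append((path, when, reasons))
    findings.sort(key=lambda f: -len(f[2]))
    return findings


def demo():
    """Constructed tree: two old legitimate files, one recent benign edit, and a
    webshell dropped into the images folder five minutes ago."""
    root = tempfile.mkdtemp()
    now = time.time()
    old = now - 30 * 86400
    files = {
        "images/logo.jpg": (b"\xff\xd8\xff", old),
        "includes/configure.php": (b"<?php $db = 'x'; ?>", old),
        "index.php": (b"<?php echo 'hello'; ?>", now - 600),
        "images/x.php": (b'<?php eval(base64_decode($_POST["c"])); ?>', now - 300),
    }
    for rel, (data, mtime) in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        os.utime(p, (mtime, mtime))
    return triage(root, now - 3600, now + 1)


if __name__ == "__main__":
    for path, when, reasons in demo():
        print(when, path, reasons or "")
```

The shell equivalent of the first step, on GNU find, is `find /srv/www -type f -newermt '2010-12-24' -ls`; run the same with `-newerct` as well, because mtime is trivially forged while ctime only changes through the kernel. Do the scan on a copy or a read-only mount where you can: every file you open on the live box alters atime and muddies the evidence the question asks about preserving.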
One thing that annoys me no end about Windows is the old sharing violation error. Often you can't identify what's holding it open. Usually it's just an editor or explorer just pointing to a relevant directory but sometimes I've had to resort to rebooting my machine.
Any suggestions on how to find the culprit?