Ask HN: Anonymous person sent proof of SSH access to our prod. What’s next?

This has been covered elsewhere (like on serverfault: http://serverfault.com/a/107346/2557 ). But it comes down to:

- Take existing server down immediately. I’m assuming it is not on an isolated network — so this should really be a priority.
- Prep a new patched server (with a smaller attack surface and updated security credentials).
- Postmortem the old box on an isolated network. Try to understand how the attacker got in. If necessary, get security professionals involved.

Do you have a way to reply to the person? I don’t see any harm in thanking them and asking for more details.

But in the meantime I’d have to assume everything is compromised: save a copy or an image of the server for analysis, but take it offline and build a new one. Rotate all passwords and credentials. Assuming you’re not doing something strange with SSH, they probably got legitimate
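The postmortem step both comments describe (work out how the attacker got in, starting from the assumption that legitimate credentials were used) usually begins with the sshd entries in the saved image's auth log. The following is an added example, not code from the thread: it parses the standard `Accepted`/`Failed` sshd lines and flags successful logins that do not match an inventory of expected source IPs and deploy-key fingerprints. The log lines, hostnames, IPs and fingerprints are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines in syslog format (hypothetical host, IPs and key
# fingerprints). 10.0.1.5 and SHA256:DEPLOYKEY play the role of the "known" values.
SAMPLE_LOG = """\
Mar  3 09:12:01 prod sshd[2311]: Accepted publickey for deploy from 10.0.1.5 port 50122 ssh2: RSA SHA256:DEPLOYKEY
Mar  3 11:40:17 prod sshd[2402]: Failed password for root from 203.0.113.9 port 41112 ssh2
Mar  3 11:40:20 prod sshd[2402]: Failed password for invalid user admin from 203.0.113.9 port 41112 ssh2
Mar  3 11:41:03 prod sshd[2410]: Accepted password for ops from 203.0.113.9 port 41120 ssh2
Mar  4 02:15:44 prod sshd[3001]: Accepted publickey for deploy from 198.51.100.77 port 60010 ssh2: ED25519 SHA256:UNKNOWNKEY
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2(?:: (?P<keytype>\S+) (?P<fp>\S+))?"
)

def parse_sshd_log(text):
    """Parse Accepted/Failed sshd lines into dicts; unrelated lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def suspicious_logins(events, known_ips, known_fingerprints):
    """Flag accepted logins outside the expected pattern: unknown source IP, password
    auth on a host meant to be key-only, unknown key fingerprint, or success after failures."""
    failed_before = defaultdict(int)   # failed attempts seen per source IP so far
    findings = []
    for e in events:
        if e["result"] == "Failed":
            failed_before[e["ip"]] += 1
            continue
        reasons = []
        if e["ip"] not in known_ips:
            reasons.append("unknown source ip")
        if e["method"] == "password":
            reasons.append("password auth accepted")
        elif e["fp"] and e["fp"] not in known_fingerprints:
            reasons.append("unknown key fingerprint")
        if failed_before[e["ip"]]:
            reasons.append(f"{failed_before[e['ip']]} failed attempts before success")
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"], "ip": e["ip"],
                             "method": e["method"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in suspicious_logins(parse_sshd_log(SAMPLE_LOG), {"10.0.1.5"}, {"SHA256:DEPLOYKEY"}):
        print(f"{f['ts']} {f['user']}@{f['ip']} via {f['method']}: {', '.join(f['reasons'])}")
```

Run it against the auth log copied off the imaged box rather than the live one, and feed it the real IP allow-list and the fingerprints of the keys you actually issued; anything it flags is a lead for which credential to treat as stolen.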


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/Iq8xmFWLhTs/item
