[systemd-devel] Block systemd from adding new services

Saint Michael venefax at gmail.com
Sun Jun 13 14:49:57 UTC 2021


This is not a human attacker, but a robot. My question is: if I apply
chattr +i to $(pkg-config --variable=systemdsystemconfdir systemd), will
the OS continue to work fine, or is this nonsense?
Philip

On Sun, Jun 13, 2021 at 9:54 AM Silvio Knizek <killermoehre at gmx.net> wrote:

> On Sunday, 13.06.2021 at 09:32 -0400, Saint Michael wrote:
> > One of the most dramatic hacks to 50+ servers of mine is a bitcoin
> > miner, xmrig. It installs a service file at /etc/systemd/system,
> > enables it and kills the machine.
> > Nobody knows how it propagates. I think that SSHD has been broken in
> > a foreign land or they just brute-force any machine where
> > PasswordAuthentication=yes.
> > The point is, for this list, how can I prevent systemd from adding
> > ANY new service at all. I am thinking to add chattr +i to
> > /etc/systemd/system, but want to know if this makes any sense or if
> > there is a better way to do this.
> > Philip
> Hi Philip,
>
> if someone can add files into
> $(pkg-config --variable=systemdsystemconfdir systemd)
> then the attacker already has root rights, so any suggestion here would
> only be a nuisance for an attacker. Be happy that the payload wasn't
> written to the boot loader.
>
> A general approach would be a stateless system with man:systemd.preset
> and a /etc as tmpfs, so after a reboot the system would be fresh again.
> Disabling root login via ssh is always a good idea and only using
> polkit/sudo for elevating rights. This could be combined with some two-
> factor authentication via PAM, so a cracked/guessed password isn't the
> end.
>
> But in the end these are all generic approaches to system security,
> nothing systemd specific.
>
> HTH
> Silvio
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel
>
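Added example (shell; not code from this thread or from systemd): it turns the two points above, the dropped-in unit file and password/root SSH logins, into checks an admin can run, and shows the immutable flag Philip asks about together with its limits. The unit files and sshd_config it creates are constructed samples, and the list of "suspicious" directories is an assumption for the demo.

```shell
#!/bin/sh
# Added example for this thread (not code from the thread or from systemd):
# 1. audit a systemd unit directory for drop-in services like the one Philip
#    describes (a unit whose ExecStart runs a binary from a scratch directory),
# 2. check an sshd_config for PasswordAuthentication / PermitRootLogin, and
# 3. show the immutable flag Philip asks about, with its limits.
# Every path and sample file below is an assumption constructed for the demo.
set -u

# Locations a packaged service has no business executing from (assumption).
SUSPECT_DIRS='/tmp /var/tmp /dev/shm /root /home /run/user'

# audit_units DIR: print "unit<TAB>reason" per suspicious *.service in DIR.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_units() {
    dir=$1
    found=0
    for f in "$dir"/*.service; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # First ExecStart= line, with the '-', '@', '+', '!' prefixes stripped.
        exec_line=$(sed -n 's/^ExecStart=[-@+!]*//p' "$f" | head -n 1)
        prog=${exec_line%% *}
        for d in $SUSPECT_DIRS; do
            case "$prog" in
                "$d"/*) printf '%s\t%s\n' "$name" "ExecStart runs from $d: $prog"; found=1 ;;
            esac
        done
        # A world-writable unit file lets any local user plant a root command.
        if [ -n "$(find "$f" -perm -o+w 2>/dev/null)" ]; then
            printf '%s\t%s\n' "$name" "unit file is world-writable"; found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# sshd_effective FILE KEYWORD DEFAULT: sshd honours the first occurrence of a
# keyword, so print that value, or DEFAULT when the keyword is absent.
# (Simplification: Match blocks are ignored.)
sshd_effective() {
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# check_sshd_config FILE: returns 0 only if password logins and root logins
# are both off. Defaults are OpenSSH's: PasswordAuthentication yes,
# PermitRootLogin prohibit-password.
check_sshd_config() {
    bad=0
    if [ "$(sshd_effective "$1" PasswordAuthentication yes)" = yes ]; then
        echo "PasswordAuthentication yes: passwords can be brute-forced"; bad=1
    fi
    if [ "$(sshd_effective "$1" PermitRootLogin prohibit-password)" = yes ]; then
        echo "PermitRootLogin yes: root password login allowed"; bad=1
    fi
    return "$bad"
}

# immutable_status DIR: show whether DIR carries the 'i' attribute.
# Caveats: root can run 'chattr -i' again, and the flag covers only DIR's own
# entries, not existing subdirectories such as multi-user.target.wants/.
immutable_status() {
    if command -v lsattr >/dev/null 2>&1; then
        lsattr -d "$1" 2>/dev/null || echo "lsattr: attributes not supported on $1"
    else
        echo "lsattr not installed"
    fi
}

# demo: run the checks against constructed samples in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/system"
    cat > "$tmp/system/nginx.service" <<'EOF'
[Service]
ExecStart=/usr/sbin/nginx -g 'daemon on;'
EOF
    # Constructed look-alike of the dropped-in miner unit from the thread.
    cat > "$tmp/system/systemd-helper.service" <<'EOF'
[Unit]
Description=System Helper
[Service]
ExecStart=/tmp/.x/xmrig
Restart=always
[Install]
WantedBy=multi-user.target
EOF
    printf 'Port 22\nPermitRootLogin yes\n#PasswordAuthentication no\n' > "$tmp/sshd_config"
    echo "== unit audit =="; audit_units "$tmp/system" || true
    echo "== sshd_config =="; check_sshd_config "$tmp/sshd_config" || true
    echo "== immutable flag =="; immutable_status "$tmp/system"
    rm -rf "$tmp"
}

demo
```

Run it as-is to see the constructed miner unit and the weak sshd_config flagged; point audit_units at the real $(pkg-config --variable=systemdsystemconfdir systemd) and check_sshd_config at /etc/ssh/sshd_config to use it on a host. As Silvio notes, none of this stops an attacker who is already root; it only makes the drop-in visible and closes the password/root SSH path the thread suspects as the way in.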