<div dir="ltr"><div class="gmail_default" style="font-size:small">This is not a human attacker, but a robot. My question is: if I apply chattr +i to $(pkg-config --variable=systemdsystemconfdir systemd), will the OS continue to work fine, or is this nonsense?</div><div class="gmail_default" style="font-size:small">Philip</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Jun 13, 2021 at 9:54 AM Silvio Knizek <<a href="mailto:killermoehre@gmx.net">killermoehre@gmx.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Sunday, 13.06.2021 at 09:32 -0400, Saint Michael wrote:<br>
> One of the most dramatic hacks to 50+ servers of mine is a bitcoin<br>
> miner, xmrig. It installs a service file at /etc/systemd/system,<br>
> enables it and kills the machine. <br>
> Nobody knows how it propagates. I think that SSHD has been broken in<br>
> a foreign land or they just brute-force any machine where<br>
> passwordautorization=yes. <br>
> The point is, for this list, how can I prevent systemd from adding<br>
> ANY new service at all. I am thinking to add chattr +i to<br>
> /etc/systemd/system, but want to know if this makes any sense or if<br>
> there is a better way to do this.<br>
> Philip<br>
Hi Philip,<br>
<br>
if someone can add files into<br>
$(pkg-config --variable=systemdsystemconfdir systemd)<br>
then the attacker already has root rights, so any suggestion here would<br>
only be a nuisance for an attacker. Be happy that the payload wasn't<br>
written in the boot loader.<br>
<br>
A general approach would be a stateless system with man:systemd.preset<br>
and a /etc as tmpfs, so after a reboot the system would be fresh again.<br>
Disabling root login via ssh is always a good idea and only using<br>
polkit/sudo for elevating rights. This could be combined with some two-<br>
factor authentication via PAM, so a cracked/guessed password isn't the<br>
end.<br>
<br>
But in the end these are all generic approaches to system security,<br>
nothing systemd specific.<br>
<br>
HTH<br>
Silvio<br>
<br>
_______________________________________________<br>
systemd-devel mailing list<br>
<a href="mailto:systemd-devel@lists.freedesktop.org" target="_blank">systemd-devel@lists.freedesktop.org</a><br>
<a href="https://lists.freedesktop.org/mailman/listinfo/systemd-devel" rel="noreferrer" target="_blank">https://lists.freedesktop.org/mailman/listinfo/systemd-devel</a><br>
</blockquote></div>
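<div class="gmail_default" style="font-size:small">Added example, not part of the thread and not code from either poster: since Silvio's point is that anyone who can write into the unit directory already has root (and can therefore also clear an immutable bit), the practical defensive step is to record a baseline of that directory on a known-good host and audit it on a timer. The script below builds a manifest of every regular file (sha256) and symlink (target) under a systemd unit directory, reports entries that appear, change or disappear relative to a stored manifest, and reports whether the directory carries the immutable attribute Philip asks about. The directory defaults to $(pkg-config --variable=systemdsystemconfdir systemd) with /etc/systemd/system as fallback; availability of sha256sum, comm, find and optionally lsattr is assumed, and the function and file names are my own.</div>

```shell
#!/bin/sh
# Added example: baseline/audit of a systemd unit directory.
# Not code from the thread; function and manifest names are hypothetical.

# Directory that systemd reads local unit files from (same query as in the thread).
unit_dir() {
    pkg-config --variable=systemdsystemconfdir systemd 2>/dev/null || echo /etc/systemd/system
}

# Print a sorted manifest: "<relative path>\tsha256:<digest>" for regular
# files and "<relative path>\tsymlink:<target>" for symlinks (enabled units
# live as symlinks under *.wants/, so their targets are recorded too).
make_baseline() {
    dir=$1
    find "$dir" \( -type f -o -type l \) -print | while IFS= read -r path; do
        rel=${path#"$dir"/}
        if [ -L "$path" ]; then
            printf '%s\tsymlink:%s\n' "$rel" "$(readlink "$path")"
        else
            printf '%s\tsha256:%s\n' "$rel" "$(sha256sum "$path" | cut -d' ' -f1)"
        fi
    done | LC_ALL=C sort
}

# Compare the directory against a stored manifest. Prints "+ entry" for
# entries that are new or modified and "- entry" for entries that were
# removed or modified. Returns 0 when nothing differs, 1 otherwise.
audit_units() {
    dir=$1
    baseline=$2
    current=$(mktemp)
    make_baseline "$dir" > "$current"
    LC_ALL=C comm -13 "$baseline" "$current" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$baseline" "$current" | sed 's/^/- /'
    if cmp -s "$baseline" "$current"; then rc=0; else rc=1; fi
    rm -f "$current"
    return $rc
}

# Whether the directory itself carries the ext4 immutable attribute ('i').
# Returns 0 if set, 1 if not set, 2 if lsattr is unavailable or fails.
is_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 2
    attrs=$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1) || return 2
    case $attrs in *i*) return 0 ;; *) return 1 ;; esac
}

# Command-line use:  ./unit-audit.sh baseline [DIR] > baseline.txt
#                    ./unit-audit.sh audit [DIR] baseline.txt
case "${1:-}" in
    baseline) make_baseline "${2:-$(unit_dir)}" ;;
    audit)    audit_units "${2:-$(unit_dir)}" "${3:?baseline manifest path required}" ;;
esac
```

<div class="gmail_default" style="font-size:small">Keep the baseline manifest off the host (or on read-only media): a manifest that sits next to the directory it describes can be rewritten by the same root-level access that dropped the unit file. A non-zero exit from the audit is what a timer or monitoring job should alert on; the immutable-bit check is informational, since root can clear it with chattr -i before writing.</div>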