146
linuxxx
6y

Hacking/attack experiences...
I'm, for obvious reasons, only going to talk about the attacks I went through and the *legal* ones I did 😅 😜

Let's first get some things clear (funny facts):
I've been doing offensive security since I was 14-15. Defensive since the age of 16-17. I'm getting close to 23 now, for the record.

First system ever hacked (metasploit exploit): Windows XP.
(To be clear, at home through a pentesting environment, all legal)
Easiest system ever hacked: Windows XP yet again.

Time it took me to crack/hack into today's OSes (remote + local exploits, don't remember which ones I used by the way):
Windows: XP - five seconds (damn, those metasploit exploits are powerful)
Windows Vista: Few minutes.
Windows 7: Few minutes.
Windows 10: Few minutes.
OSX (in general): 1 hour (finding a good exploit took some time, got to root level easily afterwards. No, I do not remember how/what exactly, it's years and years ago)
Linux (Ubuntu): A month approx. Ended up using a Java applet through Firefox when that was still a thing. Literally had to click it manually xD
Linux: (RHEL based systems): Still not exploited, SELinux is powerful, motherfucker.

Keep in mind that I had a great pentesting setup back then 😊. I don't have that setup anymore, nor do I do that anymore, since I love defensive security more nowadays and simply don't have the time.

Dealing with attacks and getting hacked.

Keep in mind that I manage around 20 servers (including VPSes and dedicated servers) so I get the usual amount of SSH brute force attacks (thanks for keeping me safe, CSF!) which is about 40-50K every hour. Those IPs automatically get blocked after three failed attempts within 5 minutes. No root login allowed + RSA key login with freaking strong passwords/passphrases.

linu.xxx/much-security.nl - All kinds of attacks: application attacks, brute force, sometimes DDoS (but that is also mostly mitigated at provider level), to name a few. So, except for my own tests and a few DDoSes on both those domains, nothing really threatening. (as in, nothing seems to have fucked anything up yet)

How did I discover that two of my servers were hacked through brute forcers while no brute force protection was in place yet? I installed a barebones Ubuntu server onto both. They only come with system-default applications. Tried installing Nginx the next day: port 80 was already in use. I always run 'pidof apache2' to make sure it isn't running and thought I'd run that for fun, while I knew I didn't install it and it didn't come with the distro. It was actually running. Checked the auth logs and saw successful root logins - fuck me - reinstalled the servers and installed Fail2Ban. It bans any IP address which had three failed SSH logins within 5 minutes:
Enabled Fail2Ban -> checked iptables (iptables -L) literally two seconds later: 100+ banned IP addresses - holy fuck, no wonder I got hacked!
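As an added worked example (not the author's setup or code), the Python script below replays, offline, the two things described above: the three-failures-within-five-minutes rule that Fail2Ban/CSF enforce on SSH, and the auth.log sweep that turned up the successful root logins. The log lines, hostname `vps1`, IP addresses (documentation ranges) and the year are constructed assumptions; the ban logic is a sliding window per source IP, the same idea as Fail2Ban's `maxretry`/`findtime`.

```python
"""Offline replay of the two checks from the post: the fail2ban-style rule
(three failed SSH logins from one IP within 5 minutes => ban) and a sweep of
auth.log for successful root logins. Added example; not the post author's
tooling. The log sample below is constructed, not a real capture."""
import re
from collections import defaultdict, deque
from datetime import datetime

MAXRETRY = 3      # failures tolerated before a ban (fail2ban: maxretry)
FINDTIME = 300    # window in seconds (fail2ban: findtime)
YEAR = 2017       # syslog timestamps carry no year; assumed for parsing only

# Constructed /var/log/auth.log excerpt (Ubuntu, OpenSSH), not real data.
SAMPLE_AUTH_LOG = """\
Mar  3 02:10:01 vps1 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 02:10:04 vps1 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 02:10:09 vps1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 02:11:30 vps1 sshd[1210]: Failed password for invalid user pi from 198.51.100.23 port 40110 ssh2
Mar  3 02:20:00 vps1 sshd[1240]: Failed password for invalid user pi from 198.51.100.23 port 40200 ssh2
Mar  3 02:28:00 vps1 sshd[1260]: Failed password for invalid user pi from 198.51.100.23 port 40290 ssh2
Mar  3 02:30:12 vps1 sshd[1301]: Accepted password for root from 203.0.113.7 port 51400 ssh2
Mar  3 02:30:12 vps1 sshd[1301]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  3 09:00:00 vps1 sshd[2001]: Accepted publickey for deploy from 192.0.2.10 port 60000 ssh2: RSA SHA256:abc
"""

# One pattern covers both outcomes; "invalid user" is optional so that failures
# against non-existent accounts are counted against the source IP as well.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)


def parse_sshd_events(text):
    """Return [(timestamp, result, method, user, ip)] for every sshd auth line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:          # pam_unix/session lines are not auth outcomes
            continue
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def fail2ban_bans(events, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {ip: ban_time} for sources with >= maxretry failures inside findtime.

    A per-IP deque is the sliding window: timestamps older than findtime are
    dropped before counting, so an attacker that spaces attempts beyond the
    window is never banned (the same blind spot fail2ban's findtime has).
    """
    window = defaultdict(deque)
    banned = {}
    for ts, result, _method, _user, ip in sorted(events):
        if result != "Failed" or ip in banned:
            continue
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


def root_logins(events):
    """Successful root logins: the indicator that a reinstall, not a cleanup, is due."""
    return [(ts, ip, method) for ts, result, method, user, ip in events
            if result == "Accepted" and user == "root"]


def audit(text):
    """Run both checks over raw auth.log text."""
    events = parse_sshd_events(text)
    return {"bans": fail2ban_bans(events), "root_logins": root_logins(events)}


if __name__ == "__main__":
    report = audit(SAMPLE_AUTH_LOG)
    for ip, when in report["bans"].items():
        print(f"would ban {ip} at {when:%H:%M:%S}")
    for when, ip, method in report["root_logins"]:
        print(f"ROOT LOGIN via {method} from {ip} at {when:%H:%M:%S}")
```

On the constructed sample, 203.0.113.7 trips the rule on its third failure within eight seconds and is the same source that later logs in as root with a password, which is the line the reinstall decision hinges on; 198.51.100.23 keeps each attempt more than five minutes apart and is never banned, which is why a ban rule alone is not a substitute for disabling password authentication and root login in sshd_config.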

There's one other kind/type of attack I get regularly, but if it doesn't get much worse, I'll deal with that :)

Dealing with different kinds of attacks:

Web app attacks: extensively testing everything for security vulns before releasing it into the open.
Network attacks: Nginx rate limiting/CSF rate limiting against SYN DDoS attacks for example.
System attacks: anti-brute-force software (Fail2Ban or CSF), anti-rootkit software, AppArmor or (which I prefer) SELinux, which actually catches quite some web app attacks as well, and REGULARLY UPDATING THE SERVERS/SOFTWARE.

So yah, hereby :P

Comments
  • 10
    πŸ“reading after work
  • 2
I get a certificate error with https://linu.xxx/much-security.nl. You haven't added your linu.xxx domain to the certificate.
  • 1
    @stop nice try :P
  • 2
@stop Oh wait, you actually meant both domains xD. Linu.xxx isn't set up anymore so wondering why it actually shows anything..
  • 1
I meant only the linu.xxx domain
  • 1
    @linuxxx cool read, you seem to have big programming balls! :))
  • 0
@Condor Thanks! How'd a VPN remove the need for something like CSF though...?
  • 0
    @securiter I'm a programmer in my free time, Linux sysadmin professionally :)
  • 0
    here is the photo
  • 0
@stop xD, I haven't even set up the domain on that server yet haha
  • 1
@linuxxx I guess you may think of me as some stupid guy, but .. I understood only 1% of your rant and I loved it xD..

I like when people talk about data security and privacy, but for me, the biggest achievement "as a hacker" is to use torrents with a VPN and block people on my wifi using some root Android app ...

would you like to give pointers on how I can get into a journey to stuff like Kali Linux, black hats/white hats, data security as a career, etc..
(and understand more of rants like this :D)
  • 1
@chaostools Simply start looking into both offensive and defensive security for servers and web apps :). And don't do anything stupid! Experimenting is key by the way, but do it safely.
  • 4
    Your 2 Ubuntu servers got hacked from outside your network? How did they become externally accessible by default? That doesn't sound right
  • 1
@linuxxx thanks... btw what do you say about security in Android?
  • 1
@LrdShaper VPSes rented from a VPS provider haha

    @chaostools security is fair enough, privacy isn't but that's why my root firewall keeps Google outside :)
  • 1
CSF FOR THE WIN. 👍
  • 0
    Can you teach me where to start to learn hacking?
  • 1
    I honestly thought you were around the 30s 😡

Are you hosting some better known services on your servers? I've had a vserver for several years with basically no security measures at all (except for whatever the hoster has) and I update it only every few months. I'm not really using it, but it has a TeamSpeak server that's used daily and one or two web services that I regularly use, and I never had problems that made me think it could be hacked. Also never seen an unknown process or whatever. So why do you get so many attacks?
  • 1
@Forside No clue honestly. As for the sites I run, I know not everyone likes me (my linuxxx identity) so possibly that one doesn't help much.

    Most ssh attacks are automated at least but except for that idk haha

    And nope I'm still young :)
  • 2
    @Androidxxxx I started learning how to 'hack' through programming and defensive security :)
  • 2
    I know out of scope, but I'm about to launch a service with a VPS from Vultr,
    1. I closed all ports,
    2. Installed knockd,
    3. fail2ban,
    4. rkhunter,
    5. disable root
    6. disable password for ssh
    7. ufw firewall

anything else I'm missing?
  • 1
    I'm too late to this !rant!
  • 1
    @gitpull you give git's a bad name, what a shame :p
  • 1
    @gitpush I am so sorry, my bruddah
  • 1
@gitpull 😛😛😂😂😂
  • 1
    @linuxxx have you tried something like Yubikey for storing ssh keys?
    I’m doing it now, and I’m going to try to activate 2FA with it too
  • 0
@ChainsawBaby Is this possible (without gpg)?
  • 0
@stop I’ve swapped my default SSH socket with gpg-agent, so ssh gets the private key from my Yubikey.
    Next step is just to see if I can get 2fa to work (literally just means I need to physically touch my yubikey)
  • 0
    @ChainsawBaby I ordered a yubikey a few days ago but I ordered version 4 which runs on closed source software so going to return that one and buy a new one afterwards :)
  • 1
    @linuxxx yeah, I don't like that it's closed source. Might look at how it's to make my own
  • 0
    @linuxxx defensive security? What do you mean by that? I'm very interested to learn hacking. I just don't know where to start and what the tools are needed
  • 1
    @Androidxxxx Literally what I said haha. You don't just learn it like this. Defensive security is the part where you defend yourself from attacks.

    Gotta say that I learned mostly 'how to hack' through programming though.
  • 0
    @linuxxx can I hack using java?
  • 2
@linuxxx you're a girl now 😓
@thatdude what have you done to linuxxx 😓😓
  • 1
  • 0
@Kulijana is it bad? Cause it was my first PL and idk if it works :(
  • 1
    @Androidxxxx
I think your intentions aren't the best, but that is none of my business. What @linuxxx is trying to tell you is that you need to gather a lot of knowledge to be able to hack certain things, and it can't be taught in a day, a month, most likely not even a year. If you are really interested you can start with normal programming, which may give you some basic insight into software and its security mechanisms as well. After that you should get into the security topic more deeply, which is by no means a small field. There you will learn some of the defense mechanisms and the reasoning behind them, so if you ever see that defense not being applied to something, you might be able to "hack" it. It's a journey of a million steps, and when you finally catch up to it all, with the speed at which it's all evolving, you will have a million steps more.
  • 0
    Okay, now I get it. Thanks for this informative comment.

    Long way to go for me!
  • 0
    Thanks guys for the info about provider level, better than on wikipedia