This blog was offline for a few weeks
I had my account suspended, my blog down, and an entirely warranted, slightly annoyed email from my VPS host threatening to shut down my service if this happened again… because I was too lazy to set up key-based authentication.
I always figured a reasonably strong alphanumeric password was enough, and that Linux was reasonably safe from viruses. An attacker would need to somehow know my password to get in (and yeah, I REALLY should have known better), and keeping my software minimal and up to date was good enough.
Turns out I got hit by the XorDDoS trojan. Lovely. It brute-forced my password, injected a rootkit, and used my little, carefully built VPS to DDoS others. On one hand, I should have known better. I've now set up proper key-based authentication and am pondering port knocking.
Victim blaming rarely helps, but there are a few places where I really messed up.
Passwords aren't good enough. I actually may redo my key-based auth setup with stronger keys than what I have now. It's a pain remembering to have my keys with me, so I need to create device-specific keys, plus a backup one on a USB drive or something. Key-based auth is *easy*. There are tons of good tutorials out there, and it takes less than 5 minutes.
I didn't have real backups – my db is elsewhere and in theory (and practice!) I could easily rebuild my WordPress instance quickly. However, if that install *had* been compromised, well… I'd be in trouble. Still looking for a good solution there. Pondering a periodic scripted tarball of my /var/www and/or something WP-specific.
My VPS was running *too* well. I'd probably have noticed if I had been paying attention to it. I need to log in and look for *obvious* things like high processor usage. I only noticed this when I'd logged in to get my WP install out. In short, I need to *proactively* check on this, and not just run apt-get update every so often.
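As an added example (not code from the original post), here is a small POSIX shell script covering the two lessons above: confirming that sshd has password authentication switched off, and tallying failed password logins per source address so a brute-force run like the one described stands out in the auth log. The log lines and config fragment are constructed samples; the functions assume OpenSSH's standard `sshd -T` and "Failed password" log formats.

```shell
#!/bin/sh
# Added example, not from the original post. Two defender-side checks for a
# small VPS: (1) confirm sshd has password logins disabled, (2) tally failed
# password attempts per source address so a brute-force run stands out.
# Assumes OpenSSH's standard log and `sshd -T` output formats.

# Reads sshd's effective config (e.g. `sshd -T`) on stdin; prints "ok" when
# PasswordAuthentication is off, "weak" otherwise (OpenSSH defaults to yes).
check_password_auth() {
  awk 'tolower($1) == "passwordauthentication" { v = tolower($2) }
       END { r = (v == "no") ? "ok" : "weak"; print r }'
}

# Reads auth-log lines on stdin; prints "<ip> <count>" for every source
# address with at least $1 failed password logins, sorted by address.
# Handles both "for <user> from" and "for invalid user <user> from" lines.
count_failed_logins() {
  awk -v t="$1" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++ }
    }
    END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
  ' | sort
}

# Constructed sample log lines (RFC 5737 test addresses), not a real capture.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 02:11:01 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 02:11:03 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 02:11:05 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 02:11:06 vps sshd[1204]: Failed password for invalid user oracle from 203.0.113.5 port 51241 ssh2
Mar  3 02:12:10 vps sshd[1210]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 02:12:30 vps sshd[1212]: Accepted publickey for alice from 198.51.100.7 port 40023 ssh2
EOF
)

# Constructed config fragment in `sshd -T` style (the weak setting).
SAMPLE_CFG='pubkeyauthentication yes
passwordauthentication yes'

echo "password auth: $(printf '%s\n' "$SAMPLE_CFG" | check_password_auth)"
echo "sources with 3+ failed password logins:"
printf '%s\n' "$SAMPLE_LOG" | count_failed_logins 3
# On a live host: sshd -T | check_password_auth
#                 grep sshd /var/log/auth.log | count_failed_logins 10
```

Run against the sample data it reports `weak` and one noisy source, `203.0.113.5 4`; point the same two pipelines at the real `sshd -T` output and auth log for a quick periodic check.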
Some people suck. Seriously. However, a little patience means that they can't ruin your day by turning your system into one of the sources of a DDoS attack 😉