On Sunday, 13.06.2021 at 09:32 -0400, Saint Michael wrote:
> One of the most dramatic hacks to 50+ servers of mine is a bitcoin
> miner, xmrig. It installs a service file at /etc/systemd/system,
> enables it and kills the machine.
> Nobody knows how it propagates. I think that SSHD has been broken in
> a foreign land or they just brute-force any machine where
> passwordautorization=yes.
> The point is, for this list, how can I prevent systemd from adding
> ANY new service at all. I am thinking to add chattr +i to
> /etc/systemd/system, but want to know if this makes any sense or if
> there is a better way to do this.
> Philip

Hi Philip,

if someone can add files into $(pkg-config --variable=systemdsystemconfdir systemd) then the attacker already has root rights, so any suggestion here would only be a nuisance for an attacker. Be happy that the payload wasn't written in the boot loader.

A general approach would be a stateless system with man:systemd.preset and a /etc as tmpfs, so after a reboot the system would be fresh again.

Disabling root login via ssh is always a good idea and only using polkit/sudo for elevating rights. This could be combined with some two-factor authentication via PAM, so a cracked/guessed password isn't the end.

But in the end these are all generic approaches to system security, nothing systemd specific.

HTH
Silvio

_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
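A defender-side check in the spirit of this thread: audit a systemd unit directory for service files that are not in a known-good baseline, or whose ExecStart points into a world-writable scratch directory, which is how a dropped miner unit like the one Philip describes would typically look. This is an added example, not code from the thread or from systemd; the baseline file, the sample unit files and the scratch-directory list are assumptions.

```shell
#!/bin/sh
# Audit *.service files in DIR against a baseline of expected unit names and
# flag any ExecStart that runs from a scratch location. Prints one
# "unit: reason" line per finding. Scratch-dir list is an assumption.
SUSPECT_DIRS='^(/tmp|/var/tmp|/dev/shm|/home|/root)(/|$)'

# audit_units DIR BASELINE_FILE
audit_units() {
    dir=$1
    baseline=$2
    for unit in "$dir"/*.service; do
        [ -f "$unit" ] || continue
        name=$(basename "$unit")
        # Unit name not on the allow-list taken from a clean host.
        if ! grep -qxF "$name" "$baseline"; then
            echo "$name: not in baseline"
        fi
        # First ExecStart= line, minus systemd's -/@/!/+ prefixes, first token only.
        exec_path=$(sed -n 's/^ExecStart=[-@!+]*\([^ ]*\).*/\1/p' "$unit" | head -n 1)
        if [ -n "$exec_path" ] && echo "$exec_path" | grep -Eq "$SUSPECT_DIRS"; then
            echo "$name: ExecStart runs from scratch dir ($exec_path)"
        fi
    done
}

# Constructed demo: one legitimate unit and one dropped miner-style unit.
demo_audit() {
    tmp=$(mktemp -d)
    printf 'sshd.service\n' > "$tmp/baseline.txt"
    cat > "$tmp/sshd.service" <<'EOF'
[Unit]
Description=OpenSSH server
[Service]
ExecStart=/usr/sbin/sshd -D
EOF
    cat > "$tmp/update-check.service" <<'EOF'
[Unit]
Description=looks harmless
[Service]
ExecStart=/tmp/.cache/xmrig --config=/tmp/.cache/config.json
[Install]
WantedBy=multi-user.target
EOF
    audit_units "$tmp" "$tmp/baseline.txt"
    rm -rf "$tmp"
}
```

Run `audit_units "$(pkg-config --variable=systemdsystemconfdir systemd)" baseline.txt` with a baseline captured from a known-clean host; as Silvio notes, a unit dropped by root is already post-compromise, so this is a detection aid rather than a preventive control.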