danparsonson 5 days ago

No you're right, I didn't mean the firewall would have saved them, but just as a general point of advice. And yes a second VPS running opnSense or similar makes a nice cheap proxy and then you can firewall off the main server completely. Although that wouldn't have saved them either - they'd still need to forward HTTP/S to the main box.

Nextgrid 5 days ago | parent [-]

A firewall blocking outgoing connections (except those whitelisted through the proxy) would’ve likely prevented the download of the malware (as it’s usually done by using the RCE to call a curl/wget command rather than uploading the binary through the RCE) and/or its connection to the mining server.

denkmoon 5 days ago | parent | next [-]

How many people do proper egress filtering though, even when running a firewall?

drnick1 4 days ago | parent | prev [-]

In practice, this is basically impossible to implement. As a user behind a firewall you normally expect to be able to open connections with any remote host.

metafunctor 4 days ago | parent [-]

Not impossible at all with a policy-filtering HTTPS proxy. See https://laurikari.github.io/exfilguard/

In this model, hosts don’t need any direct internet connectivity or access to public DNS. All outbound traffic is forced through the proxy, giving you full control over where each host is allowed to connect.

It’s not painless: you must maintain a whitelist of allowed URLs and HTTP methods, distribute a trusted CA certificate, and ensure all software is configured to use the proxy.
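As an added illustration of the allowlist model described in this comment (example code written here, not exfilguard's own): a default-deny check of HTTP method and URL against a constructed allowlist, covering the URL edge cases a proxy policy has to get right (scheme, userinfo tricks, ports, host normalization, path traversal). Hosts and paths in the allowlist are constructed examples.

```python
"""Default-deny egress policy check of the kind a policy-filtering HTTPS proxy applies."""
import posixpath
from urllib.parse import urlsplit

# Constructed example allowlist: (method, host, port, path prefix).
# Anything not matched by an entry is denied.
ALLOWLIST = [
    ("GET", "deb.debian.org", 443, "/debian/"),
    ("GET", "pypi.org", 443, "/simple/"),
    ("POST", "api.example.internal", 443, "/v1/telemetry"),  # hypothetical internal endpoint
]


def _normalize_path(path):
    """Collapse '.' and '..' so a traversal cannot slip past a prefix check."""
    norm = posixpath.normpath(path or "/")
    if path.endswith("/") and norm != "/":
        norm += "/"  # keep trailing slash so "/debian/" still matches the prefix "/debian/"
    return norm


def is_allowed(method, url, allowlist=ALLOWLIST):
    """Return (allowed, reason). Denies by default; only https URLs are eligible."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme not https"
    if parts.username is not None or parts.password is not None:
        # "https://deb.debian.org@evil.example/" has hostname evil.example; reject userinfo outright.
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    host = host.rstrip(".").lower()  # strip trailing dot, compare case-insensitively
    try:
        port = parts.port or 443
    except ValueError:
        return False, "invalid port"
    path = _normalize_path(parts.path)
    method = method.upper()
    for m, h, p, prefix in allowlist:
        # Exact host match: no subdomain or suffix matching, which attackers can register.
        if method == m and host == h and port == p and path.startswith(prefix):
            return True, f"matched {m} {h}:{p}{prefix}"
    return False, "no allowlist entry"
```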