| ▲ | gus_ 5 days ago | |||||||||||||
it doesn't matter what netfilter frontend you use if you allow outbound connections from any binary. In order to stop these attacks, restrict outbound connections from unknown / not allowed binaries. This kind of malware in particular requires outbound connections to the mining pools. Others downloads scripts or binaries from remote servers, or try to communicate with their c2c servers. On the other hand, removing exec permissions to /tmp, /var/tmp and /dev/shm is also useful. | ||||||||||||||
| ▲ | bostik 4 days ago | parent | next [-] | |||||||||||||
> On the other hand, removing exec permissions to /tmp, /var/tmp and /dev/shm is also useful. Sadly that's more of a duck tape or plaster, because any serious malware will launch their scripts with the proper '/bin/bash /path/to/dropped/payload' invocation. A non-exec mount works reasonably well only against actual binaries dropped into the paths, because it's much less common to launch them with the less known '/bin/ld.so /path/to/my/binary' stanza. I've also at one time suggested that Debian installer should support configuring a read-only mount for /tmp, but got rejected. Too many packaging scripts depend on being able to run their various steps from /tmp (or more correctly, $TMPDIR). | ||||||||||||||
| ||||||||||||||
| ▲ | crote 4 days ago | parent | prev | next [-] | |||||||||||||
It is really unfortunate that a lot of services expect to have write access to their config files, so you can tweak settings with a web UI. If this weren't the case, plenty of containers could probably have a fully read-only filesystem. | ||||||||||||||
| ▲ | 3abiton 4 days ago | parent | prev | next [-] | |||||||||||||
Is there an automated way of doing this? | ||||||||||||||
| ||||||||||||||
| ▲ | Aeolun 4 days ago | parent | prev [-] | |||||||||||||
Wasn’t there that npm malware thing a while ago that trashed your home folder if it couldn’t phone home? | ||||||||||||||