Zee Trojan is nasty if you open port 22 to the internet to SSH

    I had a nasty time recently trying to upgrade my 2 Zees to the latest HS3 pi software and kept getting a trojan that took over my machine.

    Here is the description of the trojan: https://www.tobsan.se/update/2017/11/06/rpi-trojan.html

    So here is what I found out. The current RPI image does not change the default user/password from pi/raspberry. As soon as you open port 22 on your router and point it to the Zee, you will be infected very quickly. In my case, before I figured out what was going on, I re-imaged my SD cards about 4 times, booted them up on a network with port 22 forwarded to the pi and was infected every time within 4 hours. This trojan sets your Zee up to become an IRC bot and the remote hacker has complete control.

    Solution: Don't open port 22 on your router to remote SSH to the Zee OR change the default user pi password before you do.

    Hope this helps someone.

    PS. To see if you may already be affected, SSH to your machine, navigate to /opt and issue a dir command. If you see a funny 8-character script, you are infected. In my case, I only see two files: HomeSeer and vc.


    This weekend, me and my girlfriend visited her parents, and at the same time, I got to do the usual IT admin work on the Raspberry Pi 3 I set up for her father. Interestingly, there was a pi-specific trojan installed on his system. I’ll walk you through it!
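    The check in the PS above, automated as an added example (not code from the thread or from the linked write-up): it lists anything in /opt that is not on an allow-list and marks entries whose name is exactly 8 characters, which is the only indicator the post gives. The allow-list (HomeSeer, vc) and the /opt default are assumptions taken from the post; the demo runs on a constructed temporary tree so it never touches the real /opt.

```shell
#!/bin/sh
# Added example, not code from the thread: automate the /opt check in post #1.
# Indicator per the post: an unexpected entry in /opt, "a funny 8 character
# script", beside the expected HomeSeer and vc directories (assumed allow-list).

# check_opt [dir] [allow-list]: prints findings; returns 0 if clean, 1 if not
check_opt() {
    dir="${1:-/opt}"
    allow="${2:-HomeSeer vc}"
    found=0
    for path in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$path" ] || continue          # unmatched glob, nothing there
        name=$(basename "$path")
        skip=0
        for ok in $allow; do
            if [ "$name" = "$ok" ]; then skip=1; fi
        done
        if [ "$skip" -eq 1 ]; then continue; fi
        found=1
        if [ "${#name}" -eq 8 ]; then
            printf 'SUSPECT (8-char name): %s\n' "$path"
        else
            printf 'unexpected entry:      %s\n' "$path"
        fi
        ls -ld "$path"                       # owner, mode and mtime help triage
    done
    return "$found"
}

# Demo on a constructed tree so the script runs without touching the real /opt.
demo=$(mktemp -d)
mkdir -p "$demo/HomeSeer" "$demo/vc"
: > "$demo/abcdefgh"                         # constructed stand-in for a dropped file
if check_opt "$demo"; then echo "clean"; else echo "review the entries above"; fi
rm -rf "$demo"
```

On a real box run `check_opt` with no arguments (or pass your own allow-list) and treat any flagged entry as a reason to re-image rather than to clean up in place.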

    #2
    Why on god's good green earth would you open those ports to the Internet?



      #3
      Drhtmal, I need to manage my system remotely and have other apps besides HS3 running on it. Do you have another recommendation for managing the ZEE remotely besides a properly secured SSH connection?



        #4
        I do not know what router you are using but most support some sort of VPN connection.



          #5
          Originally posted by luvatlast:
          Drhtmal, I need to manage my system remotely and have other apps besides HS3 running on it. Do you have another recommendation for managing the ZEE remotely besides a properly secured SSH connection?
          Highly recommend you VPN to your router (or do site-to-site VPN if the two locations are fixed); this way none of those ports need to be directly on the internet.



            #6
            Good suggestions. I actually have 2 systems at 2 different locations. One has an Asus router that supports a VPN, the other site has Verizon Fios router that I am pretty sure does not. Luckily, most of my SSH need is ‘to’ the site with the Asus router. Thanks for the help.



              #7
              Been using VPN a long time here for my home network.

              I do remote manage a few peers here using SSH. It is sort of a poor man's VPN connection and can be utilized for all sorts of things and is much easier to set up remotely than a VPN tunnel (here I utilize IPSec rather than OpenVPN).

              I.e., here I use a reverse proxy to see the HS3 web GUI, and use X Windows with single remote X Windows applications (not recommended).

              There are ways to harden the SSH connection. First time you open SSH to the internet you will see robots hitting it within seconds. It's been like this for a while.



              First have a read over here ==> hxxps://linux-audit.com/audit-and-harden-your-ssh-configuration/

              and then edit /etc/ssh/sshd_config


              - Pete

              Auto mator
              Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb
              Homeseer Zee2 (Lite) - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e - CherryTrail x5-Z8350 BeeLink 4Gb BT3 Pro
              HS4 Lite - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram

              HS4 Pro - V4.1.18.1 - Ubuntu 22.04 / Lenova Tiny M900 / 32Gb Ram
              HSTouch on Intel tabletop tablets (Jogglers) - Asus AIO - Windows 11

              X10, UPB, Zigbee, ZWave and Wifi MQTT automation-Tasmota-Espurna. OmniPro 2, Russound zoned audio, Alexa, Cheaper RFID, W800 and Home Assistant



                #8
                Originally posted by luvatlast:
                Luckily, most of my SSH need is ‘to’ the site with the Asus router.
                If you continue down the SSH route via the internet vs a VPN, I strongly recommend disabling passwords and forcing SSH keys for authentication. You will need to generate an SSH key and transfer it to your SSH server before you remove password authentication. There is a sub-URL in the URL Pete posted on how to set this up.

                PubkeyAuthentication yes
                PasswordAuthentication no
                Len


                HomeSeer Version: HS3 Pro Edition 3.0.0.435
                Linux version: Linux homeseer Ubuntu 16.04 x86_64
                Number of Devices: 633
                Number of Events: 773

                Enabled Plug-Ins
                2.0.54.0: BLBackup
                2.0.40.0: BLLAN
                3.0.0.48: EasyTrigger
                30.0.0.36: RFXCOM
                3.0.6.2: SDJ-Health
                3.0.0.87: weatherXML
                3.0.1.190: Z-Wave
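                An added example, not Len's or Pete's code, tying #7 (edit /etc/ssh/sshd_config) to the two keywords in #8: it reports what sshd will actually enforce, since sshd uses the first uncommented occurrence of a keyword and both keywords default to "yes" when absent, so a commented-out line or a duplicate lower down changes nothing. Assumptions: the config has no Match blocks (parsing stops at the first one) and no Include directives; the demo config is constructed, and on a real host `sshd -T` is the authoritative view.

```shell
#!/bin/sh
# Added example, not from the thread: show the effective sshd_config values for
# PasswordAuthentication and PubkeyAuthentication.  sshd keeps the FIRST
# uncommented occurrence of a keyword and defaults both to "yes" when unset.
# Assumptions: no Match blocks (we stop at the first) and no Include lines.

# effective_value <keyword> <file>: prints the value sshd will use, or nothing
effective_value() {
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v kw="$kw" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }                            # comment or blank line
        {
            split($0, f, /[ \t=]+/)                      # "Key value" or "Key=value"
            k = tolower(f[1])
            if (k == "match") exit                       # conditional section: stop
            if (k == kw) { print f[2]; exit }            # first occurrence wins
        }' "$2"
}

# audit_sshd <file>: returns 0 only if password auth is off and key auth is on
audit_sshd() {
    pw=$(effective_value PasswordAuthentication "$1")
    pk=$(effective_value PubkeyAuthentication "$1")
    pw=${pw:-yes}; pk=${pk:-yes}                         # sshd defaults when unset
    echo "PasswordAuthentication=$pw PubkeyAuthentication=$pk"
    if [ "$pw" = no ] && [ "$pk" = yes ]; then return 0; fi
    return 1
}

# Demo on a constructed config: the commented-out "no" does not count, so
# passwords are still accepted even though it looks disabled at a glance.
cfg=$(mktemp)
printf '%s\n' 'Port 22' 'PubkeyAuthentication yes' \
    '#PasswordAuthentication no' > "$cfg"
audit_sshd "$cfg" && echo "key-only auth enforced" || echo "passwords still accepted"
rm -f "$cfg"
```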



                  #9
                  BTW this is not a specific "Zee Trojan" rather it is an SSH bot that sets up house on your RPi to replicate throughout the internet.

                  It is a "back door" trojan. There are many. Here is one description of Ebury:

                  Background

                  In February 2013, CERT-Bund started analyzing Ebury in depth and was able to identify thousands of systems around the world infected with the malware. Subsequently, an international Working group was formed. In a joint research effort with ESET, the Swedish National Infrastructure for Computing and the European Organization for Nuclear Research (CERN), and with kind support from CERTs and hosting providers in several countries, many thousand additional systems infected with Ebury could be identified.

                  Since February 2013, hosting providers and national CERTs in more than 60 countries have been notified of infected machines hosted on networks within their responsibility.

                  About one-third of the systems that were found to be infected are hosted in the US, another ten percent in Germany. Other countries with large numbers of infections include France, Italy, Great Britain, Netherlands, Russian Federation, Ukraine, Mexico and Canada.

                  What is Ebury?

                  Ebury is an SSH rootkit/backdoor trojan for Linux and Unix-style operating systems (like FreeBSD or Solaris). It is installed by attackers on root-level compromised hosts by either replacing SSH related binaries (ssh, sshd, ssh-add, etc.) or modifying a shared library used by SSH (libkeyutils).

                  On infected hosts, Ebury steals SSH login credentials (username/password) from incoming and outgoing SSH connections. The harvested credentials are sent to dropzone servers controlled by the attackers using specially crafted DNS-like packets. Additionally, SSH private keys stored on the compromised system for use with outgoing SSH connections are stolen by the attackers.

                  Ebury provides a backdoor the attackers can use to get a remote root shell on infected hosts even if passwords for user accounts are changed on a regular basis.

                  Why do you think my system is infected with Ebury?

                  Login credentials harvested by Ebury from SSH connections from/to your system were seen being sent to a dropzone server for the malware. Corresponding timestamps have been included in our reports to ISPs, hosting providers and national CERTs.

                  What do the attackers use compromised systems like mine for?

                  The compromised systems are used for various criminal activities, such as sending massive amounts of spam, redirecting visitors of compromised websites to drive-by-exploits or running nameservers for malicious domains. See for details.

                  Equipped with root-level privileges, the attackers can take full control of your machine and are able to access, delete or alter any kind of data processed or stored on the system. For example, if the compromised system is running a web shop the attackers might gain access to sensitive information like personal customer data or credit card numbers.



                  - Pete

