Welcome to the Linux Foundation Forum!

Following Lab4 with "admin" user security concern

When mimicing the lab instruction on "Lab 4", I set up the "admin" user similar to the image with "admin/admin", (which of course is not secure)

Interestingly I found the next day that someone had maliciously installed a crypto miner on my GCP by connecting through the GCP, login in as admin and then running a jenkins job installing the cryptominer.

Just wanted to inform, and make sure to clearly state the importance of strong password in this context since gcp makes it possible for anyone to connect really.

Comments

  • Hi @kasil, are you talking about the Jenkins credentials for logging in? Where exactly did you find admin/admin for user and password?

    Regards,
    Luis.

  • kasil
    kasil Posts: 5

    Hi @luisviveropena if you look at the image in the lab when creating a user, you have filled out all fields with admin, the password is then also 5 asterisks, which could be interpreted as "admin".

  • Hi @kasil, I found it. The lab instructs to create an admin user and also says that you can use any user and password. So we are not instructing students to use admin/admin.

    Luis.

  • kasil
    kasil Posts: 5
    edited October 2023

    Hi, as I mentioned, in the image itself it can definitely be interpreted as admin/admin without explicitly stating it, so my recommendation is to not use that image but it's up to the course creators of course. Maybe also stating to use a secure password would be good since you have instructed to open up the ports. Anyways, if any other taking the course sees this then just keep it in mind.

  • luisviveropena
    luisviveropena Posts: 1,248
    edited October 2023

    Hi @kasil,

    Ok, we'll take that into consideration.

    Regards,
    Luis.

Categories

Upcoming Training