
Basic hardening for sshd on Internet-connected servers that most images don't have by default:

PermitRootLogin no
PasswordAuthentication no

Make sure you can log into a non-root sudoer with publickey auth first!
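A quick way to confirm that the two settings above actually took effect, and that the fallback account has a key installed, before you close the session you are working in. This is an added shell example, not part of the post: the function names (audit_sshd_config, has_authorized_key), the sample configurations and the key line are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): audit the *effective* sshd settings
# the way `sshd -T` prints them (lowercase keyword, then value) instead of
# trusting that the two lines in sshd_config are what the daemon runs with.
# On a real server, as root:
#
#   sshd -T | audit_sshd_config
#
# and check that the account you intend to keep using has a key installed:
#
#   has_authorized_key /home/admin/.ssh/authorized_keys   # path is an assumption
#
# The sample configs at the bottom are constructed so the script runs offline.

# audit_sshd_config: reads "keyword value" lines on stdin, prints one finding
# per setting, returns 0 only if both hardening settings are in effect.
# Anything other than an exact "no" (including "prohibit-password") fails,
# because the post asks for "no".
audit_sshd_config() {
    cfg=$(cat)
    rc=0
    root_login=$(printf '%s\n' "$cfg" | awk '$1=="permitrootlogin"{print $2}')
    pw_auth=$(printf '%s\n' "$cfg" | awk '$1=="passwordauthentication"{print $2}')
    if [ "$root_login" = "no" ]; then
        echo "ok   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is '${root_login:-unset}' (want: no)"
        rc=1
    fi
    if [ "$pw_auth" = "no" ]; then
        echo "ok   PasswordAuthentication no"
    else
        echo "FAIL PasswordAuthentication is '${pw_auth:-unset}' (want: no)"
        rc=1
    fi
    return "$rc"
}

# has_authorized_key FILE: true if FILE is readable and holds at least one
# key line (blank lines and # comments ignored), i.e. publickey login for
# that account is possible at all.
has_authorized_key() {
    [ -r "$1" ] && grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -q .
}

# ---- constructed samples (not real `sshd -T` captures) ------------------
# What a stock image typically runs with: root may log in, passwords accepted.
stock_image_config() {
    printf '%s\n' 'port 22' 'permitrootlogin yes' \
        'passwordauthentication yes' 'pubkeyauthentication yes'
}
# After applying the two lines from the post and restarting sshd.
hardened_config() {
    printf '%s\n' 'port 22' 'permitrootlogin no' \
        'passwordauthentication no' 'pubkeyauthentication yes'
}

echo "== stock image =="
stock_image_config | audit_sshd_config || echo "stock image: NOT hardened"
echo "== hardened =="
hardened_config | audit_sshd_config && echo "hardened: OK"
```

Run `sshd -t` first to catch syntax errors, restart the daemon, keep the current session open, and only then try a fresh login from a second terminal. `sshd -T` is worth using over reading the file because it shows the merged result after any `Include` or `Match` block, which is where a "hardened" file silently turns back into password logins.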


@alexbuzzbee That happened to me the other day. Was nearly locked out of my server. Good thing I was able to log back in under the admin account.

@alexbuzzbee
No kidding, so many open VPS out there. First thing I do is harden sshd and install Duo Security's free MFA. Within minutes the roughly 100 ssh login attempts from CZ and CN in the logs stopped. Free, good enough for me.

@ironmonkey Personally I think publickey auth is a better solution than OTP MFA when it's an option, and SSH does a pretty good job of it.

@alexbuzzbee
I also tend to deactivate login on tty with PAM. Lessons learned 😉

@x2ero @alexbuzzbee
> deactivate login on tty with PAM

What do you mean by this? You mean preventing access via lights-out management (e.g. HP ILO)?

@ultem
No. Prevent access on a local console.
I had a hack attack where the foe somehow managed to force my server to reboot, and in that process somehow managed to log in with a local terminal session as root.
Local terminal sessions are referred to as tty1, tty2, etc. on Linux. You can deactivate that and only allow remote logins (on pts/1...x).
@alexbuzzbee
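The tty restriction x2ero describes can be expressed with pam_access. This is an added configuration example, not x2ero's own setup; it assumes a Linux host using PAM with the distribution-typical files /etc/pam.d/login and /etc/security/access.conf, and six virtual consoles (tty1 to tty6). It denies every account on the local consoles while leaving SSH sessions (pts/N, which authenticate through /etc/pam.d/sshd) untouched:

```text
# /etc/pam.d/login  -- the stack that getty/login uses for local consoles.
# Enable pam_access here (several distributions ship this line commented out).
account  required  pam_access.so

# /etc/security/access.conf  -- format: permission : users : origins
# For a local login pam_access uses the tty name as the origin, so this one
# rule refuses every account, root included, on the six virtual consoles.
# SSH logins go through /etc/pam.d/sshd, not this stack, so they are unaffected.
- : ALL : tty1 tty2 tty3 tty4 tty5 tty6
```

Test it from an existing SSH session (and keep that session open): a fresh SSH login must still work, and a `login` attempt on a console must be refused after the password step, since pam_access runs in the account phase. Two caveats worth deciding on deliberately: the same rule also blocks you at the hosting provider's emergency console, and, as ultem points out below, anyone who can reach the bootloader can skip PAM entirely, so this narrows the window rather than closing it.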

@x2ero @alexbuzzbee
> somehow managed to log in

You can either use the recovery mode from Grub (for e.g. Ubuntu) to spawn a root shell without any credentials or add `init=/bin/bash` to the Grub commands to spawn directly into a root shell.

@ultem
From remote? How did the attacker reboot my machine and then from the Internet access grub?
@alexbuzzbee

@alexbuzzbee
Then I should see an IP address from my provider? I have seen the IP where the attack came from.
@ultem

@x2ero @ultem You wouldn't because it would be in the hosting provider's internal logs. Most VM providers let you get to the console via the Internet so that you can troubleshoot issues that break SSH.

The most likely scenario here is that someone got the credentials to your account with the hosting provider and used them to get at the console on your server.

@alexbuzzbee
I use OTP for that very login.
I can see that same IP that tries to login right before the reboot in my apache logs. It looks very much like an outside attacker exploiting a bug.

@ultem

@alexbuzzbee +1 for a different port, I have seen some pretty enormous auth logs! I chose a random port a few years ago and have used it on all my servers since.

Fosstodon