Basic hardening for sshd on Internet-connected servers that most images don't have by default:
Make sure you can log into a non-root sudoer with publickey auth first!
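The settings the thread is talking about live in sshd_config, and the easiest way to lock yourself out is to assume a commented-out line means "off". As an added example (not from the original post or from OpenSSH), here is a small POSIX shell audit that reads an sshd_config text the way sshd does (first uncommented match wins, the global section ends at the first Match block) and reports the settings still at their weak value. The two sample configs are constructed for the demo; the fallback defaults are upstream OpenSSH defaults and vendor images may ship different ones in sshd_config.d/, so treat those as an assumption:

```shell
#!/bin/sh
# Added example: audit an sshd_config text for the baseline the thread
# recommends. Pure POSIX sh + awk, no sshd needed, runs offline.

# Constructed sample: a stock-looking config with the usual weak defaults.
WEAK_CONFIG='# stock image config (constructed sample)
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
X11Forwarding yes
'

# Constructed sample: the hardened counterpart.
HARDENED_CONFIG='Port 41822
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers admin
X11Forwarding no
'

# effective_value CONFIG_TEXT KEYWORD
# Echo the value sshd would use for KEYWORD in the global section: the first
# uncommented "Keyword value" line wins, and a Match line ends the global
# section. Assumes the whitespace-separated form, not "Keyword=value".
effective_value() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blanks
        tolower($1) == "match"   { exit }       # conditional block: stop here
        tolower($1) == key       { print $2; exit }
    '
}

# default_for KEYWORD: upstream OpenSSH default when the keyword is absent.
# Assumption: distro images may override these in sshd_config.d/.
default_for() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        port)                         echo 22 ;;
        permitrootlogin)              echo prohibit-password ;;
        passwordauthentication)       echo yes ;;
        pubkeyauthentication)         echo yes ;;
        kbdinteractiveauthentication) echo yes ;;
        x11forwarding)                echo no ;;
        *)                            echo "" ;;
    esac
}

# setting CONFIG_TEXT KEYWORD: effective value, falling back to the default.
setting() {
    v=$(effective_value "$1" "$2")
    [ -n "$v" ] && printf '%s\n' "$v" || default_for "$2"
}

# audit_sshd_config CONFIG_TEXT
# Print one finding per line for each setting still at a weak value;
# prints nothing when the config meets the baseline.
audit_sshd_config() {
    cfg=$1
    prl=$(setting "$cfg" PermitRootLogin)
    [ "$(setting "$cfg" Port)" = 22 ] && echo "Port: 22 (scanner noise; pick a random high port, and not 2222)"
    [ "$prl" = no ] || echo "PermitRootLogin: $prl (set to no; log in as a sudoer instead)"
    [ "$(setting "$cfg" PasswordAuthentication)" = yes ] && echo "PasswordAuthentication: yes (disable only after publickey login is confirmed working)"
    [ "$(setting "$cfg" KbdInteractiveAuthentication)" = yes ] && echo "KbdInteractiveAuthentication: yes (disable unless PAM MFA is in use)"
    [ "$(setting "$cfg" PubkeyAuthentication)" = no ] && echo "PubkeyAuthentication: no (required for key-only login)"
    [ "$(setting "$cfg" X11Forwarding)" = yes ] && echo "X11Forwarding: yes (rarely needed on a server)"
    return 0
}

# finding_count CONFIG_TEXT: number of findings (0 means baseline met).
finding_count() {
    audit_sshd_config "$1" | grep -c . || true
}

# Usage: report on both samples.
echo "== weak ==";     audit_sshd_config "$WEAK_CONFIG"
echo "== hardened =="; audit_sshd_config "$HARDENED_CONFIG"
```

The order of operations the thread warns about is the reason PasswordAuthentication is flagged with "only after publickey login is confirmed working": run the audit, fix everything except password auth, restart sshd, open a second session with your key as the non-root sudoer, and only then turn passwords off. Keep the first session open until the second one works.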
@alexbuzzbee That happened to me the other day. Was nearly locked out of my server. Good thing I was able to log back in under the admin account.
No kidding, so many open VPSes out there. The first thing I do is harden sshd and install Duo Security's free MFA. Within minutes, about 100 ssh login attempts in the logs from CZ and CN stopped. Free, and good enough for me.
@ironmonkey Personally I think publickey auth is a better solution than OTP MFA when it's an option, and SSH does a pretty good job of it.
Use different port
@JonossaSeuraava And don't pick port 2222 because that's obvious.
I also tend to deactivate login on tty with PAM. Lessons learned 😉
No. Prevent access on a local console.
I had a hack attack where the foe somehow managed to force my server to reboot, and in that process somehow managed to log in with a local terminal session as root.
Local terminal sessions are referred to as tty1, tty2, etc. on Linux. You can deactivate that and only allow remote logins (on pts/1...x).
@x2ero @ultem You wouldn't because it would be in the hosting provider's internal logs. Most VM providers let you get to the console via the Internet so that you can troubleshoot issues that break SSH.
The most likely scenario here is that someone got the credentials to your account with the hosting provider and used them to get at the console on your server.
@alexbuzzbee +1 for a different port, I have seen some pretty enormous auth logs! I chose a random port a few years ago and have used it on all my servers since.