Debian Server hacked via SSH pw login / my pw found in clear in auth.log

SSH is encrypted too ;)

How many layers of encryption do you need? ;)
It would be to secure the sequence ports: normally, if you set up port-knocking and someone is listening on the network, they can see the sequence ports that are used; if you encrypt them, they won't be able to see which ports you use for the port-knocking sequence when doing the knocks.

I do not understand this sentence. A successful port knock modifies the firewall on the server to open a port (or open the floodgates / all ports and protocols) to a specific IP.
@vs2-free-users probably meant that with port-knocking it only opens the port but you still have to authenticate afterwards to get into the system.
 


@blunix finally it's like they say in the one hacker movie: NO SYSTEM IS SECURE. We can only try to make it as secure as possible. On Qubes OS it is possible to read your RAM out if the hardware has failures, or the kernel of the host does.
 
NO SYSTEM IS SECURE.
I remember someone saying, security is a process, not a destination. But everything in the IT world nowadays seems to be called a process lol.
 
@f33dm3bits yes, this is what I mean. As a basic setup:

  • ssh port changed to another port.
  • ssh only via key, not via password.
  • iptables blocking all IPs and all traffic except whitelist
  • portknocking to open the ssh port for the knocking IP.

 
ssh port changed to another port.

That only prevents MOST automated scans, as they target port 22. One nmap and this is gone.

iptables blocking all IPs and all traffic except whitelist

I honestly don't see the reason. Port 443 is still open and the WordPress running on that server is still an entry.

portknocking to open the ssh port for the knocking IP.

I still consider that overkill (although we do offer that to clients - so far nobody wanted it, because of WireGuard, and it's just more security-killing comfort than required).
 
I have a suggestion. Why don't we co-author a guide here in the forum, like "the ultimate guide to reasonably securing your new Debian/Ubuntu server for people that are new to Linux"? With configuration examples that just make sense, and (automated) ways to check those configurations, like this ssh scan tool.

We can discuss in the thread how to do that and agree on certain items, and the admin or so can then combine those into the top of the post.

This way we can just link people who have similar problems to said thread.
 
As an example webserver:

  • Block all traffic from all IPs
  • Whitelist port 443 for all IPs
  • Disable ssh password login, enable ssh key, add a local password for your ssh key
  • Change the port of ssh to 50000
  • Configure portknock to open port 50000 to the knocking IP if the knock signal matches

So this is a good setup, I think.
  • If somebody scans for ssh, he strikes the firewall
  • If somebody sniffs your portknocking and fakes your IP, he must find the open ssh port first, and then he has to log in with a key he doesn't know.
  • If your key was leaked, it is still required to unlock it via your local password.
  • Your webserver is normally accessible
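An automated check for the sshd side of this list, added here as an example (it is not code from the thread): it parses an sshd_config the way sshd does for the global section (first occurrence of a keyword wins, Match blocks are not applied) and reports the settings that are still weak. The sample config is constructed, and the defaults table reflects stock OpenSSH; on a real host compare against `sshd -T`, which also resolves Match blocks.

```python
"""Audit an sshd_config against the thread's baseline (added example)."""
import re

# Constructed sample: password login and root login still on, default port.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
"""

# Stock OpenSSH defaults for the keywords we check (assumed, see sshd_config(5)).
DEFAULTS = {"port": "22", "passwordauthentication": "yes",
            "pubkeyauthentication": "yes", "permitrootlogin": "prohibit-password"}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section: the FIRST setting of a
    keyword wins (later duplicates are ignored), and parsing stops at the first
    Match block, whose settings only apply conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s*=?\s*(.*)", line)
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return a list of findings; an empty list means the baseline is met."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': passwords can be guessed")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is not 'yes': key login disabled")
    if cfg["permitrootlogin"] not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin allows root password login")
    if cfg["port"] == "22":
        findings.append("Port 22: hit by every automated scan (moving it only cuts noise)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WEAK:", finding)
```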
 
And If you do configure your ssh port to be open for the entire internet it's also a good idea to setup fail2ban to scan for failed authentication attempts on your ssh port and ban it after several failed attempts.
 
I have a suggestion. Why don't we co-author a guide here in the forum, like "the ultimate guide to reasonably securing your new Debian/Ubuntu server for people that are new to Linux"? With configuration examples that just make sense, and (automated) ways to check those configurations, like this ssh scan tool.
Yeah we can do that, and can probably post some of the most recent replies in this topic to that new topic.
 
Wow, what traffic here :) I also changed the port to a high number on all my different servers now. In auth.log there are also login attempts. So it is much less than on port 22, but not zero.

Here are some IPs from auth.log on the high port:

107.170.227.24 (San Francisco, California)
107.170.233.14 (San Francisco, California)
162.243.133.33 (San Francisco, California)
172.233.58.223 (Amsterdam, North Holland)
192.241.197.5 (San Francisco, California)
198.199.110.18 (San Francisco, California)
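The attempts above are exactly what a small auth.log detector can count; this is an added example, not code from the thread or from fail2ban. It tallies failed logins per source address the way fail2ban's sshd jail would (the threshold of 3 is an assumption) and raises an alert for the two events the OP's log would have shown: an accepted password login, and a success following earlier failures from the same address. The log lines are constructed with RFC 5737 documentation addresses.

```python
"""Count sshd failures per source and flag suspicious successes (added example)."""
import re
from collections import Counter

# Constructed sample in Debian's auth.log format.
SAMPLE_LOG = """\
Jan 14 03:12:07 srv sshd[2101]: Failed password for root from 203.0.113.10 port 41122 ssh2
Jan 14 03:12:09 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.10 port 41130 ssh2
Jan 14 03:12:11 srv sshd[2103]: Failed password for root from 203.0.113.10 port 41140 ssh2
Jan 14 03:13:00 srv sshd[2110]: Accepted password for root from 203.0.113.10 port 41151 ssh2
Jan 14 03:20:44 srv sshd[2150]: Accepted publickey for deploy from 10.0.0.5 port 50022 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Jan 14 03:21:00 srv sshd[2160]: Failed password for invalid user plex from 198.51.100.7 port 40001 ssh2
Jan 14 03:21:02 srv sshd[2160]: Disconnected from invalid user plex 198.51.100.7 port 40001 [preauth]
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP".
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")


def analyze(lines, threshold=3):
    """Return per-IP failure counts, the IPs that reached the ban threshold,
    and alerts for accepted logins that deserve a human look."""
    failures = Counter()
    alerts = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue  # disconnects, key-exchange noise, etc.
        ip, user, method = m["ip"], m["user"], m["method"]
        if m["result"] == "Failed":
            failures[ip] += 1
            continue
        if method == "password":
            # The thread's root cause: a password login that should not be possible.
            alerts.append(f"password login accepted for {user} from {ip}")
        if failures[ip] >= 1:
            alerts.append(f"{user} from {ip} succeeded after {failures[ip]} failures")
    ban = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {"failures": dict(failures), "ban": ban, "alerts": alerts}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    print("ban:", report["ban"])
    for alert in report["alerts"]:
        print("ALERT:", alert)
```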
As a simple trick, if you have IPv6 on client and server, you can limit ssh to IPv6 only. Most port scanners don't use IPv6.
 
@blunix, I just use ipv8;)

So, the honeypot server is set up on the same domain and same port 22. I hope the leaked pw is still in use by the bots.
If someone comes and logs in, everything it/he does will be logged, independently of bash history.
 
POV you underestimated the OP oO

Can you give us some insight into how you set up the honeypot?
 
Yes sure, maybe you can give me some advice.

Again, what happened to the broken server:
  • bash was deleted, history was deleted, whitecat has been installed
  • auth.log was still present
  • some user accounts with root access have been created, like:
htop with root access and bash
plex user (like plexmediaserverm, but there was no plexmediaserver on the system...)

Finally the server crashed due to OOM, but there had already been many successful ssh logins over a month before, until the system crashed.
I could have noticed the break-ins beforehand if I had logged onto the server or monitored it with Zabbix, for example (maybe).

PS: I hope you are not the fella to make these attacks;)

So I installed:

I renamed the binaries and filenames of these tools to hide them (an attempt).

Maybe there is some deeper logging tool for recording, underneath the user area?
 
If you are capable of implementing these steps - why did you open this thread to ask for advice, and why did you not use ssh key authentication instead of pw-based with a short password in the first place?
 
I use it now, as I said, I was too reckless.
I am asking because I am not a security expert, and I want to learn and like to know the experience of others.
 