Debain Server hacked via SSH pw login / my pw in auth.log in clear found

[f33dm3bits]

SSH is encrypted too

How many layers of encryption do you need?

It would be to secure the sequence ports, since if you normally setup port-knocking if someone is listening on the network they can see the sequence ports that are used, if you encrypt them they won't be able to see which ports you use for port-knocking when doing the knocking sequence.

I do not understand this sentence. A successful port knock modifies the firewall on the server to open a port (or open the floodgates / all ports and protocols) to a specific IP.

@vs2-free-users probably meant that with port-knocking it only opens the port but you still have to authenticate afterwards to get into the system.

 

[vs2-free-users]

@blunix finaly its like thay say in the one hacker movie. NO SYSTEM IS SECURE. We can only try to make it as secure as its possible. On cubes os it possible to read your ram out if the hardware have failures or the kernel of the host.

 

[f33dm3bits]

NO SYSTEM IS SECURE.

I remember someone saying, security is a process not a destination. But everything in the IT world now days seems to be called a process lol.

 

[vs2-free-users]

@f33dm3bits yes this is what i mean. As basic setup.

• ssh port changed to an other port.
• ssh only via key not via password.
• iptables blocking all ips and all traffic accept whitelist
• portknocking to open the ssh port for the knocking ip.

​

 

[blunix]

I remember someone saying, security is a process not a destination.

two likes for this one

 

[blunix]

ssh port changed to an other port.

that only prevents MOST automated scans as they target port 22. one nmap and this is gone.

iptables blocking all ips and all traffic accept whitelist

I honestly don't see the reason. Port 443 is still open and the wordpress running on that server is still an entry.

portknocking to open the ssh port for the knocking ip.

I still consider that overkill (although we do offer that to clients - so far nobody wanted it because wireguard and its just more security killing comfort than required)

 

[blunix]

I have a suggestion. Why don't we co-author a guide here in the forum like "the ultimate guide to reasonably securing your new Debian/Ubuntu server for people that are new to Linux". With configuration examples that just make sense, and (automated) ways to check those configurations, like this ssh scan tool.

We can discuss in the thread how to do that and agree on certain items, and the admin or so can then combine those into the top of the post.

This way we can just link people who have similar problems to said thread.

 

[vs2-free-users]

that only prevents MOST automated scans as they target port 22. one nmap and this is gone.



I honestly don't see the reason. Port 443 is still open and the wordpress running on that server is still an entry.



I still consider that overkill (although we do offer that to clients - so far nobody wanted it because wireguard and its just more security killing comfort than required)

As an example webserver:

• Block all traffic from all ips
• Whitelist port 443 for all ips
• Disable ssh password, enable sshkey , add local passwort for your ssh key
• change the port of ssh to 50000
• configure portknock to open port 50000 to the knocking ip if knock signal match

So this is a good setup i think.

• If somebody scan for ssh he strickes the firewall
• If somebody sniff your portknocking and fake your ip he must find the open ssh port first and than he have too login with a key he doesnt know.
• If your key was leaked. Its required to unlock it via your local passwort.
• Your webserver is normaly accessable

 

[f33dm3bits]

And If you do configure your ssh port to be open for the entire internet it's also a good idea to setup fail2ban to scan for failed authentication attempts on your ssh port and ban it after several failed attempts.

 

[f33dm3bits]

I have a suggestion. Why don't we co-author a guide here in the forum like "the ultimate guide to reasonably securing your new Debian/Ubuntu server for people that are new to Linux". With configuration examples that just make sense, and (automated) ways to check those configurations, like this ssh scan tool.

Yeah we can do that, and can probably post some of the most recent replies in this topic to that new topic.

 

[blunix]

ref: https://www.linux.org/threads/the-u...tu-linux-server-for-users-new-to-linux.49199/

 

[horstmc]

Wow what a traffic here I also change port to a high number on all my different server now. In auth.log there are also login in appemts. So it is much less than port 22 but not zero.

Here some IP from auth.log on high port

107.170.227.24 (San Francisco, California)
107.170.233.14 (San Francisco, California)
162.243.133.33 (San Francisco, California)
172.233.58.223 (Amsterdam, North Holland)
192.241.197.5 (San Francisco, California)
198.199.110.18 (San Francisco, California)

 

[vs2-free-users]

A

Wow what a traffic here I also change port to a high number on all my different server now. In auth.log there are also login in appemts. So it is much less than port 22 but not zero.

Here some IP from auth.log on high port

107.170.227.24 (San Francisco, California)
107.170.233.14 (San Francisco, California)
162.243.133.33 (San Francisco, California)
172.233.58.223 (Amsterdam, North Holland)
192.241.197.5 (San Francisco, California)
198.199.110.18 (San Francisco, California)

As a simple trick if you have IPv6 on client and server you can limit the ssh to IPv6 only. The most port scanners doesn't use IPv6.

 

[blunix]

As a simple trick if you have IPv6 on client and server you can limit the ssh to IPv6 only. The most port scanners doesn't use IPv6.

HAHAHHA YES! Thats a really good one

That is security by obscurity though.

 

[horstmc]

@blunix, I just use ipv8

So, the honeypot server is set up on the same domain and same port 22. I hope the leaked pw is still in use by the bots.
If someone will come and log in, everything it/he does will be logged independent from bash history.

 

[blunix]

• move data to rack in your basement and airgap
• remove door and replace with bricks
• construct steel frame around your house
• pour concrete over the house

 

[blunix]

@blunix, I just use ipv8

So, the honeypot server is set up on the same domain and same port 22. I hope the leaked pw is still in use by the bots.
If someone will come and log in, everything it/he does will be logged independent from bash history.

POV you underestimated the OP oO

can you give us some insight into how you setup the honeypot?

 

[horstmc]

POV you underestimated the OP oO

can you give us some insight into how you setup the honeypot?

Yes sure, may be you can give me some advices.

Again, what happend to the broken server:

• bash was delete, history was delete, whitecat has been installed
• auth.log was still present
• some useraccounts with root access have been created like:

htop with root access and bash
plex user (like plexmediaserverm but there was no plexmediaserver on the system...)

finally server crashed due to OOM, but there were many postiv ssh login over a month before already, until the system crashed.
I could have noticed the break-ins beforehand if i had logged onto the server or monitored it with zabbix, for example (maybe)

PS: I hope you are not the fella to make these attacks

So I installed:

• script, so every login session will be recorded
• snoopy https://github.com/a2o/snoopy

I renamed the binaries and filenames of these tools hide them (a try)

Maybe there is some deeper logging tool for recording, unterneth the user area?

 

[blunix]

if you are capable of implementing these steps - why did you open this thread to ask for advice and why did you not use ssh key authentication instead of pw based with a short password in the first place?

 

[horstmc]

if you are capable of implementing these steps - why did you open this thread to ask for advice and why did you not use ssh key authentication instead of pw based with a short password in the first place?

I use it now, as I said, I was too reckless.
I am asking, because I am not a security expert and I want to learn and I like to know the experience of others.