How to secure a server
-
OK so my server was hacked!!
B"H I was well prepared, so everything is safe.
Now what, and how do you secure your servers?
What I did so far:
- changed the root password
- created another non-root user with sudo privileges
My question is where to go from here.
Should I disable SSH for root? Should I change the SSH port? Allow SSH only with key? Install Fail2Ban?
Can anyone tell me what is necessary and what won't help in any case?
Thanks
-
@Chocolate From what you’re describing it sounds like you’re using some sort of Linux server. Could you please specify what type of server you’re talking about?
-
Correct, Linux server.
This particular one is CentOS, but the same applies to all.
-
@Chocolate said in How to secure a server:
should I disable SSH for root? should I change SSH port? allow SSH only with key? install Fail2Ban?
Do every single one… but mainly disable SSH for root (but still give your root user a strong password) and allow SSH only with key. The others will lessen the hacking attempts and clean up your logs a bit but are not critical.
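As an added example (not from this thread or any poster), the following script audits an sshd_config for the settings just discussed: root login, password vs. key authentication, the port, and MaxAuthTries. It writes two constructed sample configs (a permissive "before" and a hardened "after") to a temp directory so it runs offline; to audit a real host, point `audit_sshd` at `/etc/ssh/sshd_config` instead. It only reads the file and changes nothing.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for root login,
# key-only auth, port and MaxAuthTries. Read-only; changes nothing.
# Two constructed sample configs are written to a temp dir so it runs offline.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed "before" config with the permissive values the thread warns about.
cat > "$WORKDIR/weak_sshd_config" <<'EOF'
# comment lines and blank lines are ignored by the audit

Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# Constructed "after" config: root login off, key-only auth, non-default port.
cat > "$WORKDIR/hardened_sshd_config" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
EOF

# sshd_get KEYWORD DEFAULT FILE: print the effective (lower-cased) value of a
# keyword. sshd honours the first occurrence and matches keywords
# case-insensitively; Match blocks are not evaluated by this helper.
sshd_get() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$3"
}

# audit_sshd FILE: one line per check. FAIL marks the settings the thread
# calls critical; WARN marks the ones it calls nice-to-have.
audit_sshd() {
    f="$1"
    # Upstream OpenSSH defaults PermitRootLogin to prohibit-password
    # (older releases defaulted to yes); only "no" passes here.
    case "$(sshd_get PermitRootLogin prohibit-password "$f")" in
        no) echo "OK   PermitRootLogin no" ;;
        *)  echo "FAIL PermitRootLogin is not 'no' (root can log in over SSH)" ;;
    esac
    case "$(sshd_get PasswordAuthentication yes "$f")" in
        no) echo "OK   PasswordAuthentication no" ;;
        *)  echo "FAIL PasswordAuthentication is not 'no' (passwords can be guessed)" ;;
    esac
    case "$(sshd_get PubkeyAuthentication yes "$f")" in
        yes) echo "OK   PubkeyAuthentication yes" ;;
        *)   echo "FAIL PubkeyAuthentication is not 'yes' (key-only login impossible)" ;;
    esac
    case "$(sshd_get Port 22 "$f")" in
        22) echo "WARN Port 22 (default; moving it only thins out log noise)" ;;
        *)  echo "OK   Port $(sshd_get Port 22 "$f")" ;;
    esac
    if [ "$(sshd_get MaxAuthTries 6 "$f")" -gt 3 ]; then
        echo "WARN MaxAuthTries above 3"
    else
        echo "OK   MaxAuthTries $(sshd_get MaxAuthTries 6 "$f")"
    fi
}

# count_failures FILE: number of FAIL lines, i.e. the critical findings.
count_failures() {
    audit_sshd "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

for cfg in weak_sshd_config hardened_sshd_config; do
    echo "== $cfg =="
    audit_sshd "$WORKDIR/$cfg"
    echo "critical findings: $(count_failures "$WORKDIR/$cfg")"
done
```

The split between FAIL and WARN mirrors the advice above: root login and password authentication are the findings worth fixing before anything else, while the port and the retry limit mostly reduce noise. Remember to restart sshd after editing the file, and keep an existing session open until you have confirmed key login works from a second one.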
-
@Chocolate in addition you should enable the firewall and only allow inbound connections on an as-needed basis. If you only need incoming SSH from specific IPs, only enable those IPs.
-
@yzahn said in How to secure a server:
Do every single one… but mainly disable SSH for root (but still give your root user a strong password) and allow SSH only with key
I don't get the point: if they manage to crack my password, then what's the difference if it's root or a non-root user with sudo privileges? They can do whatever they want with sudo.
@Chocolate in addition you should enable the firewall and only allow inbound connections on an as-needed basis. If you only need incoming SSH from specific IPs, only enable those IPs.
Anything else to do except for whitelisting inbound connections? It's not really possible for me to do that.
Just out of curiosity, how do they manage to hack a 16-digit password that is a combination of letters, caps & digits? It should take years, no?
And one more: what are those guys gaining? Except for them deleting a couple of files nothing changed, so what's their goal? -
@Chocolate said in How to secure a server:
I don't get the point: if they manage to crack my password, then what's the difference if it's root or a non-root user with sudo privileges? They can do whatever they want with sudo.
You are right if they have your password.
There are ways of getting into an account without having the password.
Anything else to do except for whitelisting inbound connections? It's not really possible for me to do that.
It's possible to whitelist/blacklist complete ranges of addresses. IDK, maybe that would work for you.
Just out of curiosity, how do they manage to hack a 16-digit password that is a combination of letters, caps & digits? It should take years, no?
It is indeed very, very unlikely that they brute-forced/guessed a strong password.
Why are you sure that they got in via SSH? Did you go through logs?
Maybe your password was in the clear somewhere?
There are many possibilities.
It is worthwhile to understand how they got in, in order to protect yourself in future.
What are those guys gaining? Except for them deleting a couple of files nothing changed, so what's their goal?
- Not all servers are as invaluable as yours… until they get in they don't know what valuable information may be there.
- Often they will run a bitcoin miner…
- They can earn a ransom sometimes by encrypting your files.
- They can make it part of a botnet.
BTW, the general rule in the industry is that once bad guys have gotten on to your server, you should never trust it again, i.e. wipe it and start fresh.
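The question "did you go through logs?" is the right one, and it is usually answered from the SSH auth log (`/var/log/secure` on CentOS). The script below is an added example, not from the thread: it runs over a handful of constructed log lines (documentation addresses, not real attackers) and pulls out the three things a first look should establish: which sources failed most, which logins succeeded, and whether any success came from an address that had been failing just before. On a real host, replace the heredoc with the path to the actual log.

```shell
#!/bin/sh
# Added example, not from the thread: first-pass triage of an SSH auth log.
# The log lines below are constructed in CentOS /var/log/secure format; the
# addresses are reserved documentation ranges, not real hosts.
set -eu

LOG="$(mktemp)"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Mar  3 10:01:12 web1 sshd[2101]: Failed password for root from 198.51.100.23 port 51342 ssh2
Mar  3 10:01:15 web1 sshd[2101]: Failed password for root from 198.51.100.23 port 51342 ssh2
Mar  3 10:01:19 web1 sshd[2104]: Failed password for invalid user admin from 198.51.100.23 port 51388 ssh2
Mar  3 10:02:40 web1 sshd[2110]: Failed password for invalid user test from 203.0.113.7 port 40021 ssh2
Mar  3 10:05:02 web1 sshd[2120]: Accepted password for root from 198.51.100.23 port 51590 ssh2
Mar  3 10:05:03 web1 sshd[2120]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  3 11:30:44 web1 sshd[2301]: Accepted publickey for deploy from 192.0.2.10 port 60012 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
EOF

# failed_by_ip FILE: "count ip" per source of failed passwords, busiest first.
failed_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) print n[ip], ip }
    ' "$1" | sort -rn
}

# accepted_logins FILE: "method user ip" for every successful login, in log order.
# The token after "Accepted" is the auth method (password, publickey, ...).
accepted_logins() {
    awk '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "Accepted") print $(i + 1), $(i + 3), $(i + 5)
        }
    ' "$1"
}

# suspicious_accepts FILE: successful logins from an address that also produced
# failed passwords. Guess-then-succeed from one source is the line to treat as
# the compromise, not as an admin who mistyped once.
suspicious_accepts() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fail[$(i + 1)]++
        }
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "Accepted") {
                acc[NR] = $(i + 1) " " $(i + 3) " " $(i + 5); ip[NR] = $(i + 5)
            }
        }
        END { for (k = 1; k <= NR; k++) if (k in acc && fail[ip[k]] > 0) print acc[k] }
    ' "$1"
}

echo "failed passwords per source:"; failed_by_ip "$LOG"
echo "accepted logins:"; accepted_logins "$LOG"
echo "accepted logins preceded by failures from the same address:"; suspicious_accepts "$LOG"
```

In the constructed sample the root password login from 198.51.100.23 is flagged, while the later publickey login for `deploy` is not. The output also shows why the two critical settings matter: with `PermitRootLogin no` and `PasswordAuthentication no` the flagged line could not have happened at all. If the log shows no SSH success around the time of the damage, the entry point was likely something else (a web application, a leaked credential), which is the "many possibilities" point above.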
-
@yzahn said in How to secure a server:
BTW, the general rule in the industry is that once bad guys have gotten on to your server, you should never trust it again. i.e. wipe it and start fresh.
So true. Just had a crazy story where someone had all his server resources being eaten up. It was a no-brainer checking the PIDs and seeing what the culprit was; turned out he had some kind of breach a long time ago and had some security consultant supposedly take care of it,
and as we say, the rest is history…