How to secure a server



  • OK so my server was hacked!!
    B"H I was well prepared, so everything is safe.
    Now what? And how do you secure your servers?
    What I did so far:

    1. changed root password
    2. created another non-root user with sudo privileges. My question is where to go from here.

    should I disable SSH for root? should I change SSH port? allow SSH only with key? install Fail2Ban?

    Can anyone tell me what is necessary and what won’t help in any case?

    Thanks



  • @Chocolate From what you’re describing it sounds like you’re using some sort of Linux server. Could you please specify what type of server you’re talking about?



  • Correct, Linux server.
    This particular one is a CentOS,
    but the same applies to all.



  • @Chocolate said in How to secure a server:

    should I disable SSH for root? should I change SSH port? allow SSH only with key? install Fail2Ban?

    Do every single one… but mainly disable SSH for root (but still give your root user a strong password) and allow SSH only with key. The others will lessen the hacking attempts and clean up your logs a bit but are not critical.
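The two settings yzahn calls critical (no root login over SSH, key-only authentication) live in sshd_config, and a common mistake is to append the hardened lines below an existing permissive one: sshd uses the first value it sees for a keyword, so the later line has no effect. This added audit script (not from the thread, and not part of any project) reads a config the way sshd does and reports whether both settings are effectively off; the sample configs are constructed, and directives inside Match blocks are skipped as an assumption.

```shell
#!/bin/sh
# Added example: audit an sshd_config for PermitRootLogin and PasswordAuthentication.
# sshd keeps the FIRST value given for a keyword, so a later "PermitRootLogin no"
# does not override an earlier "yes". Only global directives are checked here;
# everything from the first "Match" block onward is ignored (assumption).

# sshd_effective KEYWORD FILE -> prints the effective (first) value, lowercased; empty if unset
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                     # strip comments, fields are re-split
        tolower($1) == "match" { exit }        # stop at the first Match block
        tolower($1) == key { print tolower($2); exit }
    ' "$2"
}

# sshd_audit FILE -> returns 0 if root login and password auth are both disabled, 1 otherwise
sshd_audit() {
    cfg="$1"; rc=0
    root=$(sshd_effective PermitRootLogin "$cfg")
    pass=$(sshd_effective PasswordAuthentication "$cfg")
    # PermitRootLogin defaults to prohibit-password; only an explicit "no" passes this audit
    [ "$root" = "no" ] || { echo "FAIL: $cfg: PermitRootLogin is '${root:-unset}' (want no)"; rc=1; }
    # PasswordAuthentication defaults to yes, so an unset keyword is also a failure
    [ "$pass" = "no" ] || { echo "FAIL: $cfg: PasswordAuthentication is '${pass:-unset}' (want no)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $cfg: root login disabled, key-only authentication"
    return "$rc"
}

# Constructed sample configs (temp files, not real server configs)
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
# the "no" appended below is ignored by sshd because "yes" comes first
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
cat >"$HARD" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User deploy
    PasswordAuthentication yes
EOF

sshd_audit "$WEAK" || echo "-> weak config rejected"
sshd_audit "$HARD"
```

On a live CentOS host the same function is run against /etc/ssh/sshd_config, and `sshd -T` prints the fully resolved effective configuration for comparison.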



  • @Chocolate in addition you should enable the firewall and only allow inbound connections on an as-needed basis. If you only need incoming SSH from specific IPs, only enable those IPs.



  • @yzahn said in How to secure a server:

    Do every single one… but mainly disable SSH for root (but still give your root user a strong password) and allow SSH only with key

    I didn’t get the point: if they manage to crack my pass, then what’s the difference if it’s root or a non-root with sudo privileges? They can do whatever they want with sudo.

    @Chocolate in addition you should enable the firewall and only allow inbound connections on an as-needed basis. If you only need incoming SSH from specific IPs, only enable those IPs.

    Anything else to do except for whitelisting inbound connections? It’s not really possible for me to do that.

    Just out of curiosity, how do they manage to hack a 16-digit password that is a combination of letters, caps & digits? It should take years, no?
    And one more: what are those guys gaining? Except for them deleting a couple of files nothing changed. What’s their goal?



  • @Chocolate said in How to secure a server:

    I didn’t get the point: if they manage to crack my pass, then what’s the difference if it’s root or a non-root with sudo privileges? They can do whatever they want with sudo.

    You are right if they have your password.
    There are ways of getting into an account without having the password.

    Anything else to do except for whitelisting inbound connections? It’s not really possible for me to do that.

    It’s possible to whitelist/blacklist complete ranges of addresses. IDK, maybe that would work for you.

    Just out of curiosity, how do they manage to hack a 16-digit password that is a combination of letters, caps & digits? It should take years, no?

    It is indeed very very unlikely that they brute-forced/guessed a strong password.
    Why are you sure that they got in via SSH? Did you go through logs?
    Maybe your password was in the clear somewhere?
    There are many possibilities.
    It is worthwhile to understand how they got in, in order to protect yourself in future.

    What are those guys gaining? Except for them deleting a couple of files nothing changed. What’s their goal?

    1. Not all servers are as invaluable as yours… until they get in they don’t know what valuable information may be there.
    2. Often they will run a bitcoin miner…
    3. They can earn a ransom sometimes by encrypting your files.
    4. They can make it part of a botnet.

    BTW, the general rule in the industry is that once bad guys have gotten onto your server, you should never trust it again, i.e. wipe it and start fresh.


Copyright © 2020 | info@shutfim.com