VPS being port scanned by anonymus - Page 2

Comments

  • There's always firewalling off port 22 to only approved IP addresses. No fail2ban load, and it keeps it on a standard port for any odd awkward stuff. Fail2ban can make your logs pretty big too.

    First thing my VPS auto-setup script does is firewall off port 22 to my home IP and that of my other VPSes. My home IP's static, but if my internet is down for some reason, I can still access any of my VPSes by visiting a certain page on one of my sites. The page just logs the IP I visited on, then adds that IP to the whitelisted IPs on my VPSes.

    I keep meaning to look into actual port knocking, but I never seem to get around to it...

  • twain Member
    edited November 2012

    sure is a lot of talk about ssh security.. this compromise was almost certainly not thru ssh

  • @twain true, but one would hope that once you focus on the most powerful access to your system you might actually start researching other means of access and disabling them.

  • Nexus Member
    edited November 2012

    Please post your full nginx logs if you still have them, (and if they logged all warnings/errors). Also your mysql logs as well. Pastebin it.

    Or if it's too large, upload it to a .txt on your server and link please.

  • kbeezie Member
    edited November 2012

    I'd be more interested in seeing the netstat/lsof/sockstat output to see what's listening publicly (like having mysql listening on the public port with a weak root password, for example). Like on most of my VPSes, the only public ports are ssh [not 22] and web [80/443].

  • dmmcintyre3 Member
    edited November 2012

    @joepie91 said: Because that breaks other stuff?

    Custom SSH ports haven't caused any issues with anything I have used.

  • @joepie91 said: I've had the issue at least once with a standard GNU tool (I forgot which) that didn't allow you to use a custom SSH port and some other kind of option together, because the syntax of the command changed. I can't recall the specifics.

    And updating ~/.ssh/config with your custom port didn't make it work?

  • kbeezie Member
    edited November 2012

    @dmmcintyre3 wouldn't it be /etc/ssh/sshd_config? (At least it's been that way on both Linux and FreeBSD for me.)

    The only scenario that I know of where ssh port changing breaks, is if you fail to update something like a firewall with an exception to that port, or if your provider uses a custom API to control your server via the SSH port.

    Any CLI binary that I've used (scp, rsync, etc.) always has an option to specify an alternate SSH port.

  • @kbeezie said: @dmmcintyre3 wouldn't it be /etc/ssh/sshd_config? (At least it's been that way on both Linux and FreeBSD for me.)

    sshd_config is for the openssh server.

    ~/.ssh/config is for the ssh client of the user you are logged in as.

  • kbeezie Member
    edited November 2012

    @dmmcintyre3 but the part you want to address IS the server, not the client (unless you're wanting to set a default port to log into if you're too lazy to type -p ###). Edit: though it looks like you were just stating how you could get around it if you didn't know the syntax... nothing a lil man-page lookup couldn't solve.

  • "My conclusion is, someone put an exploit into FluxBB script which is uploaded to my box."

    suggestion #1: zbblock
    suggestion #2: modsecurity (beta) for nginx
    suggestion #3: csf firewall

  • I wouldn't mess with # 2, any kind of apache-equiv modules ported to nginx tends to make matters much worse. Though there is a fully supported NAXSI module for nginx now.

  • The first thing that I did was kill all his processes, then deluser

    then figure out how it happened, check logs.
    look in the sshd_config

    check flushbb

  • joepie91 Member, Patron Provider

    @kbeezie said: @dmmcintyre3 wouldn't it be /etc/ssh/sshd_config? (At least it's been that way on both Linux and FreeBSD for me.)

    No. /etc/ssh/sshd_config is for your SSH daemon, /etc/ssh/ssh_config is for system-wide SSH client settings, and ~/.ssh/config is for user-specific SSH client settings.

    @dmmcintyre3 said: And updating ~/.ssh/config with your custom port didn't make it work?

    No. I've been trying various methods to get it to work for hours on end, including that.

    @xBytez said: The first thing that I did was kill all his processes, then deluser

    It's often a better idea to edit /etc/passwd and set the user's shell to /bin/false - this way you can prevent shell logins, but you still have all his data for some security breach forensics :)
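The /etc/passwd approach described above, as an added example that is not joepie91's own commands: the shell field of the account is rewritten to /bin/false so the home directory and files stay in place for forensics, and a second check confirms the account can no longer get an interactive shell. The passwd file it operates on is a constructed sample, not a real system file.

```shell
#!/bin/sh
# Added example, not from the thread: keep a compromised account and its files
# for forensics but stop shell logins by setting its login shell to /bin/false.
# The passwd file used below is a constructed sample, not a real system file.
set -u

# set_shell_false USER FILE: print FILE (passwd format) with USER's login shell
# (7th field) replaced by /bin/false. Other accounts and fields are untouched.
set_shell_false() {
    awk -F: -v OFS=: -v u="$1" '$1 == u { $7 = "/bin/false" } { print }' "$2"
}

# has_shell_login USER FILE: succeed only if USER's shell is something other
# than /bin/false or a nologin binary, i.e. the account can still get a shell.
has_shell_login() {
    awk -F: -v u="$1" '$1 == u { found = 1; sh = $7 }
        END { exit !(found && sh != "/bin/false" && sh !~ /nologin$/) }' "$2"
}

# Constructed sample passwd file for the demonstration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
fritz:x:1000:1000::/home/fritz:/bin/bash
intruder:x:1001:1001::/home/intruder:/bin/bash
EOF

# On a live system the equivalent is: usermod -s /bin/false intruder
# Changing the shell does not end sessions that already exist, so also
# terminate the account's running processes: pkill -KILL -u intruder
set_shell_false intruder "$sample" > "$sample.new"
if has_shell_login intruder "$sample.new"; then
    echo "intruder: still has a login shell"
else
    echo "intruder: shell login disabled, files kept"
fi
rm -f "$sample" "$sample.new"
```

The awk rewrite is shown so the change is visible; on a real box use usermod -s /bin/false (which locks the passwd file properly), lock the password with passwd -l, and remember that an existing session and any authorized_keys the intruder planted are not affected by the shell change alone.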

  • Fritz Veteran
    edited November 2012

    @Gary said: First thing my VPS auto-setup script does is firewall off port 22 to my home IP and that of my other VPSes. My home IP's static, but if my internet is down for some reason, I can still access any of my VPSes by visiting a certain page on one of my sites. The page just logs the IP I visited on, then adds that IP to the whitelisted IPs on my VPSes.

    How do you do that? "add the IP to the whitelisted IPs" by only visiting a page?

    @Nexus said: Please post your full nginx logs if you still have them, (and if they logged all warnings/errors). Also your mysql logs as well. Pastebin it.
    Or if it's too large, upload it to a .txt on your server and link please.

    umm..I forgot to save the logs (all logs exactly).

    @xBytez said: The first thing that I did was kill all his processes, then deluser
    then figure out how it happened, check logs.

    look in the sshd_config

    check flushbb

    I've tried to do that. But whatever I did, he could come back, logging in within a few seconds.
    I couldn't delete the intruder either and, finally, I couldn't trace him using the who -u command. Looks like he was hidden.

    So, here is what I've done.
    Reinstall the OS
    Disable root login
    Change ssh port
    What I'm planning to do next is installing csf firewall. Isn't it only for cPanel user?

  • CSF isn't just for cpanel, though it's used by it (directadmin also uses it).

    http://configserver.com/cp/csf.html

    Of course, if you're on Debian, Ubuntu, etc. you can use UFW, which is much simpler to configure (I would say you could use it on FreeBSD too, but PF [packet filter] is much more powerful).

  • As far as @gary's auto-whitelisting webpage, hope it requires some type of auth first, else all the search bot IPs will get whitelisted, plus anyone else who wanders into the page.

  • @twain said: As far as @gary's auto-whitelisting webpage, hope it requires some type of auth first, else all the search bot IPs will get whitelisted, plus anyone else who wanders into the page.

    It's an unlinked-to page, with a strange path and page filename. Nobody else could find it. In all the time it's been up (years, now) no crawlers etc. have touched it.

    @Fritz said: How do you do that? "add the IP to the whitelisted IPs" by only visiting a page?

    I visit a certain page, it saves the IP I visit from to a file. Periodically, the VPSes wget that file and add any new IPs to the firewalls.

    @Zen said: It'll probably just be ?auth=1.1.1.1

    Something like that. :)
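The "fetch a file and add its IPs to the firewall" step described in this post, and the port-22 allowlisting from the first post on this page, as one added example that is not Gary's script: it reads an allowlist file (the wget download is assumed to have already happened), keeps only lines that are syntactically valid IPv4 addresses or CIDR ranges, drops comments, blanks and duplicates, and emits the iptables rules that restrict SSH to those sources. Port 22 and iptables are assumptions; the file contents are constructed. The validation is the point raised by @twain above: if anything else can get a line into that file, it should at least not be able to get a rule it didn't earn.

```shell
#!/bin/sh
# Added example, not Gary's script: clean an allowlist file of source IPs and
# emit iptables rules that restrict SSH (port 22 assumed) to those sources.
# The allowlist contents below are constructed for the demonstration.
set -u

# valid_ipv4 ADDR[/PREFIX]: succeed only for a dotted-quad IPv4 address with
# an optional prefix length of 0-32. Anything else (hostnames, IPv6, junk)
# is rejected so it never reaches an iptables command line.
valid_ipv4() {
    addr=${1%/*}
    pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32          # no "/" given: a single host
    case $pfx in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# clean_allowlist FILE: strip comments and whitespace, drop blank and invalid
# lines, and print the remaining entries deduplicated, one per line.
clean_allowlist() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        valid_ipv4 "$line" && printf '%s\n' "$line"
    done | sort -u
}

# ssh_rules FILE: print the iptables commands for port 22. Established
# connections are accepted first so applying the rules does not cut the
# session you are applying them from; everything not allowlisted is dropped.
ssh_rules() {
    printf 'iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    clean_allowlist "$1" | while IFS= read -r src; do
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$src"
    done
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Constructed allowlist: home IP, another VPS's subnet, a duplicate, and the
# kind of junk that ends up in the file when the collecting page is found.
sample=$(mktemp)
cat > "$sample" <<'EOF'
203.0.113.10
198.51.100.0/24
203.0.113.10
999.1.1.1
not-an-ip
EOF
ssh_rules "$sample"       # prints the rules; pipe to sh only after review
rm -f "$sample"
```

The script only prints rules so it can be reviewed and run without root; on a real box the rules need to sit before any existing DROP for port 22, and the file that feeds it should still be protected by something stronger than an unguessable URL, since the validation above checks syntax, not who added the line.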

  • Nexus Member
    edited November 2012

    I am not sure about the security of uploading photos with fluxbb. I think joepie or someone, if they've got time, would be more than happy to browse the source code and see if it might contain any vulnerabilities or if they notice anything "fishy". I have heard in the past that attacks do come from the avatar upload feature. I know for a fact fluxbb has been down and out and not doing an absolute thing. (Moved to some shtty framework) as well.

    @Fritz, hope everything is ok and you're up now. Sht happens and I hope you learned from whatever it was.

    Stay strong and L.E.B has got your back. It's a great community here if you don't pull an ajones. ^^

  • "What I'm planning to do next is installing csf firewall. Isn't it only for cPanel user?"

    CSF also includes a Webmin module for managing it.

  • @Nexus said: @Fritz, hope everything is ok and you're up now. Sht happens and I hope you learned from whatever it was.
    Stay strong and L.E.B has got your back. It's a great community here if you don't pull an ajones. ^^

    Thanks @Nexus :-)

    @DomainBop said: CSF also includes a Webmin module for managing it.

    I'm going to look into it, thanks for your recommendation.

    I have another idea how to secure your box. Use a really strong password for SolusVM.
    If your SolusVM is compromised then all the efforts to secure your box are useless.

  • shaunpud Member
    edited November 2012

    apt-get install denyhosts

  • If someone is interested, I made a perl script that runs in the background; you point your syslog service at it to ban attackers in real time. It can use hosts.deny or iptables.
    http://goo.gl/Bx8KU

  • @shaunpud - apt-get install fail2ban
