Comments
I don't see where this was ever stated, insinuated, or hinted at... call off the wolves, guys, geeze...
@mtoledoce: I understand your anger, but having the server hacked is not so uncommon when experience is scarce. The first time I got a server hacked, I had very little experience on web services. I simply found a small readme file on the root directory. I was puzzled and I opened it in the editor. It contained a single phrase: "If you don't plug the hole, the boat will sink". It was a nice hacker, indeed. The second time, it was an OVH dedicated server. The compromised server was used by the hacker to DOS another server. The IP address was simply disabled and OVH gave out some (poor) outage explanation after almost a full day. I then had to convince them that the server was compromised, otherwise they would simply terminate the service. This time, the root password was apparently brute-forced because I forgot to check that fail2ban was properly installed. So my advice is to value this episode as a useful experience: security is important and must always be improved; tools that worked in the past may not be enough for today.
I also need to thank you because your post reminded me that I forgot to shut down ipv6 addresses on my Prometeus VPS SolusVM control panel, so one of my VPS was unnecessarily exposed to IPv6 threats.
@prometeus: I also have two OVZ VPSs, almost a year old, that have no IPv6 enable/disable buttons on the SolusVM control panel. Is it safe to assume they don't have any IPv6 addresses, or did you maybe add IPv6 later, as I discovered with one of my year-old KVMs that also has no IPv6 button in SolusVM but has a perfectly working IPv6?
The reality is that 100% secured is a fantasy, and somewhere in the world there is always someone with more technical skills than you, and so every machine at every provider (from the cheapest low end box to the most expensive enterprise server) is potentially insecure if the right person comes along and decides to hack it.
If your IP or range was "risky", that may explain why the VPS was compromised faster than if you were with another provider, but still doesn't explain how it was compromised. Could you elaborate more?
...this.
Liam changed the title, so I'm guessing the others were complaining about what it said before we got here.
@pcan Old OpenVZ containers don't have IPv6 assigned. All Prometeus networks have SLAAC enabled, so the IPv6 is assigned automatically. I will make this more clear in the welcome message...
If you want an explanation of how he or they got onto the machine, I don't know it yet; I only know it was via IPv6, coming from Romania, and was a lone guy. The VPS was shut down afterwards, when it tried to access other servers on my production environment based on information in that VPS. My feeling is that the "visitor" was an amateur, because in 5 minutes with control he couldn't hack other nodes with good information.
Or this is just a chapter of the history.
@mtoledoce -
What internet-facing services did you have? web server (and if so, what apps)?
If via ssh brute force, did you have root login permitted?
Since I'm sure you will never use it again, what was your root password? People's ideas of "strong passwords" are not universal. Of course, if you had other non-root users who could sudo to root...same question.
fail2ban can stop annoyances and some kind of attacks, but honestly, even without it, getting hacked is usually the result of either (a) admin error, (b) admin poor practices, (c) vulnerability in something internet-facing.
You do realize there are attacks hitting port 22 all day long from all around the world.
Go to /etc/ssh/sshd_config and change the port, reload ssh, and you are already safer.
The fact is that YOU are responsible for the security in your container. They as a provider can't block port 22 as suddenly you wouldn't be able to access your vps.
You were also probably not "Hacked" rather a bot was able to guess your password, and as such reported the correct login to the real hacker.
Take some time and do an nmap on your server and see what is open, it might surprise you.
Yep, I know all kinds of tricks too to get a server safe; my default port is not 22. I'm not sure yet if it was via root or SSH brute force (1 user, almost idle VPS).
Thanks.
I booted the server again with the 4 IPv6 addresses disabled; I will try to get more accurate info.
My port is 22
Panel uses port 22 and password authentication from the front end for console, yay (temporary). But you can always do more. For me, I disable password authentication for root and use a couple keys with impossible pass phrases. Among other things, of course.
Be creative. There are a lot of things you can do.
Many services when started will listen on all interfaces -- ipv4 and ipv6. Yet most traditional "how to secure your server" guides deal only with ipv4. Which leaves a gaping ipv6 hole.
While it's nice/cool to be ipv6-ready, there are few reasons to have ipv6 enabled. Unless you know what you're doing, disable it. And if you don't know how to disable it, re-configure your services to listen only on ipv4.
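The two posts above (the "do an nmap on your server" advice and the point that services bind to all interfaces, IPv4 and IPv6) boil down to one local check: what is actually listening, and on which address family. The script below is an added example, not code from this thread or from Prometeus. It parses the output of iproute2's `ss -tuln` and flags listeners bound to the IPv6 any-address (`[::]`) or to `*`, which is how a service "listening on all interfaces" appears; the `SAMPLE_SS_OUTPUT` text is constructed for the example, and `live_listeners()` runs the real command when you have a shell on the box.

```python
"""Audit which listening sockets are reachable over IPv6.

Added example (not from the LowEndTalk thread). Parses `ss -tuln` output
and reports listeners bound to the IPv6 wildcard ([::]) or to "*", which in
ss output means the socket accepts both address families.
"""
import subprocess
from dataclasses import dataclass

# Constructed sample of `ss -tuln` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      128        127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      128                *:80               *:*
tcp   LISTEN 0      128            [::1]:25            [::]:*
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int

    @property
    def ipv6_exposed(self) -> bool:
        # "[::]" is the IPv6 any-address; "*" means a dual-stack wildcard.
        return self.address in ("[::]", "*")

    @property
    def loopback_only(self) -> bool:
        return self.address in ("127.0.0.1", "[::1]")


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -tuln` text into Listener records (header line skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        if proto == "tcp" and state != "LISTEN":
            continue  # only listening TCP sockets matter here
        addr, _, port = local.rpartition(":")
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def ipv6_exposed(listeners: list[Listener]) -> list[tuple[str, int]]:
    """(proto, port) pairs reachable from the IPv6 side, sorted."""
    return sorted({(l.proto, l.port) for l in listeners if l.ipv6_exposed})


def public_ports(listeners: list[Listener]) -> list[tuple[str, int]]:
    """(proto, port) pairs bound to anything other than loopback."""
    return sorted({(l.proto, l.port) for l in listeners if not l.loopback_only})


def live_listeners() -> list[Listener]:
    """Run the real `ss -tuln` on this host (needs iproute2 installed)."""
    out = subprocess.run(["ss", "-tuln"], capture_output=True, text=True, check=True).stdout
    return parse_ss(out)


if __name__ == "__main__":
    ls = parse_ss(SAMPLE_SS_OUTPUT)
    print("public:", public_ports(ls))
    print("IPv6-exposed:", ipv6_exposed(ls))
```

On the constructed sample, sshd (22) and the web server (80) are reachable over IPv6 while MySQL and the MTA are loopback-only; an IPv4-only iptables ruleset would leave 22 and 80 open on the IPv6 side, which is exactly the gap the post describes. If you decide to disable IPv6 rather than add ip6tables rules, the persistent equivalent of writing to `/proc/sys/net/ipv6/conf/<interface>/disable_ipv6` is `net.ipv6.conf.all.disable_ipv6 = 1` (plus `net.ipv6.conf.default.disable_ipv6 = 1` so interfaces created later inherit it) in `/etc/sysctl.conf`, applied with `sysctl -p`.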
@raindog308 Reinstalled just 2-3 days ago with a desktop to check sites with Firefox etc. CentOS 6, not so much use today. I started with the idea of web hosting and cPanel etc.; it is an SSD plan. But I get better responses in the USA for the site; the fancy Italy attracts the "Same as Facebook" thing, but I need the USA for this.
Sure, I can log in with ssh on a non-default port.
All my passwords were generated with pwgen, 10 chars.
We always think we do everything right. I don't know...
So, you haven't looked at the logs? :P
Sure, auth is clean
Well, in just 2 days I have a very long list of failed attempts; in every cPanel I get 5-6 IPs banned per day, here 30 in 2 days. This was looking for a user named "amanda", 2 IPs calling for her, searching ports etc. It was love.
Bad luck for me, I got an IP with a dubious past. @prometeus can you change the IP?
Open a ticket and we will see what can be done.
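The post above is reading the same thing fail2ban reads: the failed-login lines sshd writes to the auth log (`/var/log/secure` on CentOS 6). The script below is an added example, not code from this thread, showing how those lines are turned into per-source counts and a list of which usernames each source tried. The log lines in `SAMPLE_LOG` are constructed (TEST-NET addresses, hostname `vps`), and the threshold of 5 mirrors fail2ban's default `maxretry`.

```python
"""Summarise failed SSH logins from auth-log lines.

Added example, not from the LowEndTalk thread. Counts "Failed password"
events per source IP and records which usernames each source tried.
"""
import re
from collections import Counter, defaultdict

# Constructed log lines in /var/log/secure format (not from a real host).
SAMPLE_LOG = """\
Feb  3 10:01:12 vps sshd[2011]: Failed password for invalid user amanda from 203.0.113.5 port 51234 ssh2
Feb  3 10:01:15 vps sshd[2013]: Failed password for invalid user amanda from 203.0.113.5 port 51240 ssh2
Feb  3 10:01:19 vps sshd[2015]: Failed password for root from 203.0.113.5 port 51244 ssh2
Feb  3 10:02:01 vps sshd[2020]: Failed password for invalid user amanda from 198.51.100.7 port 40112 ssh2
Feb  3 10:02:44 vps sshd[2022]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
Feb  3 10:03:05 vps sshd[2030]: Failed password for root from 203.0.113.5 port 51250 ssh2
Feb  3 10:03:09 vps sshd[2031]: Failed password for root from 203.0.113.5 port 51252 ssh2
Feb  3 10:03:40 vps sshd[2035]: Failed password for admin from 198.51.100.7 port 40120 ssh2
"""

# "invalid user" is present when the account does not exist; make it optional.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(log_text: str):
    """Yield (source_ip, username) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def failures_by_ip(log_text: str) -> Counter:
    """Failed attempts per source address."""
    return Counter(ip for ip, _ in parse_failures(log_text))


def offenders(log_text: str, threshold: int = 5) -> list[str]:
    """Sources with at least `threshold` failures (fail2ban's default maxretry)."""
    return sorted(ip for ip, n in failures_by_ip(log_text).items() if n >= threshold)


def usernames_tried(log_text: str) -> dict[str, list[str]]:
    """username -> sorted list of sources that tried it."""
    by_user = defaultdict(set)
    for ip, user in parse_failures(log_text):
        by_user[user].add(ip)
    return {user: sorted(ips) for user, ips in by_user.items()}


if __name__ == "__main__":
    print(failures_by_ip(SAMPLE_LOG))
    print("would ban:", offenders(SAMPLE_LOG))
    print(usernames_tried(SAMPLE_LOG))
```

To run it against a real host, feed it `open("/var/log/secure").read()`; the successful `Accepted publickey` line is deliberately ignored by the pattern, so only failures are counted. Seeing the same non-existent username (here `amanda`) probed from two unrelated sources is the signature of a shared wordlist rather than a targeted attacker.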
High target IP is a good opportunity to improve security. A less targeted IP may only be a temporary condition anyway. Just my thoughts.
Having a high target IP would be fun. I'd put a small LEB on it and practice my defenses :-)
I suspect you had more running facing the Internet than you expected. nmapping from another host may be instructive.
Maybe I have a new advertising angle
Seriously Dallas gets hit like a free hooker with a clean bill of health in Vegas. I've found it quite entertaining and educational.
@Jarland should show me the way of the ssh forces :P
Denyhosts, @Damian's sshcheck.php script (> iptables rules that only cover new), "PermitRootLogin without-password", ssh key with impossible pass phrase, echo alert to email in /root/.bashrc, logwatch twice daily for audit, win
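The list above (and raindog308's earlier questions about root login and password strength) all come down to a handful of sshd_config keywords. The script below is an added example, not the thread's own code or Damian's sshcheck.php, that reads an sshd_config the way sshd does (first occurrence of a keyword wins, anything after a `Match` line is conditional and ignored for the global setting) and reports the weak settings. Both config texts are constructed; `WEAK_CONFIG` is shaped like a stock CentOS 6 file, `HARDENED_CONFIG` applies "PermitRootLogin without-password" and key-only authentication as described. Note that OpenSSH 7.0 and later spell that value `prohibit-password` (the old spelling still works) and make it the default.

```python
"""Audit an sshd_config for the settings the thread recommends.

Added example, not from the LowEndTalk thread. Checks PermitRootLogin,
PasswordAuthentication and Port using sshd's first-match semantics.
"""

# Constructed: looks like a stock CentOS 6 sshd_config (PermitRootLogin commented out).
WEAK_CONFIG = """\
Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

# Constructed: hardened along the lines of the advice above.
HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin without-password
PasswordAuthentication no
PubkeyAuthentication yes
Match User deploy
    PasswordAuthentication yes
"""

# Compiled-in defaults sshd uses when the keyword is absent
# (PermitRootLogin defaulted to "yes" before OpenSSH 7.0).
SSHD_DEFAULTS = {
    "port": "22",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
}

# Values that mean root cannot be reached with a password.
ROOT_NO_PASSWORD = {"no", "without-password", "prohibit-password", "forced-commands-only"}


def effective_settings(config_text: str) -> dict[str, str]:
    """Global values sshd would apply: first occurrence wins, Match blocks skipped."""
    settings = dict(SSHD_DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break  # everything below is conditional, not the global setting
        if key in settings and key not in seen:
            settings[key] = value
            seen.add(key)
    return settings


def audit(config_text: str) -> list[str]:
    """Human-readable findings; an empty list means nothing flagged."""
    s = effective_settings(config_text)
    findings = []
    if s["permitrootlogin"] not in ROOT_NO_PASSWORD:
        findings.append("PermitRootLogin %s: root can be reached by password guessing" % s["permitrootlogin"])
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: brute force possible, prefer keys")
    if s["port"] == "22":
        findings.append("Port 22: default port draws constant automated attempts")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Point it at the real file with `audit(open("/etc/ssh/sshd_config").read())`. The commented-out `#PermitRootLogin yes` in the weak file is the trap many people fall into: it is documentation of the default, not a setting, so root login stays enabled until the line is uncommented and changed.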
@jarland listening to Jar is like being taught by a Jedi master
This thing raises a few questions:
1. There are so many IPv6 addresses that hitting one at random is impractical. Chances are you will use a lot of traffic until you find a working one, not to mention an exploitable one. The attacker most likely knew the IPv6 address; it was unlikely to be a bot.
2. I do not think that the IP's past draws more attacks, perhaps DDoSes or other types, not security exploits.
3. Everything on the net is attacked all the time. Looking at my logs, it does not look like Prometeus gets more attacks than other IPs. At my former job, one day I found the mail server was way too slow and found out that was because the brute forcing of SSH was slowly crawling up to amount to a DDoS. When you get 10k attempts in 1 hour you begin to wonder whom you upset...
4. A VPS is like a computer you buy in a shop or lease: it has a fresh install of an OS you have to update and secure. You don't go to the shop to complain they didn't do it for you, unless you specifically bought that service.
This happened yesterday: I noticed an outgoing attack and suspended the service, the guy said he didn't do it, I checked and he was rooted indeed.
It happens all the time, as someone pointed out, there is no 100% secured server, NASA, FBI, got hacked and they spend probably millions a month for security.
Nobody should feel guilty here. Personally, I never noticed being hacked, but I think this was just luck; sooner or later it is going to happen, I just hope there won't be a bad outcome from it.
Even if you take the best by-the-book precautions, there will always be a 0-day exploit in some app, if someone is after you and has enough resources or knowledge, it will happen.
(Yes I turned off the filter for today)
Past may not be related, but absolutely true that certain ranges are hit harder than others for reasons that are not necessarily apparent or related to the current resident. The very moment we got our 192 range we started getting slammed (thousands per day per IP), mostly from but not limited to China, all day every day. Not a single other range of ours hit with anything even vaguely similar in scope. Our 23 range falls in second place though, not terribly far behind, same story of the frequency being established prior to our provisioning it for any actual use. Our 199 range has been in play and tied to our business in easy to locate ways for much longer than those two and if I disabled any automatic blocks, it might get 100 attempts a day per IP.
I'm not sure exactly why, I can only speculate, but the entire ranges seem to get equal treatment and not just single IPs. I've had to increase security on client containers as well to keep them shielded from what I consider well above average brute force attempts. Damian's sshcheck.php is a big part of that.
Probably quite true that ipv6 shouldn't be subject to this.
A way to disable IPv6 is:
echo 1 > /proc/sys/net/ipv6/conf/[interface]/disable_ipv6
Do you know better/alternate ways?
You should turn it back on, I am back from vacation.