Background: 15 years of experience in software and apparently spoiled because it was already set up correctly.

Been practicing doing my own servers, published a test site and 24 hours later, root was compromised.

Rolled back to the backup before I made it public and now I have a security checklist.

  • satans_methpipe@lemmy.world
    13·
    7 days ago

    On a new linux install or image I will always:

    • Make new users(s)
    • Setup new user to sudo
    • Change ssh port
    • Change new user to authenticate ssh via key+password
    • Disable root ssh login
  • Fedegenerate@lemmynsfw.comEnglish
    3·
    7 days ago

    I don’t think I’m ever opening up anything to the internet. It’s scary out there.

    I don’t trust my competence, and if I did, I dont trust my attention to detail. That’s why I outsource my security: pihole+firebog for links, ISP for my firewall, and Tailscale for tunnels. I’m not claiming any of them are the best, but they’re all better than me.

  • kibiz0r@midwest.socialEnglish
    59·
    8 days ago

    One time, I didn’t realize I had allowed all users to log in via ssh, and I had a user “steam” whose password was just “steam”.

    “Hey, why is this Valheim server running like shit?”

    “Wtf is xrx?”

    “Oh, it looks like it’s mining crypto. Cool. Welp, gotta nuke this whole box now.”

    So anyway, now I use NixOS.

  • Hozerkiller@lemmy.caEnglish
    36·
    8 days ago

    I’ve gotta say this post made me appreciate switching to lemmy. This post is actually helpful for the poor sap that didn’t know better, instead of pure salt like another site I won’t mention.

    • Tablaste@linux.communityOPEnglish
      28·
      8 days ago

      I shared it because, out there, there is a junior engineer experiencing severe imposter syndrome. And here I am, someone who has successfully delivered applications with millions of users and advanced to leadership roles within the tech industry, who overlook basic security principles.

      We all make mistakes!

    • Tablaste@linux.communityOPEnglish
      52·
      8 days ago

      I published it to the internet and the next day, I couldn’t ssh into the server anymore with my user account and something was off.

      Tried root + password, also failed.

      Immediately facepalmed because the password was the generic 8 characters and there was no fail2ban to stop guessing.

      • lud@lemm.ee
        67·
        8 days ago

        Don’t use passwords for ssh. Use keys and disable password authentication.

        • Voroxpete@sh.itjust.works
          412·
          8 days ago

          More importantly, don’t open up SSH to public access. Use a VPN connection to the server. This is really easy to do with Netbird, Tailscale, etc. You should only ever be able to connect to SSH privately, never over the public net.

          • troed@fedia.io
            221·
            8 days ago

            It’s perfectly safe to run SSH on port 22 towards the open Internet with public key authentication only.

                • DefederateLemmyMl@feddit.nl
                  4·
                  8 days ago

                  A VPN like Wireguard can run over UDP on a random port which is nearly impossible to discover for an attacker. Unlike sshd, it won’t even show up in a portscan.

                  This was a specific design goal of Wireguard by the way (see “5.1 Silence is a virtue” here https://www.wireguard.com/papers/wireguard.pdf)

                  It also acts as a catch-all for all your services, so instead of worrying about the security of all the different sshds or other services you may have exposed, you just have to keep your vpn up to date.

                • designatedhacker@lemm.ee
                  2·
                  8 days ago

                  Are you talking a VPN running on the same box as the service? UDP VPN would help as another mentioned, but doesn’t really add isolation.

                  If your vpn box is standalone, then getting root is bad but just step one. They have to own the VPN to be able to even do more recon then try SSH.

                  Defense in depth. They didn’t immediately get server root and application access in one step. Now they have to connect to a patched, cert only, etc SSH server. Just looking for it could trip into some honeypot. They had to find the VPN host as well which wasn’t the same as the box they were targeting. That would shut down 99% of the automated/script kiddie shit finding the main service then scanning that IP.

                  You can’t argue that one step to own the system is more secure than two separate pieces of updated software on separate boxes.

          • josefo@leminal.space
            4·
            8 days ago

            Tailscale? Netbird? I have been using hamachi like a fucking neanderthal. I love this posts, I learn so much

      • stoy@lemmy.zip
        5·
        8 days ago

        I ran a standard raspian ssh server on my home network for several years, default user was removed and my own user was in it’s place, root was configured as standard on a raspbian, my account had a complex but fairly short password, no specific keys set.

        I saw constant attacks but to my knowledge, it was never breached.

        I removed it when I realized that my ISP might take a dim view of running a server on their home client net that they didn’t know about, especially since it showed up on Shodan…

        Don’t do what I did, secure your systems properly!

        But it was kinda cool to be able to SSH from Thailand back home to Sweden and browse my NAS, it was super slow, but damn cool…

        • troed@fedia.io
          3·
          8 days ago

          Why would a Swedish ISP care? I’ve run servers from home since I first connected up in … 1996. I’ve had a lot of different ISPs during that time, although nowadays I always choose Bahnhof because of them fighting the good fights.

          • stoy@lemmy.zip
            3·
            8 days ago

            They probably don’t, unless I got compromised and bad traffic came from their network, but I was paranoid, and wanted to avoid the possibility.

        • MonkeMischief@lemmy.today
          1·
          8 days ago

          But it was kinda cool to be able to SSH from Thailand back home to Sweden and browse my NAS, it was super slow, but damn cool…

          That feels like sorcery, doesn’t it? You can still do this WAY safer by using Wireguard or something a little easier like Tailscale. I use Tailscale myself to VPN to my NAS.

          I get a kick out of showing people my NextCloud Memories albums or Jellyfin videos from my phone and saying “This is talking to the box in my house right now! Isn’t that cool!?” Hahaha.

          I’m almost glad I had to go that route. Most of our ISPs here in the U.S will block outgoing ports by default, so they can keep the network safe sell you a home business plan lol.

      • JustEnoughDucks@feddit.nl
        5·
        8 days ago

        Lol ssh has no reason to be port exposed in 99% of home server setups.

        VPNs are extremely easy, free, and wireguard is very performant with openvpn also fine for ssh. I have yet to see any usecase for simply port forwarding ssh in a home setup. Even a public git server can be tunneled through https.

        • MonkeMischief@lemmy.today
          1·
          8 days ago

          Yeah I’m honest with myself that I’m a security newb and don’t know how to even know what I’m vulnerable to yet. So I didn’t bother opening anything at all on my router. That sounded way too scary.

          Tailscale really is magic. I just use Cloudflare to forward a domain I own, and I can get to my services, my NextCloud, everything, from anywhere, and I’m reasonably confident I’m not exposing any doors to the innumerable botnet swarms.

          It might be a tiny bit inconvenient if I wanted to serve anything to anyone not in my Tailnet or already on my home LAN (like sending al someone a link to a NextCloud folder for instance.), but at this point, that’s quite the edge case.

          I learned to set up NGINX proxy manager for a reverse proxy though, and that’s pretty great! I still harden stuff where I can as I learn, even though I’m confident nobody’s even seeing it.

          • JustEnoughDucks@feddit.nl
            2·
            8 days ago

            Honestly, crowdsec with the nginx bouncer is all you need security-wise to start experimenting. It isn’t perfect security, but it is way more comprehensive than fail2ban for just getting started and figuring more out later.

            Here is my traefik-based crowdsec docker composer:

            services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    environment:
      GID: $PGID
    volumes:
      - $USERDIR/dockerconfig/crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
      - $USERDIR/data/Volumes/crowdsec:/var/lib/crowdsec/data/
      - $USERDIR/dockerconfig/crowdsec:/etc/crowdsec/
      - $DOCKERDIR/traefik2/traefik.log:/var/log/traefik/traefik.log:ro
    networks:
      - web
    restart: unless-stopped

  bouncer-traefik:
    image: docker.io/fbonalair/traefik-crowdsec-bouncer:latest
    container_name: bouncer-traefik
    environment:
      CROWDSEC_BOUNCER_API_KEY: $CROWDSEC_API
      CROWDSEC_AGENT_HOST: crowdsec:8080
    networks:
      - web # same network as traefik + crowdsec
    depends_on:
      - crowdsec
    restart: unless-stopped

networks:
  web:
    external: true

            https://github.com/imthenachoman/How-To-Secure-A-Linux-Server this is a more in-depth crash course for system-level security but hasn’t been updated in a while.

    • DefederateLemmyMl@feddit.nl
      3·
      8 days ago

      Do not allow username/password login for ssh

      This is disabled by default for the root user.

      $ man sshd_config

...
       PermitRootLogin
               Specifies whether root  can  log  in  using  ssh(1).   The  argument  must  be  yes,  prohibit-password,
               forced-commands-only, or no.  The default is prohibit-password.
...
  • communism@lemmy.ml
    28·
    8 days ago

    How are people’s servers getting compromised? I’m no security expert (I’ve never worked in tech at all) and have a public VPS, never been compromised. Mainly just use SSH keys not passwords, I don’t do anything too crazy. Like if you have open SSH on port 22 with root login enabled and your root password is password123 then maybe but I’m surprised I’ve never been pwned if it’s so easy to get got…

    • cmnybo@discuss.tchncs.deEnglish
      19·
      8 days ago

      By allowing password login and using weak passwords or by reusing passwords that have been involved in a data breach somewhere.

      • communism@lemmy.ml
        6·
        8 days ago

        That makes sense. It feels a bit mad that the difference between getting pwned super easy vs not is something simple like that. But also reassuring to know, cause I was wondering how I heard about so many hobbyist home labs etc getting compromised when it’d be pretty hard to obtain a reasonably secured private key (ie not uploaded onto the cloud or anything, not stored on an unencrypted drive that other people can easily access, etc). But if it’s just password logins that makes more sense.

  • DaCrazyJamez@sh.itjust.works
    23·
    8 days ago

    As a linux n00b who just recently took the plunge and set up a public site (tho really just for my own / selfhosting),

    Can anyone recommend a good guide or starting place for how to harden the setup? Im running mint on my former gaming rig, site is set up LAMP

  • Fair Fairy@thelemmy.club
    22·
    8 days ago

    I’m confused. I never disable root user and never got hacked.

    Is the issue that the app is coded in a shitty way maybe ?

    • Xanza@lemm.eeEnglish
      19·
      7 days ago

      You can’t really disable the root user. You can make it so they can’t login remotely, which is highly suggested.

        • Xanza@lemm.eeEnglish
          8·
          7 days ago

          There’s no real advantage to disable the root user, and I really don’t recommend it. You can disable SSH root login, and as long as you ensure root has a secure password that’s different than your own account your system is just as safe with the added advantage of having the root account incase something happens.

          • Possibly linux@lemmy.zipEnglish
            22·
            7 days ago

            That wouldn’t be defense in depth. You want to limit anything that’s not necessary as it can become a source of attack. There is no reason root should be enabled.

            • Faresh@lemmy.mlEnglish
              5·
              7 days ago

              I don’t understand. You will still need to do administrative tasks once in a while so it isn’t really unnecessary, and if root can’t be logged in, that will mean you will have to use sudo instead, which could be an attack vector just as su.

            • Xanza@lemm.eeEnglish
              21·
              7 days ago

              Why do like, houses have doors man. You gotta eliminate all points of egress for security, maaaan. /s

              There’s no particular reason to disable root, and with a hardened system, it’s not even a problem you need to worry about…

  • phx@lemmy.ca
    16·
    8 days ago

    Had this years ago except it was a dumbass contractor where I worked who left a Windows server with FTP services exposed to the Internet and IIRC anonymous FTP enabled, on a Friday.

    When I came in on Monday it had become a repository for warez, malware, and questionable porn. We wiped out rather than trying to recover anything.

  • DavidGA@lemmy.world
    13·
    8 days ago

    Although disabling the root user is a good part of security, leaving it enabled should not alone cause you to get compromised. If it did, you were either running a very old version of OpenSSH with a known flaw, or, your chosen root password was very simple.

      • DavidGA@lemmy.world
        10·
        8 days ago

        It should be a serious red flag that your VPS host is generating root passwords simple enough to get quickly hacked.

        • Tablaste@linux.communityOPEnglish
          3·
          8 days ago

          I’m pretty sure they assumed if you bought their service, you have the competency to properly set it up.

          And I proved them wrong.

  • nonentity@sh.itjust.works
    12·
    8 days ago

    Permitting inbound SSH attempts, but disallowing actual logins, is an effective strategy to identify compromised hosts in real-time.

    The origin address of any login attempt is betraying it shouldn’t be trusted, and be fed into tarpits and block lists.

  • gerryflap@feddit.nl
    11·
    7 days ago

    I’ve been quite stupid with this but never really had issues. Ever since I changed the open ssh port from 22 to something else, my server is basically ignored by botnets. These days I obviously also have some other tricks like fail2ban, but it was funny how effective that was.

    • surph_ninja@lemmy.world
      31·
      6 days ago

      We’re not really supposed to expose the ssh port to the internet at all. Better to hide it behind a vpn.

      But it’s too damn convenient for so many use cases. Fuck it. Fail2Ban works fine.

      You can also set up an ssh tarpit on port 22, which will tie up the bot’s resources and get them stuck in a loop for a while. But I didn’t think it was worth attracting extra attention from the bot admins to satisfy my pettiness.

    • kureta@lemmy.ml
      8·
      7 days ago

      Almost the same here. I also change some ssh settings: disable root login, disable password, allow only public key login. That’s about it. I never had any problems.