I didn't know you were supposed to disable root user...

I'm having the opposite problem right now. Tightend a VM down so hard that now I can't get into it.

At least you had a backup

I've been quite stupid with this but never really had issues. Ever since I changed the open ssh port from 22 to something else, my server is basically ignored by botnets. These days I obviously also have some other tricks like fail2ban, but it was funny how effective that was.

Weird. My last setup had a NAT with a few VMs hosting a few different services. For example, Jellyfin, a web server, and novnc/vm. That turned out perfectly fine and it was exposed to the web. You must have had a vulnerable version of whatever web host you were using, or maybe if you had SSH open without rate limits.

I'm confused. I never disable root user and never got hacked.

Is the issue that the app is coded in a shitty way maybe ?

sudo sudoku

This sounds like something everyone should go through at least once, to underscore the importance of hardening that can be easily taken for granted

I can’t even figure out how to expose my services to the internet, honestly it’s probably for the best Wireguard gets the job done in the end.

Permitting inbound SSH attempts, but disallowing actual logins, is an effective strategy to identify compromised hosts in real-time.

The origin address of any login attempt is betraying it shouldn’t be trusted, and be fed into tarpits and block lists.

Yeah, about this; any ssh server that can be run as user and doesn't do shenanigans like switching user?

As a linux n00b who just recently took the plunge and set up a public site (tho really just for my own / selfhosting),

Can anyone recommend a good guide or starting place for how to harden the setup? Im running mint on my former gaming rig, site is set up LAMP

I've gotta say this post made me appreciate switching to lemmy. This post is actually helpful for the poor sap that didn't know better, instead of pure salt like another site I won't mention.

Basic setup for me is scripted on a new system. In regards to ssh, I make sure:

• Root account is disabled, sudo only
• ssh only by keys
• sshd blocks all users but a few, via AllowUsers
• All 'default usernames' are removed, like ec2-user or ubuntu for AWS ec2 systems
• The default ssh port moved if ssh has to be exposed to the Internet. No, this doesn't make it "more secure" but damn, it reduces the script denials in my system logs, fight me.
• Services are only allowed connections by an allow list of IPs or subnets. Internal, when possible.

My systems are not "unhackable" but not low-hanging fruit, either. I assume everything I have out there can be hacked by someone SUPER determined, and have a vector of protection to mitigate backwash in case they gain full access.

Had this years ago except it was a dumbass contractor where I worked who left a Windows server with FTP services exposed to the Internet and IIRC anonymous FTP enabled, on a Friday.

When I came in on Monday it had become a repository for warez, malware, and questionable porn. We wiped out rather than trying to recover anything.

Do not allow username/password login for ssh. Force certificate authentication only!

How are people's servers getting compromised? I'm no security expert (I've never worked in tech at all) and have a public VPS, never been compromised. Mainly just use SSH keys not passwords, I don't do anything too crazy. Like if you have open SSH on port 22 with root login enabled and your root password is password123 then maybe but I'm surprised I've never been pwned if it's so easy to get got...

One time, I didn’t realize I had allowed all users to log in via ssh, and I had a user “steam” whose password was just “steam”.

“Hey, why is this Valheim server running like shit?”

“Wtf is xrx?”

“Oh, it looks like it’s mining crypto. Cool. Welp, gotta nuke this whole box now.”

So anyway, now I use NixOS.

Lol you can actually demo a github compromise in real time to an audience.

Make a repo with an API key, publish it, and literally just watch as it takes only a few minutes before a script logs in.

Interesting. Do you know how it got compromised?

You should turn off ssh password logins on external facing servers at a minimum. Only use ssh keys, install fail2ban, disable ssh root logins, and make sure you have a firewall limiting ports to ssh and https.

This will catch most scripted login attempts.

If you want something more advanced, look into https://en.m.wikipedia.org/wiki/Security_Technical_Implementation_Guide and try to find an ansible playbook to apply them.

I like to spin up a public facing server and run tcpdump

And this is why every time a developer asks me for shell access to any of the deployment servers, I flat out deny the request.

Good on you for learning from your mistakes, but a perfect example for why I only let sysadmins into the systems.

i use su -

Use gnome powder to shrink, go behind the counter, kick his ass and get your money back.

I’ve always felt that if you’re exposing an SSH or any kind of management port to the internet, you can avoid a lot of issues with a VPN. I’ve always setup a VPN. It prevents having to open up very much at all and then you can open configured web portal ports and the occasional front end protocol where needed.

Although disabling the root user is a good part of security, leaving it enabled should not alone cause you to get compromised. If it did, you were either running a very old version of OpenSSH with a known flaw, or, your chosen root password was very simple.

I do worry about putting up public servers that other people might rely on because there's something I might not realize making it vulnerable.

So far I have pubkey root login only on the VPSs I'm messing around with, but my ol' reliable private key from 6 years ago might be beginning to fall behind on encryption standards.

This is like browsing /c/selfhosted as everyone portforwards every experimental piece of garbage across their router...

Good on you learning new skills.

This is why other sysadmins and cybetsecurity exist. Be nice to them.