linuxmemes @lemmy.world Tablaste @linux.community 5mo ago

I didn't know you were supposed to disable root user...

Background: 15 years of experience in software and apparently spoiled because it was already set up correctly.

Been practicing doing my own servers, published a test site and 24 hours later, root was compromised.

Rolled back to the backup before I made it public and now I have a security checklist.

150

You're viewing a single thread.

150 comments

Interesting. Do you know how it got compromised?
- I published it to the internet and the next day, I couldn't ssh into the server anymore with my user account and something was off.
  
  Tried root + password, also failed.
  
  Immediately facepalmed because the password was the generic 8 characters and there was no fail2ban to stop guessing.
  
  wow crazy that this was the default setup. It should really force you to either disable root or set a proper password (or warn you)
  
  Most distributions disable root by default
  
  Which ones? I'm asking because that isn't true for cent, rocky, arch.
  
  Mostly Ubuntu. And... I think it's just Ubuntu.
  
  Fedora (immutable at least) has it disabled by default I think, but it's just one checkbox away in one of the setup menus.
  
  Standard Fedora does as well
  
  Ah fair enough, I know that's the basis of a ton of distros. I lean towards RHEL so I'm not super fluent there.
  
  we're probably talking about different things. virtually no distribution comes with root access with a password. you have to explicitly give the root user a password. without a password no amount of brute force sshing root will work. I'm not saying the root user is entirely disabled. so either the service OP is building on is basically a goldmine for compromised machines or OP literally shot themselves in the root by giving root a password manually. something you should never do.
  
  Yeah I was confused about the comment chain. I was thinking terminal login vs ssh. You're right in my experience...root ssh requires user intervention for RHEL and friends and arch and debian.
  
  Side note: did you mean to say "shot themselves in the root"? I love it either way.
  
  Side note: did you mean to say “shot themselves in the root”? I love it either way.
  
  ssh its better with the typo. ;)
  
  Many cloud providers (the cheap ones in particular) will put patches on top of the base distro, so sometimes root always gets a password. Even for Ubuntu.
  
  There are ways around this, like proper cloud-init support, but not exactly beginner friendly.
  
  #no thank you lol
  
  Rocky asks during setup, I assume centOS too
  
  Love Hetzner. You just give them your public key and they boot you into a rescue system from which you can install what you want how you want.
  
  I think their auction servers are a hidden gem. I mean the prices used to be better. Now they have some kind of systrem that resets them when they get too low. But the prices are still pretty good I think. But a year or two ago I got a pretty good deal on two decently spec'd servers.
  
  People are scared off by the fact you just get their rescue prompt on auctions boxes... Except their rescue prompt has a guided imaging setup tool to install pretty much every popular distro with configurable raid options etc.
  
  Yeah, I basically jump from auction system to auction system every other year or so and either get a cheaper or more powerful server or both.
  
  I monitor for good deals. Because there's no contract it's easy to add one, move stuff over at your leisure and kill the old one off. It's the better way to do it for semi serious stuff.
  
  Now that you mentioned it, it didn't! I recall even docker Linux setups would yell at me.
  
  because the password was the generic 8 characters and there was no fail2ban to stop guessing
  
  Oof yea that'll do it, your usually fine as long as you hardened enough to at least ward off the script kiddies. The people with actual real skill tend to go after...juicer targets lmao
  
  Haha I'm pretty sure my little server was just part of the "let's test our dumb script to see if it works. Oh wow it did what a moron!"
  
  Lessons learned.
  
  Ah, timeless classic.
  
  Which distro allows root to login via SSH?
  
  All of them if you configure it?
  
  Lol ssh has no reason to be port exposed in 99% of home server setups.
  
  VPNs are extremely easy, free, and wireguard is very performant with openvpn also fine for ssh. I have yet to see any usecase for simply port forwarding ssh in a home setup. Even a public git server can be tunneled through https.
  
  Any idea what ip addresses were used to compromise it?

150 comments