On 03/03/2021 08.05, Per Jessen wrote:
> Lew Wolfgang wrote:
>> On 3/2/21 4:03 PM, Carlos E.R. wrote:
>>> Thus, no vulnerability in the system, no compromised update. The root account was not compromised.
>> Fortunately! I wonder if they tried to get root?
>>> Mitigations for the future:
>>> - Don't open ssh port 22, use a high port on a strange number (not 50000, for instance).
>> Changing ports might help a bit, but dedicated hackers can discover moved ports easily.
> Absolutely. It is only a matter of time.

They have not found mine... :-)

>> If ssh is to be open publicly, setting up public key authentication is the way to go.
>> Setting up something like fail2ban would also be a good thing.
> Possibly - for 14-15 years, our firewall has automatically blocked new external accesses after a certain rate per minute, for ssh, sip and ftp traffic. That has worked well, but hackers have become very patient - brute force attacks were yesterday. Today it is slow, thorough, distributed - maybe 50 machines slowly trying out passwords, once a minute, one machine after the other. Such slow, patient attacks usually don't trigger any traps or fail2ban.

Well, security is not really about doing only one thing, we have to do several. One thing alone doesn't stop them. Use everything you can: change the port, set up public keys, dynamic firewalling, etc. Some of the measures will not stop a determined attack, but they do stop a script kiddie.

-- 
Cheers / Saludos,
Carlos E. R.
(from 15.2 x86_64 at Telcontar)