Lew Wolfgang wrote:
On 3/2/21 4:03 PM, Carlos E.R. wrote:
Thus, no vulnerability in the system, no compromised update. The root account was not compromised.
Fortunately! I wonder if they tried to get root?
Mitigations for the future:
- Don't open ssh port 22, use a high port on a strange number (not 50000, for instance).
Changing ports might help a bit, but dedicated hackers can discover moved ports easily.
Absolutely. It is only a matter of time. If ssh is to be open publicly, setting up public key authentication is the way to go.
Setting up something like fail2ban would also be a good thing.
Possibly - for 14-15 years, our firewall has automatically blocked new external accesses after a certain rate per minute, both for ssh, sip, and ftp traffic. That has worked well, but hackers have become very patient - brute force attacks were yesterday. Today it is slow, thorough, distributed - maybe 50 machines slowly trying out passwords, once a minute, one machine after the other. Such slow, patient attacks usually don't trigger any traps or fail2ban.
--
Per Jessen, Zürich (5.8°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
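Added example, not from the thread or from fail2ban itself: a small Python check over constructed sshd log lines showing why a per-source threshold (the fail2ban default shape, maxretry within findtime) never fires on the slow, distributed pattern Per describes, while a per-account rule that counts distinct sources over a longer window does. The thresholds, the sample log and the year used for parsing are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd "Failed password" line as syslog writes it (no year in the timestamp).
LINE_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")

# Constructed sample: 12 different hosts, each trying root once, one minute apart.
SAMPLE_LOG = "\n".join(f"Mar  2 16:{m:02d}:07 host sshd[{1000 + m}]: Failed password for root "
                       f"from 198.51.100.{10 + m} port {40000 + m} ssh2" for m in range(12))

def parse_failures(text, year=2021):
    events = []  # (timestamp, target user, source ip); year is assumed, syslog omits it
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events

def per_ip_bans(events, maxretry=5, findtime_s=600):
    """fail2ban-style rule: ban a source that fails maxretry times within findtime seconds."""
    by_ip = defaultdict(list)
    for ts, _, ip in events:
        by_ip[ip].append(ts)
    banned = set()
    for ip, times in by_ip.items():
        times.sort()
        if any((times[i + maxretry - 1] - times[i]).total_seconds() <= findtime_s
               for i in range(len(times) - maxretry + 1)):
            banned.add(ip)
    return banned

def distributed_alerts(events, min_failures=10, min_sources=5, window_s=3600):
    """Per-account rule: many failures from many distinct sources inside one long window."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    alerts = {}  # user -> (failures, distinct sources) for the first window that trips the rule
    for user, items in by_user.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            win = [(t, ip) for t, ip in items[i:] if (t - start).total_seconds() <= window_s]
            srcs = {ip for _, ip in win}
            if len(win) >= min_failures and len(srcs) >= min_sources:
                alerts[user] = (len(win), len(srcs))
                break
    return alerts
```

On the sample, `per_ip_bans` returns nothing because no single source ever reaches five failures, while `distributed_alerts` reports root as targeted by 12 failures from 12 sources within the hour.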