Background: 15 years of experience in software and apparently spoiled because it was already set up correctly.

Been practicing doing my own servers, published a test site and 24 hours later, root was compromised.

Rolled back to the backup before I made it public and now I have a security checklist.

  • satans_methpipe@lemmy.world
    7·
    11 hours ago

    On a new linux install or image I will always:

    • Make new users(s)
    • Setup new user to sudo
    • Change ssh port
    • Change new user to authenticate ssh via key+password
    • Disable root ssh login
    • njordomir@lemmy.world
      2·
      5 hours ago

      That’s more or less the advice I’ve gotten as well. I’ve also read good things about fail2ban which tries to ban sources of repeated authentication failures to prevent brute force password attempts. I’ve used it, but the only person who has managed to get banned is myself! I did get back in after the delay, but I’m happy to know it works.

    • stebator@lemmy.world
      1·
      5 hours ago
      • Setup new user to sudo

      I hope it is not a passwordless sudo, it is basically the same as root.

  • frezik@midwest.social
    10·
    17 hours ago

    I’m having the opposite problem right now. Tightend a VM down so hard that now I can’t get into it.

  • gerryflap@feddit.nl
    8·
    20 hours ago

    I’ve been quite stupid with this but never really had issues. Ever since I changed the open ssh port from 22 to something else, my server is basically ignored by botnets. These days I obviously also have some other tricks like fail2ban, but it was funny how effective that was.

    • kureta@lemmy.ml
      5·
      18 hours ago

      Almost the same here. I also change some ssh settings: disable root login, disable password, allow only public key login. That’s about it. I never had any problems.

  • potentiallynotfelix@lemmy.fish
    8·
    21 hours ago

    Weird. My last setup had a NAT with a few VMs hosting a few different services. For example, Jellyfin, a web server, and novnc/vm. That turned out perfectly fine and it was exposed to the web. You must have had a vulnerable version of whatever web host you were using, or maybe if you had SSH open without rate limits.

  • Fair Fairy@thelemmy.club
    27·
    1 day ago

    I’m confused. I never disable root user and never got hacked.

    Is the issue that the app is coded in a shitty way maybe ?

    • Xanza@lemm.eeEnglish
      21·
      1 day ago

      You can’t really disable the root user. You can make it so they can’t login remotely, which is highly suggested.

        • Xanza@lemm.eeEnglish
          7·
          22 hours ago

          There’s no real advantage to disable the root user, and I really don’t recommend it. You can disable SSH root login, and as long as you ensure root has a secure password that’s different than your own account your system is just as safe with the added advantage of having the root account incase something happens.

          • Possibly linux@lemmy.zipEnglish
            2·
            21 hours ago

            That wouldn’t be defense in depth. You want to limit anything that’s not necessary as it can become a source of attack. There is no reason root should be enabled.

            • Faresh@lemmy.mlEnglish
              5·
              19 hours ago

              I don’t understand. You will still need to do administrative tasks once in a while so it isn’t really unnecessary, and if root can’t be logged in, that will mean you will have to use sudo instead, which could be an attack vector just as su.

            • Xanza@lemm.eeEnglish
              4·
              20 hours ago

              Why do like, houses have doors man. You gotta eliminate all points of egress for security, maaaan. /s

              There’s no particular reason to disable root, and with a hardened system, it’s not even a problem you need to worry about…

      • MehBlah@lemmy.worldEnglish
        1·
        1 day ago

        Another thing you can do under certain circumstances which I’m sure someone on here will point out is depreciated is use TCP Wrappers. If you are only connecting to ssh from known IP addresses or IP address ranges then you can effectively block the rest of the world from accessing you. I used a combination of ipset list, fail2ban and tcp wrappers along with my firewall which like is also something old called iptables-persistent. I’ve also moved my ssh port up high and created several other fake ports that keep anyone port scanning my IP guessing.

        These days I have all ports closed except for my wireguard port and access all of my hosted services through it.

    • cley_faye@lemmy.world
      3·
      1 day ago

      You can’t really disable it anyway.

      Hardening is mostly prevent root login from outside in case every other layer of authentication and access control broke, do not allow regular user to su/sudo into it for free, and have a tight grip on anything that’s executable and have a setuid bit set. I did not install a system from scratch in a long time but I believe this would be the default on most things that are not geared toward end-user devices, too.

  • recklessengagement@lemmy.world
    24·
    1 day ago

    This sounds like something everyone should go through at least once, to underscore the importance of hardening that can be easily taken for granted

  • ohshit604@sh.itjust.worksEnglish
    23·
    1 day ago

    I can’t even figure out how to expose my services to the internet, honestly it’s probably for the best Wireguard gets the job done in the end.

    • Valmond@lemmy.world
      3·
      1 day ago

      I’m interested, how do you expose your services (on your PC I assume) to the internet through wireguard? Is it theough some VPN?

      • BCsven@lemmy.ca
        1·
        17 hours ago

        Just a note, while wireguard makes its own VPN tunnel, it differs slightly in that it isn’t the typical VPN server with vpn connecting clients, it is more akin to a peer network. Each peer device gets it’s own “server” and “client” config section in the setup file. And you share the public keys between each peer before hand, and set the IPs to use.

      • Zanathos@lemmy.world
        7·
        1 day ago

        Wireguard IS a VPN. He has somehow through his challenges of exposing services to the internet, exposed wireguard from his home to the internet for him to connect to. Then he can connect to his internal services from there.

        It’s honestly the best option and how I operate as well. I only have a handful of items exposed and even those flow through a DMZ proxy before hitting their destination servers.

      • ohshit604@sh.itjust.worksEnglish
        3·
        1 day ago

        VPN’s are neat, besides the fact they’re capable of masking your IP & DNS they’re also capable of providing resources to devices outside a network.

        A good example is the server at my work is only accessible on my works network, to access the server remotely without exposing it directly to the internet would be to use a VPN tunnel.

  • Hozerkiller@lemmy.caEnglish
    41·
    2 days ago

    I’ve gotta say this post made me appreciate switching to lemmy. This post is actually helpful for the poor sap that didn’t know better, instead of pure salt like another site I won’t mention.

    • Tablaste@linux.communityOPEnglish
      28·
      2 days ago

      I shared it because, out there, there is a junior engineer experiencing severe imposter syndrome. And here I am, someone who has successfully delivered applications with millions of users and advanced to leadership roles within the tech industry, who overlook basic security principles.

      We all make mistakes!

      • LordCrom@lemmy.world
        14·
        2 days ago

        There’s a 40 year I.T. veteran here that still suffers imposter syndrome. It’s a real thing I’ve never been able to shake off

        • pulsewidth@lemmy.world
          7·
          1 day ago

          Just look at who is in the White House, mate - and not just the president, but basically you can pick anyone he’s hand-picked for his staff.

          Surely that’s an instant cure for any qualified person feeling imposter syndrome in their job.

  • DaCrazyJamez@sh.itjust.works
    31·
    2 days ago

    As a linux n00b who just recently took the plunge and set up a public site (tho really just for my own / selfhosting),

    Can anyone recommend a good guide or starting place for how to harden the setup? Im running mint on my former gaming rig, site is set up LAMP

  • Punkie@lemmy.world
    167·
    2 days ago

    Basic setup for me is scripted on a new system. In regards to ssh, I make sure:

    • Root account is disabled, sudo only
    • ssh only by keys
    • sshd blocks all users but a few, via AllowUsers
    • All ‘default usernames’ are removed, like ec2-user or ubuntu for AWS ec2 systems
    • The default ssh port moved if ssh has to be exposed to the Internet. No, this doesn’t make it “more secure” but damn, it reduces the script denials in my system logs, fight me.
    • Services are only allowed connections by an allow list of IPs or subnets. Internal, when possible.

    My systems are not “unhackable” but not low-hanging fruit, either. I assume everything I have out there can be hacked by someone SUPER determined, and have a vector of protection to mitigate backwash in case they gain full access.

  • nonentity@sh.itjust.works
    21·
    1 day ago

    Permitting inbound SSH attempts, but disallowing actual logins, is an effective strategy to identify compromised hosts in real-time.

    The origin address of any login attempt is betraying it shouldn’t be trusted, and be fed into tarpits and block lists.

    • DefederateLemmyMl@feddit.nl
      3·
      1 day ago

      Do not allow username/password login for ssh

      This is disabled by default for the root user.

      $ man sshd_config

...
       PermitRootLogin
               Specifies whether root  can  log  in  using  ssh(1).   The  argument  must  be  yes,  prohibit-password,
               forced-commands-only, or no.  The default is prohibit-password.
...
    • LordCrom@lemmy.world
      10·
      2 days ago

      If it’s public facing, how about dont turn on ssh to the public, open it to select ips or ranges. Use a non standard port, use a cert or even a radius with TOTP like privacyIdea. How about a port knocker to open the non standard port as well. Autoban to lock out source ips.

      That’s just off the top of my head.

      There’s a lot you can do to harden a host.

      • Faresh@lemmy.mlEnglish
        1·
        19 hours ago

        dont turn on ssh to the public, open it to select ips or ranges

        What if you don’t have a static IP, do you ask your ISP in what range their public addresses fall?

  • kibiz0r@midwest.socialEnglish
    74·
    2 days ago

    One time, I didn’t realize I had allowed all users to log in via ssh, and I had a user “steam” whose password was just “steam”.

    “Hey, why is this Valheim server running like shit?”

    “Wtf is xrx?”

    “Oh, it looks like it’s mining crypto. Cool. Welp, gotta nuke this whole box now.”

    So anyway, now I use NixOS.

    • pageflight@lemmy.worldEnglish
      15·
      2 days ago

      Good point about a default deny approach to users and ssh, so random services don’t add insecure logins.