linuxxx
7y

Funny story about the first time two of my servers got hacked. The fun part is how I noticed it.
So I purchased two new VPSs for proxy server purposes and thought, 'I can set up fail2ban tomorrow, I'll be fine.'

The next day I wanted to install Nginx, so I ran the command and it said that port 80 was already in use!

I was sitting there thinking, no, that's not possible, I haven't installed any server software yet. So I thought 'this can't be possible', but I ran 'pidof apache2' just to confirm. It actually returned a PID! It was a bare-bones Debian install, so I was sure it had not been installed yet by ME. I checked the auth logs and noticed that an IP address had done a huge brute-force attack and managed to gain root access. I simply reinstalled Debian and put fail2ban on it RIGHT AWAY.

I checked about two seconds later whether anyone had tried to log in again (with iptables -L; keep in mind that fail2ban's default config needs six failed attempts within, I think, five minutes to ban an IP) and I already saw that around 8-10 addresses were banned.

I was pretty shaken up, but damn, I learned my lesson!
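As an added example (not part of the original post and not fail2ban's own code), the script below replays constructed sshd auth.log lines with the same rule a fail2ban sshd jail applies, using fail2ban's stock jail.conf defaults (findtime = 10m, maxretry = 5), and additionally flags the thing the author actually found in the auth log: a successful password login from an address that had already crossed the ban threshold. The host name, PIDs, year and addresses (RFC 5737 TEST-NET ranges) are made up for the illustration.

```python
"""Fail2ban-style SSH brute-force detection over sshd auth log lines.

Added example, not code from the original post or from fail2ban. It mirrors
the sshd jail's counting rule (stock jail.conf defaults: findtime = 10m,
maxretry = 5) and also flags the indicator of compromise the post describes:
a successful password login from an address that already hit the threshold.
All log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FINDTIME = timedelta(minutes=10)  # fail2ban default: window in which failures are counted
MAXRETRY = 5                      # fail2ban default: failures within FINDTIME before a ban

# Traditional syslog layout as rsyslog writes it to /var/log/auth.log, e.g.
# "Mar 12 03:12:01 vps1 sshd[1423]: Failed password for root from 203.0.113.7 port 41022 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: one brute-forcer that eventually gets in, one that gives up
# before reaching the threshold, one legitimate key-based login, and an unrelated
# cron line that the parser must ignore.
SAMPLE_LOG = [
    "Mar 12 02:58:40 vps1 sshd[1301]: Failed password for invalid user admin from 198.51.100.23 port 50211 ssh2",
    "Mar 12 02:58:47 vps1 sshd[1303]: Failed password for invalid user test from 198.51.100.23 port 50212 ssh2",
    "Mar 12 02:58:55 vps1 sshd[1305]: Failed password for root from 198.51.100.23 port 50213 ssh2",
    "Mar 12 03:00:01 vps1 CRON[1310]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Mar 12 03:12:01 vps1 sshd[1423]: Failed password for root from 203.0.113.7 port 41022 ssh2",
    "Mar 12 03:12:03 vps1 sshd[1425]: Failed password for root from 203.0.113.7 port 41023 ssh2",
    "Mar 12 03:12:05 vps1 sshd[1427]: Failed password for root from 203.0.113.7 port 41024 ssh2",
    "Mar 12 03:12:08 vps1 sshd[1429]: Failed password for root from 203.0.113.7 port 41025 ssh2",
    "Mar 12 03:12:10 vps1 sshd[1431]: Failed password for root from 203.0.113.7 port 41026 ssh2",
    "Mar 12 03:14:22 vps1 sshd[1440]: Accepted password for root from 203.0.113.7 port 41100 ssh2",
    "Mar 12 03:20:15 vps1 sshd[1502]: Failed password for root from 198.51.100.23 port 50390 ssh2",
    "Mar 12 03:25:00 vps1 sshd[1510]: Accepted publickey for deploy from 192.0.2.10 port 60000 ssh2",
]


def parse_line(line, year=2017):
    """Split one auth.log line into (timestamp, sshd message); None for non-sshd lines.

    Syslog omits the year, so the caller supplies it (2017 is a made-up value here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["msg"]


def analyze(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay the log the way a fail2ban sshd jail would count it.

    Returns (bans, compromises):
      bans        -- {ip: timestamp of the failure that would have triggered the ban}
      compromises -- [(timestamp, user, ip)] for successful *password* logins from an
                     IP that had already reached the ban threshold
    """
    recent_failures = defaultdict(deque)  # ip -> failure timestamps inside the window
    bans = {}
    compromises = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        failed = FAILED_RE.match(msg)
        if failed:
            ip = failed["ip"]
            window = recent_failures[ip]
            window.append(ts)
            # Evict failures older than findtime relative to this one (sliding window).
            while window and ts - window[0] > findtime:
                window.popleft()
            if len(window) >= maxretry and ip not in bans:
                bans[ip] = ts
            continue
        accepted = ACCEPTED_RE.match(msg)
        if accepted and accepted["method"] == "password" and accepted["ip"] in bans:
            compromises.append((ts, accepted["user"], accepted["ip"]))
    return bans, compromises


def report(lines):
    """Human-readable summary for the stand-alone run."""
    bans, compromises = analyze(lines)
    out = [f"would ban {ip} at {ts:%b %d %H:%M:%S}" for ip, ts in sorted(bans.items())]
    out += [f"SUCCESSFUL PASSWORD LOGIN AFTER BRUTE FORCE: {user}@{ip} at {ts:%b %d %H:%M:%S}"
            for ts, user, ip in compromises]
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Two things the replay makes visible that the raw log does not: the second address never gets banned, because its fourth failure falls outside the 10-minute window and the count restarts, and the key-based login is never flagged, because only a password acceptance from an already-banned address counts as the indicator. On a live host, `fail2ban-client status sshd` lists the addresses currently banned by the real jail, and a `grep 'Accepted password' /var/log/auth.log` is the quickest way to check whether anyone got through before the ban fired.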

Comments
  • 10
    This is why I'm glad for cloud-init and the widespread ability to provision VMs with key auth only by default. Probably still wise to set up fail2ban, but at least you can start secure from the get go.
  • 2
I can set it up later, no need for a configtest, enough iptables for the moment, the default hot words in the spam filter are OK, no need for any logs other than systemctl's...
  • 1
You should also allow SSH only from your IP. If you are using a control panel of some sort (AWS/cloud), you should have some security group settings where you can add your IP.
  • 3
    What did the installed page say?
  • 3
@sinisas True, but I log in from multiple IPs, including VPNs, so yeah :/
  • 3
I once saw an outgoing connection to an IP in China from my VPS; the PID using it was the sshd process. That was at about 2 am. I activated the provider firewall, restarted a few times, installed fail2ban, installed logwatch and disabled SSH root logins (yeah, ik, I was stupid back then). Now when somebody logs in to the server, a web request gets sent immediately, which sends a push notification to my phone. Secure now. I still get a few thousand failed logins per day. And no, this server isn't big or anything, it's just a private dev server...
  • 1
And here I was saying I'd set up a VPS just to get some practice working with them, and nobody's gonna bother my negligible corner of the World Wide Web.
  • 3
Changed to key-only authentication on my server and changed the SSH port... my logs have been silent since then... might add port knocking for extra security...