Background: 15 years of experience in software and apparently spoiled because it was already set up correctly.

Been practicing doing my own servers, published a test site and 24 hours later, root was compromised.

Rolled back to the backup before I made it public and now I have a security checklist.

  • @FedegenerateEnglish
    26 hours ago

    I don’t think I’m ever opening up anything to the internet. It’s scary out there.

    I don’t trust my competence, and if I did, I dont trust my attention to detail. That’s why I outsource my security: pihole+firebog for links, ISP for my firewall, and Tailscale for tunnels. I’m not claiming any of them are the best, but they’re all better than me.

  • @[email protected]
    1417 hours ago

    I’m having the opposite problem right now. Tightend a VM down so hard that now I can’t get into it.

  • @[email protected]
    1221 hours ago

    I’ve been quite stupid with this but never really had issues. Ever since I changed the open ssh port from 22 to something else, my server is basically ignored by botnets. These days I obviously also have some other tricks like fail2ban, but it was funny how effective that was.

    • @[email protected]
      426 minutes ago

      We’re not really supposed to expose the ssh port to the internet at all. Better to hide it behind a vpn.

      But it’s too damn convenient for so many use cases. Fuck it. Fail2Ban works fine.

      You can also set up an ssh tarpit on port 22, which will tie up the bot’s resources and get them stuck in a loop for a while. But I didn’t think it was worth attracting extra attention from the bot admins to satisfy my pettiness.

    • @[email protected]
      918 hours ago

      Almost the same here. I also change some ssh settings: disable root login, disable password, allow only public key login. That’s about it. I never had any problems.

  • @[email protected]
    922 hours ago

    Weird. My last setup had a NAT with a few VMs hosting a few different services. For example, Jellyfin, a web server, and novnc/vm. That turned out perfectly fine and it was exposed to the web. You must have had a vulnerable version of whatever web host you were using, or maybe if you had SSH open without rate limits.

  • Fair Fairy
    291 day ago

    I’m confused. I never disable root user and never got hacked.

    Is the issue that the app is coded in a shitty way maybe ?

    • @[email protected]English
      241 day ago

      You can’t really disable the root user. You can make it so they can’t login remotely, which is highly suggested.

        • @[email protected]English
          1123 hours ago

          There’s no real advantage to disable the root user, and I really don’t recommend it. You can disable SSH root login, and as long as you ensure root has a secure password that’s different than your own account your system is just as safe with the added advantage of having the root account incase something happens.

          • Possibly linuxEnglish
            222 hours ago

            That wouldn’t be defense in depth. You want to limit anything that’s not necessary as it can become a source of attack. There is no reason root should be enabled.

            • @[email protected]English
              620 hours ago

              I don’t understand. You will still need to do administrative tasks once in a while so it isn’t really unnecessary, and if root can’t be logged in, that will mean you will have to use sudo instead, which could be an attack vector just as su.

            • @[email protected]English
              421 hours ago

              Why do like, houses have doors man. You gotta eliminate all points of egress for security, maaaan. /s

              There’s no particular reason to disable root, and with a hardened system, it’s not even a problem you need to worry about…

      • @[email protected]English
        11 day ago

        Another thing you can do under certain circumstances which I’m sure someone on here will point out is depreciated is use TCP Wrappers. If you are only connecting to ssh from known IP addresses or IP address ranges then you can effectively block the rest of the world from accessing you. I used a combination of ipset list, fail2ban and tcp wrappers along with my firewall which like is also something old called iptables-persistent. I’ve also moved my ssh port up high and created several other fake ports that keep anyone port scanning my IP guessing.

        These days I have all ports closed except for my wireguard port and access all of my hosted services through it.

    • @[email protected]
      31 day ago

      You can’t really disable it anyway.

      Hardening is mostly prevent root login from outside in case every other layer of authentication and access control broke, do not allow regular user to su/sudo into it for free, and have a tight grip on anything that’s executable and have a setuid bit set. I did not install a system from scratch in a long time but I believe this would be the default on most things that are not geared toward end-user devices, too.

  • @[email protected]
    241 day ago

    This sounds like something everyone should go through at least once, to underscore the importance of hardening that can be easily taken for granted

  • @[email protected]English
    241 day ago

    I can’t even figure out how to expose my services to the internet, honestly it’s probably for the best Wireguard gets the job done in the end.

    • @[email protected]
      31 day ago

      I’m interested, how do you expose your services (on your PC I assume) to the internet through wireguard? Is it theough some VPN?

      • @[email protected]
        118 hours ago

        Just a note, while wireguard makes its own VPN tunnel, it differs slightly in that it isn’t the typical VPN server with vpn connecting clients, it is more akin to a peer network. Each peer device gets it’s own “server” and “client” config section in the setup file. And you share the public keys between each peer before hand, and set the IPs to use.

      • @[email protected]
        81 day ago

        Wireguard IS a VPN. He has somehow through his challenges of exposing services to the internet, exposed wireguard from his home to the internet for him to connect to. Then he can connect to his internal services from there.

        It’s honestly the best option and how I operate as well. I only have a handful of items exposed and even those flow through a DMZ proxy before hitting their destination servers.

      • @[email protected]English
        31 day ago

        VPN’s are neat, besides the fact they’re capable of masking your IP & DNS they’re also capable of providing resources to devices outside a network.

        A good example is the server at my work is only accessible on my works network, to access the server remotely without exposing it directly to the internet would be to use a VPN tunnel.

  • @[email protected]English
    452 days ago

    I’ve gotta say this post made me appreciate switching to lemmy. This post is actually helpful for the poor sap that didn’t know better, instead of pure salt like another site I won’t mention.

    • @[email protected]OPEnglish
      302 days ago

      I shared it because, out there, there is a junior engineer experiencing severe imposter syndrome. And here I am, someone who has successfully delivered applications with millions of users and advanced to leadership roles within the tech industry, who overlook basic security principles.

      We all make mistakes!

      • @[email protected]
        152 days ago

        There’s a 40 year I.T. veteran here that still suffers imposter syndrome. It’s a real thing I’ve never been able to shake off

        • @[email protected]
          91 day ago

          Just look at who is in the White House, mate - and not just the president, but basically you can pick anyone he’s hand-picked for his staff.

          Surely that’s an instant cure for any qualified person feeling imposter syndrome in their job.

  • Punkie
    1722 days ago

    Basic setup for me is scripted on a new system. In regards to ssh, I make sure:

    • Root account is disabled, sudo only
    • ssh only by keys
    • sshd blocks all users but a few, via AllowUsers
    • All ‘default usernames’ are removed, like ec2-user or ubuntu for AWS ec2 systems
    • The default ssh port moved if ssh has to be exposed to the Internet. No, this doesn’t make it “more secure” but damn, it reduces the script denials in my system logs, fight me.
    • Services are only allowed connections by an allow list of IPs or subnets. Internal, when possible.

    My systems are not “unhackable” but not low-hanging fruit, either. I assume everything I have out there can be hacked by someone SUPER determined, and have a vector of protection to mitigate backwash in case they gain full access.

    • @[email protected]
      712 days ago
      • The default ssh port moved if ssh has to be exposed to the Internet. No, this doesn’t make it “more secure” but damn, it reduces the script denials in my system logs, fight me.

      Gosh I get unreasonably frustrated when someone says yeah but that’s just security through obscurity. Like yeah, we all know what nmap is, a persistent threat will just look at all 65535 and figure out where ssh is listening… But if you change your threat model and talk about bots? Logs are much cleaner and moving ports gets rid of a lot of traffic. Obviously so does enabling keys only.

      Also does anyone still port knock these days?

        • @[email protected]
          72 days ago

          I didn’t see anything about port knocking there, it rather looks like it has the opposite focus - a quote from that page is “features that support widespread scanning of many machines are supported, while in-depth scanning of single machines aren’t.”

          • @[email protected]
            42 days ago

            Sure yeah it’s a discovery tool OOTB, but I’ve used it to perform specific packet sequences as well.

      • @[email protected]
        42 days ago

        Literally the only time I got somewhat hacked was when I left the default port of the service. Obscurity is reasonable, combined with other things like the ones mentioned here make you pretty much invulnerable to casuals. Somebody needs to target you to get anything.

      • Punkie
        32 days ago

        Also does anyone still port knock these days?

        If they did, would we know?

  • @[email protected]
    322 days ago

    As a linux n00b who just recently took the plunge and set up a public site (tho really just for my own / selfhosting),

    Can anyone recommend a good guide or starting place for how to harden the setup? Im running mint on my former gaming rig, site is set up LAMP

  • @[email protected]
    211 day ago

    Permitting inbound SSH attempts, but disallowing actual logins, is an effective strategy to identify compromised hosts in real-time.

    The origin address of any login attempt is betraying it shouldn’t be trusted, and be fed into tarpits and block lists.

    • DefederateLemmyMl
      31 day ago

      Do not allow username/password login for ssh

      This is disabled by default for the root user.

      $ man sshd_config

...
       PermitRootLogin
               Specifies whether root  can  log  in  using  ssh(1).   The  argument  must  be  yes,  prohibit-password,
               forced-commands-only, or no.  The default is prohibit-password.
...
    • @[email protected]
      112 days ago

      If it’s public facing, how about dont turn on ssh to the public, open it to select ips or ranges. Use a non standard port, use a cert or even a radius with TOTP like privacyIdea. How about a port knocker to open the non standard port as well. Autoban to lock out source ips.

      That’s just off the top of my head.

      There’s a lot you can do to harden a host.

      • @[email protected]English
        219 hours ago

        dont turn on ssh to the public, open it to select ips or ranges

        What if you don’t have a static IP, do you ask your ISP in what range their public addresses fall?

    • Fair Fairy
      11 day ago

      Why though? If u have a strong password, it will take eternity to brute force