    I am paranoid?

    IT Discussion | 25 Posts, 10 Posters, 3.0k Views
    • Alex Sage

      I am bringing up a new CentOS 7 box over on OVH.

      First thing I did was change the root password and enable the firewall.

      Then I created a new user, added it to wheel, and got off of root.

      Then installed fail2ban, htop, epel, sysstat, etc.

      Reboot and logged back in to see over 1000 failed login attempts.

      This took me no more than 5 minutes.

      How do I know no one got in before I got everything secured?

      Part of me wants to wipe the whole thing and start over, but it will just happen again right?

      scottalanmillerS 1 Reply Last reply Reply Quote 0
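      The five minutes described in the post above, written out as one script. This is an added example, not the poster's own commands: it assumes a fresh CentOS 7 image where the provider hands you a root password, OpenSSH 7.4 (which has no Include directive, so /etc/ssh/sshd_config is edited directly), firewalld present, and fail2ban from EPEL. The account name alex and the PUBKEY variable are placeholders the operator sets; nothing touches the live system unless the script is run as root with the argument apply, so the config helpers can be tried on a copy of the file first.

```shell
#!/bin/sh
# Added example (not the poster's script): first-login hardening for a fresh
# CentOS 7 VPS. Assumptions: run as root in the provider's initial root session,
# OpenSSH 7.4 (no "Include", so sshd_config is edited in place), firewalld
# installed, fail2ban from EPEL. ADMIN_USER and PUBKEY are placeholders.
set -eu

ADMIN_USER="${ADMIN_USER:-alex}"   # assumed name of the non-root admin account
PUBKEY="${PUBKEY:-}"               # the admin's public key line (ssh-ed25519 AAAA... comment)

# harden_sshd_config FILE USER
# sshd uses the FIRST value it sees for a keyword, so a marked block at the top
# of the file overrides every later default or commented setting without
# hunting for each line. Re-running replaces the earlier block (idempotent).
harden_sshd_config() {
  file=$1; user=$2
  tmp=$(mktemp)
  {
    printf '# BEGIN hardening block (first match wins)\n'
    printf 'PermitRootLogin no\n'
    printf 'PasswordAuthentication no\n'
    printf 'ChallengeResponseAuthentication no\n'
    printf 'PubkeyAuthentication yes\n'
    printf 'MaxAuthTries 3\n'
    printf 'AllowUsers %s\n' "$user"
    printf '# END hardening block\n'
    sed '/^# BEGIN hardening block/,/^# END hardening block/d' "$file"
  } > "$tmp"
  cat "$tmp" > "$file"   # keeps the original file's mode and owner
  rm -f "$tmp"
}

# sshd_option FILE KEY: the value sshd will use (first occurrence before any Match block).
sshd_option() {
  awk -v k="$2" '$1 == "Match" { exit } $1 == k { print $2; exit }' "$1"
}

# EPEL's fail2ban ships with every jail disabled; jail.local is where you enable one.
enable_sshd_jail() {
  printf '[sshd]\nenabled = true\nbantime = 3600\nmaxretry = 3\n' > /etc/fail2ban/jail.local
}

apply() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  [ -n "$PUBKEY" ] || { echo "set PUBKEY to the admin public key first" >&2; exit 1; }

  # 1. non-root admin in wheel, key installed
  id "$ADMIN_USER" >/dev/null 2>&1 || useradd -m -G wheel "$ADMIN_USER"
  home=$(getent passwd "$ADMIN_USER" | cut -d: -f6)
  install -d -m 700 -o "$ADMIN_USER" -g "$ADMIN_USER" "$home/.ssh"
  printf '%s\n' "$PUBKEY" > "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  chown "$ADMIN_USER:$ADMIN_USER" "$home/.ssh/authorized_keys"

  # 2. firewall: only ssh in (sshd is the only listener on a minimal install anyway)
  systemctl enable --now firewalld
  firewall-cmd --permanent --add-service=ssh >/dev/null
  firewall-cmd --reload >/dev/null

  # 3. fail2ban from EPEL with the sshd jail switched on
  yum -y -q install epel-release
  yum -y -q install fail2ban
  enable_sshd_jail
  systemctl enable --now fail2ban

  # 4. sshd: keys only, no root. Validate before restarting; a typo here locks you out.
  harden_sshd_config /etc/ssh/sshd_config "$ADMIN_USER"
  sshd -t
  systemctl restart sshd
  echo "done: test 'ssh $ADMIN_USER@<host>' from a second terminal before closing this session"
}

if [ "${1:-}" = apply ]; then apply; fi
```

      The order is the point: the key is installed and sshd -t passes before sshd is restarted, and the root session stays open until a key login from a second terminal works. After this, fail2ban-client status sshd should show the jail the way the second post in the thread does.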
      • Alex Sage

        Status for the jail: sshd
        |- Filter
        |  |- Currently failed: 0
        |  |- Total failed:     216
        |  `- File list:        /var/log/secure
        `- Actions
        |- Currently banned: 1
        |- Total banned:     1
        `- Banned IP list:   183.3.202.170
        
        travisdh1T 1 Reply Last reply Reply Quote 1
        • DustinB3403

          Odds are it was a Google crawler or similar trying to access the system. Over 1000 attempts in under 5 minutes... seems fishy.

          Change all of the user accounts from a secure connection and let it run. You're being paranoid.

          J scottalanmillerS 2 Replies Last reply Reply Quote 0
          • Jason @DustinB3403

            @DustinB3403 said in I am paranoid?:

            Odds are it was a Google crawler

            Um... No. A Google crawler or anything like that does not try to log in via SSH or anything.

            Likely a botnet trying to break into the system; they are non-stop checking standard ports to hack (SSH, RDP, etc.).

            A 1 Reply Last reply Reply Quote 1
            • Alex Sage @Jason

              @Jason said:

              Likely a botnet trying to break into the system; they are non-stop checking standard ports to hack (SSH, RDP, etc.).

              The root password that was auto set was like this: RGh*55z7

              According to https://howsecureismypassword.net/ that would take 9 hours to crack so I guess I am good? : - /

              BRRABillB scottalanmillerS 2 Replies Last reply Reply Quote 0
              • BRRABill @Alex Sage

                @aaronstuder said

                According to https://howsecureismypassword.net/ that would take 9 hours to crack so I guess I am good? : - /

                As long as they didn't randomly get it the first time. 😉

                1 Reply Last reply Reply Quote 1
                • travisdh1 @Alex Sage

                  @aaronstuder said in I am paranoid?:

                  Status for the jail: sshd
                  |- Filter
                  |  |- Currently failed: 0
                  |  |- Total failed:     216
                  |  `- File list:        /var/log/secure
                  `- Actions
                  |- Currently banned: 1
                  |- Total banned:     1
                  `- Banned IP list:   183.3.202.170
                  

                  That looks like fail2ban worked as intended. Carry on....

                  "Carry on my wayward son
                  There'll be peace when you are done
                  Lay your weary head to rest
                  Don't you cry no more"

                  Must be bedtime, my ADD is kicking in hard.

                  1 Reply Last reply Reply Quote 1
                  • tonyshowoff

                    I'd hope you wouldn't have passwords so easy that within a few minutes of finishing the install they've guessed it. You can cut down on a hell of a lot of these by changing the SSH port, that's the first thing I always do. I don't consider it security through obscurity, because it's not so much for security as it is to just be less obvious and keep my logs cleaner.

                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                    • scottalanmiller @DustinB3403

                      @DustinB3403 said in I am paranoid?:

                      Odds are it was a Google crawler or similar trying to access the system. Over 1000 attempts in under 5 minutes... seems fishy.

                      Actually it is quite standard.

                      1 Reply Last reply Reply Quote 0
                      • scottalanmiller @tonyshowoff

                        @tonyshowoff said in I am paranoid?:

                        I'd hope you wouldn't have passwords so easy that within a few minutes of finishing the install they've guessed it. You can cut down on a hell of a lot of these by changing the SSH port, that's the first thing I always do. I don't consider it security through obscurity, because it's not so much for security as it is to just be less obvious and keep my logs cleaner.

                        Less obvious is the singular goal of security through obscurity 🙂 That's just rewording it.

                        Logs cleaner makes sense.

                        DashrenderD 1 Reply Last reply Reply Quote 0
                        • scottalanmiller @Alex Sage

                          @aaronstuder said in I am paranoid?:

                          @Jason said:

                          Likely a botnet trying to break into the system; they are non-stop checking standard ports to hack (SSH, RDP, etc.).

                          The root password that was auto set was like this: RGh*55z7

                          According to https://howsecureismypassword.net/ that would take 9 hours to crack so I guess I am good? : - /

                          9 hours average, not 9 hours total.

                          HOWEVER, that's hitting an in-memory system at CPU speeds. That's millions of attempts per second, NOT thousands in five minutes. You cannot attack your server at the speed that they are using to calculate because your CPU and NIC and network connection are not fast enough. It would take vastly longer to do this over SSH. How Secure Is My Password's figure is for if they had a copy of the hash of your password and were attacking that as fast as they could test it in memory.

                          1 Reply Last reply Reply Quote 1
                          • scottalanmiller @Alex Sage

                            @aaronstuder said in I am paranoid?:

                            How do I know no one got in before I got everything secured?

                            Same way that you know that they didn't get in after you installed everything... you don't. However, there is no indicator that anything bad happened. You look in last and see that there was no logon. You have no fishy behaviour. You have no cause for concern. It isn't that your server was not secured, it was that it wasn't as secured. It is all shades of grey. Everything that you did was good and you should have done it, I'm not suggesting otherwise. All I'm saying is that out of the box your VM was decently secure. Firewalld not there, but no services listening other than SSHD so the need for the firewall is actually pretty tiny on a minimal install until you do something with the system. Root password was short, but random. Very difficult to breach in that time period, like billions to one chance there. The system successfully blocked a thousand or more attempts, that's normal and expected. You have a public IP address on a public host so it is a high target for SSH. People know that SSH has to be enabled there, so automated attacks are common.

                            Should be noted, though, that this is why I like places like Digital Ocean and Vultr who don't use root passwords at all making this so much more secure out of the box.

                            tonyshowoffT 1 Reply Last reply Reply Quote 1
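                            A way to answer the question in the quoted post from the log itself, as an added example rather than anything from the thread: it reads /var/log/secure-style lines and lists failures per source, every successful login, and successful logins from an address that had also been failing. The sample() lines are constructed to look like CentOS 7 OpenSSH 7.4 entries (documentation addresses plus the IP fail2ban banned earlier in the thread); they are not real log data.

```shell
#!/bin/sh
# Added example (not from the thread): triage of /var/log/secure after a burst
# of SSH failures. sample() is constructed to look like CentOS 7 OpenSSH 7.4
# log lines; the addresses are documentation ranges plus the one IP from the
# fail2ban output in the thread. Not real data.
set -eu

sample() {
  cat <<'EOF'
Oct  3 02:11:01 vps sshd[1411]: Failed password for root from 183.3.202.170 port 51234 ssh2
Oct  3 02:11:03 vps sshd[1413]: Failed password for invalid user admin from 183.3.202.170 port 51240 ssh2
Oct  3 02:11:05 vps sshd[1415]: Failed password for root from 183.3.202.170 port 51250 ssh2
Oct  3 02:12:10 vps sshd[1420]: Failed password for root from 198.51.100.7 port 40022 ssh2
Oct  3 02:13:44 vps sshd[1433]: Accepted publickey for alex from 203.0.113.5 port 50010 ssh2: ED25519 SHA256:k7Ls
Oct  3 02:14:00 vps sshd[1440]: Accepted password for root from 198.51.100.7 port 40030 ssh2
EOF
}

# failed_by_ip: "count ip" per source, busiest first. This is what fail2ban's
# "Total failed" counter is built from; these numbers are noise, not a breach.
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
       }
       END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# accepted_logins: "user ip method" for every successful authentication.
# Read next to `last -F` (wtmp): a session in one list but not the other needs explaining.
accepted_logins() {
  awk '/sshd\[[0-9]+\]: Accepted/ {
         for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i + 1); if ($i == "from") ip = $(i + 1) }
         print u, ip, $7
       }'
}

# suspicious_accepts: successful logins from an address that also produced
# failures, i.e. a guess that eventually worked. An empty result is the
# evidence the original poster was looking for.
suspicious_accepts() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i + 1)] = 1
       }
       /sshd\[[0-9]+\]: Accepted/ {
         for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i + 1); if ($i == "from") ip = $(i + 1) }
         n++; au[n] = u; aip[n] = ip; am[n] = $7
       }
       END { for (j = 1; j <= n; j++) if (aip[j] in failed) print au[j], aip[j], am[j] }'
}

# On the real box: sudo cat /var/log/secure | suspicious_accepts ; last -F ; lastb | head
echo "== failed attempts by source =="; sample | failed_by_ip
echo "== accepted logins =="; sample | accepted_logins
echo "== accepted from addresses that also failed =="; sample | suspicious_accepts
```

                            Run it against the real file with sudo cat /var/log/secure | suspicious_accepts and read the result next to last -F (wtmp) and lastb (btmp). A thousand lines from failed_by_ip and nothing from suspicious_accepts is the normal shape scottalanmiller describes; a single line in that last list is the thing to chase.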
                            • tonyshowoff @scottalanmiller

                              @scottalanmiller said in I am paranoid?:

                              Should be noted, though, that this is why I like places like Digital Ocean and Vultr who don't use root passwords at all making this so much more secure out of the box.

                              We use Digital Ocean for our staging; they do use root passwords. The first things we do after spinning up an instance are creating a new user, changing sshd_config to be SSH2 only, disabling root login, and setting the port really high to avoid bombardment. On our actual network it's much more secure, and/or possibly elaborate, than that, but this is staging.

                              scottalanmillerS 1 Reply Last reply Reply Quote 1
                              • scottalanmiller @tonyshowoff

                                @tonyshowoff said in I am paranoid?:

                                @scottalanmiller said in I am paranoid?:

                                Should be noted, though, that this is why I like places like Digital Ocean and Vultr who don't use root passwords at all making this so much more secure out of the box.

                                We use Digital Ocean for our staging; they do use root passwords. The first things we do after spinning up an instance are creating a new user, changing sshd_config to be SSH2 only, disabling root login, and setting the port really high to avoid bombardment. On our actual network it's much more secure, and/or possibly elaborate, than that, but this is staging.

                                They will let you use root passwords, yes. But we just use SSH keys. Easier and faster.

                                tonyshowoffT 1 Reply Last reply Reply Quote 0
                                • StrongBad

                                  I think that this sounds normal and you are just worried, doesn't sound like there is any reason to suspect that anyone has gotten into your system.

                                  1 Reply Last reply Reply Quote 0
                                  • tonyshowoff @scottalanmiller

                                    @scottalanmiller said in I am paranoid?:

                                    @tonyshowoff said in I am paranoid?:

                                    @scottalanmiller said in I am paranoid?:

                                    Should be noted, though, that this is why I like places like Digital Ocean and Vultr who don't use root passwords at all making this so much more secure out of the box.

                                    We use Digital Ocean for our staging; they do use root passwords. The first things we do after spinning up an instance are creating a new user, changing sshd_config to be SSH2 only, disabling root login, and setting the port really high to avoid bombardment. On our actual network it's much more secure, and/or possibly elaborate, than that, but this is staging.

                                    They will let you use root passwords, yes. But we just use SSH keys. Easier and faster.

                                    Most definitely, we use SSH keys in production. We could use them for both, but to be honest, I can't tell you why we don't, we just don't, ... lol what a terrible reason.

                                    1 Reply Last reply Reply Quote 1
                                    • scottalanmiller

                                      I find them so much more convenient. I build a new box (I do all of the new box builds now after some disasters with that getting spread around) and I don't have to track logins. I just log in automatically from the Jump Box (which is the box whose key is there) and I can instantly run our script that creates all of the standard access for everyone. Never have to type in or write down passwords.

                                      1 Reply Last reply Reply Quote 2
                                      • Dashrender @scottalanmiller

                                        @scottalanmiller said in I am paranoid?:

                                        @tonyshowoff said in I am paranoid?:

                                        I'd hope you wouldn't have passwords so easy that within a few minutes of finishing the install they've guessed it. You can cut down on a hell of a lot of these by changing the SSH port, that's the first thing I always do. I don't consider it security through obscurity, because it's not so much for security as it is to just be less obvious and keep my logs cleaner.

                                        Less obvious is the singular goal of security through obscurity 🙂 That's just rewording it.

                                        Logs cleaner makes sense.

                                        And are the cleaner logs worth the hassle of remembering that the port has been changed?

                                        tonyshowoffT 1 Reply Last reply Reply Quote 0
                                        • tonyshowoff @Dashrender

                                          @Dashrender said in I am paranoid?:

                                          @scottalanmiller said in I am paranoid?:

                                          @tonyshowoff said in I am paranoid?:

                                          I'd hope you wouldn't have passwords so easy that within a few minutes of finishing the install they've guessed it. You can cut down on a hell of a lot of these by changing the SSH port, that's the first thing I always do. I don't consider it security through obscurity, because it's not so much for security as it is to just be less obvious and keep my logs cleaner.

                                          Less obvious is the singular goal of security through obscurity 🙂 That's just rewording it.

                                          Logs cleaner makes sense.

                                          And are the cleaner logs worth the hassle of remembering that the port has been changed?

                                          It's not really a hard thing to remember, especially if you make it standard. If you can't remember something like that, you probably shouldn't be in IT since there are much longer numbers and more complex ones. Did you ever ask "are locally routed IP ranges for NAT worth the hassle of remembering what they are?" Come on.

                                          Changing the SSH port is pretty common, and yes, it's worth the hassle of remembering something like making it 1122, especially because it doesn't run as root out of the box, as everything running on ports <= 1024 does. It's safer, cleaner, etc.

                                          In other words, I suggest a common standard for your company/your setups, rather than picking a random one like MSSQL likes to depending on configuration.

                                          DashrenderD 1 Reply Last reply Reply Quote 0
                                          • Dashrender @tonyshowoff

                                            @tonyshowoff said in I am paranoid?:

                                            @Dashrender said in I am paranoid?:

                                            @scottalanmiller said in I am paranoid?:

                                            @tonyshowoff said in I am paranoid?:

                                            I'd hope you wouldn't have passwords so easy that within a few minutes of finishing the install they've guessed it. You can cut down on a hell of a lot of these by changing the SSH port, that's the first thing I always do. I don't consider it security through obscurity, because it's not so much for security as it is to just be less obvious and keep my logs cleaner.

                                            Less obvious is the singular goal of security through obscurity 🙂 That's just rewording it.

                                            Logs cleaner makes sense.

                                            And are the cleaner logs worth the hassle of remembering that the port has been changed?

                                            It's not really a hard thing to remember, especially if you make it standard. If you can't remember something like that, you probably shouldn't be in IT since there are much longer numbers and more complex ones. Did you ever ask "are locally routed IP ranges for NAT worth the hassle of remembering what they are?" Come on.

                                            No, because I don't expect someone to walk in and assume them to be anything. But if I hire a consultant to do some work, he's going to assume SSH is on port 22 and when it fails, he's going to be like - hey bro - you know SSH is broken - then he's going to think security through obscurity eh? Huh, does this guy really know anything? And only after talking to you for a while will he be like - ok yeah this guy knows his stuff, but damn.. that SSH port change is just weird. 😉

                                            tonyshowoffT JaredBuschJ 2 Replies Last reply Reply Quote 0
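                                            The port move being argued about, done on CentOS 7 in a way that does not lock you out or quietly weaken the box. This is an added example, not anything posted in the thread; it assumes SELinux enforcing, firewalld, and the EPEL fail2ban, and uses 1122 (tonyshowoff's number), the host alias vps1 and the user alex as placeholders. Three things have to move together: the SELinux port label (sshd will not bind 1122 without it; semanage comes from policycoreutils-python), the firewall rule, and the fail2ban jail, whose ban rule carries the jail's port, so a jail still set to "ssh" bans port 22 while the guessing continues on 1122. The script does not change who sshd runs as: the listener is root-owned on any port (that is how it starts sessions for other users), so what the move buys is quieter logs, as scottalanmiller says. Only the apply path touches the system; the helpers run anywhere. The Host stanza at the end is the answer to Dashrender's "remembering the port" objection: put it in ~/.ssh/config once and nobody has to.

```shell
#!/bin/sh
# Added example (not from the thread): move sshd to port 1122 on CentOS 7 with
# SELinux enforcing, firewalld and EPEL fail2ban. NEW_PORT, host alias "vps1",
# address 203.0.113.10 and user "alex" are placeholders. Assumes the sshd port
# change needs: sshd_config Port, a ssh_port_t SELinux label (semanage, from
# policycoreutils-python), a firewalld rule, and the fail2ban jail's port.
set -eu

NEW_PORT="${NEW_PORT:-1122}"

# valid_port N: numeric, unprivileged (>= 1024) and in range. Non-zero otherwise.
valid_port() {
  case "$1" in *[!0-9]*|'') return 1 ;; esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# set_sshd_port FILE PORT: rewrite the stock "#Port 22" (or an earlier Port line).
set_sshd_port() {
  valid_port "$2" || { echo "refusing port $2" >&2; return 1; }
  if grep -Eq '^#?Port ' "$1"; then
    sed -i -E "s/^#?Port .*/Port $2/" "$1"
  else
    printf 'Port %s\n' "$2" >> "$1"
  fi
}

# fail2ban_jail_port PORT: jail stanza so the ban rule targets the new port, not 22.
fail2ban_jail_port() {
  printf '[sshd]\nenabled = true\nport = %s\n' "$1"
}

# client_config ADDRESS ALIAS PORT: ~/.ssh/config stanza so "ssh vps1" just works.
client_config() {
  printf 'Host %s\n    HostName %s\n    Port %s\n    User alex\n' "$2" "$1" "$3"
}

apply() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  set_sshd_port /etc/ssh/sshd_config "$NEW_PORT"
  # SELinux: without this label sshd fails to start (check: semanage port -l | grep ssh_port_t)
  semanage port -a -t ssh_port_t -p tcp "$NEW_PORT" 2>/dev/null \
    || semanage port -m -t ssh_port_t -p tcp "$NEW_PORT"
  # firewall: open the new port now; drop the ssh service only after the new port is verified
  firewall-cmd --permanent --add-port="$NEW_PORT/tcp" >/dev/null
  firewall-cmd --reload >/dev/null
  # fail2ban: jail.d/*.local overrides jail.conf / jail.local for this jail
  fail2ban_jail_port "$NEW_PORT" > /etc/fail2ban/jail.d/sshd-port.local
  sshd -t
  systemctl restart sshd
  systemctl restart fail2ban
  ss -tlnp | grep -q ":$NEW_PORT " || { echo "sshd is not listening on $NEW_PORT" >&2; exit 1; }
  echo "now: ssh -p $NEW_PORT alex@<host> from another terminal, then"
  echo "     firewall-cmd --permanent --remove-service=ssh && firewall-cmd --reload"
  echo "client side, once:"; client_config 203.0.113.10 vps1 "$NEW_PORT"
}

if [ "${1:-}" = apply ]; then apply; fi
```

                                            Port 22 stays open in firewalld until the new port has been logged into from a second terminal, which is the same rule as for any sshd change: never restart the daemon and close the only working session in the same breath.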
                                            Page 1 of 2