I am paranoid?
-
@aaronstuder said in I am paranoid?:
@Jason said:
Likely a botnet trying to break into the system; they are non-stop checking for standard ports to hack (SSH, RDP, etc.).
The root password that was auto set was like this: RGh*55z7
According to https://howsecureismypassword.net/ that would take 9 hours to crack, so I guess I am good? :-/
9 hours average, not 9 hours total.
HOWEVER, that's hitting an in-memory system at CPU speeds. That's millions of attempts per second, NOT thousands in five minutes. You cannot attack your server at the speed that they are using to calculate, because your CPU and NIC and network connection are not fast enough. It would take vastly longer to do this over SSH. How Secure Is My Password assumes they had a copy of the hash of your password and were attacking that as fast as they could test it in memory.
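To put numbers on the distinction the reply draws (average versus total time, and offline hash cracking versus online guessing over SSH), here is a small added calculation. It is not from the thread or the site mentioned; the guess rates are assumed illustrative figures, and the 94-character alphabet is the standard upper/lower/digit/printable-symbol set the thread's password RGh*55z7 is drawn from.

```python
# Added example: how long a uniformly random password survives brute force
# offline (attacker holds the hash) versus online (guesses sent over SSH).
# All rates below are assumptions chosen for illustration, not measurements.

LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 32  # printable-ASCII class sizes


def keyspace(length, lower=True, upper=True, digit=True, symbol=True):
    """Number of distinct passwords of the given length over the chosen classes."""
    alphabet = ((LOWER if lower else 0) + (UPPER if upper else 0)
                + (DIGIT if digit else 0) + (SYMBOL if symbol else 0))
    return alphabet ** length


def crack_time_seconds(space, guesses_per_second, average=True):
    """Seconds to hit a random password: half the keyspace on average,
    the whole keyspace in the worst case."""
    guesses = space / 2 if average else space
    return guesses / guesses_per_second


def human(seconds):
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def compare(length=8, offline_rate=1e10, online_rate=5.0):
    """offline_rate: assumed in-memory hash checks per second (GPU-class).
    online_rate: assumed guesses per second an SSH daemon will actually
    answer from one source before rate limiting and network latency bite."""
    space = keyspace(length)
    return {
        "keyspace": space,
        "offline_avg_s": crack_time_seconds(space, offline_rate),
        "offline_max_s": crack_time_seconds(space, offline_rate, average=False),
        "online_avg_s": crack_time_seconds(space, online_rate),
    }


if __name__ == "__main__":
    r = compare()
    print(f"keyspace for 8 chars: {r['keyspace']:.2e}")
    print(f"offline, average:     {human(r['offline_avg_s'])}")
    print(f"offline, worst case:  {human(r['offline_max_s'])}")
    print(f"online over SSH, avg: {human(r['online_avg_s'])}")
```

The online figure is the one that matters for the thread's situation: the ratio between the two columns is simply the ratio of the guess rates, so a password that falls in hours offline lasts geological time against a network brute force, which is why the failed-attempt noise in the logs is not by itself evidence of compromise.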
-
@aaronstuder said in I am paranoid?:
How do I know no one got in before I got everything secured?
Same way that you know that they didn't get in after you installed everything... you don't. However, there is no indicator that anything bad happened. You look in last and see that there was no logon. You have no fishy behaviour. You have no cause for concern. It isn't that your server was not secured, it was that it wasn't as secured. It is all shades of grey. Everything that you did was good and you should have done it, I'm not suggesting otherwise. All I'm saying is that out of the box your VM was decently secure. Firewalld not there, but no services listening other than SSHD so the need for the firewall is actually pretty tiny on a minimal install until you do something with the system. Root password was short, but random. Very difficult to breach in that time period, like billions to one chance there. The system successfully blocked a thousand or more attempts, that's normal and expected. You have a public IP address on a public host so it is a high target for SSH. People know that SSH has to be enabled there, so automated attacks are common.
Should be noted, though, that this is why I like places like Digital Ocean and Vultr, which don't use root passwords at all, making this so much more secure out of the box.
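The reply's advice is to look at the login record and confirm there was no logon while the failed attempts piled up. As an added illustration (not something from the thread), the following script runs that check over a few constructed sshd log lines in the /var/log/secure format: it counts failed guesses per source and per target user, lists invalid usernames tried, and flags any accepted login that did not come from a source you expected. The IPs are documentation-range placeholders and the key fingerprint is a placeholder.

```python
import re
from collections import Counter

# Constructed sample in sshd's syslog format (as in /var/log/secure or
# /var/log/auth.log). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar  3 04:12:01 vm1 sshd[1021]: Failed password for root from 203.0.113.10 port 51234 ssh2
Mar  3 04:12:03 vm1 sshd[1021]: Failed password for root from 203.0.113.10 port 51236 ssh2
Mar  3 04:12:07 vm1 sshd[1025]: Invalid user admin from 198.51.100.7 port 40111
Mar  3 04:12:07 vm1 sshd[1025]: Failed password for invalid user admin from 198.51.100.7 port 40111 ssh2
Mar  3 04:12:09 vm1 sshd[1028]: Failed password for root from 203.0.113.10 port 51240 ssh2
Mar  3 09:30:44 vm1 sshd[1301]: Accepted publickey for deploy from 192.0.2.25 port 52000 ssh2: ED25519 SHA256:PLACEHOLDER
Mar  3 09:30:44 vm1 sshd[1301]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def summarize(log_text, known_sources=frozenset()):
    """Tally failed guesses and collect accepted logins from sshd log lines.
    known_sources: addresses you expect logins from (e.g. your jump box)."""
    failed_by_source, failed_by_user = Counter(), Counter()
    invalid_users, accepted = set(), []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            failed_by_source[src] += 1
            failed_by_user[user] += 1
            continue
        m = INVALID.search(line)
        if m:
            invalid_users.add(m.group(1))
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, src = m.groups()
            accepted.append({"method": method, "user": user, "source": src,
                             "expected": src in known_sources})
    return {
        "failed_by_source": dict(failed_by_source),
        "failed_by_user": dict(failed_by_user),
        "invalid_users": invalid_users,
        "accepted": accepted,
    }


def unexpected_logins(summary):
    """Accepted logins from a source not on the known list, or any root
    login that used a password rather than a key: the events worth chasing."""
    return [a for a in summary["accepted"]
            if not a["expected"] or (a["user"] == "root" and a["method"] == "password")]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, known_sources={"192.0.2.25"})
    print("failed attempts by source:", s["failed_by_source"])
    print("failed attempts by user:  ", s["failed_by_user"])
    print("invalid usernames tried:  ", sorted(s["invalid_users"]))
    print("unexpected logins:        ", unexpected_logins(s))
```

A busy list of failed attempts with an empty "unexpected logins" list is the normal picture for any host with SSH on a public address; an accepted entry from an address you do not recognise is the thing that would justify the worry. Note that the journal or `last` (wtmp) is a second record to cross-check, since an attacker with root could edit either file but rarely both consistently.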
-
@scottalanmiller said in I am paranoid?:
Should be noted, though, that this is why I like places like Digital Ocean and Vultr, which don't use root passwords at all, making this so much more secure out of the box.
We use Digital Ocean for our staging; they do use root passwords. The first things we do after spinning up an instance are creating a new user, changing sshd_config to be SSH2 only, disabling root login, and setting the port really high to avoid bombardment. On our actual network it's much more secure, and/or possibly elaborate, than that, but this is staging.
-
@tonyshowoff said in I am paranoid?:
@scottalanmiller said in I am paranoid?:
Should be noted, though, that this is why I like places like Digital Ocean and Vultr, which don't use root passwords at all, making this so much more secure out of the box.
We use Digital Ocean for our staging; they do use root passwords. The first things we do after spinning up an instance are creating a new user, changing sshd_config to be SSH2 only, disabling root login, and setting the port really high to avoid bombardment. On our actual network it's much more secure, and/or possibly elaborate, than that, but this is staging.
They will let you use root passwords, yes. But we just use SSH keys. Easier and faster.
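The two posts above between them describe a small sshd_config hardening list: protocol 2 only, root login disabled, a non-default port, and (per the last reply) SSH keys rather than passwords. As an added example that is not from either poster, here is an audit script that reads an sshd_config the way the daemon does (first occurrence of a keyword wins, keywords are case-insensitive, `Key value` and `Key=value` are both accepted, and global parsing stops at the first Match block) and reports which of those settings are missing. The two embedded configs are constructed; the port 1122 is the value suggested later in the thread.

```python
import re

# Constructed: what a default-looking config tends to contain.
WEAK_CONFIG = """\
#Port 22
#Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

# Constructed: the thread's staging hardening plus key-only authentication.
HARDENED_CONFIG = """\
Port 1122
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

_DIRECTIVE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.+)$")


def parse_sshd_config(text):
    """Return the effective global settings as {lowercase keyword: value}."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # commented directives are not in effect
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # everything after the first Match block is conditional
        effective.setdefault(key, value)  # first occurrence wins, as in sshd
    return effective


def audit(text):
    """List the thread's hardening settings that this config does not apply."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no' (keys are not required)")
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if cfg.get("port", "22") == "22":
        findings.append("Port is the default 22 (noisier logs; not a security control)")
    # Protocol matters only on old releases; current OpenSSH servers have no SSH1 at all.
    if cfg.get("protocol") not in (None, "2"):
        findings.append("Protocol permits SSH1")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(text) or 'no findings'}")
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; the one thing it deliberately does not do is treat the port change as a security finding in its own right, in keeping with the discussion further down the thread.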
-
I think that this sounds normal and you are just worried, doesn't sound like there is any reason to suspect that anyone has gotten into your system.
-
@scottalanmiller said in I am paranoid?:
@tonyshowoff said in I am paranoid?:
@scottalanmiller said in I am paranoid?:
Should be noted, though, that this is why I like places like Digital Ocean and Vultr, which don't use root passwords at all, making this so much more secure out of the box.
We use Digital Ocean for our staging; they do use root passwords. The first things we do after spinning up an instance are creating a new user, changing sshd_config to be SSH2 only, disabling root login, and setting the port really high to avoid bombardment. On our actual network it's much more secure, and/or possibly elaborate, than that, but this is staging.
They will let you use root passwords, yes. But we just use SSH keys. Easier and faster.
Most definitely, we use SSH keys in production. We could use them for both, but to be honest, I can't tell you why we don't, we just don't, ... lol what a terrible reason.
-
I find them so much more convenient. I build a new box (I do all of the new box builds now after some disasters with that getting spread around) and I don't have to track logins. I just log in automatically from the Jump Box (which is whose key is there) and I can instantly run our script that creates all of the standard access for everyone. Never have to type in or write down passwords.
-
@scottalanmiller said in I am paranoid?:
@tonyshowoff said in I am paranoid?:
I'd hope you wouldn't have passwords so easy that within a few minutes of finishing the install they've guessed it. You can cut down on a hell of a lot of these by changing the SSH port, that's the first thing I always do. I don't consider it security through obscurity, because it's not so much for security as it is to just be less obvious and keep my logs cleaner.
Less obvious is the singular goal of security through obscurity. That's just rewording it.
Logs cleaner makes sense.
And are the cleaner logs worth the hassle of remembering that the port has been changed?
-
@Dashrender said in I am paranoid?:
@scottalanmiller said in I am paranoid?:
@tonyshowoff said in I am paranoid?:
I'd hope you wouldn't have passwords so easy that within a few minutes of finishing the install they've guessed it. You can cut down on a hell of a lot of these by changing the SSH port, that's the first thing I always do. I don't consider it security through obscurity, because it's not so much for security as it is to just be less obvious and keep my logs cleaner.
Less obvious is the singular goal of security through obscurity. That's just rewording it.
Logs cleaner makes sense.
And are the cleaner logs worth the hassle of remembering that the port has been changed?
It's not really a hard thing to remember, especially if you make it standard. If you can't remember something like that, you probably shouldn't be in IT since there are much longer numbers and more complex ones. Did you ever ask "are locally routed IP ranges for NAT worth the hassle of remembering what they are?" Come on.
Changing the SSH port is pretty common, and yes, it's worth the hassle of remembering something like making it 1122, especially because it doesn't run as root out of the box, as everything running on ports <= 1024 does. It's safer, cleaner, etc.
In other words, I suggest a common standard for your company/your setups, rather than picking a random one like MSSQL likes to depending on configuration.
-
@tonyshowoff said in I am paranoid?:
@Dashrender said in I am paranoid?:
@scottalanmiller said in I am paranoid?:
@tonyshowoff said in I am paranoid?:
I'd hope you wouldn't have passwords so easy that within a few minutes of finishing the install they've guessed it. You can cut down on a hell of a lot of these by changing the SSH port, that's the first thing I always do. I don't consider it security through obscurity, because it's not so much for security as it is to just be less obvious and keep my logs cleaner.
Less obvious is the singular goal of security through obscurity. That's just rewording it.
Logs cleaner makes sense.
And are the cleaner logs worth the hassle of remembering that the port has been changed?
It's not really a hard thing to remember, especially if you make it standard. If you can't remember something like that, you probably shouldn't be in IT since there are much longer numbers and more complex ones. Did you ever ask "are locally routed IP ranges for NAT worth the hassle of remembering what they are?" Come on.
No, because I don't expect someone to walk in and assume them to be anything. But if I hire a consultant to do some work, he's going to assume SSH is on port 22, and when it fails he's going to be like, "hey bro, you know SSH is broken". Then he's going to think, "security through obscurity, eh? Huh, does this guy really know anything?" And only after talking to you for a while will he be like, "OK, yeah, this guy knows his stuff, but damn... that SSH port change is just weird."
-
@Dashrender said in I am paranoid?:
@tonyshowoff said in I am paranoid?:
@Dashrender said in I am paranoid?:
@scottalanmiller said in I am paranoid?:
@tonyshowoff said in I am paranoid?:
I'd hope you wouldn't have passwords so easy that within a few minutes of finishing the install they've guessed it. You can cut down on a hell of a lot of these by changing the SSH port, that's the first thing I always do. I don't consider it security through obscurity, because it's not so much for security as it is to just be less obvious and keep my logs cleaner.
Less obvious is the singular goal of security through obscurity. That's just rewording it.
Logs cleaner makes sense.
And are the cleaner logs worth the hassle of remembering that the port has been changed?
It's not really a hard thing to remember, especially if you make it standard. If you can't remember something like that, you probably shouldn't be in IT since there are much longer numbers and more complex ones. Did you ever ask "are locally routed IP ranges for NAT worth the hassle of remembering what they are?" Come on.
No, because I don't expect someone to walk in and assume them to be anything. But if I hire a consultant to do some work, he's going to assume SSH is on port 22, and when it fails he's going to be like, "hey bro, you know SSH is broken". Then he's going to think, "security through obscurity, eh? Huh, does this guy really know anything?" And only after talking to you for a while will he be like, "OK, yeah, this guy knows his stuff, but damn... that SSH port change is just weird."
That's what documentation is for. That's why we don't have all the same root password or whatever.
-
@Dashrender said in I am paranoid?:
@tonyshowoff said in I am paranoid?:
@Dashrender said in I am paranoid?:
@scottalanmiller said in I am paranoid?:
@tonyshowoff said in I am paranoid?:
I'd hope you wouldn't have passwords so easy that within a few minutes of finishing the install they've guessed it. You can cut down on a hell of a lot of these by changing the SSH port, that's the first thing I always do. I don't consider it security through obscurity, because it's not so much for security as it is to just be less obvious and keep my logs cleaner.
Less obvious is the singular goal of security through obscurity. That's just rewording it.
Logs cleaner makes sense.
And are the cleaner logs worth the hassle of remembering that the port has been changed?
It's not really a hard thing to remember, especially if you make it standard. If you can't remember something like that, you probably shouldn't be in IT since there are much longer numbers and more complex ones. Did you ever ask "are locally routed IP ranges for NAT worth the hassle of remembering what they are?" Come on.
No, because I don't expect someone to walk in and assume them to be anything. But if I hire a consultant to do some work, he's going to assume SSH is on port 22, and when it fails he's going to be like, "hey bro, you know SSH is broken". Then he's going to think, "security through obscurity, eh? Huh, does this guy really know anything?" And only after talking to you for a while will he be like, "OK, yeah, this guy knows his stuff, but damn... that SSH port change is just weird."
If you are hiring a consultant, you should be providing documentation on how to connect. I don't come into a place and just try to randomly connect to something. I connect to what the client tells me to connect to, how they tell me to connect.
I might also have an opinion about why something is non-standard, but I would not mouth it off, because, you know, I like to get paid.
-
@JaredBusch said in I am paranoid?:
@Dashrender said in I am paranoid?:
@tonyshowoff said in I am paranoid?:
@Dashrender said in I am paranoid?:
@scottalanmiller said in I am paranoid?:
@tonyshowoff said in I am paranoid?:
I'd hope you wouldn't have passwords so easy that within a few minutes of finishing the install they've guessed it. You can cut down on a hell of a lot of these by changing the SSH port, that's the first thing I always do. I don't consider it security through obscurity, because it's not so much for security as it is to just be less obvious and keep my logs cleaner.
Less obvious is the singular goal of security through obscurity. That's just rewording it.
Logs cleaner makes sense.
And are the cleaner logs worth the hassle of remembering that the port has been changed?
It's not really a hard thing to remember, especially if you make it standard. If you can't remember something like that, you probably shouldn't be in IT since there are much longer numbers and more complex ones. Did you ever ask "are locally routed IP ranges for NAT worth the hassle of remembering what they are?" Come on.
No, because I don't expect someone to walk in and assume them to be anything. But if I hire a consultant to do some work, he's going to assume SSH is on port 22, and when it fails he's going to be like, "hey bro, you know SSH is broken". Then he's going to think, "security through obscurity, eh? Huh, does this guy really know anything?" And only after talking to you for a while will he be like, "OK, yeah, this guy knows his stuff, but damn... that SSH port change is just weird."
If you are hiring a consultant, you should be providing documentation on how to connect. I don't come into a place and just try to randomly connect to something. I connect to what the client tells me to connect to, how they tell me to connect.
I might also have an opinion about why something is non-standard, but I would not mouth it off, because, you know, I like to get paid.
LOL - most of that was internal thought processes, not verbal ones...
-
@BRRABill nice!