On 23/06/2021 17:03, Saint Michael wrote:
> I got hacked in 72 servers this week, they installed Bitcoin miners.

Are you saying this happened through opensshd?

What specifically was the cause: do you allow password authentication for example?

You can control this by IP address with "Match" clauses in sshd_config. For example:

    PasswordAuthentication no

    Match Address 10.0.0.0/8,fc00::/7
        PasswordAuthentication yes

This will allow passwords only from the 10.0.0.0/8 and fc00::/7 networks, forcing connections from the Internet to use a proper authentication mechanism (e.g. keys)
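An added example, not from any message in this thread: a small Python checker that applies sshd's evaluation rules to the Match configuration above (global value applies unless a Match block selected by the client address sets the keyword; when several blocks match, the first one that sets the keyword wins; a "!"-prefixed address entry vetoes the match). The SAMPLE_CONFIG string is constructed here and the checker models only Match Address lines.

```python
"""Which PasswordAuthentication value would sshd apply to a given client address?"""
import ipaddress

# Constructed sample: the sshd_config fragment suggested above.
SAMPLE_CONFIG = """
PasswordAuthentication no

Match Address 10.0.0.0/8,fc00::/7
    PasswordAuthentication yes
"""

def _address_matches(client, addr_list):
    """sshd address-list semantics: a matching '!' entry vetoes the whole list,
    otherwise any matching positive entry makes the list match."""
    ip = ipaddress.ip_address(client)
    matched = False
    for entry in addr_list.split(","):
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if ip in net:            # False when address families differ
            if negated:
                return False
            matched = True
    return matched

def parse_sshd_config(text):
    """Return (global_opts, [(address_list, block_opts), ...]); Address-only Match lines."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "match":
            crit, _, arg = value.strip().partition(" ")
            if crit.lower() != "address":
                raise ValueError("only 'Match Address' is modelled here")
            current = {}
            blocks.append((arg.strip(), current))
        elif current is None:
            global_opts.setdefault(key.lower(), value.strip())   # first value wins
        else:
            current.setdefault(key.lower(), value.strip())
    return global_opts, blocks

def effective_option(text, client_ip, keyword="passwordauthentication"):
    """Value sshd applies for client_ip: first matching block that sets it, else global."""
    global_opts, blocks = parse_sshd_config(text)
    for addr_list, opts in blocks:
        if keyword in opts and _address_matches(client_ip, addr_list):
            return opts[keyword]
    return global_opts.get(keyword, "yes")   # sshd's compiled-in default is "yes"
```

Running effective_option() against every public-facing host's config with an Internet source address is a quick way to confirm that password logins really are closed off outside the private ranges.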
I use iptables, but all my servers have public IPs, for we do telecommunications. If my firewall is down for any reason and I don't catch it, they will hack me. I don't know how they do it, for I have password authentication disabled, but they hack me and it's always via CentOS 7 machines. But OpenSSH in CentOS 7 is so old that it cannot communicate with newer machines, they cannot agree on protocols and ciphers, etc. So I am trying to compile the latest OpenSSH in CentOS 7, but no libwrap support. The perfect storm. They have been installing Bitcoin miners right and left. I think that they penetrate a single box that is left with password authentication=yes, and do a lateral infection. The only failsafe solution is to use hosts.allow. They can take down a powerplant with this technique. To remove libwrap was a completely irresponsible move.

On Wed, Jun 23, 2021 at 12:19 PM Brian Candler <b.candler at pobox.com> wrote:
> On 23/06/2021 17:03, Saint Michael wrote:
> > I got hacked in 72 servers this week, they installed Bitcoin miners.
>
> Are you saying this happened through opensshd?
>
> What specifically was the cause: do you allow password authentication
> for example?
>
> You can control this by IP address with "Match" clauses in sshd_config.
> For example:
>
>     PasswordAuthentication no
>
>     Match Address 10.0.0.0/8,fc00::/7
>         PasswordAuthentication yes
>
> This will allow passwords only from the 10.0.0.0/8 and fc00::/7
> networks, forcing connections from the Internet to use a proper
> authentication mechanism (e.g. keys)
> On Jun 23, 2021, at 12:19 PM, Brian Candler <b.candler at pobox.com> wrote:
>
> On 23/06/2021 17:03, Saint Michael wrote:
>> I got hacked in 72 servers this week, they installed Bitcoin miners.
>
> Are you saying this happened through opensshd?
>
> What specifically was the cause: do you allow password authentication for example?
>
> You can control this by IP address with "Match" clauses in sshd_config. For example:
>
>     PasswordAuthentication no
>
>     Match Address 10.0.0.0/8,fc00::/7
>         PasswordAuthentication yes
>
> This will allow passwords only from the 10.0.0.0/8 and fc00::/7 networks, forcing connections from the Internet to use a proper authentication mechanism (e.g. keys)

Another option would be to set up 2FA through a third party service with OpenSSH. I've got Duo set up for OpenSSH connections on critical MidnightBSD systems for this reason.

Lucas Holt
Luke at FoolishGames.com
________________________________________________________
MidnightBSD.org (Free OS)
JustJournal.com (Free blogging)