I use a non-standard port and they apparently broke a server in an
external datacenter, analyzed history, used the same ssh command with
ad-hoc port number. The box was connected paswordlessly to all my important
boxes and Zas!, Bitcoin miners all over the company.
On Wed, Jun 23, 2021 at 2:02 PM Jochen Bern <Jochen.Bern at binect.de>
wrote:
> On 23.06.21 18:27, Saint Michael wrote:
> > I use iptables, but all my servers have public IPs, for we do
> > telecommunications. If my firewall is down for any reason and I
don't
> catch
> > it, they will hack me.
>
> 1. You want to start doing that thing called "monitoring".
>
> 2. If by "firewall", you mean a unit *other* than the target
machines,
> from the moment it is "down", it should *NOT* allow any through
traffic
> to the targets (unless necessary to let an admin remote in to fix the
> firewall problem).
>
> 3. Otherwise, i.e., all you have is the iptables on the target machines
> themselves, you IMHO want to
> -- have the sshd listen on a nonstandard port,
> -- make the iptables, *if they are up and working*, NAT connection
> attempts to port 22 to the real port, and
> -- hand a "port cheat sheet" to the admins so that *they* can
remote
> into some machine to fix the iptables being "down".
>
> I shall stop here with the details, though, because if you don't know
> how you get (re)hacked, you don't know whether it's done *through
SSH*
> in the first place, either (and, if so, whether it's by weak passwords,
> an authorized key hidden someplace during the first hack, etc. etc.).
>
> > But Openssh in Centos 7 is so old that cannot communicate with
> > newer machines, they cannot agree on protocols and ciphers, etc.
>
> ... out of interest, what's your reference standard there, since it
> apparently surpasses even hardening guides like
> https://www.ssh-audit.com/hardening_guides.html#rhel7 ... ?
>
> Regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>