
My server has been infiltrated by an outsider using my root user qualifications.

With the root password changed, I'm trying to find extra strategies for securing the server.

Using the /etc/hosts.allow and /etc/hosts.deny seems like a viable solution to manage access by IP-Address but I have a potential problem.

I want to specify my work IP in the hosts.allow file. The issue however is that the IP-Address can be changed by the service provider. If that happens I'll be locked out of my server. Our server is self managed.

Can anyone enlighten me on how to prevent or overcome this scenario, please?

sisko
  • I've already answered but disabling root ssh is in the [sshd_config](http://www.openssh.org/cgi-bin/man.cgi?query=sshd_config), set it to no and restart the service. – MDMoore313 Dec 19 '13 at 18:09

5 Answers


Buy a static IP from provider.

Kazimieras Aliulis

In addition to @Kazimieras' answer you can also use a system such as dyndns and add your new hostname to /etc/hosts.allow.

MDMoore313
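Two caveats the answer leaves implicit, followed by an added example (not code from the answer or from the original page). tcp_wrappers matches a host name in hosts.allow against the reverse DNS of the connecting address, and a dynamic-DNS name is almost never the PTR record of a home or office line, so the practical form of this idea is a cron job that resolves the name and writes the resulting address into the file. The script below does that, refuses to touch the file when the lookup fails, and always keeps a second static address in the list so a DDNS outage alone cannot lock you out. Newer OpenSSH builds (6.7 and later) no longer link libwrap, in which case the same rule belongs in the firewall instead. The DDNS name, the fallback address and the file paths are placeholders, not values from the question.

```shell
#!/bin/sh
# Added example; not code from the answer above. Keeps the sshd line in
# hosts.allow in step with a dynamic-DNS name by resolving the name and
# rewriting the file with the current address (run it from cron, e.g. every
# five minutes). All names and addresses below are placeholders (assumptions).

DDNS_NAME="${DDNS_NAME:-office.example.dyndns.org}"   # hypothetical DDNS name
FALLBACK_IP="${FALLBACK_IP:-203.0.113.10}"            # a second, static way in (VPN, bastion)
HOSTS_ALLOW="${HOSTS_ALLOW:-/etc/hosts.allow}"

# Return 0 if $1 is a dotted-quad IPv4 literal with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Print the hosts.allow content for one dynamic address plus the fallback.
# Only sshd is listed, so rules for other wrapped services are unaffected.
render_hosts_allow() {
    printf 'sshd: %s %s\n' "$1" "$FALLBACK_IP"
}

# Resolve the DDNS name to its first IPv4 address; print nothing on failure.
resolve_ddns() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1; exit }'
}

# Rewrite hosts.allow with the current address. If the lookup fails the file
# is left exactly as it is: an empty or missing hosts.allow together with
# "sshd: ALL" in hosts.deny is precisely the lock-out the question worries about.
update_hosts_allow() {
    ip=$(resolve_ddns "$DDNS_NAME")
    if ! is_ipv4 "$ip"; then
        echo "lookup of $DDNS_NAME failed; leaving $HOSTS_ALLOW untouched" >&2
        return 1
    fi
    new=$(render_hosts_allow "$ip")
    if [ -f "$HOSTS_ALLOW" ] && [ "$(cat "$HOSTS_ALLOW")" = "$new" ]; then
        return 0    # nothing changed since the last run
    fi
    # Write a temp file and rename it so tcpd never reads a half-written file.
    tmp="$HOSTS_ALLOW.tmp.$$"
    printf '%s\n' "$new" > "$tmp" && mv "$tmp" "$HOSTS_ALLOW"
}

# Usage: DDNS_NAME=... FALLBACK_IP=... sh ddns-hosts-allow.sh run
case "${1:-}" in
    run) update_hosts_allow ;;
esac
```

Pair it with `sshd: ALL` in /etc/hosts.deny, and test the new rule from a second, already-open session before closing the one you are working in.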

Use certificates

Instead of using IP based restrictions you could set up passwordless login via certificates.

You will need to put your public certificate on the server you are accessing. You will need to ensure that the permissions on the required files in the ~/.ssh directory are correct for this to work.

Deesbek
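The permission point in the answer is the one that bites in practice: with StrictModes (the default) sshd silently ignores an authorized_keys file whose directory or file is group- or world-writable, so you keep getting a password prompt. The script below, an added example and not the answer's own code, installs a public key and checks or fixes the modes sshd expects. The key file name and the directory default are assumptions; it relies on GNU stat, i.e. Linux.

```shell
#!/bin/sh
# Added example; not code from the answer above. Installs a public key for
# key-based login and checks/fixes the permissions sshd insists on when
# StrictModes (the default) is on. The directory defaults to ~/.ssh; the key
# file name is an assumption. Needs GNU stat (Linux).

SSH_DIR="${SSH_DIR:-$HOME/.ssh}"

# Print the paths under $1 whose mode sshd would reject; return 1 if any.
#   directory 700, authorized_keys and private keys 600, public keys 644 (or 600)
check_ssh_perms() {
    dir="$1"; bad=0
    mode=$(stat -c %a "$dir")
    [ "$mode" = 700 ] || { echo "$dir: mode $mode, want 700"; bad=1; }
    for f in "$dir"/authorized_keys "$dir"/id_*; do
        [ -e "$f" ] || continue
        mode=$(stat -c %a "$f")
        case "$f" in
            *.pub) case "$mode" in 644|600) ;; *) echo "$f: mode $mode, want 644"; bad=1 ;; esac ;;
            *)     [ "$mode" = 600 ] || { echo "$f: mode $mode, want 600"; bad=1; } ;;
        esac
    done
    return $bad
}

# Set the modes above on $1 (safe to run repeatedly).
fix_ssh_perms() {
    dir="$1"
    chmod 700 "$dir"
    for f in "$dir"/authorized_keys "$dir"/id_*; do
        [ -e "$f" ] || continue
        case "$f" in *.pub) chmod 644 "$f" ;; *) chmod 600 "$f" ;; esac
    done
}

# Append the single-line public key in $1 to $2/authorized_keys unless it is
# already there, then fix permissions. (ssh-copy-id does the same over the network.)
install_pubkey() {
    key=$(cat "$1"); dir="$2"
    mkdir -p "$dir"
    touch "$dir/authorized_keys"
    grep -qxF -- "$key" "$dir/authorized_keys" || printf '%s\n' "$key" >> "$dir/authorized_keys"
    fix_ssh_perms "$dir"
}

# Usage: sh ssh-keys.sh keygen        (create an ed25519 key pair; set a passphrase when asked)
#        sh ssh-keys.sh install FILE  (add FILE's public key to $SSH_DIR/authorized_keys)
#        sh ssh-keys.sh check         (report permission problems)
case "${1:-}" in
    keygen)  mkdir -p "$SSH_DIR" && ssh-keygen -t ed25519 -f "$SSH_DIR/id_ed25519" ;;
    install) install_pubkey "$2" "$SSH_DIR" ;;
    check)   check_ssh_perms "$SSH_DIR" ;;
esac
```

Run the `check` subcommand as the account you log in as, not as root: sshd checks the ownership of these files against that account as well as their modes.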

Maybe you can set up a VPN connection between your server and your office network.

Danielle

I took several steps in securing my servers:

The first is the obvious one:

Don't run ssh on the standard port; this gets rid of the usual script kiddie attacks.

The second one is also state of the art:

Use a knock daemon. A knock daemon first awaits a sequence of hits on specific ports and protocols before opening the port for the ssh connection on the server. So the ssh server is invisible to any attackers until they hit the right port sequence with a knock client. Most knock daemon implementations provide a mechanism for integrating transactional sequences, so the knocking sequence is changed after every successful login.

With this standard setup you are provided with a bit more of a security layer.

Using encrypted usernames and passwords and restricting ssh login to a specific (non-root) user is also recommended. You can then switch to the root user on the server when executing root tasks.

Installing a monitoring system like Nagios also provides more security to you and your environment; it's easy to configure and also provided through the Ubuntu packaging system. You can configure it to send you emails when someone is logging into your server via ssh, so at least you will have the information you need to investigate further.


But, to be honest: if someone accessed your server as root, you should do a complete re-installation of everything. There could be replacements of binaries which are not easy to detect, introducing backdoors. Imagine you run a simple command like useradd and the binaries have been replaced so that while executing the command a TCP connection is opened and user credentials are sent to your intruder. Or, worse: the ssh server binary has been replaced with a customized version which allows access via a certain user/password combination.

Deesbek
Peter
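The sshd_config side of this answer (a non-default port, no root login, login limited to a named non-root account) and the comment under the question about setting root login to "no" are easy to get subtly wrong, because sshd takes the first occurrence of a keyword and ignores later duplicates, treats keywords case-insensitively, and applies anything after a Match line only conditionally. The following is an added example, not code from the answer or the page, that reads a config file with those rules and reports which of the recommended settings are missing; the port and account names in the sample are assumptions. It does not replace a reinstall after a root compromise, as the answer says, and it does not configure the knock daemon.

```shell
#!/bin/sh
# Added example; not code from the answer above. Reads an sshd_config the way
# sshd does (first occurrence of a keyword wins, keywords are case-insensitive,
# everything after the first Match line is conditional) and reports the settings
# the answer recommends: a non-default port, no root login, login limited to
# named accounts, and no password authentication once keys are in place.
# The account names and port in the sample are assumptions.

# Print the effective value of keyword $2 in file $1 (empty if unset).
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }        # comments and blank lines
        tolower($1) == "match" { exit }       # conditional section starts here
        tolower($1) == key     { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# Report one setting; $3 is the wanted value (lower case). Returns 1 on mismatch.
expect_setting() {
    val=$(sshd_setting "$1" "$2" | tr 'A-Z' 'a-z')
    [ "$val" = "$3" ] && return 0
    echo "$2: is '${val:-unset (sshd default)}', want $3"
    return 1
}

# Run all checks against $1; prints each problem, returns 1 if there was any.
check_sshd_hardening() {
    f="$1"; rc=0
    port=$(sshd_setting "$f" Port)
    [ "${port:-22}" != 22 ] || { echo "Port: still the default 22"; rc=1; }
    expect_setting "$f" PermitRootLogin no        || rc=1
    expect_setting "$f" PasswordAuthentication no || rc=1
    [ -n "$(sshd_setting "$f" AllowUsers)" ] || { echo "AllowUsers: unset, every account may log in"; rc=1; }
    return $rc
}

# A hardened fragment of the kind the answer describes (sample, not a full file;
# the port number and the account name are placeholders).
hardened_sample() {
    cat <<'EOF'
Port 2222
PermitRootLogin no
AllowUsers deploy
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}

# Usage: sh sshd-check.sh check [/etc/ssh/sshd_config]
case "${1:-}" in
    check) check_sshd_hardening "${2:-/etc/ssh/sshd_config}" ;;
esac
```

After editing, run `sshd -t` to syntax-check the file, restart the service, and keep the current session open until a fresh login over the new port with the non-root account has succeeded.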