by stevendgarcia 2549 days ago
Solid advice. I had fail2ban installed and enabled. SSHD Root/password login turned off and only ssh key had access. My firewall was also airtight, or so I thought. Clearly I mucked up a config or setting somewhere because the odds of someone getting past all that are extremely low. One thing I had not prepared for was IP spoofing which I learned can be prevented with a few net.ipv4.conf tweaks. I also just purchased a static IP from my provider so I can lock down ssh access even further. Here's hoping I never have to deal with this headache again! fingers crossed
5 comments

You don't generally "get past" your firewall rules and into your box unless you have accounts that are not password protected.

If you really had password logins turned off, you need to identify and isolate how they gained access before you put that box online again. Never "hope" or "cross fingers" that it doesn't happen again. Unless you are an interesting target for some reason, chances are that these attacks are automated and you are running some insecure software somewhere.

Start by taking a snapshot of the machine before you do anything else. Go through the logs. Are there any unwanted processes? How were they started? Are there any unwanted binaries in the filesystem? How were they uploaded? Try to find IP addresses that can be tied to any unwanted login, and search your logs for any previous occurrences.

Pay special attention to any web-reachable software you have installed.

What was the vector by which they gained access? I have fail2ban, password login turned off, key access, airtight firewall, etc. and now am worried.
If they exploited a service or Web app they might have gotten shell access. The chance of gaining access through ssh with fail2ban is extremely unlikely, unless fail2ban was badly configured.
Me too
How did you discover the breach, and did you determine the vector? My guess is that it was a pivoted breach from another system on the LAN such as your PC.
I'm still picking up the pieces but from my logs I can see that hundreds of successive login attempts were made from different IPs, effectively circumventing fail2ban with what I can only assume is some form of automated IP spoofing. I'm hoping that strict ipv4 settings and ssh ip range restrictions will mitigate this in the future. I also used this python script to harden my SSH security with better algorithms. https://github.com/arthepsy/ssh-audit
No, you were not seeing spoofed traffic. There are that many compromised machines actively scanning.
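As an added example (not code from the thread or from fail2ban), the following Python check runs over constructed sshd log lines and shows why a per-IP ban threshold like fail2ban's maxretry sees nothing when many sources each make only one or two attempts, while the aggregate failure count across all sources is what actually stands out. All log lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample of sshd auth events (not from the original thread): many
# source addresses, each trying only once or twice, plus one legitimate key login.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:04 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 10:01:05 host sshd[1205]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:09 host sshd[1207]: Failed password for root from 192.0.2.33 port 33001 ssh2
Mar  3 10:01:11 host sshd[1209]: Failed password for invalid user test from 198.51.100.8 port 40100 ssh2
Mar  3 10:01:13 host sshd[1211]: Failed password for root from 192.0.2.34 port 33002 ssh2
Mar  3 10:01:15 host sshd[1213]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
Mar  3 10:01:18 host sshd[1215]: Failed password for root from 203.0.113.6 port 51300 ssh2
"""

# Matches both "Failed password for root from X" and
# "Failed password for invalid user NAME from X"; group 2 is the source address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port"
)


def failed_logins_by_ip(log_text):
    """Count 'Failed password' events per source IP (successful logins ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def assess(log_text, maxretry=3):
    """Compare what a per-IP threshold (fail2ban-style maxretry) would ban
    against the aggregate failure volume, which a per-IP rule never sees."""
    per_ip = failed_logins_by_ip(log_text)
    banned = {ip for ip, n in per_ip.items() if n >= maxretry}
    return {
        "total_failures": sum(per_ip.values()),
        "distinct_sources": len(per_ip),
        "would_be_banned": sorted(banned),
        "failures_from_unbanned": sum(n for ip, n in per_ip.items() if ip not in banned),
    }


if __name__ == "__main__":
    # With the default maxretry of 3, no source is banned even though every
    # failure above is part of the same distributed run.
    print(assess(SAMPLE_AUTH_LOG))
```

The useful defensive signal here is the aggregate rate (many distinct sources, all failing) rather than any single address, which is why the thread's suggestion of restricting ssh to a known source range does more than tuning per-IP bans.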
It's scary to admit this but you are probably right. The first thing these bots do is use server resources to scan ports and brute force their way into other machines. I don't want to think about how many machines are pwned like this. Very sobering!
This is also perfectly normal for the Internet, yes? If you have a server with an IPv4 address, expect many attempts per day.
> One thing I had not prepared for was IP spoofing which I learned can be prevented with a few net.ipv4.conf tweaks.

Do you have a handy link for more info about that?

`rp_filter`? https://www.slashroot.in/linux-kernel-rpfilter-settings-reve...

Did you have password login disabled for all accounts or just the root account?