What will happen if someone gets unauthorized access to your server?

So when I logged into my VPS I saw that there are 8k-ish failed logins (https://imgur.com/YVNHlc0). What could happen if they get access to my server? They'll probably use it in a botnet I guess? There's a low chance they might brute force in, what would the provider do in this case? Suspend my service even though it wasn't me? For example Hetzner or other providers that do require an ID photo for verification, would they report me?
And no, I don't want to use my VPS for DDoSing even if it may sound like I want to.
I already installed Fail2Ban, generated an SSH key and created another user with sudo access so I guess I'll be fine but I'm still curious.

Comments

  • Most likely, damage data etc - Endless possibilities what they'll do if they get in.

    Have you changed SSH port as well?

  • vovler Member
    edited July 2020

    Mail spam, botnet for DDoS, mining crypto, encrypt all your files and ask for money (ransomware), if you are running a web server some malicious JavaScript to steal CC details, deface the website, sell its database online, blackmail you with the threat of reporting you to GDPR authorities

  • @WSCallum said:
    Most likely, damage data etc - Endless possibilities what they'll do if they get in.

    Have you changed SSH port as well?

    Not yet, I'll change it as well, thanks :smile:

  • Pwner Member

    The internet police will knock on your door, and when you answer then they'll walk into your living room, rip your modem out from ISP line, and revoke your internet privileges for allowing yourself to be compromised.

    In all seriousness though, if someone gets unauthorized access to your server then it's safe to assume that anything in it has been compromised and backdoored, and you'll most likely need to wipe it clean and restore data from a backup while learning how to better harden your server in the future. Any and all repercussions of being compromised (DDoS participation, leaked client data, etc.) will also be your responsibility since the service is under your name and account.

  • RedSox Member
    edited July 2020

    Still can't get why people stay on the default port... There is no need to install fail2ban in most cases, just change the port and no one will be knocking on your door, especially if your sites use Cloudflare.

  • cochon Member

    @RedSox said:
    just change the port and no one will be knocking on your door

    That's not true at all. I shift ports, not for obscure security reasons, but because I want to run SFTP on the familiar port 22 separate from SSH. I still get lots of SSH attempts on the new port once they've scanned for it.

    Bottom line is to use public keys, AND disable password logins, then forget about it.

    Fail2ban isn't much use anyway these days as the attempts are more often 'low and slow' scans from many IPs which won't trigger or be bothered by a ban. It's been a while since I've seen a server degraded by a 'fast and furious' password brute force in SSH.

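The "low and slow" point in the post above is easy to check against real log lines. The script below is an added example for this thread, not code from any poster: it parses OpenSSH "Failed password" lines, applies the per-IP sliding-window rule that fail2ban's stock sshd jail uses (maxretry failures from one IP within findtime), and then applies an aggregate per-username check that counts distinct source IPs instead. The auth.log sample is constructed for the example, and the year, thresholds and the "root" target are assumptions.

```python
"""
Added example for this thread (not code from any poster): run fail2ban's
per-IP logic and an aggregate "low and slow" check over the same sshd lines.
The log below is constructed for the example; it is not a capture from a real VPS.
"""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH's rejected-password line in the classic syslog auth.log format.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failures(lines, year=2020):
    """Return [(timestamp, target_user, source_ip)] for each failed password line.
    syslog timestamps carry no year, so the caller supplies it (assumed 2020 here)."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def fail2ban_bans(events, maxretry=5, findtime_s=600):
    """Per-IP sliding window, the shape of fail2ban's stock sshd jail
    (maxretry failures from one IP within findtime). Returns the banned IPs."""
    banned = set()
    recent = defaultdict(list)  # ip -> timestamps still inside the window
    for ts, _user, ip in sorted(events):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime_s:
            window.pop(0)
        if len(window) >= maxretry:
            banned.add(ip)
    return banned


def distributed_campaigns(events, findtime_s=3600, min_ips=4, min_failures=8):
    """Aggregate view per target username: many distinct source IPs, each staying
    under the per-IP threshold, is the distributed guessing fail2ban never sees.
    Returns {user: (distinct_ips, failures)} for the busiest window per user."""
    by_user = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_user[user].append((ts, ip))
    flagged = {}
    for user, evs in by_user.items():
        best = (0, 0)
        for end, (ts_end, _ip) in enumerate(evs):
            # every failure against this user in the findtime seconds ending at ts_end
            window = [(ts, ip) for ts, ip in evs[: end + 1]
                      if (ts_end - ts).total_seconds() <= findtime_s]
            ips = {ip for _ts, ip in window}
            if len(ips) >= min_ips and len(window) >= min_failures:
                best = max(best, (len(ips), len(window)))
        if best > (0, 0):
            flagged[user] = best
    return flagged


# Constructed sample: one noisy guesser (203.0.113.7), eight hosts in
# 198.51.100.0/24 taking turns at root over an hour, and one typo by the admin.
SAMPLE_LOG = """\
Jul 14 02:10:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 40412 ssh2
Jul 14 02:10:04 vps sshd[1201]: Failed password for root from 203.0.113.7 port 40412 ssh2
Jul 14 02:10:07 vps sshd[1201]: Failed password for root from 203.0.113.7 port 40412 ssh2
Jul 14 02:10:10 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40418 ssh2
Jul 14 02:10:13 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40418 ssh2
Jul 14 02:10:16 vps sshd[1205]: Failed password for root from 203.0.113.7 port 40422 ssh2
Jul 14 02:10:17 vps sshd[1205]: Connection closed by authenticating user root 203.0.113.7 port 40422 [preauth]
Jul 14 03:00:05 vps sshd[1310]: Failed password for root from 198.51.100.11 port 53010 ssh2
Jul 14 03:05:12 vps sshd[1322]: Failed password for root from 198.51.100.12 port 53011 ssh2
Jul 14 03:10:30 vps sshd[1334]: Failed password for root from 198.51.100.13 port 53012 ssh2
Jul 14 03:15:44 vps sshd[1346]: Failed password for root from 198.51.100.11 port 53013 ssh2
Jul 14 03:20:02 vps sshd[1358]: Failed password for root from 198.51.100.14 port 53014 ssh2
Jul 14 03:25:19 vps sshd[1370]: Failed password for root from 198.51.100.15 port 53015 ssh2
Jul 14 03:30:07 vps sshd[1382]: Failed password for root from 198.51.100.12 port 53016 ssh2
Jul 14 03:35:55 vps sshd[1394]: Failed password for root from 198.51.100.16 port 53017 ssh2
Jul 14 03:40:21 vps sshd[1406]: Failed password for root from 198.51.100.17 port 53018 ssh2
Jul 14 03:45:09 vps sshd[1418]: Failed password for root from 198.51.100.13 port 53019 ssh2
Jul 14 03:50:33 vps sshd[1430]: Failed password for root from 198.51.100.18 port 53020 ssh2
Jul 14 03:55:48 vps sshd[1442]: Failed password for root from 198.51.100.14 port 53021 ssh2
Jul 14 08:15:00 vps sshd[1601]: Failed password for alice from 192.0.2.10 port 51022 ssh2
Jul 14 08:15:09 vps sshd[1601]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
"""

if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG.splitlines())
    print("fail2ban would ban:", fail2ban_bans(evs))
    print("distributed campaigns:", distributed_campaigns(evs))
```

On this input the per-IP rule bans only 203.0.113.7; none of the eight 198.51.100.x hosts ever reaches five failures, so they stay unbanned, while the per-username view reports root as hit from 8 addresses 12 times inside one hour. The aggregate check is a detection signal, not a ban list: with password authentication disabled the campaign cannot succeed, and the useful response is to confirm that is the case rather than to start banning /24s.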
  • Nothing harmful, just treat it like a VPN and watch someone do horrible shit.

  • stefeman Member
    edited July 2020

    He would probably glance at your data, laugh a little bit and then install his own services/backdoor, clear /var/log and let the server run silently.

    DDoS, further cracking, or reverse proxy for illegal stuff like hacking is the most common use case for "rooted servers" as the criminals call them.

    You could even sell it forward on various cybercrime forums. The price usually depends on port speed and server specs.

    Malware hosting is also popular. It wouldn't be used for C&C or sending commands to the botnets, but it would be a wonderful spreading server for any crook that's into IoT devices.

    TL;DR, just secure your server. Avoid shit passwords and install fail2ban or change the SSH port and you're mostly safe. If you want to be 100% secure, use a keyfile instead of a password for SSH.

  • @cochon said:

    @RedSox said:
    just change the port and no one will be knocking on your door

    That's not true at all. I shift ports, not for obscure security reasons, but because I want to run SFTP on the familiar port 22 separate from SSH. I still get lots of SSH attempts on the new port once they've scanned for it.

    Bottom line is to use public keys, AND disable password logins, then forget about it.

    Fail2ban isn't much use anyway these days as the attempts are more often 'low and slow' scans from many IPs which won't trigger or be bothered by a ban. It's been a while since I've seen a server degraded by a 'fast and furious' password brute force in SSH.

    How to separate SFTP and SSH?

  • cochon Member

    @chocolateshirt said:
    How to separate SFTP and SSH?

    ProFTPD, though I'm sure there are others. We disable FTP and insist on clients using SFTP, but don't want them having any opportunity to login, tunnel or run remote commands.

    The mod_sftp module implements the SSH2 protocol and its SFTP subsystem, for secure file transfer over an SSH2 connection. The mod_sftp module supports:

    Public key authentication
    Password authentication (e.g. user authentication via mod_sql, mod_ldap, mod_auth_file, mod_auth_unix, mod_auth_pam)
    SCP support
    Quotas (via the mod_quotatab module)
    FIPS support (see Usage section)
    Throttled transfers (via TransferRate, and/or the mod_shaper module)
    Blacklisted public keys
    Configurable traffic analysis protection
    Passphrase-protected host keys
    SFTP extensions

    This module supports the SFTP and SCP file transfer protocols; it does not support shell access.
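What the post above describes, as a configuration: a ProFTPD mod_sftp listener on port 22 that offers SFTP and nothing else, while the real sshd lives on another port. This is an added example, not cochon's configuration; it assumes ProFTPD is built with mod_sftp, sshd has already been moved off 22, that FTP on 21 is disabled (otherwise this block belongs in a `<VirtualHost>` on port 22 instead of the main server context), and that each client's public key is stored as an RFC 4716 file at /etc/proftpd/authorized_keys/<username>.

```apacheconf
# /etc/proftpd/conf.d/sftp.conf  (added example for this thread, not cochon's file)
<IfModule mod_sftp.c>
    SFTPEngine on
    # Clients keep using the port they know; sshd is listening elsewhere.
    Port 22
    SFTPLog /var/log/proftpd/sftp.log

    # A dedicated PEM host key, generated with:
    #   ssh-keygen -t rsa -b 4096 -m PEM -N '' -f /etc/proftpd/sftp_host_rsa_key
    # (mod_sftp does not need to share sshd's host key, and older releases
    # cannot read OpenSSH's newer private-key format anyway)
    SFTPHostKey /etc/proftpd/sftp_host_rsa_key

    # Keys only. %u expands to the username; each file is RFC 4716 format,
    # produced from an OpenSSH public key with: ssh-keygen -e -f id_ed25519.pub
    SFTPAuthMethods publickey
    SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u

    # Jail every client in its own home. Accounts can have /usr/sbin/nologin
    # as their shell; mod_sftp never runs a shell, so they need no valid one.
    DefaultRoot ~
    RequireValidShell off
</IfModule>
```

Two practical notes. mod_sftp speaks only the SFTP and SCP subsystems, so a key that works here cannot open a shell, forward a port or run a remote command even if the account also exists in /etc/passwd. And because mod_sftp's failures go to SFTPLog rather than sshd's auth.log, fail2ban's sshd jail will not see them; a jail for port 22 has to read that file instead.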

  • RedSox Member
    edited July 2020

    @cochon said:

    @RedSox said:
    just change the port and no one will be knocking on your door

    That's not true at all. I shift ports, not for obscure security reasons, but because I want to run SFTP on the familiar port 22 separate from SSH. I still get lots of SSH attempts on the new port once they've scanned for it.

    Why so? I use a Hetzner VPS and after switching from port 22 to 4434 I have no SSH attempts, only my own attempts :) And Hetzner is very popular; every SSH bot knows its IP range! So imagine how many people want to have access to Hetzner VPSes, dedis and so on. Believe it or not, my auth.log is filled only with my own attempts.

    I just believe that those people who want to hack someone's VPS just go the easiest way, port 22. It is always the best decision to follow a well-trodden path, and they follow it.

  • cochon Member

    @RedSox said:
    Believe it or not, my auth.log is filled only with my own attempts.

    I just believe that those people who want to hack someone's VPS just go the easiest way, port 22.

    Reflecting on your comment, I think your experience is probably becoming more normal, and my experience more exceptional, it does take a while for SSH attempts to start.

    As cloud based computing gets cheaper, the number of simple vanilla installs with SSH on port 22 must be growing at a huge rate. As you suggest, with such a large growing pool there's probably less and less motivation to go looking for other avenues.

    Still doesn't alter my (and others) main thrust - don't rely on obscurity, use keys, disable passwords completely.

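The advice that runs through this thread (the OP's key plus sudo user, the port change several posters mention, and cochon's "use keys, disable passwords completely") fits in one sshd drop-in. The fragment below is an added example, not any poster's configuration. It assumes OpenSSH 8.2 or newer, whose stock sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf` (so a drop-in's value wins over the main file's), and an admin account named `deploy` whose public key is already in its authorized_keys; both names are placeholders.

```conf
# /etc/ssh/sshd_config.d/10-hardening.conf
# Added example for this thread, not a poster's file. Assumes OpenSSH >= 8.2
# and an admin account "deploy" that already has a key in authorized_keys.
# sshd_config takes no trailing comments, so every comment is on its own line.

# Optional. Moving off 22 shrinks the log noise; it is not a security control.
Port 4434

# The actual fix: leave nothing to guess. Both lines are needed, because with
# only the first, the PAM keyboard-interactive path still prompts for a password.
# (ChallengeResponseAuthentication is the older spelling; on OpenSSH 8.7+ it is an
# alias of KbdInteractiveAuthentication and either name works.)
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey

# No direct root; log in as the sudo user and escalate from there.
PermitRootLogin no
AllowUsers deploy

# Make each failed connection cheap for the server.
MaxAuthTries 3
LoginGraceTime 20
```

Before reloading, run `sshd -t` to catch syntax errors, reload sshd while the current session stays open, and confirm a fresh login works with the key and is refused with a password (`ssh -o PubkeyAuthentication=no -p 4434 deploy@host` should end in "Permission denied (publickey)") before closing the old session. Two caveats worth knowing: `AllowUsers` locks out every account not listed, and if you do change the port, fail2ban's sshd jail still bans on `port = ssh` (22) unless `jail.local` is updated to match. On distributions that socket-activate sshd (recent Ubuntu releases), the listening port is set in the `ssh.socket` unit rather than here.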
  • ssh failed attempts are the least of your troubles. Most servers are hacked through other services provided on the server (web/php/mail). The key thing is to understand the vulnerabilities of your server and automatic early detection.

    Want a bullet-proof SSH service? Run it over WireGuard. Otherwise, put up some firewall rules to auto-block failed login attempts. Fail2ban and PSAD are helpful if you can't do that with your firewall.
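The "run it over WireGuard" suggestion above, as a concrete configuration. This is an added example, not the poster's setup: it assumes a tunnel network of 10.200.0.0/24 with the VPS at 10.200.0.1 and one admin laptop at 10.200.0.2, key pairs made with `wg genkey | tee privkey | wg pubkey`, and an iptables-based firewall. The two placeholder keys are not real.

```ini
# /etc/wireguard/wg0.conf on the VPS (added example; bring up with wg-quick up wg0)
[Interface]
Address = 10.200.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>
# Accept SSH only when it arrives through the tunnel. The DROP is inserted first,
# then the wg0 ACCEPT is inserted above it, so the final order is ACCEPT, DROP.
# Loopback is excluded so local tooling can still reach sshd.
PostUp = iptables -I INPUT 1 -p tcp --dport 22 ! -i lo -j DROP; iptables -I INPUT 1 -i wg0 -p tcp --dport 22 -j ACCEPT
PostDown = iptables -D INPUT -i wg0 -p tcp --dport 22 -j ACCEPT; iptables -D INPUT -p tcp --dport 22 ! -i lo -j DROP

[Peer]
# The admin laptop. Only a packet authenticated with this key is decrypted;
# anything else sent to UDP 51820 is silently dropped, so scanners see no service.
PublicKey = <laptop-public-key>
AllowedIPs = 10.200.0.2/32
```

The laptop then connects with `ssh deploy@10.200.0.1`, and port 22 on the public address never answers, so the 8k failed logins the OP saw simply stop. Two things to decide consciously: these rules exist only while wg0 is up, so a tunnel that fails to start leaves sshd reachable publicly again (the keys-only settings still apply); move the DROP into the persistent firewall if you want a hard rule. And keep the provider's console or rescue mode as the fallback path, because a typo in this file can lock you out as effectively as any attacker.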

  • Attacker's eyes get cancer.
