Background: 15 years of experience in software and apparently spoiled because it was already set up correctly.

Been practicing doing my own servers, published a test site and 24 hours later, root was compromised.

Rolled back to the backup before I made it public and now I have a security checklist.

  • Xanza@lemm.eeEnglish
    15·
    8 hours ago

    You can’t really disable the root user. You can make it so they can’t login remotely, which is highly suggested.

      • Xanza@lemm.eeEnglish
        2·
        4 hours ago

        There’s no real advantage to disable the root user, and I really don’t recommend it. You can disable SSH root login, and as long as you ensure root has a secure password that’s different than your own account your system is just as safe with the added advantage of having the root account incase something happens.

        • Possibly linux@lemmy.zipEnglish
          2·
          3 hours ago

          That wouldn’t be defense in depth. You want to limit anything that’s not necessary as it can become a source of attack. There is no reason root should be enabled.

          • Faresh@lemmy.mlEnglish
            1·
            42 minutes ago

            I don’t understand. You will still need to do administrative tasks once in a while so it isn’t really unnecessary, and if root can’t be logged in, that will mean you will have to use sudo instead, which could be an attack vector just as su.

          • Xanza@lemm.eeEnglish
            21·
            2 hours ago

            Why do like, houses have doors man. You gotta eliminate all points of egress for security, maaaan. /s

            There’s no particular reason to disable root, and with a hardened system, it’s not even a problem you need to worry about…

    • MehBlah@lemmy.worldEnglish
      1·
      7 hours ago

      Another thing you can do under certain circumstances which I’m sure someone on here will point out is depreciated is use TCP Wrappers. If you are only connecting to ssh from known IP addresses or IP address ranges then you can effectively block the rest of the world from accessing you. I used a combination of ipset list, fail2ban and tcp wrappers along with my firewall which like is also something old called iptables-persistent. I’ve also moved my ssh port up high and created several other fake ports that keep anyone port scanning my IP guessing.

      These days I have all ports closed except for my wireguard port and access all of my hosted services through it.