So my droplet was hacked twice. And the third version is up. Fingers crossed.
The mistake I made in the first two was that I had root + password login enabled. I’ve learned since that there are brute-force bots out there that keep trying passwords until they get through. So I’m going the private SSH key route this time, no password.
What I learned in the process: By default Ubuntu Linux doesn’t limit password attempts in any way. You can keep trying different passwords forever. Shiver.
I have several questions about the logic of disabling root login:
Would it still be possible for the non-root user to use “su” to become root? If yes, then how many password attempts are allowed (i.e., is this too a situation where by default there’s no limit to password attempts?).
One would still need “root-like” access to the server once in a while, e.g., to give new users “sudo” privileges, etc. Presumably one would have a non-root user account with “sudo” privileges so that one can have such “root-like” access. Why is that not as big of a security threat as having root login enabled?
Do experienced Linux server admins typically set up a non-root user such that one would need a private SSH key AND a password? This seems to me to be the safest option.
Note: I realize that the root username is an issue here. But given infinite free attempts, brute-forcing any username + password combination is just a matter of time.
Yup, SSH keys are the way to go - my SSH config has root login disabled completely and only permits a single username to login with SSH keys.
Username/password logins are just too open to abuse.
Why don’t you use SSH keys? Also, install fail2ban.
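An added audit script (not part of this thread) that checks an sshd_config for the three settings the answers point to: root login off, password logins off, and an explicit AllowUsers list. The sample config files it builds are constructed for the demo, and it assumes a plain file with no Match blocks or Include directives.

```sh
# Added example, not from the thread: audit an sshd_config for the settings the
# answers recommend (root login off, passwords off, an explicit AllowUsers list).
# Assumptions: plain sshd_config with no Match blocks and no Include directives;
# sshd honours the FIRST occurrence of a directive, which the awk below mirrors.

# first_value FILE KEYWORD -> first effective value of KEYWORD (case-insensitive), or nothing
first_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/   { next }            # skip comments and blank lines
        tolower($1) == "match" { exit }            # settings after Match are conditional
        tolower($1) == key     { print $2; exit }  # first occurrence wins, like sshd
    ' "$1"
}
# sshd_findings FILE -> one line per weak setting; no output means hardened
sshd_findings() {
    v=$(first_value "$1" PermitRootLogin)
    [ "$v" = "no" ] || echo "PermitRootLogin is '${v:-unset}'; set it to 'no'"
    v=$(first_value "$1" PasswordAuthentication)
    [ "$v" = "no" ] || echo "PasswordAuthentication is '${v:-unset}'; set it to 'no' (keys only)"
    v=$(first_value "$1" AllowUsers)
    [ -n "$v" ] || echo "AllowUsers is unset; name the admin account(s) allowed over SSH"
}
# count_findings FILE -> number of findings (0 = passes the audit)
count_findings() { sshd_findings "$1" | wc -l | tr -d ' '; }

# Constructed sample configs (not real server files).
WEAK_CFG=$(mktemp); APPENDED_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$APPENDED_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# the setup the original poster described: root + password login
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$APPENDED_CFG" <<'EOF'
# common mistake: 'no' appended at the end, but the earlier 'yes' is what sshd uses
PermitRootLogin no
PasswordAuthentication yes
AllowUsers deploy
PasswordAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy
EOF
for f in "$WEAK_CFG" "$APPENDED_CFG" "$HARD_CFG"; do
    echo "== $f: $(count_findings "$f") finding(s)"; sshd_findings "$f"
done
```

On a real host, point the functions at /etc/ssh/sshd_config (or at `sshd -T` output, which already resolves Include and Match) and restart sshd only after the audit reports zero findings and a second key-based session has been confirmed to work.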