Someone just hacked my Proxmox box

Goddard (New Member), Aug 7, 2017
My Proxmox box was just hacked and someone easily got root access. Can someone help me debug?
 
It was hacked by someone that wanted to mine Monero. I found a modification in the crontab file. It had a pfSense VM that handled all traffic.
 
/etc/ssh/sshd_config
PermitRootLogin no

I honestly don't know why this isn't on by default.

Also, fail2ban will prevent these attacks too. If you look in the logs, there are constant SSH attacks, especially from China/Asia.
 
Fair enough, however you can use the following, which will still allow key-based authentication:
PermitRootLogin without-password
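The two posts above turn on a single sshd_config directive, and the thing that most often goes wrong when applying the advice is that sshd honours the first occurrence of a directive, so a "PermitRootLogin no" appended at the end of the file does nothing if an earlier line already set it. The following script is an added example (not code from this thread or from Proxmox) that reports the value sshd will actually apply and classifies it the way the posts do: "no" blocks root entirely, while "without-password" / "prohibit-password" still allow key-based root login. The two sample config files are constructed for the example; the fallback value when the directive is absent is the OpenSSH default since 7.0 ("prohibit-password"), and directives inside "Match" blocks are deliberately skipped because they only apply conditionally.

```shell
#!/bin/sh
# Added example, not from the thread or from Proxmox: determine the
# PermitRootLogin value that sshd will actually apply. sshd honours the FIRST
# occurrence of a directive, so "PermitRootLogin no" added at the bottom of
# the file is silently ignored if an earlier line already set it. Directives
# inside "Match" blocks are ignored here (they only apply conditionally).

effective_permit_root_login() {
    # $1: path to an sshd_config file. Prints the effective value.
    awk '
        /^[ \t]*#/ || NF == 0           { next }          # comments / blank lines
        tolower($1) == "match"          { in_match = 1 }
        in_match                        { next }          # skip conditional blocks
        tolower($1) == "permitrootlogin" && !found {
            print tolower($2); found = 1                   # first match wins
        }
        END { if (!found) print "prohibit-password" }     # OpenSSH >= 7.0 default when unset
    ' "$1"
}

# Returns 0 when root cannot log in with a password (key-based login may still
# be allowed, as with "without-password" / "prohibit-password"), 1 otherwise.
root_password_login_blocked() {
    case "$(effective_permit_root_login "$1")" in
        no|prohibit-password|without-password|forced-commands-only) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples (not real hosts). SAMPLE_BAD shows the common mistake:
# "no" was appended, but the earlier "yes" is what sshd applies.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
# stock Debian comment: #PermitRootLogin prohibit-password
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF

# SAMPLE_OK sets nothing globally, so the OpenSSH default applies; the value
# inside the Match block only affects that user and is ignored here.
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
Port 22
Match User backup
    PermitRootLogin yes
EOF
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_OK"' EXIT

for f in "$SAMPLE_BAD" "$SAMPLE_OK"; do
    printf '%s: PermitRootLogin=%s\n' "$f" "$(effective_permit_root_login "$f")"
done
```

On a real node, run `effective_permit_root_login /etc/ssh/sshd_config` after editing and before `systemctl reload ssh`; the authoritative check is still `sshd -T | grep -i permitrootlogin`, which prints the fully resolved configuration, but the function above is handy when reviewing config files copied off a box.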
 

The initial joining of a cluster node uses SSH with a password (currently; there are plans to change this). AFAIK there is nothing else that needs password-based access, so after you have joined all your nodes to the cluster, disabling it should not break anything.

That being said, disabling public access to your hypervisor nodes (e.g., by putting SSH and the web interface behind a VPN or a jump host) is recommended in any case.
 
"PermitRootLogin without-password" is actually the default setting for Debian, FYI. Yes, it would definitely make sense to do it another way, perhaps using a REST API or something simple. At the very least, add a warning to the console.

Permitting root login exposed is a seriously bad idea, but I agree that exposing Proxmox on the internet is also a bad idea.