In retrospect I was an idiot to even leave my ssh password access enabled. I’ve now set it to “without-password” as I’ve found ssh key auth pretty reliable, which should help at least a little bit.
I had to reflash my firmware the manual way and found a pile of crap in my home directory along with linux_exploit_suggester.
As far as I can tell nothing was horribly damaged, perhaps stolen though.
As I’m not a Linux pro when it comes to vulnerabilities, is there anything I should do to further lock down my Drobo?
Move it off the default port 22. Any port will do, as long as it is not 22. I recommend picking something higher than 1024.
Remove password authentication. Allow only pubkey authentication.
[WARNING: From here on you have a very good chance of locking yourself out if you don’t know what you are doing, in particular after a firmware upgrade]
Forbid root login
Configure sudo to allow only a specific account to do superuser tasks.
Generate a strong root password, using something like “openssl rand -base64 15”
Furthermore, not on the Drobo but on some Linux servers that I manage which are internet-exposed:
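As an added example (not from this thread, and not Drobo's or OpenSSH's own code), the following POSIX sh script audits an sshd_config against the four settings in the reply above: non-default port, password authentication off, pubkey authentication on, root login forbidden. It assumes a standard sshd_config layout (first occurrence of a keyword wins, Match blocks are not evaluated); the two sample config files and the account name `admin` are constructed for the demonstration. Point it at whatever sshd_config the OpenSSH DroboApp installed to check the result after an edit or a firmware upgrade.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the
# hardening steps listed in the reply above (non-default port, no password
# auth, pubkey only, no root login). The sample config files are constructed.

# Print the effective value of one sshd_config keyword, lowercased.
# sshd uses the FIRST occurrence of a keyword and ignores later duplicates,
# so this does too; comment and blank lines are skipped. Match blocks are
# not evaluated here.
sshd_opt() {
    # $1 = config file, $2 = keyword (sshd treats keywords case-insensitively)
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Check a config against the four settings, print one line per weak
# setting, and return the number of findings (0 means all four are set).
audit_sshd_config() {
    cfg="$1"; findings=0
    # Absent keywords are treated as their stock default where that default
    # has been the same in every OpenSSH version; PermitRootLogin's default
    # changed over time, so an absent value is simply flagged.
    port=$(sshd_opt "$cfg" Port);                 [ -n "$port" ] || port=22
    pw=$(sshd_opt "$cfg" PasswordAuthentication); [ -n "$pw" ]   || pw=yes
    pk=$(sshd_opt "$cfg" PubkeyAuthentication);   [ -n "$pk" ]   || pk=yes
    root=$(sshd_opt "$cfg" PermitRootLogin);      [ -n "$root" ] || root="(unset)"

    [ "$port" != 22 ] || { echo "WEAK: Port 22 (default)";              findings=$((findings + 1)); }
    [ "$pw" = no ]    || { echo "WEAK: PasswordAuthentication $pw";      findings=$((findings + 1)); }
    [ "$pk" = yes ]   || { echo "WEAK: PubkeyAuthentication $pk";        findings=$((findings + 1)); }
    [ "$root" = no ]  || { echo "WEAK: PermitRootLogin $root (want no)"; findings=$((findings + 1)); }
    return "$findings"
}

weak_cfg=$(mktemp); hard_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hard_cfg"' EXIT

# Constructed: a config that still relies on the stock defaults.
cat >"$weak_cfg" <<'EOF'
#Port 22
PasswordAuthentication yes
PermitRootLogin yes
Subsystem sftp /usr/libexec/sftp-server
EOF

# Constructed: the same config after applying the steps above.
# "admin" is a hypothetical account name for the sudo-capable user.
cat >"$hard_cfg" <<'EOF'
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers admin
Subsystem sftp /usr/libexec/sftp-server
EOF

for f in "$weak_cfg" "$hard_cfg"; do
    echo "== $f"
    audit_sshd_config "$f" && echo "OK: all four settings present"
done
```

Run it as `sh audit.sh` to see the constructed weak config produce three findings and the hardened one none; to audit a live file, call `audit_sshd_config /path/to/sshd_config` after sourcing the script. The AllowUsers line is the config-side half of the "only a specific account" step; the sudoers side is separate.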
Thanks a million for this. Ultimately when it comes to locking myself out, wouldn’t it just be a matter of reinstalling openssh manually in the DroboApps share? Or does that network share need to be locked down as well?
What I meant by “locking yourself out” is that the right combination of:
reducing access to root,
accounts and groups being reset after a firmware update,
sudo not properly configured to be update/reboot resilient
…could leave you without root access anymore.
With that being said, I think you are probably right. It seems that you could always get out of trouble by reflashing the firmware, deleting openssh, and reinstalling it.
Hi, looks like I have managed to “lock myself out” when I tried to install OpenSSH.
Now when I try to log in I get:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**.
Please contact your system administrator.
Add correct host key in /Users/username/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/username/.ssh/known_hosts:2
RSA host key for ***.***.***.*** has changed and you have requested strict checking.
Host key verification failed.
Can anyone help at all? I am a bit of a noob with Linux commands.
Edit: my apologies. A bit more googling found this for me:
$ ssh-keygen -R server.example.com
which worked perfectly. Didn’t realise it meant on my machine… I feel pretty foolish.
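The warning above is exactly what a reinstalled OpenSSH produces, because the new install generates fresh host keys; it is also what a man-in-the-middle would produce. As an added example (not from this thread, and not Drobo's or OpenSSH's own tooling), the script below does the check that separates the two cases before `ssh-keygen -R` is run: it locates the offending known_hosts line the warning refers to, and compares the key the host now presents (saved from `ssh-keyscan` output, in known_hosts format) with a trusted copy of the device's own host key file (for example `/etc/ssh/ssh_host_rsa_key.pub` read off the Drobo rather than over the network). All three files and the key blobs in them are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the thread: before deleting a known_hosts entry
# with ssh-keygen -R, confirm that the key the server now presents is the
# one actually installed on the device. All file contents are constructed.

# Print "LINE TYPE BLOB" for every entry in a known_hosts-format file that
# names the given host. Handles comma-separated host lists and [host]:port,
# but not hashed (|1|...) entries, which cannot be searched by name.
known_host_entries() {
    # $1 = known_hosts-format file, $2 = host name or IP as typed on the ssh line
    awk -v host="$2" '
        /^[[:space:]]*#/ { next }
        /^@/ { next }            # @cert-authority / @revoked marker lines
        NF < 3 { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                h = names[i]
                sub(/^\[/, "", h); sub(/\]:[0-9]+$/, "", h)   # [host]:port -> host
                if (h == host) { print NR, $2, $3; break }
            }
        }
    ' "$1"
}

# Compare the key recorded for a host in a known_hosts-format file with a
# trusted *.pub file (key type and base64 blob must both match).
# Returns 0 if they match, 1 if they differ, 2 if the host has no entry.
known_host_key_matches() {
    # $1 = known_hosts-format file, $2 = host, $3 = trusted public key file
    entry=$(known_host_entries "$1" "$2" | head -n 1)
    [ -n "$entry" ] || return 2
    stored_type=$(printf '%s\n' "$entry" | cut -d' ' -f2)
    stored_blob=$(printf '%s\n' "$entry" | cut -d' ' -f3)
    trusted_type=$(cut -d' ' -f1 "$3")
    trusted_blob=$(cut -d' ' -f2 "$3")
    [ "$stored_type" = "$trusted_type" ] && [ "$stored_blob" = "$trusted_blob" ]
}

kh=$(mktemp); scan=$(mktemp); trusted=$(mktemp)
trap 'rm -f "$kh" "$scan" "$trusted"' EXIT

# Constructed ~/.ssh/known_hosts: the Drobo's OLD key sits on line 2, which
# is what "Offending RSA key in .../known_hosts:2" points at.
cat >"$kh" <<'EOF'
fileserver.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERKEY0001
drobo.local,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER_OLD_DROBO_KEY
[backup.example]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERKEY0003
EOF

# Constructed output of: ssh-keyscan -t rsa drobo.local > "$scan"
cat >"$scan" <<'EOF'
drobo.local ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER_NEW_DROBO_KEY
EOF

# Constructed copy of the device's own /etc/ssh/ssh_host_rsa_key.pub,
# obtained from the device itself rather than over the network.
cat >"$trusted" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER_NEW_DROBO_KEY root@drobo
EOF

echo "known_hosts entries for drobo.local (line type blob):"
known_host_entries "$kh" drobo.local
if known_host_key_matches "$scan" drobo.local "$trusted"; then
    echo "presented key is the device's own: safe to run 'ssh-keygen -R drobo.local' and reconnect"
else
    echo "presented key does NOT match the device's host key: do not accept it"
fi
```

If the presented key matches the trusted file, the change came from the reinstall and `ssh-keygen -R` followed by a fresh connection is the right fix; if it does not, removing the old entry would only make the unexpected key permanent. Entries written with `HashKnownHosts yes` cannot be found by name this way; `ssh-keygen -F hostname` searches those.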