So I was hacked

In retrospect I was an idiot to even leave my ssh password access enabled. I’ve now set it to “without-password” as I’ve found ssh key auth pretty reliable, which should help at least a little bit.

I had to reflash my firmware the manual way and found a pile of crap in my home directory along with linux_exploit_suggester.

as far as I can tell nothing was horribly damaged, perhaps stolen though.

As I’m not a linux pro, when it comes to vulnerabilities, is there anything I should do to further lock down my Drobo?

Here’s what I did with mine:

  1. Move it off the default port 22. Any port will do, as long as it is not 22. I recommend picking something higher than 1024.
  2. Remove password authentication. Allow only pubkey authentication.
    [WARNING: From here on you have a very good chance of locking yourself out if you don’t know what you are doing, in particular after a firmware upgrade]
  3. Forbid root login
  4. Configure sudo to allow only a specific account to do superuser tasks.
  5. Generate a strong root password, using something like “openssl rand -base64 15”

Furthermore, not on the Drobo but on some Linux servers that I manage which are internet-exposed:

  1. Install logwatch.
  2. Install fail2ban.

There is much more that can be done. I suggest googling for “ssh hardening” or “ssh best practices” to find other things that can be done. For example:

Thanks a million for this. Ultimately when it comes to locking myself out, wouldn’t it just be a matter of reinstalling openssh manually in the DroboApps share? Or does that network share need to be locked down as well?

What I meant by “locking yourself out” is that the right combination of:

  • reducing access to root,
  • accounts and groups being reset after a firmware update,
  • sudo not properly configured to be update/reboot resilient

…could leave you without root access anymore.

With that being said, I think you are probably right. It seems that you could always get out of trouble by reflashing the firmware, deleting openssh, and reinstalling it.

HI, Looks like I have managed to “lock myself out” when I tried to install OpenSSH.
Now when I try to log in I get:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the RSA key sent by the remote host is **:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**. Please contact your system administrator. Add correct host key in /Users/username/.ssh/known_hosts to get rid of this message. Offending RSA key in /Users/username/.ssh/known_hosts:2 RSA host key for ***.***.***.*** has changed and you have requested strict checking. Host key verification failed.

Can anyone help at all? Im am a bit of a noob with Linux commands

Edit: my apologies. Abit more googling found this for me:

$ ssh-keygen -R which worked perfectly. Didn’t realise it meant on my machine… I feel pretty foolish :stuck_out_tongue: