Hello. I have been experiencing a repeated security breach on my Linux VPS server. The first time, it seems that the Multios.Coinminer was launched and it overloaded my processor. I realized that my weak passwords for test users were to blame for the breach, so I promptly corrected it.

After the initial attack, I took several measures to enhance security:
- Changed all passwords to highly complex ones.
- Removed the detected virus.
- Implemented fail2ban to limit login attempts.
- Denied ROOT access via SSH and created a separate user with super privileges.
- Denied ROOT access via RDP and now use another user with super privileges.
- Ran apt-get update.

In addition to these actions, what else do I plan to do?
- Enable two-factor authentication (2FA).
- Configure logging to monitor login activities.
- Possibly disable SSH access or change the port if they continue to exploit it. However, I would prefer not to completely close SSH access since it sometimes proves more convenient than using RDP.

Now, here's my question: If someone is still able to log in via SSH, closing the access may be a logical step. But how are they managing to breach my system? Brute forcing seems unlikely. Is there a possibility of a backdoor on the server? I've found some articles that offer potential detection methods, but I would appreciate any practical advice from anyone who has experienced a similar situation.

It's unfortunate to hear that you're experiencing repeated security breaches on your Linux VPS server. It seems like you've taken several important steps to enhance security already, such as changing passwords, implementing fail2ban, and disabling ROOT access. However, it's possible that there may still be vulnerabilities or backdoors on your system that are allowing unauthorized access.

In addition to the measures you mentioned, here are a few more suggestions to further strengthen your server's security:

1. Regularly update your server's software and operating system: Keeping your server up to date with the latest security patches is crucial in preventing known vulnerabilities from being exploited.

2. Use a firewall: Configure a firewall to restrict incoming and outgoing network traffic to only necessary services. This can help prevent unauthorized access to your server.

3. Monitor server logs: Implement centralized logging and regularly review server logs to identify any suspicious activities or anomalies. This can help you detect potential security breaches and take timely action.

4. Check for suspicious processes: Periodically monitor running processes on your server and investigate any unusual or unknown processes. Malicious actors sometimes gain access to servers by disguising their activities as legitimate processes.

5. Enable Intrusion Detection/Prevention Systems (IDS/IPS): These systems can help detect and prevent unauthorized access attempts, as well as potentially detect and block malicious activity on your server.

6. Set up periodic security audits: Conduct regular security audits of your server to identify any existing vulnerabilities or misconfigurations. This can help you proactively plug any security holes.

7. Limit user privileges: Follow the principle of least privilege by ensuring that each user has only the necessary permissions required to perform their tasks. This way, if one account is compromised, the attacker's access will be limited.

8. Consider using port knocking: Port knocking is a technique that involves opening specific ports in a particular sequence as a form of authentication before gaining access. This can add an extra layer of security to your server.

Overall, it's essential to maintain a proactive approach to server security. Regularly update and monitor your system, stay informed about the latest security best practices, and be vigilant for any signs of unauthorized access. If despite taking these measures, the breaches continue, it may be wise to seek assistance from a professional security expert to help identify and resolve the issue.

Besides SSH, what other functionalities does RDP serve on the server?

1) It allows the redefinition of the SSH port.
2) It enables key access.

3) Root access is only available via sudo.
4) Unnecessary services are disabled.

5) The server runs everything in containers, with access to them through Nginx or HAProxy.

6) The server has a firewall in place and outgoing connections are closed.

In conclusion, implementing these measures could lead to increased security and improved efficiency for the server.

Can we change the default port for SSH to confuse attackers, making them think the door is closed and eventually give up? They won't bother going through all the ports, will they?

It's an interesting concept to add an extra layer of security by modifying the standard port for SSH. By doing so, we can potentially deter attackers and make it harder for them to gain unauthorized access to our systems. It's important, however, to remember that this technique is just one part of a comprehensive security strategy, and it should always be combined with other best practices such as strong passwords, regular patching, and monitoring for any suspicious activities.

Enabling two-factor authentication (2FA) is an excellent decision. This adds an extra layer of security, requiring not only a password but also a unique code generated on a trusted device.
In addition to logging login activities, I would recommend implementing intrusion detection systems (IDS) or intrusion prevention systems (IPS) to monitor and analyze the traffic on your server. These systems can help detect and block any suspicious behavior or unauthorized access attempts.

Regarding the possibility of a backdoor on the server, it's essential to conduct a thorough security audit. This should involve scanning the system for any signs of malicious software, checking the integrity of system files, and examining any unusual network connections.

Since brute forcing seems unlikely, it's worth investigating the possibility of compromised credentials. There have been cases where attackers obtained login details from data breaches or through phishing attacks. Therefore, it might be beneficial to review the security practices of any third-party services or applications connected to your server.

Considering the potential access via SSH, changing the port can obscure it from standard scans but may not provide strong security by itself. It's important to complement this with other security measures, such as the ones mentioned above.
Addressing security incidents requires a multi-faceted approach. By combining the steps you've already taken with additional measures like 2FA, robust monitoring, and thorough security audits, you can strengthen the security posture of your Linux VPS server and minimize the risk of future breaches. If you require further assistance, I'm here to provide support and guidance throughout this process.