Post-mortem and remediations for Apr 11 security incident | Matrix.org blog

An analysis of the big Matrix hack (the default home server, the privacytools.io Matrix instance, was not affected).

2 Likes

thanks for linking this, was curious about this one

We also didn’t spend much time hardening the default Debian installations - for instance, the default image allows root access via SSH and allows SSH agent forwarding, and the config wasn’t tweaked.

I find it interesting how they don’t mention that sshd_config allows logging in with passwords by default, and they don’t mention PasswordAuthentication no in their hardening steps, and no word on stopping bruteforce attacks through SSH (SSHGuard?).

Do they not consider password authentication an issue or are they going to allow it and what about bruteforcing if it succeeded? Or someone got MITMed and compromised their password that way?
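An added example, not part of the thread or of the Matrix.org post: a small audit of the three sshd_config settings named above (root login, agent forwarding, password authentication). It assumes upstream OpenSSH defaults for absent keywords, checks only the global section (it stops at the first Match block and does not follow Include), and the function names and sample config are made up for illustration.

```python
# Upstream OpenSSH defaults, used when a keyword is absent.
# Assumption: the distribution has not patched these defaults.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "allowagentforwarding": "yes",
}
# Hardened target for every audited keyword.
WANTED = dict.fromkeys(DEFAULTS, "no")

def effective_global(config_text):
    """Return the effective global value of each audited keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out setting: has no effect
        # sshd accepts "Keyword value" and "Keyword=value"
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # Match blocks are conditional; audit global scope only
        if len(parts) == 2 and key in DEFAULTS and key not in seen:
            # sshd keeps the first value it reads for a keyword
            seen[key] = parts[1].strip().strip('"').lower()
    return {k: seen.get(k, DEFAULTS[k]) for k in DEFAULTS}

def audit(config_text):
    """Return {keyword: (effective, wanted)} for settings that differ."""
    eff = effective_global(config_text)
    return {k: (v, WANTED[k]) for k, v in eff.items() if v != WANTED[k]}

# Constructed sample, not taken from any real host.
SAMPLE = """\
PermitRootLogin no
#PasswordAuthentication no
AllowAgentForwarding yes
PermitRootLogin yes
Match User deploy
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for key, (have, want) in audit(SAMPLE).items():
        print(f"{key}: effective={have!r}, wanted={want!r}")
```

On the sample, the commented-out PasswordAuthentication line leaves the default in force, and the second PermitRootLogin line is ignored because the first value wins.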

They shouldn’t allow SSH traffic at all with a server like this…

How would you maintain a VPS without SSH?

Local access, or at least make the SSH only reachable via a v3 .onion with client authentication, so your SSH port can still be closed on your firewall.

2 Likes

Or, as they stated in the article, using a VPN to tunnel.