
I had a server that used password authentication for the root user (on the standard port). After a few months of uptime it was hacked.

I suppose even minimal extra security would've helped (no root user, only allow x login attempts in y time, changing the port for ssh), but I was still surprised someone got in so soon by simply guessing a 20+ character string of gibberish (I still wonder if maybe something else happened).

All that said, I've had servers running for years without any successful hack, and in all those cases using ssh keys instead of password logins probably made all the difference.




It was something else. Nothing and no one brute-forced a 20+ character random string pass. More likely some service (WordPress, phpBB, etc.) got owned. I’ve had multiple servers running for years with < 15 char non-random root pass (stupid as it is to do so) with no problems.


I'd be inclined to think the same, if not for the fact that this server wasn't running anything particularly 'ownable' that I can think of.

The only alternative that I can think of is that one of the two other users' machines was compromised, but AFAIK I didn't give them root access. Plus, the logs show an extreme number of login attempts (tens of thousands of entries in auth.log) with an eventually successful root login.

Any other ideas of what might've been an alternative cause?


From the logs it sounds like maybe the password was in some lookup file or something, i.e. somehow that password was leaked and added to some list.

Maybe you’re right though.


It's maddening that I can't tell for sure, but I'll agree that I find it still somewhat hard to believe that a 20-character random root password was brute-forced.

EDIT: to be clear, I am pretty sure I was the only person who used the root password to log in, and the single other user used a similarly long and random password with a different username. If I'd been compromised my problems would be quite a bit bigger. All I know is that right before the 'fatal' root login, there are 40,000+ lines of login attempts from IPs that originated from shady places (at least based on entering them in various GeoIP sites).
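
A detector for the pattern the two comments above describe (tens of thousands of failed attempts in auth.log, then an accepted root login from one of the same addresses). This is an added example, not code from the thread or from OpenSSH: the log lines are constructed, and the host name vps, the addresses 203.0.113.45 and 198.51.100.7 and the user deploy are assumptions. The regexes assume the classic syslog line format of a Debian/Ubuntu auth.log, not journald output or RFC 3339 timestamps, and they assume the lines are in chronological order within one year.

```python
"""Flag an SSH password brute force in auth.log and any login that follows it.

Added example for this thread; not from OpenSSH or any poster. Sample lines
are constructed (host 'vps', attacker 203.0.113.45, key user 'deploy' from
198.51.100.7 are all assumptions). Classic syslog format is assumed:
'Mar  3 02:14:07 host sshd[pid]: ...', lines in chronological order.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

STAMP = r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED = re.compile(
    STAMP + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED = re.compile(
    STAMP + r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(text):
    # Syslog stamps carry no year; stamps are only compared within one file, so
    # pin a fixed leap year (strptime would otherwise assume 1900, which is not
    # a leap year, so a Feb 29 line would raise).
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=2024)


def analyze(lines, threshold=20, window_seconds=600):
    """Scan auth.log lines.

    Returns a dict with:
      failures   - total failed password attempts per source IP
      bursts     - IPs whose failures within any window_seconds span reached
                   threshold, mapped to the peak count seen in one window
      suspicious - accepted logins that are either a root password login or
                   come from an IP with >= threshold failures in the window
                   before the success (the 'fatal' login the thread describes)
    """
    recent = defaultdict(deque)      # ip -> failure timestamps inside the window
    failures = defaultdict(int)
    peak = defaultdict(int)
    suspicious = []

    for line in lines:
        m = FAILED.search(line)
        if m:
            ip, ts = m["ip"], parse_ts(m["ts"])
            window = recent[ip]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            failures[ip] += 1
            peak[ip] = max(peak[ip], len(window))
            continue

        m = ACCEPTED.search(line)
        if m:
            ip, ts = m["ip"], parse_ts(m["ts"])
            window = recent[ip]
            while window and (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            prior = len(window)
            root_password = m["user"] == "root" and m["method"] == "password"
            if prior >= threshold or root_password:
                suspicious.append({
                    "time": m["ts"], "user": m["user"], "method": m["method"],
                    "ip": ip, "prior_failures": prior,
                })

    return {
        "failures": dict(failures),
        "bursts": {ip: n for ip, n in peak.items() if n >= threshold},
        "suspicious": suspicious,
    }


# Constructed sample: 25 failures in 48 seconds, then the same address gets in
# as root with a password; a later key-based login from elsewhere is benign.
SAMPLE_LOG = [
    f"Mar  3 02:14:{s:02d} vps sshd[{1100 + s}]: Failed password for "
    f"{'invalid user admin' if s % 10 == 0 else 'root'} from 203.0.113.45 port {50000 + s} ssh2"
    for s in range(0, 50, 2)
] + [
    "Mar  3 02:15:03 vps sshd[1310]: Accepted password for root from 203.0.113.45 port 50102 ssh2",
    "Mar  3 03:20:11 vps sshd[1402]: Accepted publickey for deploy from 198.51.100.7 port 40211 ssh2",
    "Mar  3 03:20:11 vps sshd[1402]: pam_unix(sshd:session): session opened for user deploy by (uid=0)",
]

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in report["bursts"].items():
        print(f"brute force from {ip}: {n} failures within the window")
    for hit in report["suspicious"]:
        print(f"{hit['time']} {hit['user']} via {hit['method']} from {hit['ip']} "
              f"after {hit['prior_failures']} recent failures")
```

Feed it `/var/log/auth.log` (or `journalctl -u ssh --no-pager` on journald hosts, after adjusting the timestamp regex) and look at the `suspicious` entries: a success whose `prior_failures` is large from the same address is a guess that landed, while a success with no recent failures from that address points at a leaked credential or a different entry point, which is the distinction the thread is arguing about.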


The current version of OpenSSH doesn’t allow root login by default.
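
On the hardening the first comment suggests (no root login, capping attempts, keys instead of passwords) and the default this comment refers to: upstream OpenSSH has defaulted PermitRootLogin to prohibit-password since 7.0, which blocks root password logins but still admits root with a key, and PasswordAuthentication still defaults to yes for every other user. The auditor below is an added example, not part of OpenSSH or posted by anyone in the thread; the two config texts are constructed, and the Include path and the Match address are assumptions.

```python
"""Audit an sshd_config for the settings discussed in this thread.

Added example, not part of OpenSSH. It applies the two sshd_config rules that
trip people up in an audit: keywords are case-insensitive, and when a keyword
appears more than once the FIRST occurrence wins (sshd_config(5)). Directives
under a Match line are conditional and are reported separately. Defaults are
the upstream OpenSSH ones: PermitRootLogin has defaulted to prohibit-password
since 7.0 (root may still log in with a key), PasswordAuthentication defaults
to yes, MaxAuthTries to 6. Include files are listed but not read.
"""
import re

DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "maxauthtries": "6",
}

# (keyword, predicate the effective value must satisfy, advice)
CHECKS = [
    ("permitrootlogin", lambda v: v == "no",
     "set PermitRootLogin no; prohibit-password still admits root with a key"),
    ("passwordauthentication", lambda v: v == "no",
     "set PasswordAuthentication no and use keys"),
    ("maxauthtries", lambda v: v.isdigit() and int(v) <= 3,
     "set MaxAuthTries 3 so one connection cannot try six passwords"),
]

SPLIT = re.compile(r"\s*=\s*|\s+")   # sshd accepts 'Key value' and 'Key=value'


def parse_sshd_config(text):
    """Return (global_directives, match_blocks, includes).

    global_directives maps lowercased keyword -> first value seen outside any
    Match block; match_blocks is a list of (condition, {keyword: value}).
    """
    global_directives, match_blocks, includes = {}, [], []
    current = None                      # directives of the open Match block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = SPLIT.split(line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            current = {}
            match_blocks.append((value, current))
        elif key == "include":
            includes.append(value)
        elif current is not None:
            current.setdefault(key, value)
        else:
            global_directives.setdefault(key, value)   # first one wins
    return global_directives, match_blocks, includes


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    directives, match_blocks, includes = parse_sshd_config(text)
    findings = []
    for key, ok, advice in CHECKS:
        explicit = key in directives
        value = directives.get(key, DEFAULTS[key]).lower()
        if not ok(value):
            origin = "explicit" if explicit else "default"
            findings.append(f"{key}={value} ({origin}): {advice}")
    for cond, block in match_blocks:
        for key, ok, _ in CHECKS:
            if key in block and not ok(block[key].lower()):
                findings.append(f"Match {cond} sets {key}={block[key]}; "
                                "confirm this conditional weakening is intended")
    for path in includes:
        findings.append(f"Include {path} was not read; audit it too, since a "
                        "directive there wins over any later line in this file")
    return findings


# Constructed configs. WEAK is the state the thread describes; note the later
# 'PermitRootLogin no' that an admin might believe took effect.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
PermitRootLogin no
"""

HARDENED_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 20
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("defaults only", "")]:
        print(f"--- {name}")
        for finding in audit(cfg) or ["no findings"]:
            print(" ", finding)
```

The script is for reviewing config files offline; the authoritative check on the host itself is `sshd -T`, which prints the values sshd will actually use after Include and first-wins resolution, and `sshd -t` validates the file before a restart. Moving the port off 22 only cuts scanner noise in the log, and the "x attempts in y time" rule belongs to a ban tool such as fail2ban rather than to sshd_config; the settings that removed the thread's attack surface are the three the checks cover.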
