Seeing that OpenBSD comes secure out of the box, the most likely
thing is that you yourself compromised your system through 3rd
party software, if it even is the case. I think the best course of
action would be to go for a forensic approach. Google how to log ssh
traffic and where to find the logs. Then confirm your remote access
actually happens. If so, you should determine what software exposed
you. VPN, some web service, your own stupidity? If you really use
ssh keys instead of password login then someone had to be able
to access those, usually outside of transfer. So most likely your
work device is compromised and your OpenBSD server is just a
casualty.

> On 4 Apr 2019, at 11:57, Cord <openbs...@protonmail.com> wrote:
> 
> Hi, my English seems very bad because my problem is not to make the
> ssh key secure. My problem is how not to be hacked.
> I have talked about the ssh key stealing to show signs that my pc has been
> compromised.
> I can for sure make my ssh key secure but how do I make the pc secure?
> If I have a rootkit that steals the ssh key, the problem is the rootkit. You
> know keyloggers that steal passwords? Or cookie stealing?
> 
> 
> 
> Sent with ProtonMail Secure Email.
> 
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Thursday, April 4, 2019 10:19 AM, Tor Houghton <t...@bogus.net> wrote:
> 
>> Hi,
>> 
>> Difficult to make any recommendations based on this information, but once
>> you've recovered, enforce ssh key-based logins only.
>> 
>> Given that your client might be compromised, you probably want to look into
>> that as well.
>> 
>> To limit the possibilities that someone gets access to your
>> ssh private key's keyphrase, store it off-client -- for example using your
>> mobile phone (e.g. Kryptonite -- https://krypt.co; do read the caveat regarding
>> Android crypto).
>> 
>> Good luck.
>> 
>> On Wed, Apr 03, 2019 at 06:56:39PM +0000, Cord wrote:
>> 
>>> Hi,
>>> I have a heavy suspicion that my openbsd box has been hacked for the
>>> second time in a few weeks. The first time was some weeks ago; I had
>>> some suspicions and after a few checks I found that someone had been
>>> connected to my vps via ssh on a non-standard port using my ssh key. The
>>> connection came from a tor exit node. There were 2 connections, up
>>> for 5 days. Now I have some other new suspicions because some private emails
>>> seem to be known to others. Also I have found other open sessions on the web
>>> gui of my email provider, but I am absolutely sure I have always done the
>>> logout.
>>> I am using just chrome+unveil and I haven't used any other script or opened
>>> pdfs (maybe I have opened 1 or 2 pdfs from inside of chrome). I have used
>>> epiphany only to open the webmail because chrome crashes. My email provider
>>> supports html (obviously) but generally photos are not loaded. Of course I
>>> have pf enabled and few services.
>>> I also use a vpn and I visit very few web sites with chrome.. maybe 20 or 25
>>> websites just to read news. Sometimes I search things about openbsd.
>>> Could anyone help me?
>>> Cord.
> 
> 
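The reply at the top of the thread says to find the ssh logs and confirm whether the remote logins really happened. On OpenBSD, sshd logs through syslog to /var/log/authlog (rotated copies are authlog.0.gz and so on), and each successful login is an "Accepted <method> for <user> from <ip> port <port> ssh2: <keytype> <fingerprint>" line, so the fingerprint tells you whether it was your key that was used. The script below is an added example and is not code posted by anyone in this thread; the log lines in it are constructed, the addresses come from documentation ranges, and the fingerprint is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise sshd logins from an OpenBSD
# authlog and flag successful logins from addresses you do not recognise.
# The sample lines are constructed; the fingerprint is a placeholder.

SAMPLE_AUTHLOG='Apr  1 02:14:07 vps sshd[12345]: Accepted publickey for cord from 203.0.113.7 port 51422 ssh2: ED25519 SHA256:CONSTRUCTEDFINGERPRINT
Apr  1 02:31:55 vps sshd[12345]: Disconnected from user cord 203.0.113.7 port 51422
Apr  3 11:40:02 vps sshd[22222]: Failed password for root from 198.51.100.5 port 40000 ssh2
Apr  5 03:02:11 vps sshd[23456]: Accepted publickey for cord from 192.0.2.44 port 60012 ssh2: ED25519 SHA256:CONSTRUCTEDFINGERPRINT'

# accepted_logins: stdin = authlog lines, stdout = one line per successful
# login: "month day time user source-ip auth-method key-fingerprint".
# Field numbers follow the syslog prefix (month day time host sshd[pid]:)
# and sshd's "Accepted <method> for <user> from <ip> port <port> ssh2:
# <keytype> <fingerprint>" message; password logins have no fingerprint.
accepted_logins() {
    awk '/ sshd\[[0-9]+\]: Accepted / { print $1, $2, $3, $9, $11, $7, $16 }'
}

# unexpected_logins KNOWN_IP...: keep only the successful logins whose
# source address is not one you gave (your own connection, your VPN's exit
# address). Every line printed here needs an explanation.
unexpected_logins() {
    accepted_logins | awk -v known="$*" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        !($5 in ok)'
}

# logins_per_key: count successful logins per (fingerprint, source address).
# The same fingerprint showing up from two addresses means the same private
# key is being used from two places, which is what the thread describes.
logins_per_key() {
    accepted_logins | awk '{ c[$7 " " $5]++ } END { for (k in c) print c[k], k }' | sort
}

# Demonstration on the constructed sample. On a live system feed in the real
# log instead:  { cat /var/log/authlog; zcat /var/log/authlog.*.gz; } | ...
printf '%s\n' "$SAMPLE_AUTHLOG" | unexpected_logins 203.0.113.7
printf '%s\n' "$SAMPLE_AUTHLOG" | logins_per_key
```

Run it with your own addresses as arguments to unexpected_logins; anything it prints is a login with your key from somewhere you were not, which is the evidence the reply asks you to collect before deciding which device to treat as compromised.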
