Hi,

Difficult to make any recommendations based on this information, but once
you've recovered, enforce ssh key-based logins only.

Given that your client might be compromised, you probably want to look into
that as well. 

To limit the possibilities that someone gets access to your
ssh private key's keyphrase, store it off-client -- for example using your
mobile phone (e.g. Kryptonite -- https://krypt.co; do read caveat regarding
Android crypto).

Good luck.

On Wed, Apr 03, 2019 at 06:56:39PM +0000, Cord wrote:
> Hi,
> I have a strong suspicion that my OpenBSD box has been hacked for the second 
> time in a few weeks. The first time was some weeks ago: I had some 
> suspicions, and after a few checks I found that someone had connected to 
> my VPS via ssh on a non-standard port using my ssh key. The connection came 
> from a Tor exit node. There were 2 connections, up for 5 days. Now 
> I have some other new suspicions, because some private emails seem to be known 
> to others. I also found other open sessions on the web GUI of my email 
> provider, but I am absolutely sure I always logged out.
> I am using just chrome+unveil and I haven't used any other script or opened 
> PDFs (maybe I have opened 1 or 2 PDFs from inside chrome). I have used 
> epiphany *only* to open the webmail because chrome crashes. My email provider 
> supports HTML (obviously), but generally photos are not loaded. Of course I have 
> pf enabled and few services.
> I also use a VPN and I visit very few websites with chrome, maybe 20 or 25 
> websites just to read news. Sometimes I search for things about OpenBSD.
> Could anyone help me?
> Cord.
> 
> 
> 
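The reply's one concrete recommendation is to enforce key-based ssh logins only. The following script is an added example, not something posted in the thread, that audits an OpenSSH sshd_config for exactly that: it reports whether password and challenge-response authentication are off and public-key authentication is on. It assumes stock OpenSSH keywords and defaults (PasswordAuthentication yes, ChallengeResponseAuthentication yes, PubkeyAuthentication yes), ignores settings inside Match blocks, and the sample configs at the bottom are constructed for the demo. It only reads; it changes nothing.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenSSH sshd_config for
# "key-based logins only". Read-only.
# Assumptions: stock OpenSSH keywords and defaults; settings before any
# Match block are the ones that apply to the host being checked.

# Effective value of a keyword. OpenSSH uses the FIRST uncommented
# occurrence of a keyword, so a hardening line appended at the bottom of
# the file is silently ignored if an earlier line already set it; this
# mirrors that rule. Anything after a Match line is ignored.
sshd_value() {
    # $1 = config file, $2 = keyword, $3 = OpenSSH default when absent
    awk -v key="$2" -v def="$3" '
        /^[ \t]*(#|$)/                          { next }
        tolower($1) == "match"                  { exit }
        tolower($1) == tolower(key) && !found   { val = tolower($2); found = 1 }
        END { print (found ? val : def) }
    ' "$1"
}

# Reads an sshd_config from stdin. Prints "ok" and returns 0 when only
# public-key authentication can succeed; otherwise prints one line per
# offending setting and returns 1.
check_key_only() {
    tmp=$(mktemp) || return 2
    cat > "$tmp"
    status=0
    pa=$(sshd_value "$tmp" PasswordAuthentication yes)
    cr=$(sshd_value "$tmp" ChallengeResponseAuthentication yes)
    pk=$(sshd_value "$tmp" PubkeyAuthentication yes)
    rm -f "$tmp"
    [ "$pa" = no ]  || { echo "PasswordAuthentication $pa (want no)"; status=1; }
    [ "$cr" = no ]  || { echo "ChallengeResponseAuthentication $cr (want no)"; status=1; }
    [ "$pk" = yes ] || { echo "PubkeyAuthentication $pk (want yes)"; status=1; }
    [ "$status" -eq 0 ] && echo ok
    return "$status"
}

# Constructed sample configs (not from the thread) so this runs offline.
# Password logins left at the default: a key alone is not required.
WEAK_CFG='Port 2222
# nothing about passwords here
PubkeyAuthentication yes
'
# The hardened form of the same file.
HARD_CFG='Port 2222
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
'
# Common mistake: the "no" is appended below an earlier "yes" and loses.
TRAP_CFG='PasswordAuthentication yes
PasswordAuthentication no
'

# Usage: sh audit_sshd.sh demo        (samples, then the live config)
if [ "${1:-}" = demo ]; then
    for name in WEAK_CFG HARD_CFG TRAP_CFG; do
        eval "cfg=\$$name"
        echo "== $name"
        printf '%s' "$cfg" | check_key_only || true
    done
    echo "== /etc/ssh/sshd_config"
    check_key_only < /etc/ssh/sshd_config || true
fi
```

On a live host the authoritative view is `sshd -T`, which prints the effective values after all defaults and Match blocks are resolved; this script is for reviewing a config file before it is deployed, or one copied off a box under investigation. On OpenSSH releases newer than the ones current when this thread was written, ChallengeResponseAuthentication is an alias for KbdInteractiveAuthentication, so check that keyword as well.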
