One of my boxes got hacked. Ugh. Fortunately it was a jump server that had no data.
I have 2 servers exposed to the Internet, a jump server and a reverse proxy. The reverse proxy provides access to the web applications that I run. The jump server I use for SSH access into my network from remote locations.
They never got full root access to the box; they didn’t modify the firewall configs and no additional processes were spawned. What they did do was mess up the logging facility.
After rebuilding the box from scratch, I’ve made authentication public key only. I’m thinking of implementing a port knocking feature so that the port doesn’t show up on a port scan.