If you're ever able to log into a router and see the log of IPs that are continuously trying to hit our ports, it's very scary. Quite eye-opening, and it makes you tighten security down on anything. And I've always found the VoIP stuff just gets hit harder.
Mike,
The easiest way, unfortunately, is to re-image the machine.
After rebuilding the box, please consider installing Fail2Ban. Fail2Ban is an intrusion detection system that helps to prevent brute force attackers from gaining access to your machine. To learn more about Fail2Ban, see https://github.com/fail2ban/fail2ban/.
If you need/want help installing Fail2Ban, please let me know.
I had something similar happen (I think - no way to know for sure of course) to my HamVOIP system. My approach - in addition to using a 5-digit port number - was to add an additional user with sudoer privileges. If you are lucky and the only thing the bad guy does is change your root password, you have a second chance to get in. Time will tell I guess.
A couple of things I do on any computer running the SSH daemon are to set up a public key for authentication and, when that is working, disable password authentication in /etc/ssh/sshd_config. I also do not install a key for root, only a normal user, and then use either su -l or sudo to perform root tasks, and make sure it has a strong password.
Changing the port more or less only thwarts the script kiddies. Anyone with nmap and a bit of patience will find any open port.
In fact, I suspect the problem was that (somehow) disabling password authentication is what happened. You only need to remove one "#" symbol to make it impossible to do a remote root log-in ever again. That is why a second user ID is a really good idea. The second user ID is not part of either of the repeater control packages …
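An added example, not from any poster in this thread, that checks the two things the posts above combine before you disable password logins: that the PasswordAuthentication edit in sshd_config is really the value sshd will use, and that a non-root user already has an authorized key so there is a way back in. All paths, the user name mike and the key line are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). sshd honours the FIRST uncommented value
# of a keyword, so a duplicate earlier in the file silently wins over a later
# edit. Include and Match blocks are deliberately not parsed here.
sshd_effective() {  # sshd_effective FILE KEYWORD DEFAULT -> first active value, lowercased
    v=$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n1 | awk '{print $2}')
    [ -n "$v" ] && printf '%s\n' "$v" | tr 'A-Z' 'a-z' || printf '%s\n' "$3"
}

# Succeeds when some non-root user under HOMEROOT has a non-empty authorized_keys,
# i.e. there is a key-based login left once passwords are turned off.
has_user_key() {  # has_user_key HOMEROOT
    for d in "$1"/*; do
        [ "$(basename "$d")" = root ] && continue
        [ -s "$d/.ssh/authorized_keys" ] && return 0
    done
    return 1
}

# Verdict for one config: weak (passwords still on), ok, or locked-out
# (passwords off but no user key to fall back on).
audit() {  # audit CONFIG HOMEROOT
    if [ "$(sshd_effective "$1" PasswordAuthentication yes)" = no ]; then
        has_user_key "$2" && echo ok || echo locked-out
    else
        echo weak
    fi
}

# Constructed fixture: one user with a key, one root home without.
FIX=$(mktemp -d)
mkdir -p "$FIX/home/mike/.ssh" "$FIX/home/root" "$FIX/nohome"
printf 'ssh-ed25519 AAAAC3...constructed-placeholder mike@example\n' > "$FIX/home/mike/.ssh/authorized_keys"
# weak.conf: the edit was made, but a live duplicate above it still wins.
printf 'PasswordAuthentication yes\nPasswordAuthentication no\n' > "$FIX/weak.conf"
# good.conf: only the commented default sits above the real setting.
printf '#PasswordAuthentication yes\nPasswordAuthentication no\nPermitRootLogin no\n' > "$FIX/good.conf"

for c in weak good; do
    echo "$c.conf with user key: $(audit "$FIX/$c.conf" "$FIX/home")"
done
echo "good.conf with no user key: $(audit "$FIX/good.conf" "$FIX/nohome")"
```

Run the same audit against /etc/ssh/sshd_config and /home on the real box before you restart sshd; a "locked-out" verdict is exactly the situation the last post describes.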