0

So today my Server got hacked. But just a non sudoer user. 

Nov 26 10:44:18 Ubuntu-1604-xenial-64-minimal sshd[27188]: Accepted publickey for ... from hackerIP port 26394 ssh2: RSA SHA256:...

He started a screen and scanned networks nothing more. History is empty. He connected with some publickey tho I never added any keys. I know I should use ssh-keys instead of password. But my root never got compromised. What I noticed in auth.log is this

Nov 26 19:01:01 Ubuntu-1604-xenial-64-minimal CRON[12360]: pam_unix(cron:session): session opened for user ... by (uid=0)
Nov 26 19:01:01 Ubuntu-1604-xenial-64-minimal CRON[12360]: pam_unix(cron:session): session closed for user ...
Nov 26 19:02:01 Ubuntu-1604-xenial-64-minimal CRON[12368]: pam_unix(cron:session): session opened for user ... by (uid=0)
Nov 26 19:02:01 Ubuntu-1604-xenial-64-minimal CRON[12368]: pam_unix(cron:session): session closed for user ...

I do not know if I am posting it in the wrong section to be honest. I basically just want to know where to find the ssh-keys because my key folder is empty. How to disable remote login for that specific user (so that I only can connect over root and use 'su' command to login). And what to do with pam_unix.

Edit: Firtsly thanks for the huge help. I could undone everything the attacker did. And I disabled ssh-key login in sshd config so only passwords are valid. Failed2Ban is running as well and I am managing auth.log everyday manually.

Tom-Oliver Heidel
  • 101

3 Answers3

3

If you want to disable a user from being able to remote into SSH, you have a couple configuration options directly from /etc/ssh/sshd_config.

I personally favor using whitelists instead of blacklists for user accounts. Here is why, using a whitelist only allows the explicit users to login where a blacklist, only prevents those users. The whitelist is more complete in my opinion.

If you wanted admin, joe, and sally to remotely connect using SSH, the following directive added to /etc/ssh/sshd_config would work.

AllowUsers admin joe sally

If you simply wanted to block baduser from connecting, use the following.

DenyUsers baduser

Either option, you need to sudo service ssh restart for the changes to take affect.

1

Authorized keys are almost always in ~/.ssh/authorized_keys for the particular user. You can find their home directory by doing the command cd ~username The authorized keys file location can be changed in the /etc/ssh/sshd_config with a line like with AuthorizedKeysFile /some/path/to/authorized_keys_file so I would check both places.

You can disable login to that user by adding something like the following to your /etc/ssh/sshd_config:

AllowUsers root user

to only allow specific users or

DenyUsers user1 user2

to deny specific users. There's a lot of other cool stuff like this, just read the sshd_config man page.

Usually root is not the account you want to ssh into because if it get's compromised, they can do anything.

Lastly, about the pam_unix thing, it's a cronjob. You can find cronjobs in:

/var/spool/cron/crontabs
/etc/crontab
/etc/cron.d
/etc/cron.hourly
/etc/cron.daily
/etc/cron.weekly
/etc/cron.monthly
Bryce Larson
  • 539
0

To harden your sshd config,

Disable login/passwd login : in /etc/ssh/sshd_config

ChallengeResponseAuthentication no
UsePAM no

And you should disable root login (use sudo)

PermitRootLogin no

Ans as said by Bryce, use AllowUsers (but not root ;-)

There are some config you can do.

f35
  • 944