
VPS, hack, SSH & JetBackup
In short: I have a VPS which I play with, where I learn some server-related things and Linux, and where I install my projects and run tests.
In order to have a backup method, at least for important data (many shared hosting packages have JetBackup included in the price or as an option), I chose many years ago to buy my own JetBackup license. This way I feel a little safer in case of a server crash. Why do I mention JetBackup? Continue reading.
I hardened the server as much as I could from the info I found on the internet, one of these steps being to restrict root login to certificate authentication only (so, no password). Of course, I keep the private key in a safe place, and anyway it is password-protected. Overall, since my first VPS purchase in 2014 no one has gained root access, so I think I learned enough about defending a server.
I received an email alert that cPHulk identified a successful root login via SSH. Usually I receive this kind of email each time I connect to the server through SSH, but this time a strange IP drew my attention. I immediately looked at the server logs and saw that indeed there was a successful login; the firewall (CSF/LFD) log confirmed it too. I was a little shocked, because root cannot log in without private key authentication, and that key is stored on my PC. But the email alert and server logs showed that someone logged in as root using an SSH key!!!
Moreover, I changed the regular SSH port right from the moment of server set-up, so no one who doesn't know that port can log in! Very obfuscated.
From the pictures above it can be seen that someone from France, with an IP assigned by OVH, had successfully logged into my VPS as root through SSH, authenticating with a public key.
And in picture #3, another email, this time sent by the firewall, confirmed the successful login.
I immediately SSH-ed to the server and looked at what keys I had installed. But first, I ran “last -10 root” on the server to see the last 10 logins:
Strange, the login from 2 days ago was not displayed… As can be seen, there is the one from today (3 April) and the next one is from 29 March, but the one from 1 April (the one that came from France and used public key auth) is not listed there.
For the root account I found that there are 2 keys: one is a public/private pair, which is the one I defined for my own authentication, and the second one is only a public key, which the JetBackup support team asked for 3 months ago. I wasn't sure at that moment whether the successful login which scared me used the public key needed by the JetBackup team. But the email received from the firewall (LFD) says:
“Accepted publickey for root from 145.239.254.30 port 37780 ssh2: RSA SHA256:v3bdwtXL7GNVDp1GKVmkBAJ0NxVacSvjvV56HEbejxU”
so the 44 characters after SHA256: are a good clue. Googling (link here, on serverfault.com) I found that “It shows the key fingerprint as a SHA256 hash in base64”. Further down on the same page I read that
“ssh-keygen -lf .ssh/name_of_key.pub”
will show me that SHA256 hash. And INDEED, the result in the command prompt/PuTTY was the same 44-character string as the one specified in the email sent by the firewall! See the picture below:
Wow! Up to here I found that someone got root on my server, using an approved auth public key and knowing the SSH port (different from the standard one, 22). I also found that the auth key was the one I created myself around 3 months ago to give the JetBackup support team access to my server so they could solve some issues with their app. So, the conclusions can be:
- some guy inside JetBackup (or an automatic script) tried to see if the root access for them is still open
- someone got access to JetBackup's support tickets and took from there the info needed to log in to my server
- someone hacked their email address used for communication with me and extracted from there the info about the IP & SSH port
Looking for the history of root activity after login, in /root/.bash_history, I couldn't find any suspicious commands (I know, a person other than me who gets root access can somehow hide their actions), but adding the fact that the command “last -10 root” didn't list “that” suspicious login, it was probably a very quick login/logout and nothing bad happened.
I don't know too much about SSH public keys and their private counterparts. But if the JetBackup guys asked me to install their public key, I guess they need a private key in order to log in, right? If yes, I can then assume it was someone inside their team…
One more thing: every time the JetBackup support guys wanted to log in to my server they claimed they were rejected, which was correct, because I have a firewall and it was necessary to add their 6 IPs to the exception list. But now the connection came from an IP which is NOT among those 6 IPs in my firewall's exclusion list. Again, strange.
Anyway, if you EVER need to give access to your server / VPS by means of a public key (e.g. to a support team), make sure that after they finish the job you “de-authorize” that key! That way it cannot be used for authentication unless you authorize it again.
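As an added example (not code from the original post), the two checks described above done in Python: matching the SHA256 fingerprint from an sshd “Accepted publickey” log line against the entries in authorized_keys (the same value ssh-keygen -lf prints, so you can tell which key let a login in), and then removing that entry, which is what “de-authorizing” a key means in practice. The two sample keys and the 203.0.113.10 log line are constructed test data, not real keys; the 145.239.254.30 line is the one quoted in the post.

```python
import base64
import hashlib
import re
import struct
from typing import Optional

# sshd logs a successful key login like the line quoted in the post:
# "Accepted publickey for root from 145.239.254.30 port 37780 ssh2: RSA SHA256:<fingerprint>"
ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) "
    r"ssh2: (?P<keytype>\S+) SHA256:(?P<fp>[A-Za-z0-9+/]+)"
)

# One authorized_keys entry: optional options, key type, base64 blob, optional comment.
KEY_RE = re.compile(
    r"(?P<type>(?:sk-)?(?:ssh|ecdsa)-[A-Za-z0-9@.-]+) (?P<blob>[A-Za-z0-9+/=]+)(?: (?P<comment>.*))?$"
)


def parse_accepted_publickey(line: str) -> Optional[dict]:
    """Pull user, source IP, port, key type and SHA256 fingerprint out of an sshd 'Accepted publickey' line."""
    m = ACCEPTED_RE.search(line)
    if m is None:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    return event


def fingerprint_sha256(authorized_line: str) -> str:
    """Compute what `ssh-keygen -lf` prints for a public key: the SHA-256 of the decoded
    key blob, base64-encoded with the trailing '=' padding removed (the comment is not hashed)."""
    m = KEY_RE.search(authorized_line)
    if m is None:
        raise ValueError("not a public key line: %r" % authorized_line)
    blob = base64.b64decode(m.group("blob"))
    return base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")


def _is_key_line(line: str) -> bool:
    s = line.strip()
    return bool(s) and not s.startswith("#")


def match_login_to_key(log_line: str, authorized_keys_text: str) -> Optional[dict]:
    """Identify which authorized_keys entry (1-based line number and comment) accepted the login in log_line."""
    event = parse_accepted_publickey(log_line)
    if event is None:
        return None
    for n, line in enumerate(authorized_keys_text.splitlines(), start=1):
        if _is_key_line(line) and fingerprint_sha256(line) == event["fp"]:
            comment = KEY_RE.search(line).group("comment") or ""
            return {**event, "line": n, "comment": comment}
    return None


def revoke_key(authorized_keys_text: str, fingerprint: str):
    """Return (new_text, removed_count): authorized_keys without the entry for fingerprint.
    Once the entry is gone the matching private key can no longer authenticate."""
    kept, removed = [], 0
    for line in authorized_keys_text.splitlines():
        if _is_key_line(line) and fingerprint_sha256(line) == fingerprint:
            removed += 1
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def constructed_ed25519_line(fill: int, comment: str) -> str:
    """CONSTRUCTED test data: a wire-format ssh-ed25519 blob with a dummy 32-byte
    point, so it decodes and fingerprints like a real key but is not one."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([fill]) * 32)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample /root/.ssh/authorized_keys",
    constructed_ed25519_line(0x11, "my-own-key"),
    constructed_ed25519_line(0x22, "support-team-key"),
]) + "\n"

# The line quoted in the post (rejoined), and a constructed line that matches the sample support key.
PAGE_LOG_LINE = ("Accepted publickey for root from 145.239.254.30 port 37780 ssh2: RSA "
                 "SHA256:v3bdwtXL7GNVDp1GKVmkBAJ0NxVacSvjvV56HEbejxU")
SAMPLE_LOG_LINE = ("Accepted publickey for root from 203.0.113.10 port 40000 ssh2: ED25519 SHA256:"
                   + fingerprint_sha256(constructed_ed25519_line(0x22, "support-team-key")))

if __name__ == "__main__":
    hit = match_login_to_key(SAMPLE_LOG_LINE, SAMPLE_AUTHORIZED_KEYS)
    print("login from %s matched authorized_keys line %d (%s)" % (hit["ip"], hit["line"], hit["comment"]))
    new_text, removed = revoke_key(SAMPLE_AUTHORIZED_KEYS, hit["fp"])
    print("removed %d entry; remaining:\n%s" % (removed, new_text))
```

Run against the real files as root (/var/log/secure or /var/log/auth.log for the log line, /root/.ssh/authorized_keys for the keys) it tells you which entry let a given login in; matching on the fingerprint rather than the comment matters because the comment is free text anyone can edit, while the fingerprint is bound to the key material.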
Some useful links: check user login history on Linux