SSH access of my VPS server

by Kartick Paul   Last Updated September 11, 2019 23:00 PM

I am using a VPS Ubuntu server where I have installed fail2ban. I disabled root login and disabled access by password. Today, having seen my auth.log and fail2ban status, I am worried that somebody got access to my system.

I have also seen my SSH connection get disconnected, telling me that the port was reset by SOME_IP. One more thing that I have observed is that my working directory path changes from [email protected]:/home/dadu# to [email protected]:/home/dadu# (i.e. twice) when I enter the clear command.

I am new to Ubuntu. Please tell me whether or not somebody got access to my system.

```
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     119
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     2
   `- Banned IP list:   185.43.209.173


[email protected]:/home/dadu# sudo fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd


[email protected]:/home/dadu# sudo tail /var/log/auth.log
Sep 10 20:13:24 ubuntu-1 systemd: pam_unix(systemd-user:session): session opened for user dadu by (uid=0)
Sep 10 20:13:24 ubuntu-1 systemd-logind[895]: New session 94 of user dadu.
Sep 10 20:13:45 ubuntu-1 sudo:     dadu : TTY=pts/0 ; PWD=/home/dadu ; USER=root ; COMMAND=/bin/su
Sep 10 20:13:45 ubuntu-1 sudo: pam_unix(sudo:session): session opened for user root by dadu(uid=0)
Sep 10 20:13:45 ubuntu-1 su[9436]: Successful su for root by root
Sep 10 20:13:45 ubuntu-1 su[9436]: + /dev/pts/0 root:root
Sep 10 20:13:45 ubuntu-1 su[9436]: pam_unix(su:session): session opened for user root by dadu(uid=0)
Sep 10 20:13:45 ubuntu-1 su[9436]: pam_systemd(su:session): Cannot create session: Already running in a session
Sep 10 20:15:19 ubuntu-1 sudo:     root : TTY=pts/0 ; PWD=/home/dadu ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log
Sep 10 20:15:19 ubuntu-1 sudo: pam_unix(sudo:session): session opened for user root by dadu(uid=0)
Sep 10 20:25:05 ubuntu-1 sshd[9899]: Disconnecting authenticating user root 112.123.58.229 port 59061: Too many authentication failures [preauth]
Sep 10 20:29:13 ubuntu-1 sshd[22499]: Received disconnect from 218.98.26.181 port 31528:11:  [preauth]
Sep 10 20:29:13 ubuntu-1 sshd[22499]: Disconnected from authenticating user root 218.98.26.181 port 31528 [preauth]
Sep 10 20:30:12 ubuntu-1 sudo:     root : TTY=pts/0 ; PWD=/home/dadu ; USER=root ; COMMAND=/usr/bin/fail2ban-client status sshd
Sep 10 20:30:12 ubuntu-1 sudo: pam_unix(sudo:session): session opened for user root by dadu(uid=0)
Sep 10 20:30:12 ubuntu-1 sudo: pam_unix(sudo:session): session closed for user root
Sep 10 20:32:38 ubuntu-1 sshd[22552]: Received disconnect from 218.98.40.139 port 35499:11:  [preauth]
Sep 10 20:32:38 ubuntu-1 sshd[22552]: Disconnected from 218.98.40.139 port 35499 [preauth]
Sep 10 20:34:22 ubuntu-1 sudo:     root : TTY=pts/0 ; PWD=/home/dadu ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log
Sep 10 20:34:22 ubuntu-1 sudo: pam_unix(sudo:session): session opened for user root by dadu(uid=0)
```
Tags : ubuntu-18.04


Answers 1


You have not provided evidence (or reason to believe) your system has been hacked. When you disable ssh as root, you are preventing people from logging in to SSH using a root account.

What has happened here is someone, dadu (who I gather is you), has escalated their privileges to root in order to do some things; this is not an abnormal thing to do. If you have used any commands/scripts which use "su" and "sudo ..." then this is you. If you are sure that neither you, nor anyone you have authorised, has issued a command then your system is likely compromised. Of course, fail2ban needs to run as root, so if you installed that (or did any system-wide software upgrade or the like) that is a likely explanation.

[email protected]:/home/dadu# appearing multiple times is not indicative of a compromise, rather a bug/trivially wrong configuration setting in your windowing/bash environment, and not worth worrying about.

davidgo
September 11, 2019 22:21 PM
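A small triage script for the kind of auth.log excerpt shown in the question. It is an added example, not part of the question or the answer. The sample lines reuse the sshd, sudo and su formats that appear in the question; the final "Accepted publickey" line, the 203.0.113.10 address and the fingerprint in it are constructed to show what a genuine remote login would look like. It makes the answer's point concrete: "[preauth]" disconnects and sudo/su lines from your own user are not evidence of a break-in, whereas an "Accepted ..." line for a user or source you do not recognise would be.

```python
import re
import sys
from collections import Counter

# Sample auth.log excerpt. The sshd/sudo/su lines copy the format shown in the
# question; the last line is CONSTRUCTED (RFC 5737 test address, placeholder
# fingerprint) to show what a successful remote login looks like.
SAMPLE_LOG = """\
Sep 10 20:13:45 ubuntu-1 sudo:     dadu : TTY=pts/0 ; PWD=/home/dadu ; USER=root ; COMMAND=/bin/su
Sep 10 20:13:45 ubuntu-1 su[9436]: Successful su for root by root
Sep 10 20:25:05 ubuntu-1 sshd[9899]: Disconnecting authenticating user root 112.123.58.229 port 59061: Too many authentication failures [preauth]
Sep 10 20:29:13 ubuntu-1 sshd[22499]: Received disconnect from 218.98.26.181 port 31528:11:  [preauth]
Sep 10 20:29:13 ubuntu-1 sshd[22499]: Disconnected from authenticating user root 218.98.26.181 port 31528 [preauth]
Sep 10 20:32:38 ubuntu-1 sshd[22552]: Disconnected from 218.98.40.139 port 35499 [preauth]
Sep 10 20:30:12 ubuntu-1 sudo:     root : TTY=pts/0 ; PWD=/home/dadu ; USER=root ; COMMAND=/usr/bin/fail2ban-client status sshd
Sep 10 21:02:11 ubuntu-1 sshd[23001]: Accepted publickey for dadu from 203.0.113.10 port 50122 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Successful remote authentication: the only sshd line that proves someone got in.
RE_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
# Explicit failed authentication (password/publickey, possibly for an invalid user).
RE_FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
# Any disconnect tagged [preauth]: the client never passed authentication.
RE_PREAUTH = re.compile(
    rf"sshd\[\d+\]: .*?(?P<ip>{IPV4}) port \d+.*\[preauth\]")
# Local privilege escalation: who ran what, and as whom.
RE_SUDO = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
RE_SU = re.compile(r"su\[\d+\]: Successful su for (?P<target>\S+) by (?P<user>\S+)")


def summarize(log_text):
    """Sort auth.log lines into successful remote logins, failed/pre-auth
    remote attempts (per source IP) and local sudo/su escalations."""
    accepted = []          # (user, ip, method)
    attempts = Counter()   # ip -> number of failed or pre-auth disconnects
    escalations = []       # (user, target, command)
    for line in log_text.splitlines():
        if (m := RE_ACCEPTED.search(line)):
            accepted.append((m["user"], m["ip"], m["method"]))
        elif (m := RE_FAILED.search(line)):
            attempts[m["ip"]] += 1
        elif (m := RE_PREAUTH.search(line)):
            attempts[m["ip"]] += 1
        elif (m := RE_SUDO.search(line)):
            escalations.append((m["user"], m["target"], m["cmd"].strip()))
        elif (m := RE_SU.search(line)):
            escalations.append((m["user"], m["target"], "su"))
    return {"accepted": accepted, "attempts": attempts, "escalations": escalations}


def findings(summary, trusted_users=frozenset({"dadu"})):
    """Reduce the summary to conclusions. Only 'accepted' lines show that
    someone actually logged in; pre-auth disconnects are attempts that never
    authenticated, which is exactly what fail2ban counts and bans."""
    out = []
    for user, ip, method in summary["accepted"]:
        tag = "OK" if user in trusted_users else "INVESTIGATE"
        out.append(f"{tag}: remote login as {user} from {ip} via {method}")
    for user, target, cmd in summary["escalations"]:
        tag = "OK" if user in trusted_users or user == target else "INVESTIGATE"
        out.append(f"{tag}: {user} -> {target}: {cmd}")
    total = sum(summary["attempts"].values())
    out.append(f"INFO: {total} failed/pre-auth attempts from "
               f"{len(summary['attempts'])} IPs (no access gained)")
    return out


if __name__ == "__main__":
    # Pipe a real log in (e.g. `sudo cat /var/log/auth.log | python3 triage.py`),
    # otherwise the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for line in findings(summarize(text)):
        print(line)
```

The "trusted_users" set is an assumption for the example (the question's own account name); on a real box, list the accounts you actually log in with, and treat any "Accepted" line for another user or from an address you do not know as the thing to investigate.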
