Rsync cron works well, just today at 00:01 it looks like that happened with ssh!!!
Cloudflare blocked my post so here it is - http://pastebin.com/raw/x6ENpyZf
Heeelp
Log is full of
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 247
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 248
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 249
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 250
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 251
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 252
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 253
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 254
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 255
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 256
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 257
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 258
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 259
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 260
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 261
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 262
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 263
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 264
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 265
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 266
Feb 5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 267
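The "Bad prime description in line N" message is what sshd logs when line N of /etc/ssh/moduli fails to parse, so a walking line number points at a truncated or edited moduli file. The checker below is an added example, not code from the thread or from OpenSSH; its field checks approximate sshd's parser (an assumption, not a copy of it) and the sample file is constructed.

```python
"""Check an OpenSSH moduli file for lines sshd would reject (added example,
not from the thread). The checks approximate sshd's moduli parser and are
an assumption; they are enough to spot truncated or edited lines."""
import re

MODULI_TYPE_SAFE = 2           # field 2: Sophie Germain safe prime
MODULI_TESTS_COMPOSITE = 0x01  # field 3 bit: prime known to be composite

def check_moduli_line(line):
    """Return None if the line looks valid, else a short reason."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None                       # comments and blanks are skipped
    fields = s.split()
    if len(fields) != 7:                  # time type tests trials size gen modulus
        return "expected 7 fields, got %d" % len(fields)
    time_, typ, tests, trials, size, gen, modulus = fields
    if not all(f.isdigit() for f in (time_, typ, tests, trials, size, gen)):
        return "non-numeric field"
    if int(typ) != MODULI_TYPE_SAFE:
        return "type is not %d" % MODULI_TYPE_SAFE
    if int(tests) == 0 or int(tests) & MODULI_TESTS_COMPOSITE:
        return "prime marked composite / untested"
    if not re.fullmatch(r"[0-9A-Fa-f]+", modulus):
        return "modulus is not hex"
    # the size field is one less than the prime's bit length (2047 for 2048-bit)
    if int(modulus, 16).bit_length() != int(size) + 1:
        return "size field does not match modulus length"
    return None

def find_bad_lines(text):
    """Return [(lineno, reason)] numbered from 1, as in sshd's error message."""
    bad = []
    for n, line in enumerate(text.splitlines(), 1):
        reason = check_moduli_line(line)
        if reason:
            bad.append((n, reason))
    return bad

# Constructed sample (not the server's real file): two well-formed lines, then
# a truncated modulus, a truncated line and a line flagged composite.
GOOD_MODULUS = "F" * 512   # 2048 bits of placeholder hex, not a real prime
SAMPLE_MODULI = "\n".join([
    "# comment",
    "20160101000000 2 6 100 2047 2 " + GOOD_MODULUS,
    "20160101000001 2 6 100 2047 5 " + GOOD_MODULUS,
    "",
    "20160101000002 2 6 100 2047 2 " + GOOD_MODULUS[:40],
    "20160101000003 2 6 100",
    "20160101000004 2 1 100 2047 2 " + GOOD_MODULUS,
])
```

Running find_bad_lines over the real /etc/ssh/moduli (read with open().read()) tells you whether the line numbers in the log match lines that are actually malformed, which separates a damaged file from a damaged sshd binary.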
Comments
What are permissions on sshd_config? Anything different?
When I log in I do not see the Ubuntu welcome anymore, or how much space I have on /home ...
Cloudflare blocked it again, my bad, sorry - http://pastebin.com/raw/gy0VNFTR
When I run the command who, it does not print root??
Yes, it's fucking annoying. What's your sshd look like remotely? Also, can you post your sshd_config on pastebin or elsewhere?
A uname -a would be good to have as well.
Here - http://pastebin.com/raw/YM6wBcPK
I've never seen an sshd with everything commented out but the scp service before. I'm kind of stumped, because I have no idea what it'll actually do when setup like that.
What's a telnet to port 22 show for version, by chance?
From the timestamp of the files it looks like someone or something messed around with ssh. Probably the bin got replaced and the config had been edited to not stand in the way... (that's also why you don't see your motd anymore)
My guess would be the system has been compromised. Have you read the logfiles for that time and after?
Boot in rescue mode, mount the drives and search for files with that timestamp and newer to see what else differs, and maybe work from there.
Also you might try to force reinstall of openssh including overwrite of configs and such... but in the end might need to prepare for a reinstall of the system.
Nothing special, this is how it works. It's specified in the file.
Do you remember if PermitRootLogin is allowed by default under 7.2/Ubuntian? I don't. That's my point. There are defaults, and there are defaults that have been changed, which is very common for Debian based systems. I'm too damn lazy to do a source unpack and look right now, but I might in a couple hours after a nap.
The one thing that looks off here is that DebianBanner (Ubuntu) is not showing, and that is usually enabled by default:
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
Also rsync couldn't connect to that server because the hostkey changed. That has to be related to the changes done to the sshd_config. So if OP didn't touch that at 00:01 someone else did. Supposing he is the only one using root or sudo...
If it was cron, the question is what job ran at that time that messes with ssh and its config? Any kind of upgrade? It should definitely not replace any config files, esp. when unattended...
I'm going to say "Your ssh is not what is standardly installed", myself, with no further information. Look for modifications in your /root/.ssh/* files, and work from there.
There are not too many changes that will fuck up the host key, except for a skr1ptkiddy or a forced installation.. it's easier for them to just replace the binaries and leave the rest alone. So, unless this is a semi-managed host, I'd be concerned with anything/everything on there being compromised.
That's what I wrote in my first comment, which you might have overlooked ;-)
No, I didn't overlook it- I didn't consider it at all. I was doing my own assessment from the limited information I asked for and was given. It's a force of habit.
It all started at 00:01, and see in the sbin folder
Hmmm ??
I had a similar situation a few months back when a server automatically upgraded cloud-init, which in turn regenerated SSH host keys. So before you suspect a compromised system, just check for any upgrade logs
in logs:
After all, something changed the ssh binary and the config. After that it obviously failed to restart, maybe because it didn't stop properly or some other process hooked up on that port...
Yes, I agree any (broken) update could cause such a mess, mentioned that earlier already... yet I do find it very... strange.
First of all I would check the system's uptime to see if the machine has been rebooted.
Check who has been connecting via ssh with
last
or
journalctl /usr/sbin/sshd|grep Accepted
Check logs in /var/log/apt to see what has the package manager last done before the issue appeared.
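The triage steps above (successful logins from last / journalctl, package activity from /var/log/apt) come down to building one timeline around the 00:01 event. As an added example, not code from the thread, the script below parses sshd "Accepted" lines and apt history.log stanzas and lists everything within an hour of the incident time. The sample lines are constructed: the host name and times mirror the OP's log, while the year, IP addresses, user names and package versions are placeholders.

```python
"""Timeline of ssh logins and apt actions around an incident time (added
example for the triage steps above, not code from the thread). Sample lines
are constructed; host and time mirror the OP's log, IPs and packages are placeholders."""
import re
from datetime import datetime, timedelta

SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")
APT_STANZA = re.compile(r"Start-Date: (?P<ts>\S+ +\S+)\n(?P<body>(?:.+\n)*?)End-Date:")

def parse_sshd(lines, year):
    """Yield (datetime, text) per successful login; syslog lines carry no year."""
    for line in lines:
        m = SSHD_ACCEPTED.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
            yield ts, "ssh %s login: %s from %s" % (m["method"], m["user"], m["ip"])

def parse_apt(text):
    """Yield (datetime, text) per stanza of apt's history.log."""
    for m in APT_STANZA.finditer(text):
        ts = datetime.strptime(" ".join(m["ts"].split()), "%Y-%m-%d %H:%M:%S")
        body = dict(l.split(": ", 1) for l in m["body"].splitlines() if ": " in l)
        what = body.get("Install") or body.get("Upgrade") or body.get("Remove", "")
        yield ts, "apt: %s -> %s" % (body.get("Commandline", "?"), what)

def timeline(events, pivot, window=timedelta(hours=1)):
    """Events within +/- window of the incident time, oldest first."""
    return sorted(e for e in events if abs(e[0] - pivot) <= window)

AUTH_LOG = [  # constructed sample lines
    "Feb  4 09:12:01 sd-47323 sshd[9001]: Accepted publickey for admin from 192.0.2.10 port 50123 ssh2: RSA SHA256:placeholder",
    "Feb  4 23:58:30 sd-47323 sshd[9420]: Accepted password for root from 203.0.113.77 port 41234 ssh2",
    "Feb  5 07:07:01 sd-47323 sshd[28803]: error: Bad prime description in line 247",
]
APT_HISTORY = """Start-Date: 2016-02-01  06:30:00
Commandline: apt-get dist-upgrade
Upgrade: openssh-server:amd64 (1:7.2p2-4ubuntu2, 1:7.2p2-4ubuntu2.1)
End-Date: 2016-02-01  06:31:12

Start-Date: 2016-02-05  00:00:41
Commandline: apt-get install sendmail
Install: sendmail:amd64 (0.placeholder)
End-Date: 2016-02-05  00:01:03
"""

def incident_timeline(pivot=datetime(2016, 2, 5, 0, 1)):  # year is an assumption
    events = list(parse_sshd(AUTH_LOG, pivot.year)) + list(parse_apt(APT_HISTORY))
    return timeline(events, pivot)
```

On a real box feed it the lines of /var/log/auth.log (or journalctl output) and the text of /var/log/apt/history.log; a login shortly before the 00:01 change followed by an unexpected install is exactly the pattern worth pulling out before anything is reinstalled.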
I removed the bins and installed a new openssh-server, so I don't have that in Accepted, but in the apt log I see
which ended before ssh was modified. Did you install sendmail? If not, I'd say this hardens the belief that someone messed around with your server and probably installed sendmail to be able to run his spam scripts or whatever... after that he also might have messed around with ssh to give the bot control access - however your ssh had been configured before.
It's about 12 hours after your first post... have you watched closely what processes are running and the network etc.? Or is that box still in rescue mode? Otherwise it may have sent millions of spam mails already. Look up your IP in a blacklist to see the outcome...
a) the offending line is "walking"/INC'd by 1 each time.
b) please provide output of
ssh -vv [username]@[your_server]
I have not installed it, that's the problem. I firewalled everything now, even port 22; in netstat -tupen I only have 3 ports open, I know about them and all are firewalled. I reinstalled all bins, but before that I removed all ssh and sendmail, anything with mail in the bin/sbin dirs, so let's see.
You either left away most of the output (what you show is just the start) or you fucked up your setup big time.
I'm particularly missing the KEX lines.
I had enabled the firewall, probably that's why; with the firewall disabled it's like this ->
Let me guess: You have configured the server sshd with key only authentication, right?
Have a look into your local .ssh directory.
So, again, as many have problems with that:
First, while sshd_config is still default (and normal password login is enabled):
scp .ssh/some_key.pub [user]@[server]:/home/[user]
(with "some_key" standing for whatever you choose, say "id_rsa.pub") Then, on the server as that user (not as root unless you want to enable it for root access):
In case .ssh already exists, don't care about any warning. In case .ssh/authorized_keys already exists, instead of mv ... you use
cat [some_key.pub] >> .ssh/authorized_keys
and then, if it works well, rm [some_key.pub]
Oops, forgot to say I have it like this:
iptables -> DROP others ALLOW only ME -> host.allow only me and host.deny all others -> user ssh password -> 2Factor Auth -> logged in as user