Score:3

Unexpected entries in authorized_keys - is my server compromised?


I’ve recently deployed a fresh cloud server and installed dokku. I’ve set up two simple apps, a PHP and Vue/static app and the plugin for letsencrypt.

Everything was fine but two days later I noticed three unusual entries in the authorized_keys file for the dokku user. I’m wondering if my server was somehow compromised or if I am overreacting:

Keys have been redacted:

command="FINGERPRINT=SHA256:<redacted> NAME=\"admin1\" `cat /home/dokku/.sshcommand` $SSH_ORIGINAL_COMMAND",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding ssh-rsa <redacted pub key>
command="FINGERPRINT=SHA256:<redacted> NAME=\"web-admin1\" `cat /home/dokku/.sshcommand` $SSH_ORIGINAL_COMMAND",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding ssh-rsa <redacted pub key>
command="FINGERPRINT=SHA256:<redacted> NAME=\"web-admin2\" `cat /home/dokku/.sshcommand` $SSH_ORIGINAL_COMMAND",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding ssh-rsa <redacted pub key> jondo@debian

Dokku has an sshcommand feature (link) but I never used it.

Looking at last and .bash_history reveals nothing unusual and /var/log/auth.log reveals the endless brute force attempts that I imagine all public servers face, but no unusual logins.

The dokku documentation says: "Warning: If you don't complete setup via the web installer (even if you set up SSH keys and virtual hosts otherwise) your Dokku installation will remain vulnerable to anyone finding the setup page and inserting their key." Could this be your issue?
A.B
So what's the current content of `~dokku/.sshcommand`?
@MosheKatz - you are exactly correct, that was precisely the problem - after installing I simply went ahead and did everything through the command line and failed to close the web install process. This is indeed mentioned in the documentation (granted below the fold) and one can check if the installer is still running via `ps auxf | grep dokku-installer` - Perhaps you want to submit this as an answer and I can mark it as solved. @A.B there was no `.sshcommand` file present.
A.B
@waffl there could have been one that was erased. You should consult this Q/A about compromised systems: https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server
Score:2

The dokku documentation says:

Warning: If you don't complete setup via the web installer (even if you set up SSH keys and virtual hosts otherwise) your Dokku installation will remain vulnerable to anyone finding the setup page and inserting their key.

If you did not do this, someone (probably using an automated scanner) found this link and put in their own keys.

Unfortunately, I do not know enough about dokku to tell you if this definitely means your system is compromised, but I would definitely be very suspicious that this is the case.
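A small audit script for the situation above, added here as an example (it is not code from the question, the answer or the Dokku project). It assumes the entry format shown in the question, where Dokku writes a forced command carrying FINGERPRINT= and NAME= before the key; the sample entries are constructed and the key material is a placeholder.

```shell
#!/bin/sh
# Audit a Dokku user's authorized_keys: extract the NAME= and FINGERPRINT= that
# Dokku puts in each forced command, report the trailing key comment (the
# "jondo@debian" style clue in the question), flag NAMEs not on an allowlist,
# and treat entries without Dokku's forced command as UNMANAGED, since Dokku
# never writes those. Sample data is constructed; keys are placeholders.

SAMPLE_KEYS='command="FINGERPRINT=SHA256:aaaa NAME=\"admin1\" `cat /home/dokku/.sshcommand` $SSH_ORIGINAL_COMMAND",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding ssh-rsa AAAAB3placeholder1
command="FINGERPRINT=SHA256:bbbb NAME=\"web-admin1\" `cat /home/dokku/.sshcommand` $SSH_ORIGINAL_COMMAND",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding ssh-rsa AAAAB3placeholder2
command="FINGERPRINT=SHA256:cccc NAME=\"web-admin2\" `cat /home/dokku/.sshcommand` $SSH_ORIGINAL_COMMAND",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding ssh-rsa AAAAB3placeholder3 jondo@debian
ssh-ed25519 AAAAC3placeholder4 nobody@example'

# Print "name fingerprint comment" per entry (comment is "(none)" when absent).
# Assumes key types of the form ssh-rsa / ssh-ed25519 (not ecdsa-sha2-*).
list_keys() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac          # skip blanks and comments
        meta=$(printf '%s\n' "$line" | sed -n \
            's/^command="FINGERPRINT=\(SHA256:[^ ]*\) NAME=\\"\([^"]*\)\\".*/\2 \1/p')
        [ -n "$meta" ] || meta="UNMANAGED -"               # no Dokku forced command
        comment=$(printf '%s\n' "$line" | sed 's/.*ssh-[a-z0-9]* [^ ]*//; s/^ *//')
        printf '%s %s\n' "$meta" "${comment:-(none)}"
    done < "$1"
}

# Print the entries whose NAME is not in the space-separated allowlist.
unexpected_keys() {
    allow=" $2 "
    list_keys "$1" | while read -r name fp comment; do
        case "$allow" in
            *" $name "*) ;;
            *) printf '%s %s %s\n' "$name" "$fp" "$comment" ;;
        esac
    done
}

# The web installer keeps accepting keys until setup is completed (the root
# cause in the question): report whether it is still running on this host.
installer_running() {
    ps axo args 2>/dev/null | grep -v grep | grep -q dokku-installer
}

# Stand-alone run against the constructed sample, allowing only admin1.
sample_file=$(mktemp)
printf '%s\n' "$SAMPLE_KEYS" > "$sample_file"
unexpected_keys "$sample_file" "admin1"
rm -f "$sample_file"
```

On a real host, point `unexpected_keys` at `/home/dokku/.ssh/authorized_keys` with the names you actually added, and call `installer_running` to confirm the installer is down.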
