I have deployed my public key on to authorized keys.
All was fine till a couple of hours ago, when Logging in via SSH with RSA PK Auth
started prompting for a sudo password.
I checked Auth.log , and it says
Public Key Accepted.
One weird thing I noticed was, There were Millions of entries that logged
Opened a session for root
Immediately after It said
Public key accepted
Probably because it prompted me for a sudo password?
There are also millions of entries logging
Maximum login attempts reached for root @ port 472 from an IP I dont recognise
which were all blocked thanks to the firewall.
Also weird is, Once I do login,
When I run
ps -aux | grep ssh
I get a long list of root logins on the SSH process
I kill them, and they create a new one.
Why?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Sign up for Infrastructure as a Newsletter.
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
I Found the culprit!
It was a process called
and it was doing
on startup.
Gave it out
This, was running a shell script , to disable thp (Transparent huge page) on startup.
Like so:
This was one of the tweaks to memalloc for the Redis server on the VPS
** Solution : **
@jtittle
thanks for pointing me to this :
@SchrodingersCat
When it comes to SSH and PubKey Authentication, it’s best to keep it as simple as possible unless you have a reason to drift from the norm. I can only speak from MacOS and Windows 10 at the moment as I don’t have a Linux box setup locally right now – only the remote Droplets.
I use Terminal on MacOS and PuTTy on Windows 10.
The
known_hosts
file on MacOS does store basic information and that, of course, prevents having to confirm the host that I’m connecting to. Beyond that, the key itself is not cached on either system, so to login, the passphrase for the key must still be used unless there’s no passphrase setup for the key.I personally wouldn’t use anything that caches the passphrase of my keys, even on my own systems as that is substantially less secure and allows anyone that can gain access the ability to login.
That being said, it’s hard to tell what’s going on. It looks like something is being executed after login (authentication) and it’s attempting to run something that would require
root
orsudo
, thus you’re being prompted to authenticate before whatever command is running tries to execute.…
Using the details I provided above, your scenario is definitely not normal and shouldn’t happen unless you do have something that is set to run or execute after authentication, in which case, you’d need to find out what that is. It’s hard to tell when you’re just being prompted as it doesn’t provide any actual details on what’s going on.
In any normal circumstance, you’d run:
or
Confirm (if it’s the first connection), or enter your passphrase (if one is set), and you’re in.
I can’t think of anything off the top of my heard that would log you in and then immediately attempt to get you to authenticate your
sudo
user unless you’ve somehow been hacked and something is running in an attempt to gain yoursudo
password, thus allowing an attacker to get what they’re after.That’s just a guess, not a claim, and is only based on the information you’re providing.
To test, I would setup a simple 512MB Droplet and run though the configuration I provided. With it, you should confirm once, authenticate with or without a passphrase, and either login and be denied (if the details are not correct).
@SchrodingersCat
If you’re logged in as
root
and usingsudo
, i.e.… then you shouldn’t be prompted for a password as you’re already running as
root
, thus there’s no higher escalation.If you’re logged in a as a non-
root
user and prefixing commands withsudo
, then you’ll be asked to confirm that users password before the command executes – that’s by design. Without prompting for the users password, you’re effectively running asroot
and that defeats the purpose of asudo
user.…
Public Key authentication has nothing to do with anything other than initial authentication between your computer and the server (or between two servers). If you’re being prompted at initial login, that’s because you’ve most likely put a passphrase on your key (which is ideal), but that’s as far as that goes.
…
As for the failed logins, seeing failures is normal as the IP of your Droplet is public and most likely belonged to a user before you had it. It’s common to see attempts to break in, and what this boils down to is security and properly securing your server.
Ideally, you should:
1). Create a
sudo
user; 2). Setup SSH keys for that user (with a passphrase on the key); 3). Set a password for thesudo
user that differs from your passphrass; 4). Confirm that you’re able to login as thesudo
user using the key. 5). Confirm that you’re able to runsudo [command]
as the user, and it works; 6). Lock theroot
account so that it can’t be used to login.