/home/user directory was deleted, possible attack, best security practice

I’m trying to set up my first server. I have been doing some actions on it that I will summarize, and when I came back later there had been some changes. I don’t know if they were caused by me by accident, or are the result of an attack:

  1. this is a dedicated server
  2. it has been installed with Debian 10
  3. I connected with ssh to the default-user, set up by my hosting provider
  4. I changed the default-user and root-user password, the same for both
  5. I created a new-user, same password, gave it sudo access by adding it to the sudo group
  6. I used ssh-copy-id to copy the public key on the server and connect without entering passwd on this new-user
  7. I changed the shell of the default-user to /usr/nologin with sudo usermod --shell /usr/nologin username

When I connected again later in the day I noticed strange things:

  1. the home directory of the new-user was deleted
  2. the new-user itself still exists, its password has not changed, nor has any other user's password (root and default-user)
  3. after some minutes without doing anything on the server the ssh session is disconnected with this message: client_loop: send disconnect: Broken pipe
  4. if I inspect the systemd journal with journalctl I can see a lot of connection failures from different usernames. It looks like this, repeated thousands of times with some variations of names and messages, all through the day, several per minute:
      Oct 16 19:53:07 PAR-539852 sshd[20738]: Invalid user nagios from 148.72.209.121 port 59358
      Oct 16 19:53:07 PAR-539852 sshd[20738]: pam_unix(sshd:auth): check pass; user unknown
      Oct 16 19:53:07 PAR-539852 sshd[20738]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=148.72.209.121
      Oct 16 19:53:09 PAR-539852 sshd[20738]: Failed password for invalid user nagios from 148.72.209.121 port 59358 ssh2
      Oct 16 19:53:11 PAR-539852 sshd[20738]: Received disconnect from 148.72.209.121 port 59358:11: Bye Bye [preauth]
      Oct 16 19:53:11 PAR-539852 sshd[20738]: Disconnected from invalid user nagios 148.72.209.121 port 59358 [preauth]

So I have multiple questions:

  1. can it be some attack attempt?
  2. is it possible that someone can delete the /home/user directory, or is it more likely that I did it myself accidentally? (how?)
  3. and most of all, how can I prevent that from happening in the future (the continuous failed login attempts, the deletion of the /home/user directory if it was not by accident, and any sort of attacks)? For the moment it’s not critical, since I didn’t do anything on the server yet
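
A way to triage the sshd journal lines quoted in the question, as an added example that is not part of the original post: it counts failed password attempts per source address and lists every accepted login that deserves a closer look. The `triage` function, the `trusted_ips` parameter and all sample lines except the two `nagios` lines copied from the post are assumptions made for this illustration.

```python
import re
import sys
from collections import Counter

# Greedy (.*) keeps the user name intact even if a client sends one containing " from ".
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(.*) from (\S+) port \d+ ssh2")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (.*) from (\S+) port \d+ ssh2")

# Constructed sample: the two nagios lines come from the post, the rest are made up
# (documentation-range addresses, placeholder key fingerprint).
SAMPLE = """\
Oct 16 19:53:07 PAR-539852 sshd[20738]: Invalid user nagios from 148.72.209.121 port 59358
Oct 16 19:53:09 PAR-539852 sshd[20738]: Failed password for invalid user nagios from 148.72.209.121 port 59358 ssh2
Oct 16 19:54:02 PAR-539852 sshd[20751]: Failed password for root from 203.0.113.7 port 40112 ssh2
Oct 16 19:54:05 PAR-539852 sshd[20751]: Failed password for root from 203.0.113.7 port 40112 ssh2
Oct 16 19:54:09 PAR-539852 sshd[20751]: Accepted password for root from 203.0.113.7 port 40112 ssh2
Oct 16 20:10:44 PAR-539852 sshd[20990]: Accepted publickey for newuser from 198.51.100.23 port 51514 ssh2: ED25519 SHA256:CONSTRUCTED
"""

def triage(log_text, trusted_ips=()):
    """Summarise sshd auth lines: failures per IP, user names tried, logins to review."""
    failed_by_ip, tried_users, accepted = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            tried_users[m.group(1)] += 1
            failed_by_ip[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m.group(1), m.group(2), m.group(3)))  # (method, user, ip)
    # Failed attempts alone are background noise on any public SSH port. What matters
    # is an accepted login that used a password, came from an address that also
    # produced failures, or came from an address you do not recognise.
    review = [a for a in accepted
              if a[0] == "password" or a[2] in failed_by_ip or a[2] not in trusted_ips]
    return {"failed_by_ip": failed_by_ip, "tried_users": tried_users,
            "accepted": accepted, "review": review}

if __name__ == "__main__":
    # Pipe journal text in on stdin, or run with no input to use the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    result = triage(text)
    for ip, n in result["failed_by_ip"].most_common(10):
        print(f"{n:6d} failed attempts from {ip}")
    for method, user, ip in result["review"]:
        print(f"REVIEW: accepted {method} login for {user} from {ip}")
```

If the review list is empty and every accepted login matches your own sessions, the failed attempts in the journal did not get in.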