Hi,
I have no idea what happened to our server..
I tried to log in to our backup server for the first time in 6 weeks, only to find that I couldn't log in via ssh...
I managed to log in via the server terminal (not ssh) and found that the home directories were messed up..
I have 2 users, gkontos and safetynet.. when I ran ll /home, I ended up with this:
Code:
drwxr-xr-x 2 gkontos gkontos 12 Apr 11 12:11 fred/
drwxr-xr-x 4 safetynet safetynet 15 Sep 28 13:29 gkontos/
Inside both home directories, I lost my .ssh directory that allowed me to connect via ssh..
I have now renamed the home directories back to their original names and created the .ssh directories again, and I can ssh to the server.
I just added a new user (updraftplus) and at first it all seemed ok, but I just realised that the new user's home directory hasn't been created... despite it existing in /etc/passwd
cat /etc/passwd
Code:
# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:kryten:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
safetynet:*:1001:1001:First Last:/home/safetynet:/bin/csh
gkontos:*:1002:1002:First Last:/home/gkontos:/bin/csh
updraftplus:*:1003:1003:updraftplus backup:/home/updraftplus:/usr/local/bin/scponly
Security wise, I have the following /etc/pf rules
Code:
ext_if = "bge0"
IPv4_icmp_types="echoreq"
MYNETS = "{192.168.xx.0/24, 192.168.xx.0/24, 91.203.72.xxx/29, 194.12.13.xxx/29}"
### all incoming traffic on external interface is normalized and fragmented
### packets are reassembled.
scrub in on $ext_if all fragment reassemble
### set a default deny everything policy.
block log all
### exercise antispoofing on the external interface, but add the local
### loopback interface as an exception, to prevent services utilizing the
### local loop from being blocked accidentally.
set skip on lo0
antispoof for $ext_if inet
### keep state on any outbound IPv4 tcp, udp or icmp traffic. modulate the isn of
### outgoing packets. (initial sequence number) broken operating systems
### sometimes don't randomize this number, making it guessable.
pass out log on $ext_if inet proto { tcp, udp, icmp } from any to any modulate state
#### Management
pass in quick log on $ext_if proto tcp from $MYNETS to any port 22 keep state
### pass icmp echo
pass in log on $ext_if inet proto icmp all icmp-type $IPv4_icmp_types
/etc/ssh/sshd_config
Code:
[...]
AllowUsers safetynet gkontos root
ChallengeResponseAuthentication no
PasswordAuthentication no
[...]
I am also unable to delete the account:
rmuser updraftplus
Code:
rmuser: user (updraftplus) does not exist in the password database.
Could anyone please help me understand? Have I been hacked?
Thank you
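An added triage script for the situation described above; it is not code from the post and not part of FreeBSD. On FreeBSD, /etc/passwd is a generated view of /etc/master.passwd, and pw(8) and rmuser(8) (which prints exactly the "does not exist in the password database" message shown above after pw usershow fails) work from the master file and the /etc/pwd.db and /etc/spwd.db databases that pwd_mkdb(8) builds from it. An entry that exists only in /etc/passwd, for example one written with an editor instead of vipw(8) or pw useradd -m, is therefore invisible to rmuser and never gets a home directory created. The script takes the two views of the account list as files (a copy of /etc/passwd and the output of getent passwd) so it can be run against copies taken from the suspect host, and flags three things a responder checks first: accounts in the file that the database does not know, uid-0 accounts other than root and toor, and login-capable accounts whose home directory does not exist. The file names, the fixture directory and the sample entries (including the planted "evil" account) are constructed for the demonstration and are my assumptions, not data from the post.

```shell
#!/bin/sh
# Added account-consistency triage; not the poster's code and not a FreeBSD tool.
# Live use on the host in question (assumed file names):
#   getent passwd > /tmp/db.txt          # what pwd.db/spwd.db actually resolve
#   sh passwd_triage.sh /etc/passwd /tmp/db.txt

# Accounts present in the passwd(5)-format file $1 but absent from the
# getent-style dump $2. Comment lines and malformed lines are skipped.
# This is the case in which `rmuser` reports the user as non-existent.
accounts_in_file_not_in_db() {
    awk -F: 'FILENAME == ARGV[1] { if ($0 !~ /^#/ && NF >= 7) db[$1] = 1; next }
             $0 !~ /^#/ && NF >= 7 && !($1 in db) { print $1 }' "$2" "$1"
}

# Any uid-0 account besides root and toor is a classic backdoor indicator.
extra_uid0_accounts() {
    awk -F: '$0 !~ /^#/ && NF >= 7 && $3 == 0 && $1 != "root" && $1 != "toor" { print $1 }' "$1"
}

# Accounts with a real login shell (anything but nologin/false) whose home
# directory is missing. $2 is a prefix prepended to each home path so a copied
# filesystem tree (or the fixture below) can be inspected instead of the live root.
login_accounts_missing_home() {
    awk -F: '$0 !~ /^#/ && NF >= 7 && $7 !~ /(nologin|false)$/ { print $1 ":" $6 }' "$1" |
    while IFS=: read -r name home; do
        [ -d "${2}${home}" ] || echo "$name"
    done
}

# Constructed fixture (my sample data) mirroring the post: updraftplus is in
# the passwd file but not in the database and has no home directory; a planted
# uid-0 account "evil" is added to show the second check firing.
make_fixture() {
    cat > "$1/passwd" <<'EOF'
# comment line, must be ignored
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
safetynet:*:1001:1001:First Last:/home/safetynet:/bin/csh
gkontos:*:1002:1002:First Last:/home/gkontos:/bin/csh
updraftplus:*:1003:1003:updraftplus backup:/home/updraftplus:/usr/local/bin/scponly
evil:*:0:0:planted:/tmp:/bin/sh
EOF
    # The "database" view knows nothing about the two suspicious entries.
    grep -v -e '^updraftplus:' -e '^evil:' "$1/passwd" > "$1/db"
    # Fake root filesystem: only the legitimate home directories exist.
    mkdir -p "$1/root/root" "$1/root/home/safetynet" "$1/root/home/gkontos"
}

run_fixture_check() {
    tmp=$(mktemp -d) || return 1
    make_fixture "$tmp"
    printf 'in passwd but unknown to db : %s\n' "$(echo $(accounts_in_file_not_in_db "$tmp/passwd" "$tmp/db"))"
    printf 'uid 0 besides root/toor     : %s\n' "$(echo $(extra_uid0_accounts "$tmp/passwd"))"
    printf 'login shell, no home dir    : %s\n' "$(echo $(login_accounts_missing_home "$tmp/passwd" "$tmp/root"))"
    rm -rf "$tmp"
}

if [ "$#" -ge 2 ]; then
    echo "== in $1 but unknown to the account database =="; accounts_in_file_not_in_db "$1" "$2"
    echo "== uid 0 accounts other than root/toor ==";        extra_uid0_accounts "$1"
    echo "== login accounts without a home directory ==";   login_accounts_missing_home "$1" ""
else
    run_fixture_check
fi
```

Run with no arguments it exercises the fixture; with a passwd copy and a getent dump it reports on the real host. A name in the first list is the rmuser symptom above and should be reconciled with vipw(8) followed by pwd_mkdb(8) (or removed with pw userdel once it is in master.passwd) rather than by editing /etc/passwd; any name in the second list, and a login account whose home has vanished or been renamed, is worth treating as a possible compromise and cross-checking against last(1), /var/log/auth.log and the pf log before anything is deleted.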