Authorized_key

deck · 25 February 2020 13:44

Hi there,
I just find out that there is already a key in my /home/osmc/.ssh/authorized_key file.
If I remove this key and reboot my device, this key is automaticaly replace in the file.
Any idea?
thx

fzinken · 25 February 2020 13:48

You got hacked!
Did you changed the original password? Did you port forward SSH or are you directly connected to the internet?
Which device you are running OSMC on?
What is the content of authorized_key?

deck · 27 February 2020 20:22

Arf!
I’ve forward ssh through another port. Can’t remember if I changed the original password but in sshd_config I’ve set PermitRootLogin to no and configured a key for the ssh connexion. OSMC running on a pi.
My key was replace in authorized_key by the other one.

Tom_Doyle · 27 February 2020 21:00

Hi,

I suggest you remove the port forward. Reinstall your device. Before reinstating the port forward, change the default password. Also if you are using key, disable password logins in /etc/ssh/sshd_config:

PasswordAuthentication no

Also if possible on your firewall/router lockdown the IPs allowed to access your osmc device via ssh.

Also if you paranoid like me, consider fail2ban as well.

Thanks Tom.

deck · 27 February 2020 21:51

Thanks for the answer.
I’ve removed the port forwarding when I see that the key was not mine.
I’ll start a fresh install soon.
Do you know if there is any ssh log?

Tom_Doyle · 27 February 2020 22:03

Hi,

If your are looking for successful ssh logins, the last command will show these. Easiest way to read them is piping to less:

last | less

You can review logins a line a at time with enter key or space moves a page at a time.

Thanks Tom.

deck · 3 March 2020 07:46

Hi,
I’ve reinstall everything before checking the log… But my IP address has been ban from cloudfare…
" This IP address has been reported a total of 41 times from 22 distinct sources."

Tom_Doyle · 3 March 2020 08:42

Hi,

If its dynamic, try turning your router off overnight; ISP should issue a new IP. Please be advised you may need to leave your router off for longer, can take some ISPs 24hours+ of outage to issue a new IP.

If a Static IP, you may be able to to request a new IP from your ISP.

Failing that it will drop from the list eventually or you could try contacting cloudflare support and explain whats happened and that its resolved, but I suspect you will have do this from a different IP.

Thanks Tom.

deck · 23 March 2020 16:22

I’ve got a static IP, but finally I’ve been unblocked from cloufare.
thx