
#1 2020-06-07 09:36:53

diederick76
Member
Registered: 2010-02-14
Posts: 157

Server compromised via docker container?

Hi,

I am using a headless server with Arch with five docker instances and some software installed directly. I do administration over ssh using key authentication. This morning I saw this in my logs:

jun 06 09:00:03 host sshd[133534]: Accepted publickey for myuser from a.b.c.d port 48008 ssh2: ECDSA SHA256:<hash>

a.b.c.d is the ip address of the container that runs my externally facing photo publication site (PiWiGo). Traffic is routed there using nginx.  PiWiGo allows users to upload content (images) but only after logging in, and the only users that can do that are myself and my significant other.

The container does not have an ssh client. The hash corresponds to the key that I use to identify ssh sessions on Android (using JuiceSSH). I always connect to my server over VPN. Sshd itself is not externally facing, but I also did not deny ssh connections from the docker containers (I do now).

Why would the logs contain a public key authentication line from a docker container? Is there a way I could find this line in the log without someone having gained access to the container, putting ssh on it and connecting to my host using a key that was obtained from my phone?

Last edited by diederick76 (2020-06-07 11:46:56)

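The post does not resolve where the login came from, but the check it implies is mechanical: walk the sshd "Accepted" lines, flag any whose source address sits in a container network or outside the VPN range, and map each key fingerprint to the set of addresses it was used from, so a key that only ever belongs to the phone showing up from a container stands out. The script below is an added example written for this page, not code from the poster or from PiWiGo, JuiceSSH or Docker. The log lines are constructed (the post's real line has its address and fingerprint redacted), and the subnets and fingerprint allowlist are assumptions: Docker's default bridge 172.17.0.0/16 for the containers and 10.8.0.0/24 for the VPN clients; replace them with the output of `docker network inspect` and your own `ssh-keygen -lf` fingerprints.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample journal lines for this example. The post's real line
# had its address and fingerprint redacted (a.b.c.d, <hash>).
SAMPLE_LOG = """\
jun 06 09:00:03 host sshd[133534]: Accepted publickey for myuser from 172.17.0.3 port 48008 ssh2: ECDSA SHA256:phonekeyphonekeyphonekeyphonekeyphonekey1
jun 06 10:12:44 host sshd[133900]: Accepted publickey for myuser from 10.8.0.2 port 51022 ssh2: ECDSA SHA256:phonekeyphonekeyphonekeyphonekeyphonekey1
jun 06 10:40:01 host sshd[134002]: Accepted publickey for myuser from 10.8.0.7 port 40110 ssh2: ED25519 SHA256:unknownkeyunknownkeyunknownkeyunknownkey2
jun 06 11:03:15 host sshd[134111]: Failed password for root from 203.0.113.9 port 2222 ssh2
"""

# Assumed network layout (not stated in the post): Docker's default bridge
# 172.17.0.0/16 for the containers, 10.8.0.0/24 for the VPN clients.
CONTAINER_NETS = [ipaddress.ip_network("172.17.0.0/16")]
TRUSTED_NETS = [ipaddress.ip_network("10.8.0.0/24")]

# Assumed allowlist: fingerprint -> label of the device that holds the key.
KNOWN_KEYS = {
    "SHA256:phonekeyphonekeyphonekeyphonekeyphonekey1": "android-juicessh",
}

# Matches OpenSSH's "Accepted <method> for <user> from <ip> port <port> ssh2"
# line; the key type and SHA256 fingerprint are only present for publickey.
ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)


def parse_accepted(line):
    """Return a dict for an 'Accepted ...' sshd line, or None for any other line."""
    m = ACCEPTED_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ip"] = ipaddress.ip_address(ev["ip"])
    ev["pid"] = int(ev["pid"])
    ev["port"] = int(ev["port"])
    return ev


def in_any(ip, nets):
    return any(ip in net for net in nets)


def flags_for(ev):
    """Flags an admin would want raised for one successful login."""
    flags = []
    if in_any(ev["ip"], CONTAINER_NETS):
        flags.append("source_is_container")  # sshd was reached from a container address
    if not in_any(ev["ip"], TRUSTED_NETS):
        flags.append("source_not_trusted")   # not from the VPN range the admin uses
    if ev["method"] == "publickey" and ev["fp"] not in KNOWN_KEYS:
        flags.append("unknown_key")          # fingerprint not in the allowlist
    return flags


def audit(log_text):
    """Parse every line; return (flagged events, fingerprint -> sorted source IPs)."""
    events = []
    sources = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_accepted(line)
        if ev is None:
            continue
        ev["flags"] = flags_for(ev)
        ev["device"] = KNOWN_KEYS.get(ev["fp"])
        events.append(ev)
        if ev["fp"]:
            sources[ev["fp"]].add(str(ev["ip"]))
    return events, {fp: sorted(ips) for fp, ips in sources.items()}


def keys_seen_from_containers(log_text):
    """Known devices whose key was used from a container address: the pattern in the post."""
    events, _ = audit(log_text)
    return sorted({ev["device"] for ev in events
                   if ev["device"] and "source_is_container" in ev["flags"]})


if __name__ == "__main__":
    # Run against the constructed sample; on a real host feed it
    # `journalctl -u sshd --no-pager` output instead.
    events, by_key = audit(SAMPLE_LOG)
    for ev in events:
        print(f'{str(ev["ip"]):>15} {ev["user"]} {ev["device"] or "?"} '
              f'{",".join(ev["flags"]) or "ok"}')
    print(by_key)
```

The fingerprint map is the useful part: a login is only alarming relative to where that key normally comes from, and the same key appearing from both the VPN range and a container address is exactly the situation the post describes. Pair it with `docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <container>` to confirm which container held the flagged address at the time.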
