
I’ve recently deployed a fresh cloud server and installed dokku. I’ve set up two simple apps, a PHP app and a Vue/static app, and the letsencrypt plugin.

Everything was fine but two days later I noticed three unusual entries in the authorized_keys file for the dokku user. I’m wondering if my server was somehow compromised or if I am overreacting:

Keys have been redacted:

command="FINGERPRINT=SHA256:<redacted> NAME=\"admin1\" `cat /home/dokku/.sshcommand` $SSH_ORIGINAL_COMMAND",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding ssh-rsa <redacted pub key>
command="FINGERPRINT=SHA256:<redacted> NAME=\"web-admin1\" `cat /home/dokku/.sshcommand` $SSH_ORIGINAL_COMMAND",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding ssh-rsa <redacted pub key>
command="FINGERPRINT=SHA256:<redacted> NAME=\"web-admin2\" `cat /home/dokku/.sshcommand` $SSH_ORIGINAL_COMMAND",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding ssh-rsa <redacted pub key> jondo@debian

Dokku has an sshcommand feature (link) but I never used it.

Looking at last and .bash_history reveals nothing unusual and /var/log/auth.log reveals the endless brute force attempts that I imagine all public servers face, but no unusual logins.

waffl

  • The dokku documentation says: "Warning: If you don't complete setup via the web installer (even if you set up SSH keys and virtual hosts otherwise) your Dokku installation will remain vulnerable to anyone finding the setup page and inserting their key." Could this be your issue? – Moshe Katz Jul 29 '21 at 22:53
  • So what's the current content of `~dokku/.sshcommand`? – A.B Jul 30 '21 at 06:29
  • @MosheKatz - you are exactly correct, that was precisely the problem - after installing I simply went ahead and did everything through the command line and failed to close the web install process. This is indeed mentioned in the documentation (granted below the fold) and one can check if the installer is still running via `ps auxf | grep dokku-installer` - Perhaps you want to submit this as an answer and I can mark it as solved. @A.B there was no `.sshcommand` file present. – waffl Aug 01 '21 at 09:16
  • @waffl there could have been one that was erased. You should consult this Q/A about compromised systems: https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server – A.B Aug 01 '21 at 10:03

1 Answer


The dokku documentation says:

Warning: If you don't complete setup via the web installer (even if you set up SSH keys and virtual hosts otherwise) your Dokku installation will remain vulnerable to anyone finding the setup page and inserting their key.

If you did not do this, someone (probably using an automated scanner) found this link and put in their own keys.

Unfortunately, I do not know enough about dokku to tell you if this definitely means your system is compromised, but I would definitely be very suspicious that this is the case.

Moshe Katz
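A defender's check for the situation above, as an added example that is not part of the question, the answer or dokku itself: it lists the NAME values in a dokku-style authorized_keys file, flags any name not on an allowlist you supply, and tests whether `dokku-installer` still appears in ps output. The sample authorized_keys file and the ps lines are constructed placeholders; the real keys, fingerprints and process path are not taken from the page.

```shell
#!/bin/sh
# Each dokku-managed authorized_keys entry has the shape:
#   command="FINGERPRINT=SHA256:... NAME=\"admin1\" `cat /home/dokku/.sshcommand` $SSH_ORIGINAL_COMMAND",<restrictions> ssh-rsa <key> [comment]

# Print the NAME value of every dokku-managed line in the given file.
list_dokku_key_names() {
    sed -n 's/.*NAME=\\"\([^"]*\)\\".*/\1/p' "$1"
}

# Print every key whose NAME is not in the allowlist; return 1 if any is found.
# $1 = authorized_keys path, $2 = space-separated list of expected names
find_unexpected_keys() {
    keys_file=$1; allowed=$2; rc=0
    for name in $(list_dokku_key_names "$keys_file"); do
        case " $allowed " in
            *" $name "*) ;;
            *) echo "UNEXPECTED dokku key: $name"; rc=1 ;;
        esac
    done
    return $rc
}

# Return 0 if the web installer process is still present. $1 = ps output to
# inspect (defaults to a live `ps auxf`); the grep itself is excluded.
installer_still_running() {
    ps_out=${1:-$(ps auxf 2>/dev/null)}
    printf '%s\n' "$ps_out" | grep -v grep | grep -q 'dokku-installer'
}

# Constructed sample: one key the operator added ("deploy") plus two unknown ones
# named like the entries in the question. Keys and fingerprints are placeholders.
SAMPLE_KEYS=$(mktemp)
cat >"$SAMPLE_KEYS" <<'EOF'
command="FINGERPRINT=SHA256:AAAA NAME=\"deploy\" `cat /home/dokku/.sshcommand` $SSH_ORIGINAL_COMMAND",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding ssh-rsa AAAAB3placeholder me@laptop
command="FINGERPRINT=SHA256:BBBB NAME=\"admin1\" `cat /home/dokku/.sshcommand` $SSH_ORIGINAL_COMMAND",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding ssh-rsa AAAAB3placeholder
command="FINGERPRINT=SHA256:CCCC NAME=\"web-admin1\" `cat /home/dokku/.sshcommand` $SSH_ORIGINAL_COMMAND",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding ssh-rsa AAAAB3placeholder jondo@debian
EOF

# Example run: only "deploy" is expected, so admin1 and web-admin1 are reported.
find_unexpected_keys "$SAMPLE_KEYS" "deploy" \
    || echo "review the keys above, then confirm the installer is stopped"
```

On a live host, point `find_unexpected_keys` at `/home/dokku/.ssh/authorized_keys` and call `installer_still_running` with no argument.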