Javier Núñez Fernández Full Stack Web Engineer

Security Problem Case: Hacker removes /var/www folder. What to do?

If you run a web server on an Ubuntu machine, you will want to secure it. Take a look at your /var/log/auth.log file and you will see that people are constantly trying to log in to your server over SSH.

On our site http://www.valortop.com we had a security problem. A hacker logged in to our server as root and removed the /var/www folder, so we lost the whole website installation. Fortunately we had a backup of the files, the database and the source code, but we still lost time and money while the site was offline.

Then we thought: "OK, let's change the root password and the hacker won't get into our server again." We changed the root password, reinstalled the website, the database and so on, and then, 10 hours later, the website was offline again. We checked /var/log/auth.log to see which root sessions appeared there, and found this (I have replaced the real attacker IP with the label HACKER_IP):


Mar 14 02:19:59 valortop sshd[7410]: Accepted publickey for root from HACKER_IP port 32905 ssh2: RSA **:**:**:**:**:**:**:**:**:**:**:**:**
Mar 14 02:19:59 valortop sshd[7410]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 14 02:19:59 valortop systemd-logind[877]: New session 59 of user root.
Mar 14 02:20:01 valortop CRON[7429]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 14 02:20:01 valortop CRON[7431]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 14 02:20:01 valortop CRON[7432]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 14 02:20:01 valortop CRON[7430]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 14 02:20:01 valortop CRON[7431]: pam_unix(cron:session): session closed for user root
Mar 14 02:20:01 valortop CRON[7432]: pam_unix(cron:session): session closed for user root
Mar 14 02:20:01 valortop CRON[7430]: pam_unix(cron:session): session closed for user root
Mar 14 02:20:34 valortop sshd[7410]: Received disconnect from HACKER_IP: 11: disconnected by user

As you can see, the login was accepted with an SSH public key, not a password. The attacker spent about half a minute on the server, removed the /var/www folder and disconnected. Note that auth.log only records the authentication, not what the session did; the CRON lines that open root sessions in the same minute are worth checking as well (crontab -l as root, and /etc/cron.*), because a cron job is another common way to keep access to a server. Then we realised:

  1. The hacker had logged in the previous day by breaking the root password.
  2. He had installed his own public key for root (by default in /root/.ssh/authorized_keys), so even though we changed the root password, he could still log in with his private key.
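An added example, my own and not from the original post, of the two checks that would have caught this earlier: which accepted SSH logins root has had and by which method, and which public keys are installed for root. The log lines are constructed for the example and use the HACKER_IP label; on a real server pass /var/log/auth.log and /root/.ssh/authorized_keys as the arguments.

```shell
#!/bin/sh
# Added example, not from the original post: pull every accepted SSH login of a
# user out of auth.log (method and source address) and list the keys in an
# authorized_keys file. On a real box:
#   accepted_logins root /var/log/auth.log
#   list_authorized_keys /root/.ssh/authorized_keys
# The log lines below are constructed for this example; HACKER_IP is a placeholder.

SAMPLE_LOG=$(cat <<'EOF'
Mar 13 23:41:10 valortop sshd[6120]: Failed password for root from HACKER_IP port 50122 ssh2
Mar 13 23:41:15 valortop sshd[6120]: Accepted password for root from HACKER_IP port 50122 ssh2
Mar 14 02:19:59 valortop sshd[7410]: Accepted publickey for root from HACKER_IP port 32905 ssh2: RSA SHA256:REDACTED
Mar 14 02:20:01 valortop CRON[7429]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 14 09:02:33 valortop sshd[8001]: Accepted publickey for deploy from 198.51.100.7 port 41000 ssh2: ED25519 SHA256:REDACTED
EOF
)

# Print "method source-address" for each accepted sshd login of USER.
# Usage: accepted_logins USER [LOGFILE]; without LOGFILE the sample above is used.
accepted_logins() {
    user="$1"
    { if [ -n "${2:-}" ]; then cat "$2"; else printf '%s\n' "$SAMPLE_LOG"; fi; } |
    awk -v u="$user" '
        # Fields: 1-3 timestamp, 4 host, 5 sshd[pid]:, 6 Accepted, 7 method,
        # 8 for, 9 user, 10 from, 11 address
        $5 ~ /^sshd\[/ && $6 == "Accepted" && $9 == u && $10 == "from" { print $7, $11 }'
}

# Print "key-type comment" for each key in an authorized_keys file, so a key
# with a comment you do not recognise (or no comment at all) stands out.
# A leading options field that itself contains spaces is not parsed.
# Usage: list_authorized_keys FILE
list_authorized_keys() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            i = 1
            if ($1 !~ /^(ssh-|ecdsa-|sk-)/) i = 2   # skip a leading options field
            comment = ""
            for (j = i + 2; j <= NF; j++) {
                if (comment != "") comment = comment " "
                comment = comment $j
            }
            if (comment == "") comment = "(no comment)"
            print $i, comment
        }' "$1"
}

# Stand-alone demo on the constructed sample.
echo "Accepted root logins in the sample log (method address):"
accepted_logins root
```

An unexpected publickey entry for root, or a key in authorized_keys whose comment you do not recognise, is the sign that changing the password is not enough. Remove the unknown key, and because the attacker had root, treat the whole machine as compromised: rebuilding it from a clean image and the backup is safer than only deleting what you can find.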

So what did we do? We read some documentation on how to prevent this, and this is what we did:

  1. CREATE A NEW USER AND DISALLOW ROOT LOGIN. Most automated attacks try the most common user names, above all root, so it is better to create our own user with sudo privileges and refuse SSH logins as root (PermitRootLogin no in /etc/ssh/sshd_config). Note that the Ubuntu default, PermitRootLogin prohibit-password, still allows exactly the key-based root login the attacker used.
  2. CREATE AN SSH KEY PAIR TO ACCESS THE SERVER. SSH lets you log in with a password or with a key pair whose public half is in the user's authorized_keys file. We generated a new key pair and installed its public key for our new user.
  3. DISALLOW PASSWORD LOGIN. As we already have access with our private key, it's better to disallow
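The steps above as a script, an added example and not the post's own commands. It assumes the new administrative account is called deploy, that its public key is in ./deploy.pub, that sshd reads /etc/ssh/sshd_config and that the service is named ssh (as on Ubuntu); the config rewrite and the check take explicit file paths, so they can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumptions: the admin account is
# "deploy", its public key is ./deploy.pub, sshd's main config is
# /etc/ssh/sshd_config and the service is "ssh" (Ubuntu). The two config
# functions take explicit file paths so they can be exercised on copies.

# Rewrite an sshd_config so that root and password logins are off and key
# logins are on. Any existing line for those keywords, commented out or not,
# is replaced (first hit rewritten, later duplicates dropped); keywords that do
# not appear are appended. Match blocks are not treated specially.
# Usage: harden_sshd_config IN OUT
harden_sshd_config() {
    awk '
        BEGIN {
            want["permitrootlogin"]                 = "PermitRootLogin no"
            want["passwordauthentication"]          = "PasswordAuthentication no"
            want["challengeresponseauthentication"] = "ChallengeResponseAuthentication no"
            want["pubkeyauthentication"]            = "PubkeyAuthentication yes"
        }
        {
            line = $0
            sub(/^[ \t]*(#[ \t]*)?/, "", line)   # "#PermitRootLogin ..." counts as a hit too
            split(line, f, /[ \t]+/)
            k = tolower(f[1])
            if (k in want) {
                if (!(k in done)) print want[k]
                done[k] = 1
                next
            }
            print
        }
        END { for (k in want) if (!(k in done)) print want[k] }
    ' "$1" > "$2"
}

# Verify a config the way sshd reads it (the first value of a keyword wins).
# Returns 0 when root and password logins are both refused; otherwise prints
# what is wrong and returns 1. An unset PermitRootLogin is flagged because the
# default, prohibit-password, still accepts root logins with a key.
# Usage: check_sshd_config FILE
check_sshd_config() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            k = tolower($1)
            if ((k == "permitrootlogin" || k == "passwordauthentication") && !(k in val))
                val[k] = tolower($2)
        }
        END {
            bad = 0
            if (!("permitrootlogin" in val)) {
                print "PermitRootLogin unset: default prohibit-password still allows root login with a key"; bad = 1
            } else if (val["permitrootlogin"] != "no") {
                print "PermitRootLogin " val["permitrootlogin"]; bad = 1
            }
            if (!("passwordauthentication" in val)) {
                print "PasswordAuthentication unset: default is yes"; bad = 1
            } else if (val["passwordauthentication"] != "no") {
                print "PasswordAuthentication " val["passwordauthentication"]; bad = 1
            }
            exit bad
        }
    ' "$1"
}

# Steps 1 and 2 on the server: create the sudo user and install the public key
# (run as root; the key pair itself is generated on your workstation).
setup_admin_user() {
    user="${1:-deploy}"
    pub="${2:-./deploy.pub}"
    adduser --disabled-password --gecos "" "$user"
    usermod -aG sudo "$user"
    install -d -m 700 -o "$user" -g "$user" "/home/$user/.ssh"
    install -m 600 -o "$user" -g "$user" "$pub" "/home/$user/.ssh/authorized_keys"
}

# Steps 1 and 3: apply the config change only if sshd accepts the new file,
# keeping a backup of the old one.
apply_sshd_hardening() {
    cfg="${1:-/etc/ssh/sshd_config}"
    tmp=$(mktemp)
    harden_sshd_config "$cfg" "$tmp"
    if ! sshd -t -f "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    cp -p "$cfg" "$cfg.bak"
    install -m 644 "$tmp" "$cfg"
    rm -f "$tmp"
    systemctl reload ssh
}

# Stand-alone demo on a constructed Ubuntu-style fragment; no real files touched.
demo_in=$(mktemp); demo_out=$(mktemp)
printf '%s\n' '#PermitRootLogin prohibit-password' 'PasswordAuthentication yes' 'X11Forwarding no' > "$demo_in"
harden_sshd_config "$demo_in" "$demo_out"
cat "$demo_out"
check_sshd_config "$demo_out" && echo "hardened: OK"
rm -f "$demo_in" "$demo_out"
```

Generate the key pair on your workstation with ssh-keygen -t ed25519 and copy only the .pub file to the server. Before reloading sshd, keep your current session open and confirm from a second terminal that ssh deploy@server works with the key, otherwise you lock yourself out. On recent Ubuntu releases /etc/ssh/sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, and since sshd keeps the first value it sees for a keyword, a drop-in there (cloud images ship one that sets PasswordAuthentication yes) overrides anything written below it; sshd -T shows the configuration actually in effect.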