What is this doing?

andrewnewby · September 12, 2023, 10:08pm

Hi,

What is this in the authorized_keys file for a user?

from=“127.0.0.1”,command=“internal-sftp”,restrict ssh-rsa dddd9laI1+7s5dikq8azAXg6Gq0x/hSHe4NO6q/btJkPQ== [email protected] TS:1694555655 filemanager.ssh.key

I’m getting notified of SSH logins via a user - and I think its coming from this, as I’m seeing this in authlog:


Sep 12 21:29:09 east sshd[125115]: Accepted publickey for bhccwga from 127.0.0.1 port 55098 ssh2: RSA SHA256:fuKT5WidrF9H9vRlaARyGi/BlD1GPICxZ19jOte/FXw

Is this just the file manager running? (just making sure its nota hacker!)

Cheers

Andy

eris · September 12, 2023, 10:29pm

Yes filemanger…

andrewnewby · September 13, 2023, 6:17am

Cool thanks. I was panicking things someone had got into the server (we were recently hacked via SSH keys). I’ve got a load of extra checks in place that alert me to anyone using SSH now (other than myself and allowed IPs), and this started pinging up on my phone. I’ve added it to the whitelist, now I’m happy its just local traffic and not a hacker

system · October 13, 2023, 6:17am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.