I'm doing dev work for a client who leases a dedicated server from a hosting provider, and he recently had a tech from the hosting provider set up a KVM virtual machine on the server with a "fresh" install of Ubuntu 14.04 and a dedicated IP address. I've been developing on my own box the last few weeks, and just logged into the virtual machine for the first time today after my client sent me the login credentials.
I'm no guru, but I do have a few years of experience with Linux servers, and one of the first things I went to do was change some of the OpenSSH config settings to make things a bit more secure (like disallow root user from logging in via SSH, change the port number, yada yada). For some reason (curiosity maybe?) I checked out the /var/log/auth.log file, and that's where things got a little weird:
The /var/log/auth.log file shows logins from as far back as last September. It includes things like root password getting changed around, users being added and removed from different groups, and a lot of similar actions...
Every time after I've done a fresh Ubuntu install on a new server or virtual machine, after a day or so I've inevitably peeked at the /var/log/auth.log file at some point and have never seen anything like this.
Does anyone know what might be going on? Is it possible the tech from the hosting provider reused an existing snapshot/image, and if so would you trust that this environment is secure?
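Added example, not code from the poster: a small Python script that performs the check the post describes, resolving the year-less syslog timestamps in auth.log and listing the logins and account changes dated before the day the "fresh" VM was handed over. The sample log lines and the hand-over and "today" dates are constructed for the example.

```python
import re
from datetime import datetime
# Constructed sample of /var/log/auth.log lines (syslog timestamps carry no year).
SAMPLE_AUTH_LOG = """\
Sep 14 03:12:45 vm1 sshd[1023]: Accepted password for root from 198.51.100.7 port 40122 ssh2
Sep 14 03:15:02 vm1 passwd[1101]: pam_unix(passwd:chauthtok): password changed for root
Nov  2 11:40:19 vm1 useradd[2210]: new user: name=deploy, UID=1001, GID=1001, home=/home/deploy, shell=/bin/bash
Nov  2 11:40:31 vm1 usermod[2215]: add 'deploy' to group 'sudo'
Mar  3 09:01:55 vm1 sshd[3301]: Accepted publickey for deploy from 203.0.113.10 port 51234 ssh2
Mar  3 09:02:10 vm1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
"""
# Constructed dates: the day the VM was handed over, and "today" for resolving syslog years.
INSTALL_DATE = datetime(2015, 3, 1)
NOW = datetime(2015, 3, 4, 12, 0, 0)
LINE_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")
# Account-changing events like the ones in the post, keyed by a short label.
EVENTS = {
    "root_login": re.compile(r"Accepted \w+ for root from"),
    "password_changed": re.compile(r"password changed for \w+"),
    "user_added": re.compile(r"new user: name=\w+"),
    "user_removed": re.compile(r"delete user '\w+'"),
    "group_change": re.compile(r"(?:add|remove) '\w+' (?:to|from) group '\w+'"),
}

def parse_timestamp(mon, day, hms, now=NOW):
    """Resolve a year-less syslog timestamp; a date later than 'now' belongs to last year."""
    ts = datetime.strptime(f"{mon} {int(day)} {hms} {now.year}", "%b %d %H:%M:%S %Y")
    return ts.replace(year=now.year - 1) if ts > now else ts

def find_pre_install_events(log_text, install_date=INSTALL_DATE, now=NOW):
    """Return (timestamp, label, message) for account events dated before the install."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a syslog-style line, skip it
        mon, day, hms, _host, _proc, msg = m.groups()
        ts = parse_timestamp(mon, day, hms, now)
        if ts >= install_date:
            continue                      # expected activity after the hand-over
        for label, pat in EVENTS.items():
            if pat.search(msg):
                findings.append((ts, label, msg))
                break
    return findings

if __name__ == "__main__":
    for ts, label, msg in find_pre_install_events(SAMPLE_AUTH_LOG):
        print(ts.isoformat(), label, "-", msg)
```

On the real box, feed it /var/log/auth.log plus the rotated auth.log.1 and .gz files and set INSTALL_DATE to the hand-over date; anything it lists is activity the image carried over from an earlier life, which is the evidence to take back to the hosting provider.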