How to check Ubuntu server for suspicious activity?

P

Pavel2015-12-11 11:03:03

linux

Pavel, 2015-12-11 11:03:03

The problem is that when I tried to go to one information site, I got 403. I called my provider, they said that they say they don’t have blocking and most likely the site banned my ip. I have an external ip connected and I have an Ubuntu server On an old laptop with a couple, three, five services on it, which are viewed on the open Internet. Therefore, I had a suspicion that perhaps my server had become a node of some kind of net bot, but I don’t even know, tell me, what are the means for checking? What logs can I get into there?
Add. info:
SSH port to connect to the server is open, but authorization is possible only by key, without login password.

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

S

Sergey, 2015-12-11
@rusbaron

First check if the site is blocked for you or for everyone. Try it on one of the sites:
downforeveryoneorjustme.com
cameleo.ru
Then you should check the system with various rootkit scanners and antiviruses:
chkrootkit
rootcheck
rkhunter
clamav
see if there are any open ports in the system:
netstat -anltp | grep "LISTEN"
I also once wrote my own bash script that allows you to monitor level b, monitor ports, new users, new packages:
https://github.com/ADMINICANA/ubuntu-server-daily-...
It would be nice to just see the traffic by doing a tcpdump, what activity is going on, if it should not be there - beware. View different logs, user history.