*nix-like systems
Vadim Timoshenko, 2019-01-14 10:30:37

How to deny outgoing connections with iptables?

Malicious activity is coming from my server.
I can't catch the process, because it starts randomly all the time. Mostly at night. And the hoster turns off the server.
I want to block outgoing connections. But to make the site work. I use NGINX+PHP-FPM+MySQL. Is it possible? What rule should I write for iptables?
Here is the outgoing activity log:

Jan 11 01:18:31 shared03 sshd[17228]: Invalid user ts3 from 185.178.46.241
Jan 11 01:18:31 shared03 sshd[17228]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.178.46.241
Jan 11 01:18:33 shared03 sshd[17228]: Failed password for invalid user ts3 from 185.178.46.241 port 44084 ssh2
Jan 11 01:18:33 shared03 sshd[17228]: Received disconnect from 185.178.46.241 port 44084:11: Bye Bye [preauth]
Jan 11 01:18:33 shared03 sshd[17228]: Disconnected from 185.178.46.241 port 44084 [preauth]
Jan 11 01:34:34 shared03 sshd[20438]: Invalid user support from 185.178.46.241
Jan 11 01:34:34 shared03 sshd[20438]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.178.46.241
Jan 11 01:34:36 shared03 sshd[20438]: Failed password for invalid user support from 185.178.46.241 port 50100 ssh2
Jan 11 01:34:36 shared03 sshd[20438]: Received disconnect from 185.178.46.241 port 50100:11: Bye Bye [preauth]
Jan 11 01:34:36 shared03 sshd[20438]: Disconnected from 185.178.46.241 port 50100 [preauth]
Jan 13 19:37:41 shared03 sshd[25092]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.178.46.241 user=bin
Jan 13 19:37:44 shared03 sshd[25092]: Failed password for bin from 185.178.46.241 port 53658 ssh2
Jan 13 19:37:44 shared03 sshd[25092]: Received disconnect from 185.178.46.241 port 53658:11: Bye Bye [preauth]
Jan 13 19:37:44 shared03 sshd[25092]: Disconnected from 185.178.46.241 port 53658 [preauth]
Jan 13 19:42:19 shared03 sshd[26181]: Invalid user zachary from 185.178.46.241
Jan 13 19:42:19 shared03 sshd[26181]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.178.46.241
Jan 13 19:42:21 shared03 sshd[26181]: Failed password for invalid user zachary from 185.178.46.241 port 54196 ssh2
Jan 13 19:42:21 shared03 sshd[26181]: Received disconnect from 185.178.46.241 port 54196:11: Bye Bye [preauth]
Jan 13 19:42:21 shared03 sshd[26181]: Disconnected from 185.178.46.241 port 54196 [preauth]


1 answer(s)
PniReset, 2019-01-14
@PbI6A_KuT

Gotta figure out what it is. Password brute force is still a childish prank.
Deny outgoing to ssh
iptables -I OUTPUT -p TCP --dport 22 -j DROP
