How to find a backdoor on a Linux server?
Hello. I have a VPS running Linux, and for the second time in a week someone has broken into it.
The first time they launched Multios.Coinminer.Miner, which apparently loaded the CPU, and an abuse complaint came my way. I realised my mistake: I had set very weak passwords for test users and was most likely simply brute-forced. Corrected.
Yesterday another abuse complaint arrived, saying that other machines of this hosting provider had been attacked from my server.
What was done after the first attack?
- passwords were changed to very complex ones
- the virus itself, which was detected, was removed
- fail2ban was set for 5 attempts
- root login via SSH was disabled; I created a separate user with super-user privileges
- root login via RDP was disabled; I log in as another user with super-user privileges
- apt-get update
What else do I plan to do?
- Enable 2FA
- Set up logging to understand who is logging in and how
- perhaps disable SSH access altogether, or at least change the port (it is unlikely to help much). But I would not want to close off SSH access completely; sometimes it is easier for me to log in via SSH than via RDP
Question.
If the problem is that someone is still logging in via SSH, that is the easier case (I will try to block access. But again, the question is how they are breaking in. Brute force is unrealistic.)
If there is some kind of backdoor on the server, the question is how to detect it. I found a couple of articles and will try them. But can anyone give practical advice?
Thanks
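On the "set up logging to understand who is logging in and how" point: sshd already writes every accepted and failed authentication to the system log, and the first thing worth extracting is which accounts got in, by which method (password or public key) and from where. The script below is an added example, not something the asker posted; the log lines in it are constructed (hostname "vps", RFC 5737 documentation addresses) and follow the standard sshd auth.log format. On a real Debian/Ubuntu host point the functions at /var/log/auth.log or at the output of `journalctl -u ssh -o short`.

```shell
#!/bin/sh
# Added example: summarise sshd authentication events from an auth.log-style file.
# The sample log is constructed for this example.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:12:01 vps sshd[1201]: Accepted publickey for admin from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:c0nstructedF1ngerpr1nt
Mar  3 10:13:44 vps sshd[1210]: Failed password for root from 198.51.100.23 port 40110 ssh2
Mar  3 10:13:46 vps sshd[1210]: Failed password for root from 198.51.100.23 port 40110 ssh2
Mar  3 10:13:49 vps sshd[1210]: Failed password for root from 198.51.100.23 port 40110 ssh2
Mar  3 10:14:02 vps sshd[1215]: Accepted password for test from 198.51.100.23 port 40120 ssh2
Mar  3 10:14:02 vps sshd[1215]: pam_unix(sshd:session): session opened for user test by (uid=0)
Mar  3 10:20:00 vps sshd[1230]: Invalid user oracle from 192.0.2.77 port 33000
Mar  3 10:20:03 vps sshd[1230]: Failed password for invalid user oracle from 192.0.2.77 port 33000 ssh2
EOF

# accepted_logins FILE -> one line per successful login: "method user ip"
# The user and address are located by the "for"/"from" keywords rather than by
# fixed field positions, so single- and double-digit days both parse.
accepted_logins() {
  awk '/sshd\[[0-9]+\]: Accepted / {
      user = ""; ip = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "for")  user = $(i + 1)
        if ($i == "from") ip   = $(i + 1)
      }
      print $7, user, ip
  }' "$1"
}

# password_logins FILE -> successful logins that used a password.
# After switching to key-only authentication this list must stay empty;
# an entry here is the answer to "how did they get in".
password_logins() {
  accepted_logins "$1" | awk '$1 == "password"'
}

# failed_by_ip FILE -> "count ip", busiest source first (brute-force candidates
# for fail2ban or a firewall deny rule)
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: (Failed password|Invalid user) / {
      for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
  } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

printf '== accepted logins (method user ip)\n';   accepted_logins "$SAMPLE_LOG"
printf '== logins that used a password\n';         password_logins "$SAMPLE_LOG"
printf '== failed attempts by source address\n';   failed_by_ip "$SAMPLE_LOG"
```

Note the "Accepted password for test" line from the same address that had just been failing against root: that is the pattern of a weak test account being brute-forced, and with `PasswordAuthentication no` it cannot occur at all. Compare the source addresses of accepted logins against the addresses you actually use; anything else is a compromised credential or key.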
1) Reinstall the server;
2) Allow access to the server via ssh only by key.
How to find a backdoor on a Linux server? There is no 100% reliable way. You could, of course, build a second server exactly like it, take a list of its files (together with their hashes) and compare it with the list from the infected one. But it is not worth it; better to reinstall.
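The manifest-and-compare approach this answer describes, as an added example (not the answer author's code): hash every file under a tree on the clean reference and on the suspect host, then report what was added, changed or removed. The two directory trees below are constructed stand-ins for the two servers; on real hosts you would run `manifest` on each machine (from a rescue boot on the suspect, since a kernel-level rootkit can hide files from `find` on the running system) and compare the two manifests offline. For packaged files alone, `dpkg --verify` or `rpm -Va` does a similar comparison against the package database without a second server.

```shell
#!/bin/sh
# Added example: sha256 manifest of a directory tree and a three-way diff
# (ADDED / CHANGED / MISSING) between a clean reference and a suspect host.

# manifest DIR -> "sha256  ./relative/path" lines, sorted by path, so manifests
# taken on two different hosts line up.
manifest() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# compare_manifests REFERENCE SUSPECT -> ADDED/CHANGED/MISSING lines, sorted.
# First pass (NR == FNR) loads the reference into an array keyed by path;
# second pass walks the suspect manifest against it.
compare_manifests() {
  awk 'NR == FNR { ref[$2] = $1; next }
       {
         if (!($2 in ref))       print "ADDED", $2
         else if (ref[$2] != $1) print "CHANGED", $2
         seen[$2] = 1
       }
       END { for (p in ref) if (!(p in seen)) print "MISSING", p }' "$1" "$2" | sort
}

# Constructed sample trees standing in for the clean and the compromised server.
CLEAN=$(mktemp -d); SUSPECT=$(mktemp -d)
trap 'rm -rf "$CLEAN" "$SUSPECT" "$CLEAN.manifest" "$SUSPECT.manifest"' EXIT
for d in "$CLEAN" "$SUSPECT"; do mkdir -p "$d/bin" "$d/etc/cron.d" "$d/var/log"; done
printf 'ls binary v1\n' > "$CLEAN/bin/ls";      printf 'ls binary v1\n'              > "$SUSPECT/bin/ls"
printf 'root:x:0:0\n'   > "$CLEAN/etc/passwd";  printf 'root:x:0:0\n'                > "$SUSPECT/etc/passwd"
printf 'ps binary v1\n' > "$CLEAN/bin/ps";      printf 'ps binary v1, patched\n'     > "$SUSPECT/bin/ps"   # trojaned ps
printf 'login log\n'    > "$CLEAN/var/log/auth.log"                                                        # wiped on suspect
printf '* * * * * root /tmp/.x/run\n'           > "$SUSPECT/etc/cron.d/x"                                 # persistence added

manifest "$CLEAN"   > "$CLEAN.manifest"
manifest "$SUSPECT" > "$SUSPECT.manifest"

# report -> the diff between the two constructed hosts
report() { compare_manifests "$CLEAN.manifest" "$SUSPECT.manifest"; }
report
```

Every CHANGED entry under /bin, /sbin, /usr or /lib is a candidate trojaned binary, every ADDED entry under /etc/cron*, /etc/systemd, ~/.ssh or /tmp is a candidate persistence mechanism, and MISSING log files are what an intruder removes to cover tracks. The comparison is only as good as the reference: it must be the same distribution and package versions, and a file that differs legitimately (configs, logs) still needs a human to look at it, which is why the answer's "better to reinstall" is usually the right call.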
And what is RDP doing on the server besides SSH?!
1) redefine the ssh port
2) access by key
3) root only through sudo
4) disable unnecessary services
5) everything in containers, and access to them through nginx or haproxy
6) firewall, and block outgoing connections from the server
Profit.
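Points 2 and 3 of this list (key-only access, root only through sudo) live in sshd_config, and there is a trap the asker's "passwords were changed, root login was denied" story makes worth checking: sshd uses the first value it meets for each keyword, so a hardening line appended at the end of the file does nothing if the keyword was already set earlier, and on Debian/Ubuntu the `Include /etc/ssh/sshd_config.d/*.conf` at the top of the file means a distribution drop-in wins over everything below it. The audit below is an added example, not code from this answer; it parses only the `Keyword value` form, does not follow Include directives, and ignores everything after the first Match block (all three are assumptions of this toy parser). The two config files are constructed. On the real host the authoritative check is `sshd -T`, which prints the effective values after sshd's own parsing.

```shell
#!/bin/sh
# Added example: audit the global authentication settings of an sshd_config,
# honouring sshd's first-occurrence-wins rule.

# sshd_effective FILE KEYWORD -> effective global value of KEYWORD, or nothing.
sshd_effective() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/       { next }            # comment line
    NF == 0                { next }            # blank line
    tolower($1) == "match" { exit }            # global section ends at the first Match
    tolower($1) == key     { print $2; exit }  # first occurrence wins
  ' "$1"
}

# check_setting FILE KEYWORD REQUIRED DEFAULT [OLD_SPELLING]
# DEFAULT is sshd's built-in value when the keyword is absent; OLD_SPELLING is
# consulted when KEYWORD is absent (e.g. ChallengeResponseAuthentication).
check_setting() {
  v=$(sshd_effective "$1" "$2")
  [ -n "$v" ] || [ -z "$5" ] || v=$(sshd_effective "$1" "$5")
  [ -n "$v" ] || v=$4
  if [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = "$3" ]; then
    printf 'OK   %s %s\n' "$2" "$v"
  else
    printf 'WEAK %s %s\n' "$2" "$v"; return 1
  fi
}

# audit_sshd FILE -> one line per check; exit status 1 if anything is weak.
audit_sshd() {
  rc=0
  check_setting "$1" PermitRootLogin        no  prohibit-password || rc=1
  check_setting "$1" PasswordAuthentication no  yes               || rc=1
  check_setting "$1" PubkeyAuthentication   yes yes               || rc=1
  # PAM keyboard-interactive can still prompt for a password even when
  # PasswordAuthentication is off; pre-8.7 configs spell it ChallengeResponseAuthentication.
  check_setting "$1" KbdInteractiveAuthentication no yes ChallengeResponseAuthentication || rc=1
  return $rc
}

# Constructed configs: the "fixed" one still accepts passwords and root logins.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
# distribution defaults
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
# "hardening" appended after the first break-in: ignored, the keywords were set above
PermitRootLogin no
PasswordAuthentication no
EOF
cat > "$HARD_CONF" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
AllowUsers admin
EOF

echo "== weak config";     audit_sshd "$WEAK_CONF" || echo "=> weak settings found"
echo "== hardened config"; if audit_sshd "$HARD_CONF"; then echo "=> all checks passed"; fi
```

The hardened file also carries `AllowUsers admin`, so the test and service accounts that were brute-forced the first time cannot be used over SSH at all even if their passwords leak again. After editing, run `sshd -t` to syntax-check and `sshd -T | grep -i -e permitrootlogin -e passwordauthentication` to confirm what the daemon will actually enforce, and keep one session open while you restart sshd so a mistake does not lock you out.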
Isn't it possible to change the standard SSH port, so that an attacker trying to log in runs into a wall of not understanding what is wanted of him, decides the door is closed and goes away? They won't scan the ports, will they? Or will they?
You can spend a long time looking for where you left a hole)))) But the most correct option is to reinstall the server!!! Yes, you don't feel like it, it takes a long time and you feel sorry for your work, but!!! this is experience in how not to do things, and in total a reinstall can take less time than searching for the hole)
There is a cool article on the kharek.ru website about how to make a backdoor in SSH)) After that, neither fail2ban, nor changing passwords, nor other crutches will help any more.
Allow access to ssh only from certain IPs. And that's all.
Unless, of course, this is a server with a bunch of users who need ssh. Then you can set up a VPN...