How to find the source of malicious activity on the server?
I use a VPS. The hoster restricted my server, saying that it is a source of malicious activity. Here is the log:
Note: Local timezone is +0100 (CET)
Jan 11 01:18:31 shared03 sshd[17228]: Invalid user ts3 from 185.178.46.241
Jan 11 01:18:31 shared03 sshd[17228]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.178.46.241
Jan 11 01:18:33 shared03 sshd[17228]: Failed password for invalid user ts3 from 185.178.46.241 port 44084 ssh2
Jan 11 01:18:33 shared03 sshd[17228]: Received disconnect from 185.178.46.241 port 44084:11: Bye Bye [preauth]
Jan 11 01:18:33 shared03 sshd[17228]: Disconnected from 185.178.46.241 port 44084 [preauth]
[11:19:29] Checking if SSH root access is allowed [ Warning ]
[11:19:30] Warning: The SSH and rkhunter configuration options should be the same:
[11:19:30] SSH configuration option 'PermitRootLogin': yes
[11:19:30] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
1) Start with a list of the processes and network connections on your server.
2) Check whether you have a rootkit or substituted system files (verifying through the package manager will help):
https://blog.sleeplessbeastie.eu/2015/03/02/how-to...
and
https://bencane.com/2013/12/23/yum-plugins-verifyi...
3) Deny all outgoing connections from the server (via iptables/firewalld/ufw or whatever you have) and put them in the drop state (not reject!); then at least you can see with netstat which process is trying to knock on other people's servers via ssh.
4) Find the culprit and shoot it.
5) From the type of attack, find out how the bastard got into the system and close the hole.
For the future:
- ssh access by keys
- outgoing connections disabled through the firewall
- everything under its own user role; only the necessary services run as root
- preferably limit connections not on the server itself but on a separate router
- run services in containers or virtual machines (if on bare metal)
- system monitoring
- logs on an external server
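Steps 1) and 3) of this answer come down to one question: which local process owns the outbound sockets? The following is an added example (not code from the answerer) that parses the output of `ss -tnp` and groups outbound connections to a watched port by process and PID. The `ss` output below is constructed for the example, not captured from the asker's server; run `ss -tnp` as root on a real host and feed its output to `outbound_by_process`.

```python
import re
from collections import defaultdict

# Constructed sample of `ss -tnp` output (iproute2 column layout:
# State Recv-Q Send-Q Local:Port Peer:Port Process). Not from the asker's server.
SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
ESTAB    0      0      10.0.0.5:22          198.51.100.9:51022   users:(("sshd",pid=17228,fd=3))
ESTAB    0      0      10.0.0.5:40112       203.0.113.7:22       users:(("ssh",pid=2201,fd=3))
SYN-SENT 0      1      10.0.0.5:40113       203.0.113.8:22       users:(("ssh",pid=2201,fd=4))
ESTAB    0      0      10.0.0.5:53344       203.0.113.50:443     users:(("curl",pid=2340,fd=5))
"""

# One socket line: state, two queue counters, local and peer endpoints, optional process info.
LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)'
    r'(?:\s+(?P<proc>users:\(.*\)))?'
)
# The process field looks like users:(("ssh",pid=2201,fd=3)).
PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')


def split_host_port(endpoint):
    """Split 'host:port' (also '[v6]:port') into (host, int port)."""
    host, _, port = endpoint.rpartition(':')
    return host, int(port)


def outbound_by_process(ss_text, watched_ports=(22,)):
    """Group sockets whose *peer* port is a watched service port by (process, pid).

    A connection whose peer port is 22 is our host talking to someone else's sshd;
    an inbound session to our own sshd has local port 22 and an ephemeral peer port,
    so it is not reported. Returns {(name, pid): [(peer_host, peer_port, state), ...]}.
    """
    result = defaultdict(list)
    for line in ss_text.splitlines()[1:]:  # skip the header row
        m = LINE_RE.match(line)
        if not m or not m.group('proc'):
            continue
        peer_host, peer_port = split_host_port(m.group('peer'))
        if peer_port not in watched_ports:
            continue
        p = PROC_RE.search(m.group('proc'))
        if not p:
            continue
        key = (p.group('name'), int(p.group('pid')))
        result[key].append((peer_host, peer_port, m.group('state')))
    return dict(result)


def report(ss_text, watched_ports=(22,)):
    """Human-readable lines, one per suspicious process, sorted by PID."""
    grouped = outbound_by_process(ss_text, watched_ports)
    lines = []
    for (name, pid), conns in sorted(grouped.items(), key=lambda kv: kv[0][1]):
        peers = ', '.join(f'{h}:{p} ({s})' for h, p, s in conns)
        lines.append(f'pid {pid} ({name}) -> {peers}')
    return lines


if __name__ == '__main__':
    for line in report(SAMPLE_SS_OUTPUT):
        print(line)
```

The point of the grouping is the PID: once you have it, `ls -l /proc/<pid>/exe`, `/proc/<pid>/cwd` and `/proc/<pid>/cmdline` tell you what binary is doing the scanning and where it was launched from, which is what step 5) of the answer needs.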
Don't worry: switch from the standard port to an arbitrary one, change all passwords, and install fail2ban.
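What fail2ban does with the `sshd` log in the question is a sliding-window count of failed logins per source address. The following is an added example (not the answerer's code and not fail2ban itself) that implements that rule over syslog-style `sshd` lines: the first five lines are the ones from the question, the remaining lines are constructed for the example (the address 203.0.113.5 is a documentation address, not a real source).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# First five lines: from the question. The rest are constructed for this example.
SAMPLE_LOG = """\
Jan 11 01:18:31 shared03 sshd[17228]: Invalid user ts3 from 185.178.46.241
Jan 11 01:18:31 shared03 sshd[17228]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.178.46.241
Jan 11 01:18:33 shared03 sshd[17228]: Failed password for invalid user ts3 from 185.178.46.241 port 44084 ssh2
Jan 11 01:18:33 shared03 sshd[17228]: Received disconnect from 185.178.46.241 port 44084:11: Bye Bye [preauth]
Jan 11 01:18:33 shared03 sshd[17228]: Disconnected from 185.178.46.241 port 44084 [preauth]
Jan 11 01:20:05 shared03 sshd[17231]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Jan 11 01:20:09 shared03 sshd[17233]: Failed password for root from 203.0.113.5 port 51002 ssh2
Jan 11 01:20:14 shared03 sshd[17235]: Failed password for invalid user test from 203.0.113.5 port 51003 ssh2
Jan 11 01:20:20 shared03 sshd[17237]: Failed password for root from 203.0.113.5 port 51004 ssh2
Jan 11 01:20:27 shared03 sshd[17239]: Failed password for invalid user oracle from 203.0.113.5 port 51005 ssh2
Jan 11 01:25:10 shared03 sshd[17302]: Accepted publickey for deploy from 198.51.100.7 port 50001 ssh2
"""

# Only "Failed password" lines count; "Invalid user" and pam_unix lines describe the
# same attempt and would double-count it.
FAIL_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+'
)


def find_brute_force_sources(log_text, max_failures=5, window_seconds=600):
    """Return {ip: (count, first_ts, last_ts)} for sources that reach max_failures
    failed passwords within any window_seconds span (the fail2ban rule).

    Traditional syslog timestamps carry no year; strptime fills in 1900, which is
    fine for comparing lines from one log file.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip = m.group('ip')
        ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S')
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop expired entries
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = (len(q), q[0], q[-1])
    return flagged


def ban_commands(flagged, port=22):
    """iptables rules that drop further SSH traffic from each flagged source."""
    return [f'iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP' for ip in sorted(flagged)]


if __name__ == '__main__':
    hits = find_brute_force_sources(SAMPLE_LOG)
    for ip, (n, first, last) in hits.items():
        print(f'{ip}: {n} failures between {first:%b %d %H:%M:%S} and {last:%b %d %H:%M:%S}')
    print('\n'.join(ban_commands(hits)))
```

With the default threshold only the constructed 203.0.113.5 is flagged; the single failure from the question's log stays below it, which is the trade-off every threshold makes between catching slow scanners and banning a user who mistyped a password. If you change the SSH port as the answer suggests, pass that port to `ban_commands` (and to fail2ban's jail) or the rule drops the wrong traffic.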
You need to disable ssh password authentication and use keys instead, so that the root password cannot be guessed.