linux
Vadim Timoshenko, 2019-01-11 10:40:23

How to find the source of malicious activity on the server?

I use a VPS. The hoster restricted my server on the grounds that it is a source of malicious activity. Here is the log:

Note: Local timezone is +0100 (CET)
Jan 11 01:18:31 shared03 sshd[17228]: Invalid user ts3 from 185.178.46.241
Jan 11 01:18:31 shared03 sshd[17228]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.178.46.241
Jan 11 01:18:33 shared03 sshd[17228]: Failed password for invalid user ts3 from 185.178.46.241 port 44084 ssh2
Jan 11 01:18:33 shared03 sshd[17228]: Received disconnect from 185.178.46.241 port 44084:11: Bye Bye [preauth]
Jan 11 01:18:33 shared03 sshd[17228]: Disconnected from 185.178.46.241 port 44084 [preauth]

How to find the source of the problem?
I used Rkhunter antivirus (https://losst.ru/proverka-linux-na-virusy). Here is what the log showed:
[11:19:29]   Checking if SSH root access is allowed          [ Warning ]
[11:19:30] Warning: The SSH and rkhunter configuration options should be the same:
[11:19:30] SSH configuration option 'PermitRootLogin': yes
[11:19:30] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no

Went to /etc/ssh/sshd_config and changed PermitRootLogin to no.
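Added example, not part of the question or of any answer below: the hoster's excerpt comes from their own host shared03, so the rhost in it (185.178.46.241) is the address the hoster attributes to the VPS. The same three facts (user tried, source address, outcome) are what you want summarised from your own /var/log/auth.log or /var/log/secure to see who is hammering your sshd. The log lines in the block are constructed from the excerpt plus a few extra lines; 203.0.113.7 and 198.51.100.4 are documentation addresses used as placeholders.

```shell
# Added example: summarise sshd brute-force activity from auth-log lines.
# SAMPLE_LOG is constructed; the extra addresses are placeholders.
SAMPLE_LOG='Jan 11 01:18:31 shared03 sshd[17228]: Invalid user ts3 from 185.178.46.241
Jan 11 01:18:31 shared03 sshd[17228]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.178.46.241
Jan 11 01:18:33 shared03 sshd[17228]: Failed password for invalid user ts3 from 185.178.46.241 port 44084 ssh2
Jan 11 01:18:35 shared03 sshd[17231]: Failed password for invalid user admin from 185.178.46.241 port 44090 ssh2
Jan 11 01:18:40 shared03 sshd[17235]: Failed password for root from 185.178.46.241 port 44102 ssh2
Jan 11 01:19:02 shared03 sshd[17240]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jan 11 01:20:10 shared03 sshd[17250]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2'

# failed_by_source: read log lines on stdin, print "count ip" for every
# source of failed password attempts, most active source first.
failed_by_source() {
    grep 'Failed password for' |
    awk '{ for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break } }' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# users_tried IP: distinct user names that IP tried to log in as.
# "invalid user NAME" lines and plain "for NAME" lines are both handled.
users_tried() {
    grep 'Failed password for' | grep "from $1 port" |
    sed -e 's/.*Failed password for invalid user \([^ ]*\) .*/\1/' \
        -e 's/.*Failed password for \([^ ]*\) .*/\1/' |
    sort -u
}

# accepted_logins: successful logins ("user via method from ip"); read these
# for sources you do not recognise or key logins you never set up.
accepted_logins() {
    awk '$6 == "Accepted" { print $9, "via", $7, "from", $11 }'
}

printf '%s\n' "$SAMPLE_LOG" | failed_by_source
# On a real host: failed_by_source < /var/log/auth.log   (Debian/Ubuntu)
#             or: failed_by_source < /var/log/secure     (RHEL/CentOS)
#             or: journalctl -u ssh --no-pager | failed_by_source
```

Run it against the hoster's full log and your own auth log; if your own log shows the same user list (ts3, admin, root) arriving from outside, the VPS was being brute-forced itself, which is how such boxes usually get taken over before they start scanning others.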


4 answer(s)
Alexey Cheremisin, 2019-01-11
@PbI6A_KuT

1) Start with a list of processes on your server and network connections.
2) Check if you have a rootkit or system file substitution (checking through the package manager will help)
https://blog.sleeplessbeastie.eu/2015/03/02/how-to...
and
https://bencane.com/2013/12/23/yum-plugins-verifyi...
3) Deny all outgoing connections from the server (via iptables/firewalld/ufw or whatever you have), and put them in the drop state (but not reject!), then at least you can see by netstat which process is trying to knock on other people's servers via ssh
4) find the culprit and shoot him
5) by the type of attack, find out how the bastard got into the system and eliminate the hole
For the future:
- access via ssh by keys
- disabling outgoing connections through the firewall
- all according to their user-roles, only the necessary services live under the root
- it is advisable to limit connections not on the server, but on a separate router
- run services in containers or virtual machines (if on bare metal)
- system monitoring
- logs on the external server

Sergey Sashkin, 2019-01-11
@LexPex

I would install snort-ng

Sergey, 2019-01-11
@feanor7

Don't worry, switch from the standard port to an arbitrary one, change all passwords and install fail2ban.

Roman Mirilaczvili, 2019-01-11
@2ord

You need to disable ssh password authentication and use key authentication instead, so that the root password cannot be guessed.
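Added example, not from this answer or its author: a small audit of which sshd_config settings actually apply, with the weak configuration (what rkhunter warned about in the question) beside the hardened one this answer recommends. Both config texts are constructed samples. The checker mirrors two sshd rules that trip people up: the first occurrence of a keyword wins, and anything after a Match line is conditional; an absent keyword means the OpenSSH built-in default applies (PermitRootLogin prohibit-password, PasswordAuthentication yes, PubkeyAuthentication yes).

```shell
# Added example: audit sshd_config for settings that still allow
# password guessing of root. Both configs are constructed samples.
WEAK_CONF='# before: the defaults many VPS images ship with
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes'

HARDENED_CONF='# after: key-only logins, no root login at all
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes'

# effective_value KEY: the value sshd will use for KEY, config on stdin.
# First occurrence wins; settings after a Match line are conditional, so stop there.
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }'
}

# audit_sshd_config: read sshd_config on stdin, print one line per check,
# return the number of settings that still permit root/password guessing.
audit_sshd_config() {
    conf=$(cat)
    weak=0
    for key in PermitRootLogin PasswordAuthentication PubkeyAuthentication; do
        got=$(printf '%s\n' "$conf" | effective_value "$key")
        if [ -z "$got" ]; then
            # keyword absent: OpenSSH built-in default applies
            case $key in
                PermitRootLogin) got=prohibit-password ;;
                *)               got=yes ;;
            esac
        fi
        case "$key=$got" in
            PermitRootLogin=no|PermitRootLogin=prohibit-password|PermitRootLogin=without-password) verdict=ok ;;
            PasswordAuthentication=no|PubkeyAuthentication=yes) verdict=ok ;;
            *) verdict=WEAK; weak=$((weak + 1)) ;;
        esac
        printf '%-24s %-18s %s\n' "$key" "$got" "$verdict"
    done
    return "$weak"
}

printf '%s\n' "$WEAK_CONF" | audit_sshd_config || echo "$? weak setting(s) found"
echo "---"
printf '%s\n' "$HARDENED_CONF" | audit_sshd_config && echo "no weak settings"
# On the real host: audit_sshd_config < /etc/ssh/sshd_config
# or let sshd resolve Match blocks itself: sshd -T | grep -Ei 'permitrootlogin|passwordauthentication|pubkeyauthentication'
```

Before setting PasswordAuthentication no, put your public key in ~/.ssh/authorized_keys of a non-root user, open a second session with it and confirm it works, then run `sshd -t` to syntax-check the file and reload the service; the session you are already in stays up while you verify you can still get in.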
