Hello everyone, someone caught me slipping, exposed my noobness to the world and used my VPS for spamming. My question is this: how do I go about finding out how they got in? I checked my auth.log and nothing seemed strange, except for something about a PAM/dlopen not being able to complete. The only ports open are http, ssh, mysql (local only) and glassfish (running as the glassfish user). Thanks. P.S. Don't smack me too hard.
Out of curiosity, how do you know it was used for spamming?
I got a message from my VPS provider that my server had been reported for spamming =(
First, you should ask your VPS provider for details. If they are confident you were compromised, they should share what they know. Of those services, my guess would be they got in via ssh. Since you are new to all this, I suggest you first read the security sticky. Then back up your VPS data and re-install your VPS. In the future, if you run ssh, use keys, disable passwords, and use a service such as denyhosts or fail2ban. If you are interested, you could image your VPS and try to run forensics.
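For the question of "how did they get in", a first triage pass over auth.log is usually more telling than eyeballing it: count failed logins per source and look for a source that failed repeatedly and then got an "Accepted" line, which is the classic footprint of a guessed password. The script below is an added example, not from this thread or from any of the posters; the log lines are constructed and the addresses are documentation ranges, so it runs offline on its own sample and can be pointed at a real auth.log via stdin.

```shell
#!/bin/sh
# Added example (not from the thread): first-pass triage of auth.log.
# The log lines below are constructed; the addresses are documentation ranges.
SAMPLE_LOG='Mar  3 02:11:01 vps sshd[2101]: Failed password for root from 198.51.100.7 port 40211 ssh2
Mar  3 02:11:03 vps sshd[2101]: Failed password for root from 198.51.100.7 port 40212 ssh2
Mar  3 02:11:05 vps sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 40213 ssh2
Mar  3 02:11:09 vps sshd[2105]: Accepted password for root from 198.51.100.7 port 40215 ssh2
Mar  3 09:30:00 vps sshd[2400]: Accepted publickey for deploy from 203.0.113.10 port 51000 ssh2
Mar  3 09:30:00 vps sshd[2400]: pam_unix(sshd:session): session opened for user deploy by (uid=0)'

# accepted_logins: every successful sshd login on stdin as "method user ip".
accepted_logins() {
  awk '$5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" { print $7, $9, $11 }'
}

# failed_by_ip: failed attempts per source address, busiest source first.
failed_by_ip() {
  awk '$5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" {
         if (match($0, /from [0-9.:a-fA-F]+/)) n[substr($0, RSTART + 5, RLENGTH - 5)]++
       }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# brute_force_successes [THRESHOLD]: sources that failed at least THRESHOLD
# times (default 3) and then produced an "Accepted" line. Output per hit:
# "ip user method failures_before_success=N".
brute_force_successes() {
  awk -v t="${1:-3}" '
    $5 ~ /^sshd\[[0-9]+\]:$/ && ($6 == "Failed" || $6 == "Accepted") {
      if (!match($0, /from [0-9.:a-fA-F]+/)) next
      ip = substr($0, RSTART + 5, RLENGTH - 5)
      if ($6 == "Failed") fails[ip]++
      else if (fails[ip] >= t) print ip, $9, $7, "failures_before_success=" fails[ip]
    }'
}

# Demo on the constructed sample. On a real box, feed the current and
# rotated logs instead:  sudo zcat -f /var/log/auth.log* | brute_force_successes 5
printf '%s\n' "$SAMPLE_LOG" | brute_force_successes 3
```

Two caveats when running this on a real image: an "Accepted publickey" line from an address you do not recognise matters even without prior failures (a stolen key needs no guessing), and an attacker with root can have edited or truncated auth.log, so an absence of evidence there is not evidence of absence; the provider's report and the mail queue are independent sources worth checking.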
I always run SSH on a non-default port. I suggest everyone do the same.
Originally Posted by Ryan Dwyer: I always run SSH on a non-default port. I suggest everyone do the same. That does not help much; the non-default port is easily discovered (so take care). You need to use strong passwords (at a minimum), although I prefer keys only. In addition, consider denyhosts or fail2ban, or a few rules in iptables. If your ssh server is secure, the port does not matter, although you get more noise in the logs with a port of 22. My point is, just changing the port is insufficient to secure ssh.
+1 to bodhi.zazen. I recently switched from running SSH on a non-default port to port 22. Mine is using keys only, and I don't have DenyHosts or Fail2Ban installed; however, I have locked SSH down to accept connections from only a couple of IP addresses, so that's pretty much as secure as it's going to get.
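The two replies above agree on the sshd settings that matter (keys only, no password logins, no root login, and, where practical, only known source addresses). The script below is an added example, not from this thread or the posters: it shows a stock-style configuration beside a hardened one and a small audit that reports which recommended settings a given sshd_config fails. Both configurations are constructed; 203.0.113.10 and 203.0.113.11 are documentation addresses standing in for "a couple of IP addresses", and deploy is a made-up user name.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# settings recommended in the replies (keys only, no passwords, no root,
# restricted sources). Both configs are constructed; 203.0.113.10/.11 are
# documentation addresses and "deploy" is a constructed user name.
WORKDIR=$(mktemp -d); trap 'rm -rf "$WORKDIR"' EXIT

# Typical stock configuration: passwords and root login allowed, open to all.
cat > "$WORKDIR/weak_sshd_config" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# Hardened: keys only, no root, and only the admin's hosts may log in.
cat > "$WORKDIR/hardened_sshd_config" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers deploy@203.0.113.10 deploy@203.0.113.11
EOF

# effective_value FILE KEYWORD: sshd honours the first occurrence of a
# keyword (case-insensitive); lines after the first Match block are
# conditional, so the scan stops there.
effective_value() {
  awk -v key="$2" '
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) && !found { found = 1; print $2 }
  ' "$1"
}

# check_directive FILE KEYWORD WANT ASSUMED_DEFAULT: prints a FAIL line when
# the effective value is not WANT. Defaults differ between OpenSSH releases,
# so an absent keyword is reported against the weak value rather than trusted.
check_directive() {
  v=$(effective_value "$1" "$2"); [ -n "$v" ] || v="$4 (default, not set)"
  [ "$v" = "$3" ] || echo "FAIL: $2 is $v, want $3"
}

# sshd_findings FILE: one FAIL line per weak setting; no output if all pass.
sshd_findings() {
  check_directive "$1" PasswordAuthentication no yes
  check_directive "$1" ChallengeResponseAuthentication no yes
  check_directive "$1" PubkeyAuthentication yes yes
  check_directive "$1" PermitRootLogin no yes
  [ -n "$(effective_value "$1" AllowUsers)" ] \
    || echo "FAIL: no AllowUsers line, sshd accepts any user from any address"
}

for f in weak_sshd_config hardened_sshd_config; do
  echo "== $f"; sshd_findings "$WORKDIR/$f"
done
```

Order of operations matters when applying the hardened settings to a live server: install your public key and confirm a key-based login works from a second session before setting PasswordAuthentication to no, and run `sshd -t` before restarting so a typo cannot lock you out.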
By using tools such as fail2ban, you potentially implement a DOS vulnerability on your server.
Originally Posted by ld.4lpha: By using tools such as fail2ban, you potentially implement a DOS vulnerability on your server. Explain?
If someone spoofs your IP and throws a bunch of bogus login attempts at your server, it would add deny rules on your firewall for (or otherwise blackhole) your IP. This is true unless, of course, fail2ban provides some kind of "whitelist" functionality to prevent this from happening (which it very well may...I'm not certain, as I don't use the tool). So I guess I should have stated: "By using tools such as fail2ban, you potentially implement a DOS vulnerability on your server unless you take care to configure some form of 'whitelist' capability."
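The whitelist the post above is unsure about does exist: fail2ban's `ignoreip` setting lists sources that are never banned, as plain addresses or CIDR networks. The block below is an added example, not from this thread or from the fail2ban project: a minimal jail.local that exempts the admin's own hosts, plus a small POSIX sh helper that mirrors fail2ban's IPv4 matching so you can check which sources would be exempt before deploying the file. 203.0.113.10 and 198.51.100.0/24 are constructed documentation addresses; the jail is named sshd as in current fail2ban releases (older releases called it ssh).

```shell
#!/bin/sh
# Added example (not from the thread). fail2ban's "ignoreip" is its
# whitelist: sources listed there are never banned. Addresses below are
# constructed documentation ranges; the jail name assumes a current release.
WORKDIR=$(mktemp -d); trap 'rm -rf "$WORKDIR"' EXIT
cat > "$WORKDIR/jail.local" <<'EOF'
[DEFAULT]
# Never ban these, even if the log shows failures attributed to them.
ignoreip = 127.0.0.1/8 ::1 203.0.113.10 198.51.100.0/24
bantime  = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
EOF

# ip4_to_int A.B.C.D -> the address as a single integer, for mask arithmetic.
ip4_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP ENTRY: true if IP lies inside ENTRY, where ENTRY is a single
# host (203.0.113.10) or a network (198.51.100.0/24).
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32        # no "/": a single host
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# is_ignored IP CONFIG: would fail2ban skip IP given CONFIG's ignoreip line?
# IPv4 entries get CIDR matching; anything involving IPv6 is exact match only.
is_ignored() {
  ip=$1
  list=$(sed -n 's/^ignoreip[[:space:]]*=[[:space:]]*//p' "$2")
  for entry in $list; do
    case "$ip$entry" in
      *:*) [ "$entry" = "$ip" ] && return 0 ;;
      *)   in_cidr "$ip" "$entry" && return 0 ;;
    esac
  done
  return 1
}

# Demo: which of these constructed sources could still be banned?
for src in 203.0.113.10 198.51.100.77 192.0.2.5; do
  if is_ignored "$src" "$WORKDIR/jail.local"; then echo "$src: exempt"; else echo "$src: bannable"; fi
done
```

The defensive point is to put your own management addresses (and any monitoring host that probes ssh) in `ignoreip` before enabling the jail, so that a burst of failures attributed to one of them cannot cut off your own access; `bantime` also bounds how long any mistaken ban lasts.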