
No to server hacking! Tips for checking and protection

Suspect that your Linux server has been hacked? Or are you sure everything is in order but want to raise its security level just in case? Either way, here are some simple tips that will help you check the system for signs of compromise and protect it better.



Checking

To find out whether your server (say, one running Ubuntu) has been hacked, there are several things worth checking.

Last login data

Find out the details of the most recent logins. This is done with the lastlog command:

 $>lastlog 

Command history

Take a look at the command history and find out exactly when the commands were entered:

 $>history 

If the list of commands is displayed without dates, configure the shell's history settings so that timestamps are recorded.

The auth.log log

The next check is to look through the /var/log/auth.log file, for example with this command:

 $>sudo vi /var/log/auth.log 

Here you will find a record of everyone who tried to connect to the server via SSH.

IP addresses

To find out the IP addresses from which connections to the server were made, use the following command:

 $>zgrep sshd /var/log/auth.log* | grep rhost | sed -re 's/.*rhost=([^ ]+).*/\1/' | sort -u 

Apache logs


Check the Apache logs:

 $>sudo vi /var/log/apache2/access.log 
 $>sudo vi /var/log/apache2/error.log 

Searching for suspicious processes

If you are sure that the server has been compromised, identify the attacker's processes. A list of all running processes can be obtained with the following command:

 $>ps aux | less 

The cron job list

When analysing a server for signs of hacking, it is also useful to check the list of cron jobs, to which an attacker could easily add something of their own:

 $>crontab -l | grep -v '^#' 

Whether or not the check reveals a hacking attempt, extra security never hurts. So here are some tips on how to protect the server.

Protection


Recommendations on server protection mainly concern tracking and blocking suspicious activity, as well as keeping software regularly updated.

Do not allow root to log in via SSH

To raise the server's security level, prohibit root logins over SSH. Edit the SSH daemon configuration and set:

 $>sudo vi /etc/ssh/sshd_config 
 PermitRootLogin no 

Automatic updates


Enable automatic security updates using the unattended-upgrades package. First you need to install it:

 $>sudo apt-get install unattended-upgrades 

The next step is to configure:

 $>sudo dpkg-reconfigure -plow unattended-upgrades 

You can also run it manually:

 $>sudo unattended-upgrade 

Configuring bans

Install the fail2ban package. To block suspicious SSH users with it, use this guide, which also covers how to set up notifications.
To find out how many times fail2ban has banned each IP address, use this command (the awk comparison must be ==, an exact match on the "Ban" field, not a single = assignment):

 $>sudo awk '($(NF-1) == "Ban"){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n 

To view the entire fail2ban log file, enter the following:

 $>sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | sort | uniq -c 

To find problem subnets (the /16 prefixes with the most bans), the following command is suitable:

 $>sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | awk -F\. '{print $1"."$2"."}' | sort | uniq -c | sort -n | tail 
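The same per-IP and per-subnet counting, written as an added example (not part of the original post) as two shell functions run over constructed sample fail2ban log lines; the awk filter compares the field exactly, so an "Unban" line is not counted as a ban.

```shell
#!/bin/sh
# Added example: count fail2ban "Ban" events per IP and per /16 prefix.
# The log lines below are constructed samples, not a real server's log.
SAMPLE_LOG='2016-10-30 10:00:01,123 fail2ban.actions [1234]: NOTICE [sshd] Ban 221.229.10.5
2016-10-30 10:05:02,456 fail2ban.actions [1234]: NOTICE [sshd] Ban 221.229.44.7
2016-10-30 10:10:03,789 fail2ban.actions [1234]: NOTICE [sshd] Unban 221.229.10.5
2016-10-30 10:15:04,012 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.9
2016-10-30 10:20:05,345 fail2ban.actions [1234]: NOTICE [sshd] Ban 221.229.10.5'

# stdin: fail2ban log text. Prints "count ip" lines, most-banned IP last.
# $(NF-1) == "Ban" is an exact field match: "Unban" lines are skipped.
bans_per_ip() {
    awk '$(NF-1) == "Ban" { print $NF }' | sort | uniq -c | sort -n
}

# stdin: fail2ban log text. Prints "count a.b." lines per /16 prefix.
bans_per_prefix() {
    awk '$(NF-1) == "Ban" { split($NF, o, "."); print o[1] "." o[2] "." }' \
        | sort | uniq -c | sort -n
}

# Lookup helpers over the sample log so a result can be checked by name.
ban_count_for_ip() {        # $1 = IP address; prints its Ban count
    printf '%s\n' "$SAMPLE_LOG" | bans_per_ip \
        | awk -v ip="$1" '$2 == ip { print $1 }'
}
ban_count_for_prefix() {    # $1 = prefix such as "221.229."; prints its Ban count
    printf '%s\n' "$SAMPLE_LOG" | bans_per_prefix \
        | awk -v p="$1" '$2 == p { print $1 }'
}

# Stand-alone run: show both tables for the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | bans_per_ip
printf '%s\n' "$SAMPLE_LOG" | bans_per_prefix
```

On a real server, replace the sample with `zcat -f /var/log/fail2ban.log* | bans_per_prefix | tail`.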

If the analysis of the log files shows that attacks from a certain subnet occur regularly, it can be blocked permanently. Before doing so, however, it is worth checking which country the subnet belongs to.

For example, here is how to block connections to the sshd port from the subnet 221.229.*.*:

 $>sudo iptables -I INPUT -p tcp -s 221.229.0.0/255.255.0.0 --dport ssh -j REJECT --reject-with tcp-reset 

To see exactly what the iptables rules have blocked (the rules with their packet counters), use the following command:

 $>sudo iptables -vnL INPUT --line-numbers 

To keep the iptables rules after a server restart, install iptables-persistent on Ubuntu; the saved rules live in /etc/iptables/rules.v4:

 $>sudo apt-get install iptables-persistent 
 $>cat /etc/iptables/rules.v4 

If you have edited the iptables rules, save them with the following command:

 $>sudo bash -c "iptables-save > /etc/iptables/rules.v4" 

Editing the rules file by hand is not recommended, since its format must be exact for everything to work as it should.

Summary

We have covered how to check Linux servers for signs of hacking and how to improve their protection. We hope this advice helps you improve the security of your systems.

Source: https://habr.com/ru/post/314166/
