*Btw, you didn't answer all of my previous questions. If you don't know how to, just say so, else please provide the info cuz it could have been useful for *this* post instead of being a waste of energy and time for me.
> I think I am now reasonably secure
There is no "thinking" involved. It either is secure or it ain't.
> having followed much advice from the BB and other sources.
Telling us *exactly what* you did would make it easier.
> However, I don't know how secure my server was for that first week or so. I have no reason to suspect anything is wrong but I just wanted to carry out whatever check would be sensible in this situation to reassure myself.
Since you have no idea of the state the system was in in the first place, this will not produce results that can be fully trusted.
For instance, if a cracker did set up a kernel module (LKM), chances are processes are hidden and system calls rerouted. You will not find any evidence of those unless you unfortunately stumble on something like this or are able to have someone perform checks using a bootable CD.
Since this is a dedicated remote server, your only means of access is using SSH as you stated. If you log in directly as root, add an unprivileged user, set up the ssh keys and sudo, and never log in as root directly again. Log in with your unprivileged user, sudo to root.
If you don't have the discipline to keep an admin logfile (you should), make your shell's .login file use "script <unique filename>" to record anything you do on the system.
I. Set up network access and local restrictions. See this post.
Be warned it doesn't handle specific server measures, just the essentials.
II. Check system authentication for anomalies: inspect your /etc/{passwd,group,gshadow,shadow} files. If any service on the box uses external (PAM) flatfiles or databases for authentication, inspect those too.
III. Check system access restriction files and network daemon configs for anomalies: basically anything with "allow" or "deny" or "conf" in the filename in application configuration directories like /etc, /etc/xinetd.d.
IV. Check your system logs in /var/log.
Info in the last and wtmp files can be accessed using "last": use "last -aix". Info in lastb can be accessed using "lastb" with the same flags as "last". Other anomalies in the login records can be accessed using "ac" like in "ac --complain --tw-leniency 60 --tw-suspicious 120 -y". Extract the info and inspect it for anything out of the ordinary, including root logins when you are sure you couldn't have logged in. If you see the remote address 193.132.4.8, think nothing of it, it's an annoying bug in Red Hat.
Don't forget to check the plaintext logfiles as well.
V. Use the rpm database to check the status of any installed rpm. Note this doesn't give you a scope on the files NOT introduced by rpm. "rpm -Va 2>&1|tee /tmp/rpmverify.log" will show you the results and save them.
VI. Run some system checker like Tiger and run Chkrootkit.
Tiger will run a lot of checks, it really comes in handy checking suid and sgid bits, dotfiles etc etc.
*This list isn't final, but it should get you going. If you want to be thorough, report back any details. One explicit exception: if it's too large but you still want me to review it, roll a bzipped tarball and if its size is not in excess of 500K, then you're invited to mail it to me. Else mail me a link where I can download it.
> I don't think the situation warrants a restore/re-install.
Think about the reasons *why* you're saying this. Reasons in the "that's nice, but it's WRONG" category would be "because I put a lot of work in it already" or "because I need it to work *now*" or "because I don't want to waste time reading and fiddling with arcane and obscure things". Now tell me how you came to your conclusion...
> I have installed Tripwire but not set it up yet as I want to try and ensure my server is clean.
You should have asked for the server to be delivered with tripwire (or Aide or Samhain) installed and ready, or set it up once you took control of it.
> Any advice? Remember, I'm very new so you will have to spell it out for me.
Read the sticky "FAQ: Security references" thread, at least post #1. Check, implement. Increase your mana and ask specific questions.
HTH
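As an added illustration of steps II and V from the reply above (this is not the poster's code, and the sample passwd, shadow and "rpm -Va" lines in it are constructed for the demonstration, not taken from any real box), here is a small POSIX sh script that pulls the obvious anomalies out of those files: extra UID 0 accounts, accounts with no password, passwd entries not pointing to shadow, and non-config packaged files that rpm reports as changed or missing.

```sh
#!/bin/sh
# Added example: automates steps II and V of the reply above on CONSTRUCTED
# sample data. On a real system feed in /etc/passwd, /etc/shadow (needs
# root) and /tmp/rpmverify.log instead of the samples below.

# --- Step II: authentication file anomalies --------------------------------

# Print every account other than "root" whose UID is 0 (a classic backdoor).
# Reads /etc/passwd format on stdin.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print passwd entries whose password field is neither "x" (shadowed) nor
# "*" (locked): the hash, or nothing at all, lives in world-readable passwd.
unshadowed_passwd() {
    awk -F: '$2 != "x" && $2 != "*" { print $1 }'
}

# Print accounts whose shadow password field is empty: no password needed.
# Reads /etc/shadow format on stdin.
empty_passwords() {
    awk -F: '$2 == "" { print $1 }'
}

# --- Step V: rpm -Va log ---------------------------------------------------
# rpm -Va prints a flag string (S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime, P caps; "." = unchanged), an optional attribute
# column ("c" = config file), then the path, or "missing" followed by the
# path. Config files change legitimately, so they are skipped; for anything
# else a change in size, mode or digest, or a missing file, deserves a look.
rpm_suspects() {
    awk '
        $1 == "missing"      { print "missing " $NF; next }
        NF == 3 && $2 == "c" { next }            # config file: expected to differ
        $1 ~ /[SM5]/         { print "changed " $NF }
    '
}

# --- Constructed sample data (made up for this example) --------------------
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
toor::0:0::/:/bin/sh'

SHADOW_SAMPLE='root:$1$fakehash$notreal:12000:0:99999:7:::
bin:*:12000:0:99999:7:::
alice::12000:0:99999:7:::
toor:$1$fakehash$notreal:12000:0:99999:7:::'

RPM_SAMPLE='S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ls
.......T.    /usr/share/man/man1/ls.1.gz
missing     /sbin/ifconfig'

# Run all checks on the samples and print a short report.
report() {
    echo "== UID 0 accounts besides root =="
    printf '%s\n' "$PASSWD_SAMPLE" | extra_uid0
    echo "== passwd entries not shadowed/locked =="
    printf '%s\n' "$PASSWD_SAMPLE" | unshadowed_passwd
    echo "== accounts with empty shadow password =="
    printf '%s\n' "$SHADOW_SAMPLE" | empty_passwords
    echo "== rpm -Va: changed or missing non-config files =="
    printf '%s\n' "$RPM_SAMPLE" | rpm_suspects
}

report
```

Each function reads one file on stdin, so on the real server you would run, for example, `extra_uid0 < /etc/passwd` and `rpm_suspects < /tmp/rpmverify.log`. A changed /bin/ls or missing /sbin/ifconfig is exactly the kind of hit the reply's "don't trust results from a box of unknown state" caveat applies to: a rootkit that replaced those binaries may also have replaced rpm, awk or the kernel, so a clean run here is reassurance, not proof.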