Linux - Security
It shows up dozens of times. Should I be worried? Could I have a bot on the server?
I have csf/lfd installed on my server - I also have owncloud, apache, mysql, phpmyadmin, an unsecured vsftpd server, mail (postfix, dovecot, amavis, spamassassin, openvpn, ssh - 3 bad logins block the ip permanently, named server).
This type of connection to port 2703 seems to be the only connection being blocked by iptables coming from my own server.
You certainly could have a bot on your server, but it's also possible that this is just innocuous traffic. Investigation is warranted. Have you looked at what process ID 25064 actually is (if it's a long running process)? Likewise who UID 989 is (is this a human user of the system, or a system account)? According to /etc/services on my machine, port 2703 is used by the sms-chat service. I'm not familiar with this, but is it something you would expect to have connections being made to? If not, you're going to have to dig down and figure out what the process(es) that are making this connection are actually doing and if it's potentially malicious. If it's lots of different processes, you'll need to see what's launching them (possibly use process accounting, if you have it enabled).
Also, you need to review your iptables configuration. Did you make it yourself or use something "pre-rolled" by your distro? It's possible that you're not seeing any other traffic being blocked because iptables is not configured to block it or not configured to report said block in the logs.
One other note here - you seem to have a bunch of services running on one system. If this is in any way possible, you should try to split them up between multiple systems (use VMs if possible). That way, problems with one service cannot affect other services, and it makes it much easier to track down potential incidents like this (since fewer things are running).
It didn't even cross my mind to check the UID and GID. Hadn't seen it in dmesg. Thank you for pointing it out. UID 989 and GID 985 are amavis'. So I suppose it is related to "Vipul's Razor distributed, collaborative, spam-detection-and-filtering network uses port 2703 (TCP)." (according to speedguide.net)
I configured the firewall myself, using csf, but csf comes with some predefined rules too, such as syn flood protection, etc., which I'm quite certain are fine. But I opened some ports, used portflood for ssh and so on.
I know running too many services isn't recommended. Unfortunately I cannot afford other vps for now. I'll probably try to buy myself a server later on which is capable of virtualization and so on.
If you could point me to some resources where I can search deeper for malware, that would be helpful. Or you could also suggest what I should be searching for further in this particular case, even if I identified the 'culprit'. How could I have made a connection between dubious processes and the dubious network traffic?
Do you think I should just open port 2703? I'm thinking amavis is trying to download new information (spam lists, whatever).
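As an added example (not posted in the thread), the shell script below works through the checks the reply suggests for a netfilter LOG line of the kind csf/lfd writes with --log-uid: pull out the protocol, destination port, UID and GID, resolve the UID to an account and the port to an /etc/services name, then list the processes running as that UID and the live sockets to that port so the log entry can be tied to a process. The sample line is constructed; only UID 989, GID 985 and port 2703 come from the thread, and the lookups assume getent, ps and ss are installed.

```shell
#!/bin/sh
# Added example: correlate a firewall LOG line with the process behind it.

# Constructed sample line. UID/GID/DPT match the thread; prefix, interface
# and addresses are made up (RFC 5737 documentation ranges).
SAMPLE='Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=41234 DPT=2703 SYN URGP=0 UID=989 GID=985'

# field LINE KEY: print the value of KEY=VALUE in LINE, empty if absent.
field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# parse LINE: print "PROTO DPT UID GID", the fields worth correlating.
parse() {
    printf '%s %s %s %s\n' "$(field "$1" PROTO)" "$(field "$1" DPT)" \
                            "$(field "$1" UID)" "$(field "$1" GID)"
}

# uid_name UID: login name from the passwd database, "unknown" if absent
# (a system account such as amavis is still a name; a missing one is a clue).
uid_name() {
    getent passwd "$1" 2>/dev/null | cut -d: -f1 | grep . || echo unknown
}

# port_name PORT: service name from /etc/services for PORT/tcp, or "unknown".
port_name() {
    getent services "$1/tcp" 2>/dev/null | awk '{print $1}' | grep . || echo unknown
}

# procs_for_uid UID: processes currently running as that numeric UID.
procs_for_uid() {
    ps -eo pid=,uid=,comm= 2>/dev/null | awk -v u="$1" '$2 == u'
}

# sockets_to_port PORT: live TCP sockets to PORT with the owning process.
sockets_to_port() {
    if command -v ss >/dev/null 2>&1; then
        ss -tnp "dport = :$1" 2>/dev/null
    else
        echo "(ss not available on this host)"
    fi
}

dport=$(field "$SAMPLE" DPT); uid=$(field "$SAMPLE" UID)
echo "dport=$dport ($(port_name "$dport")) uid=$uid ($(uid_name "$uid"))"
echo "processes running as uid $uid:"; procs_for_uid "$uid"
echo "sockets to port $dport:";       sockets_to_port "$dport"
```

Run it against the real line from dmesg or /var/log/messages by replacing SAMPLE; if the UID resolves to amavis and the sockets belong to an amavisd process, the traffic is the Razor lookup the thread suspects, and the rule can be narrowed to that user rather than opening the port for everyone.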