LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-18-2016, 03:44 PM   #1
donald3.heckel
Member
Registered: Aug 2014
Posts: 60
Possible Server Breach with empty logs, nonstop rkhunter warnings, chkrootkit shows possible LKM Trojan


Hello Everyone,

Configuration 1: CSF/LFD (ConfigServer Security and Firewall with Integrated Logon Failure Daemon)

Configuration 2 (Alt Config): (IPTables and Fail2Ban)

I have a Linux server that I use primarily for a variety of uses such as X11 forwarding, gaming, and others. Recently, my family got a new modem router that didn't work well with my firewall on the LAN side while I am hosting gaming servers, and I had to implement a simpler solution as a result (note Config 2 above). In the process, I have discovered that my logs were empty (primarily /var/log/auth.log), a strange previous login from an unidentified IP address, and rkhunter was spitting out nonstop warnings about just about everything on the system (I am not sure if these are false positives or not). Chkrootkit has picked up a possible unidentified Trojan (LKM Trojan). I have changed the authentication method to require two public keys to authenticate with my other server and range-banned the subnet while I get the first one sorted out (with CSF and LFD enabled).

Server 1 (Possibly Compromised Machine):

Pentium 4 Processor: 3.00E GHz Dual Core
Matrox GPU
Ubuntu (Mainly Kubuntu) w/ Ubuntu Server and many Desktop Environments

I could use some help in securing my system and removing the possible trojan.

All help will be greatly appreciated.

P.S.: If all else fails, I guess I might back up my home directory and rebuild my server from scratch.

Sincerely,

d3h
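The two things the original poster noticed, an empty auth.log and a login from an unknown address, are exactly what a first-pass log triage should surface. The script below is an added example (not from the thread or from any of the tools it mentions): it parses OpenSSH auth.log lines, flags accepted logins from outside a trusted network, counts failures per source address, and reports long silences in the log, which on a host that is normally active can indicate logging was stopped or the file was truncated. The sample log lines, the trusted network 192.168.1.0/24, the assumed year 2016 and the 12-hour silence threshold are all constructed for the example.

```python
"""Triage an OpenSSH auth.log: accepted logins from untrusted networks,
failures per source address, and suspicious silences in the log.
Added example; the sample lines below are constructed, not real data."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log. Syslog timestamps carry no year, so one is
# assumed below when computing gaps.
SAMPLE_AUTH_LOG = """\
Sep 17 22:10:03 box sshd[2101]: Accepted publickey for d3h from 192.168.1.20 port 50222 ssh2
Sep 17 22:40:11 box sshd[2188]: Failed password for root from 203.0.113.45 port 41100 ssh2
Sep 17 22:40:14 box sshd[2188]: Failed password for root from 203.0.113.45 port 41100 ssh2
Sep 18 14:55:40 box sshd[2407]: Accepted password for d3h from 198.51.100.77 port 60110 ssh2
Sep 18 15:44:02 box sshd[2512]: Accepted publickey for d3h from 192.168.1.20 port 50311 ssh2
"""

TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumption: the home LAN
ASSUMED_YEAR = 2016                                       # assumption for the sample
SILENCE_THRESHOLD = timedelta(hours=12)                   # assumption: tune per host

# Matches the "Accepted"/"Failed" lines sshd writes for each auth attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.:a-fA-F]+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def is_trusted(ip):
    """True if the address lies inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def triage(log_text):
    """Summarise a log: untrusted successful logins, failures per IP, silences."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    untrusted = [e for e in events
                 if e["result"] == "Accepted" and not is_trusted(e["ip"])]
    failures = {}
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]] = failures.get(e["ip"], 0) + 1
    # Consecutive events further apart than the threshold: the log may
    # have been stopped or truncated in between (or the host was idle).
    silences = [(prev["ts"], cur["ts"]) for prev, cur in zip(events, events[1:])
                if cur["ts"] - prev["ts"] > SILENCE_THRESHOLD]
    return {"untrusted_logins": untrusted, "failures_by_ip": failures,
            "silences": silences}


if __name__ == "__main__":
    report = triage(SAMPLE_AUTH_LOG)
    for e in report["untrusted_logins"]:
        print(f"UNTRUSTED LOGIN {e['ts']} user={e['user']} ip={e['ip']} via {e['method']}")
    for ip, n in report["failures_by_ip"].items():
        print(f"{n} failed attempts from {ip}")
    for start, end in report["silences"]:
        print(f"no auth events between {start} and {end}")
```

On the sample data the password login from 198.51.100.77 is flagged, the two root failures from 203.0.113.45 are counted, and the sixteen-hour gap before that login is reported as a silence. On a real host, run it against a copy of auth.log taken from a read-only mount or from a remote syslog collector, since a log on the suspect machine itself may already have been edited.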
Old 09-19-2016, 11:27 AM   #2
Habitual
LQ Veteran
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37
https://help.ubuntu.com/community/RKhunter instructs you on how to deal with those warnings.
So does /etc/fail2ban/jail.conf BUT that's scary, to some, I guess.

Sorry that's all I can help with.

Last edited by Habitual; 09-19-2016 at 11:29 AM.
Old 09-22-2016, 02:08 PM   #3
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Quote (Originally Posted by donald3.heckel):
I could use some help in securing my system and removing the possible trojan.
Sorry to hear things went belly up. But if 0) your logs were cleaned out, 1) logins from unknown IP addresses occurred, 2) rkhunter questions the integrity of about everything on the system and 3) you have a possible LKM, then there is nothing to "clean up". Also, I do hope there was no personally identifiable information or clear-text credentials on the server? Do mark past backups as "tainted, don't use", have every user change pass phrases, consider isolating disposable game servers in a DMZ and keeping your family data in the LAN, do consider separately encrypting truly valuable data and do read up on securing servers. If you need pointers to documentation outside of what Ubuntu and the "Securing Debian" bible offer, let us know, OK?
Old 09-23-2016, 08:13 AM   #4
donald3.heckel
Member
Registered: Aug 2014
Posts: 60
Original Poster
Hello everyone,

Thank you all for the replies. I am not exactly sure what is going on, but I checked a few times over and chkrootkit is actually showing nothing at this point except for a false positive. As for rkhunter, the results are questionable. It took a while for everything to show up in my logs, but they finally did. On the other hand, I think I would be better off hosting game servers from a Virtual Machine. ;-)

Any recommendations to make security certain? (Intrusion Detection anyone?)

Sincerely,

donald3.heckel
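Whether an rkhunter file-properties warning is a false positive comes down to one question: does the file on disk still match a record taken when the system was known good? The script below is an added example (not rkhunter's code and not from this thread) of that mechanism in miniature: it records a SHA-256 digest, size and permission bits for a set of files, stores the baseline as JSON, and later reports which files changed, disappeared or appeared. The demo builds its own throwaway files in a temporary directory; the names ls, ps, netstat and ss are constructed stand-ins. The obvious caveat is the one unSpawn raises above: a baseline taken on a host that is already compromised proves nothing, and the baseline file must live somewhere the host cannot rewrite (removable media or another machine), since anyone with root on the box can "update" it.

```python
"""Minimal file-property baseline and re-check, the mechanism behind a
file-integrity warning. Added example; the demo files are constructed."""
import hashlib
import json
import os
import stat
import tempfile


def file_properties(path):
    """SHA-256, size and permission bits of one regular file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(paths):
    """Record properties for every path; run this only on a known-good host."""
    return {p: file_properties(p) for p in paths}


def save_baseline(baseline, out_path):
    """Write the baseline as JSON (keep the copy off the monitored host)."""
    with open(out_path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(in_path):
    with open(in_path) as fh:
        return json.load(fh)


def compare(baseline, paths):
    """Classify watched paths against the baseline: changed, missing, new."""
    current = {p: file_properties(p) for p in paths if os.path.isfile(p)}
    return {
        "changed": [p for p in baseline if p in current and current[p] != baseline[p]],
        "missing": [p for p in baseline if p not in current],
        "new": [p for p in current if p not in baseline],
    }


def demo():
    """Build a baseline over constructed files, alter them, and re-check."""
    with tempfile.TemporaryDirectory() as d:
        names = ["ls", "ps", "netstat"]  # constructed stand-ins, not real binaries
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write(f"original contents of {n}\n")
        paths = [os.path.join(d, n) for n in names]
        store = os.path.join(d, "baseline.json")
        save_baseline(build_baseline(paths), store)

        # Simulated drift: 'ps' replaced, 'netstat' removed, 'ss' appeared.
        with open(os.path.join(d, "ps"), "w") as fh:
            fh.write("replaced contents of ps\n")
        os.remove(os.path.join(d, "netstat"))
        with open(os.path.join(d, "ss"), "w") as fh:
            fh.write("new file\n")

        watched = paths + [os.path.join(d, "ss")]
        result = compare(load_baseline(store), watched)
        # Report basenames so the result does not depend on the temp dir.
        return {k: [os.path.basename(p) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    print(demo())
```

A real baseline would cover the directories rkhunter watches (/bin, /sbin, /usr/bin and so on) and be refreshed deliberately after each package upgrade, which is why a wave of warnings right after an apt run is usually benign while a changed binary with no corresponding upgrade is not.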
Old 09-23-2016, 10:51 AM   #5
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Quote (Originally Posted by donald3.heckel):
I am not exactly sure what is going on, but (..)
...but still there is nothing to "clean up".
Plus you haven't posted any details that would help us help you.

Quote (Originally Posted by donald3.heckel):
Any recommendations to make security certain?
Start afresh. Do mark past backups as "tainted, don't use", have every user change pass phrases, consider isolating disposable game servers in a DMZ and keeping your family data in the LAN, do consider separately encrypting truly valuable data and do read up on securing servers, and if you need pointers after reading the Ubuntu (security) documentation and the "Securing Debian" bible, let us know, OK? (IDS is nice but it's no replacement for a properly maintained and hardened setup.)
Old 09-23-2016, 05:04 PM   #6
donald3.heckel
Member
Registered: Aug 2014
Posts: 60
Original Poster
Hello unSpawn,

Thank you for your reply.

I was wondering if any of you would recommend any intrusion detection systems. At this point, I am curious about how to address the rkhunter warnings. I will also consider hosting game servers from VMs as an extra safety/security precaution. ;-)
I might've been thrown off by the delay in the machine logging the activity, but I am not entirely sure.

ADDITION: Agreed. Do you know of any resources on how to better harden my system? I usually keep it well maintained. I am curious about using SELinux as an option.

Sincerely,

donald3.heckel

Last edited by donald3.heckel; 09-23-2016 at 05:08 PM. Reason: Adding in a detailed reply
Old 09-28-2016, 02:30 PM   #7
c0wb0y
Member
Registered: Jan 2012
Location: Inside the oven
Distribution: Windows
Posts: 417
If you're hosting some sort of servers on-premise, you'd better dedicate a DMZ for those external services. And separate your LAN to begin with. Also, if the external-facing services are known for security issues (or run as root) then it has a wider attack surface.

If you enable SSH, accept only certificate-based auth.

SELinux can mitigate exploits and is another component of the security layer (though it comes with additional complexity, unfortunately). I'd say, forget this for now. Start with the basics. Proper permissions, updates, network isolation, cert auth etc.
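"Accept only certificate-based auth" on an OpenSSH server means turning off the password and keyboard-interactive methods in sshd_config and leaving public-key authentication on. The checker below is an added example (not from this thread, and not OpenSSH's own code) that reads an sshd_config text and reports which of those settings are missing or permissive. It assumes the documented OpenSSH semantics: keywords are case-insensitive, '#' starts a comment, the first value seen for a keyword is the one that takes effect (a later duplicate is ignored), and ChallengeResponseAuthentication is the older name of KbdInteractiveAuthentication. The two configs embedded in it are constructed, one permissive and one hardened.

```python
"""Audit an sshd_config text for key-only authentication.
Added example; WEAK_CONFIG and HARDENED_CONFIG are constructed."""

# Keyword (lower-cased) -> acceptable values. PermitRootLogin
# 'prohibit-password' still allows root by key, which some sites want.
EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password"},
    "pubkeyauthentication": {"yes"},
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
}

# Older name for the same option; normalised so one check covers both.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

WEAK_CONFIG = """\
# constructed example of a permissive sshd_config
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# sshd uses the FIRST value it sees, so this duplicate does nothing:
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
# constructed example of a key-only sshd_config
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
"""


def effective_settings(text):
    """Global settings as sshd would read them: first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        parts = line.split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            # Conditional blocks can override per user/host; stop here and
            # use 'sshd -T' for the fully resolved configuration.
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)          # later duplicates ignored
    return settings


def audit(text):
    """Return a list of findings; an empty list means all checks passed."""
    settings = effective_settings(text)
    findings = []
    for key, allowed in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set, so the default applies; "
                            f"set it explicitly to one of {sorted(allowed)}")
        elif got not in allowed:
            findings.append(f"{key}: is '{got}', expected one of {sorted(allowed)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or 'OK'}")
```

The permissive config yields three findings (root login allowed, passwords allowed, keyboard-interactive left at its default) even though it contains a "PasswordAuthentication no" line, which is the mistake the first-value-wins rule produces in practice. Before relying on any edit, confirm the resolved settings with `sshd -T` on the host and keep an existing session open while restarting the service, so a typo cannot lock you out.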
Tags
security, server, sshd