Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I think my VPS server running Debian 9.0 is compromised. It's a new setup with a few basic applications installed; as of now only SSH and fail2ban are running on the system.
As soon as the server was up I made the changes below.
1. Generated a new SSH key and disabled password authentication.
2. Installed and configured fail2ban for SSH.
3. Created a firewall rule to block all ports except SSH.
I was under the impression that I had the server fully secured; I saw that fail2ban blocked a few IPs after they attempted a brute-force attack or scan. Then I did a check on outgoing connections using the command below.
This returned an unfamiliar IP; the connection was there only for a few seconds. Later I saw another IP using the same command. Further googling led me to NetHogs, and I can see that there are quite a few IPs trying to make connections.
There aren't any processes pertaining to those IPs.
Code:
# netstat -atnp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 27435/sshd
tcp 0 404 xxx.xx.xxx.xx:22 yyy.y.yy.yyy:1727 ESTABLISHED 30137/sshd: wally [
The process is sshd in both cases... the second entry shows an established SSH connection from the yyy.y.yy.yyy IP address... the user is wally.
will display information about the IP address... in that case, it's a "Dynamic private network" of an ISP (Bahnhof) in Sweden.
I think the other one is showing you that you are connected to a foreign web page... the IP resolves to a hosting company in San Francisco... did you have a browser running?
Again... add the -p to see the process, and maybe stop tweaking the output of netstat... it's pretty clear as it stands, and there's more information (other than the foreign IP) than you're sharing that helps in understanding what you're seeing.
I monitored the connections randomly for a few days and didn't find any more suspicious connections. I used the connection to browse the web, and it seems like these were the IPs from that connection. Maybe I got a bit paranoid :-)
Quote:
and there's more information (other than the Foreign IP) than you're sharing that helps understanding what you're seeing
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 27435/sshd
tcp 0 404 xxx.xx.xxx.xx:22 yyy.y.yy.yyy:1727 ESTABLISHED 30137/sshd: wally [
As the header line says: the Local IP and port, the Foreign IP and port, the State (very useful; see man netstat), and the PID and Program name... your logic is hiding all that from you.
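Added example (not code from the thread or from any poster) showing how to read a `netstat -atnp` listing the way the reply above describes: each row is split into local address, foreign address, state and PID/program name, every ESTABLISHED socket is labelled inbound (its local port is one the host LISTENs on) or outbound, and rows where netstat printed "-" instead of a process are flagged, since that is what you get when it is run without root. The listing below is constructed, not the poster's output.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of `netstat -atnp` (not from the poster's server;
# addresses are RFC 5737 documentation ranges). The last row models a socket whose
# owner netstat cannot see, e.g. when run without root: "-" in PID/Program name.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address    State       PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*          LISTEN      27435/sshd
tcp        0    404 192.0.2.10:22    198.51.100.7:1727  ESTABLISHED 30137/sshd: wally [priv]
tcp        0      0 192.0.2.10:41822 203.0.113.5:443    ESTABLISHED -
"""

@dataclass
class Conn:
    local: str
    foreign: str
    state: str
    pid: Optional[int]  # None when the column was "-" (owner not visible)
    program: str

def parse_netstat(text: str) -> List[Conn]:
    """Parse the TCP rows of `netstat -atnp`; with -t the State column is always present."""
    conns = []
    for line in text.splitlines():
        if not line.startswith("tcp"):
            continue  # banner and header rows
        _proto, _rq, _sq, local, foreign, state, owner = line.split(None, 6)
        if owner == "-":
            conns.append(Conn(local, foreign, state, None, ""))
        else:  # "30137/sshd: wally [priv]" -> pid 30137, program "sshd: wally [priv]"
            pid, program = owner.split("/", 1)
            conns.append(Conn(local, foreign, state, int(pid), program))
    return conns

def port(addr: str) -> int:
    return int(addr.rsplit(":", 1)[1])  # rsplit so an IPv6 "::1:22" still splits right

def triage(conns: List[Conn]) -> List[Tuple[str, str, str]]:
    """Classify each ESTABLISHED socket inbound/outbound and name or flag its owner."""
    listening = {port(c.local) for c in conns if c.state == "LISTEN"}
    findings = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        direction = "inbound" if port(c.local) in listening else "outbound"
        owner = f"{c.program} (pid {c.pid})" if c.pid is not None else "no visible process: rerun as root"
        findings.append((direction, c.foreign, owner))
    return findings
```

Feed it the real listing (run `netstat -atnp` as root so the last column is populated) and every foreign IP comes back paired with the process that owns it, which is the check the reply is asking for.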