Linux - Security forum (LinuxQuestions.org): all security related questions, tips, system compromises, firewalls, etc.
I, like everyone else here, have experienced numerous ssh brute force attempts.
What worries me is as follows:
1. I noticed it occurring this morning and when I ran netstat it showed my local server was established via ssh to another foreign IP.
2. When I run finger it displayed root with three sessions: (*.0, pts/1, pts/2)
I was worried that a rootkit was installed; however, I downloaded and ran chkrootkit and it did not find anything infected.
I ran nmap against the foreign IP and it had a ton of open ports.
I have numerous IPs from several different origins where the brute force was conducted.
Any ideas as to what I should look for to confirm if the system was or was not compromised? I have run finger on all of my users, looked at numerous files that were recently modified, searched for rootkits, etc.
I am going to revamp my security on the network and look at possibly implementing private key authentication. Actually, with security in mind, I would like to set up private key authentication with hardware or software based tokens, if possible.
If anyone has any insight I would greatly appreciate it.
Having an established connection in netstat output doesn't necessarily indicate that a compromise or successful brute force attack has occurred. All it indicates is that there is an ongoing TCP connection. So a running brute force attack would appear as "established" regardless of whether any passwords have been successfully guessed.
That being said, I'd recommend running rkhunter as well just to be sure. Also take a look at the output of the 'last' command and look for any successful logins that coincide with the time when the brute force was run. Also take a look in /tmp for anything abnormal. Unless you have very poor passwords, the standard sshbrute attack is unlikely to be successful (it uses a very limited set of username/password combos like test/test or root/root).
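The check the reply describes (did any successful login line up with the brute force?) can be done against sshd's own log rather than by eyeballing 'last'. The script below is an added example, not code from either poster: it counts "Failed password" lines per source IP in auth.log format and then flags every "Accepted password/publickey" login whose source IP also produced failures. The log lines embedded in SAMPLE_LOG are constructed for the example (RFC 5737 documentation addresses), and the function names failed_counts and suspicious_logins are this example's own.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log lines (not real data): a burst of
# failures from one source followed by an accepted login from the same IP,
# plus an ordinary key login from an unrelated address and a lone failure.
SAMPLE_LOG='Jun 10 08:01:02 host sshd[4101]: Failed password for root from 203.0.113.45 port 51234 ssh2
Jun 10 08:01:03 host sshd[4102]: Failed password for invalid user test from 203.0.113.45 port 51236 ssh2
Jun 10 08:01:05 host sshd[4103]: Failed password for root from 203.0.113.45 port 51240 ssh2
Jun 10 08:01:09 host sshd[4104]: Accepted password for root from 203.0.113.45 port 51244 ssh2
Jun 10 09:15:30 host sshd[4200]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Jun 10 09:20:11 host sshd[4211]: Failed password for invalid user admin from 192.0.2.9 port 33001 ssh2'

# failed_counts LOGTEXT
# Prints "<ip> <failures>" for every source that had a failed login,
# most failures first. The IP is the field after the word "from".
failed_counts() {
    printf '%s\n' "$1" |
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
         }
         END { for (ip in fails) print ip, fails[ip] }' |
    sort -k2,2nr
}

# suspicious_logins LOGTEXT [MIN_FAILS]
# Prints "<timestamp> <user> <ip>" for every accepted login whose source IP
# also produced at least MIN_FAILS failed attempts anywhere in the log
# (default 1). Accepted logins are buffered and judged at END so failures
# logged after the success still count.
suspicious_logins() {
    MIN_FAILS="${2:-1}"
    printf '%s\n' "$1" |
    awk -v min="$MIN_FAILS" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey)/ {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i+1)
                if ($i == "from") ip   = $(i+1)
            }
            n++; ts[n] = $1 " " $2 " " $3; u[n] = user; src[n] = ip
        }
        END {
            for (j = 1; j <= n; j++)
                if (fails[src[j]] >= min) print ts[j], u[j], src[j]
        }'
}

echo "Failed password attempts per source IP:"
failed_counts "$SAMPLE_LOG"
echo
echo "Accepted logins from IPs that also had failures:"
suspicious_logins "$SAMPLE_LOG" 1
```

On a real host run it as suspicious_logins "$(cat /var/log/auth.log)" (or the distro's equivalent log) and compare the hits with 'last -F' for the same times. A hit on an accepted password login from a brute-forcing IP is strong evidence of a guessed password; an empty result is weaker evidence, because an attacker who already has root can edit the log, so it complements rkhunter and the /tmp check rather than replacing them.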