
How do I determine if my Linux box has been infiltrated?

Solutions:

A lot of people seem to suggest DenyHosts, but I’ve seen a lot of success with Fail2Ban on my systems. It watches for a (configurable) number of failures, and then performs an action – on my servers, that action is to use iptables to drop all traffic from the host. After 10 login failures, they get banned and that’s the end of it.

I use that in combination with Logcheck, so that I always know what’s going on on my servers.

If you have any evidence that someone has actually broken into your systems (the logs you have posted are not evidence of this), then your only solution is to back up all the data you need to keep, wipe the machine, reinstall, and restore from backups. Otherwise, there’s no way to be sure.

Valid login attempts are logged as well, so if you see a brute force attempt followed by a success, that’s a good indication something bad has happened.

I use DenyHosts to monitor my logs for suspicious SSH traffic, and I have it configured to automatically firewall off hosts at a certain point.

Note there are a variety of other ways you’d want to monitor your machine to see if it’s compromised, including load patterns, login activity, periodic traffic sniffing, monitoring running processes and open ports, and ensuring file integrity with a tool like Tripwire.

If you’re only going to do one, monitoring system load is a very effective way of detecting compromise, because most machines when compromised are used to do things like send massive amounts of spam or otherwise receive a lot of traffic. Perhaps not useful if you’re a high-value target and people may be trying to specifically break into you for reasons other than to turn your host into a zombie, but valuable nonetheless. Plus monitoring load is needed for profiling and to figure out when you need to invest in more hardware or better software.

You should also do comprehensive log analysis, looking at auth.log and others for things that are unexpected. Log file analysis is a competitive market and the problem isn’t yet solved, but there are free tools like logwatch which can be configured to send you summaries daily.

Security through layers!
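The detection the answers above describe (a run of failed logins from one source followed by an accepted login from the same source) as an added example that is not code from any answer in this thread. The auth.log lines are constructed sample data; the default threshold of 10 is borrowed from the Fail2Ban answer and is an assumption, not a standard value.

```python
import re
from collections import defaultdict

# Standard OpenSSH syslog formats for failed and accepted logins.
FAILED = re.compile(r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?:password|publickey) for (\S+) from (\S+)")

def find_bruteforce_then_success(lines, threshold=10):
    """Return (source_ip, user, failures_before_success) for every accepted
    login that was preceded by at least `threshold` failures from the same
    source IP. The per-source counter resets after each success, so one
    burst is reported once and a later clean login is not re-flagged."""
    failures = defaultdict(int)
    hits = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.group(1), m.group(2)
            if failures[ip] >= threshold:
                hits.append((ip, user, failures[ip]))
            failures[ip] = 0
    return hits

# Constructed sample log: one host hammers the box and then gets in as root;
# another host mistypes a password once and then logs in with a key.
SAMPLE_LOG = (
    [f"Mar  3 10:0{i % 10}:01 srv sshd[1234]: Failed password for invalid user admin "
     f"from 198.51.100.7 port 4{i} ssh2" for i in range(12)]
    + ["Mar  3 10:02:30 srv sshd[1234]: Accepted password for root from 198.51.100.7 port 4999 ssh2",
       "Mar  3 10:05:00 srv sshd[1300]: Failed password for alice from 203.0.113.5 port 51000 ssh2",
       "Mar  3 10:05:10 srv sshd[1300]: Accepted publickey for alice from 203.0.113.5 port 51000 ssh2"]
)

if __name__ == "__main__":
    for ip, user, n in find_bruteforce_then_success(SAMPLE_LOG):
        print(f"ALERT: {n} failures from {ip} then successful login as {user}")
```

Pipe a real file in with `find_bruteforce_then_success(open("/var/log/auth.log"))`; the legitimate user with a single typo stays below the threshold and is not reported.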

Forget Tripwire, it’s quite expensive. Use AIDE instead. It’s free, easy to set up (though it takes a little while to decide which temp directories to exclude, and otherwise configure).

You run it, it builds a database of all files. Run it again and it’ll tell you which files have changed.

One other thing to do is install CSF, which has a DenyHosts-type blocker: as people fail repeatedly to log in, it’ll add them to your firewall rules. You can also require SSH logins to have a public key as well; the script kiddies can attempt as many logins as they like then.
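The two-run workflow the AIDE answer describes (first run builds a database, second run reports what changed) as an added example of the underlying technique; it is not AIDE's code. The file tree, the tampering and the database path are all constructed in temporary directories so the script runs offline.

```python
import hashlib, json, os, tempfile

def snapshot(root):
    """Map every regular file under root (relative path) to its SHA-256 and permission bits."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            mode = oct(os.stat(path).st_mode & 0o7777)
            db[os.path.relpath(path, root)] = {"sha256": digest, "mode": mode}
    return db

def compare(baseline, current):
    """Report paths that appeared, disappeared, or whose hash or mode differs from the baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "changed": sorted(p for p in before & after if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: baseline a small tree, tamper with it, then re-scan."""
    root = tempfile.mkdtemp()
    db_path = os.path.join(tempfile.mkdtemp(), "baseline.json")  # keep the DB outside the tree
    os.mkdir(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ls"), "w") as f:
        f.write("original binary\n")
    with open(os.path.join(root, "passwd"), "w") as f:
        f.write("root:x:0:0\n")
    with open(db_path, "w") as f:
        json.dump(snapshot(root), f)            # first run: build the database
    # Simulated tampering: a replaced binary, a new file and a deleted file.
    with open(os.path.join(root, "bin", "ls"), "w") as f:
        f.write("replaced binary\n")
    with open(os.path.join(root, "bin", "extra"), "w") as f:
        f.write("dropped file\n")
    os.remove(os.path.join(root, "passwd"))
    with open(db_path) as f:
        baseline = json.load(f)
    return compare(baseline, snapshot(root))    # second run: diff against the database

if __name__ == "__main__":
    print(demo())
```

The database must live somewhere the intruder cannot rewrite (read-only media or another host), which is the same caveat that applies to AIDE's own database.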
