Hacked/Intrusion - what to look for ?
What should I look for and do, if osreload is not an option, if I suspect someone have had root access to a server - with password ?
I have run chkrootkit, rkhunter, changed pass, hash and I also
run clamdscan on /home, /root, /tmp.
Checked some dirs with eyes (dev/shm, tmp, apache dirs) ...
Looked in some logs but any tips here on what to look for and where would be great.
Which logs have you check? Have you checked the CPanel and access logs?
Cpanel logs:- /var/cpanel/logs
Access logs:- /var/messages
Its very hard to detect intrusions. what i would suggest is increase your security.
A good start is here
This is free software and is designed for the whm.
running rkhunter is your best bet to see if you have been rooted i guess scanning any strange php pages is also a good start scan them with any normal AV like NOD32 etc, they will pick up any c99 shells.
Also in your security center (whm) there is a section which allows you to lock down services specific to a IP or IP range for example.
Only i can ssh to my server either from work or at home, only customers can FTP to the server if they have a dynamic IP thats fine as ive added the IP range.
If you would like any help send me a message and ill add you to MSN and talk you through various security messures you can take.
Hi, thanks for your reply!
2fast - How do I lock SSH to only 2-3 IP addresses ?
I read about it a little but cant find a step by step kind of post.
Also, it should be possible to only block root access to one IP while
client SSH access can be done from anywhere. Know anything about that ?
I'll try to find info, but if you have the time, I'd appreciate any help.
Thanks!
sorry for the late reply..
If you are not familiar with IPtables then you can do it through your WHM.
Click on Security > the Security Center > Host Access Control (block IP access) >
there you will have a new page with daemon access controls.
Add the IP's you want to add like this....i have take a screenshot as an example for you..then at the very end of the allow list for sshd you need the deny.
the ip address is just an example, add any ip address you want to allow ssh access above the deny.
Hope this helps.. if you need any more help just let me know
You shouldnt really ever login over ssh as root, you should really su once you are in.
.... here is a quick step by step...
this should work on move linux distros...
Step 1 -this will make a copy of the file your going to edit just in caseCode:cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old
Ok so now edit the file, in Vi, Nano, Pico which ever you want
Step 2 - look for Protocol 2,1 change this to
Step 3 - look for the line that should look likeCode:Protocol 2
# PermitRootLogin yes
change that to
dont forget to remove the #Code:PermitRootLogin no
======================================
then you need to create a user that is allowed to use the SU command so first it might be an idea to create a user for arguments sake ill call the user Bob.
this add bob to the wheel group, which is allow to use the SU command to prevent any other users from using the SU command do the following.Code:usermod -G wheel Bob
Open
in a editor i prefer vi and remove the hash (#) from this lineCode:/etc/pam.d/su
=========================================================Code:auth required /lib/security/pam_wheel.so use_uid
Now you can do this 2nd section first it is up to you. But make sure once you have done it make sure it works... don't close the session you already have open. open a new session and try it
You shouldnt need to restart the sshd daemon for this to work, This is my way of doing it im sure someone will come up with another way that they do it as usual for these types of forum.. my way may not be the best way but it works
Last edited by 2fast; 08-26-2008 at 05:24 PM.
Hi,Originally Posted by 2fast
sorry for the late reply..
If you are not familiar with IPtables then you can do it through your WHM.
Click on Security > the Security Center > Host Access Control (block IP access) >
there you will have a new page with daemon access controls.
Add the IP's you want to add like this....i have take a screenshot as an example for you..then at the very end of the allow list for sshd you need the deny.
the ip address is just an example, add any ip address you want to allow ssh access above the deny.
Hope this helps.. if you need any more help just let me know
You shouldnt really ever login over ssh as root, you should really su once you are in.
.... here is a quick step by step...
this should work on move linux distros...
Step 1 -this will make a copy of the file your going to edit just in caseCode:cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old
Ok so now edit the file, in Vi, Nano, Pico which ever you want
Step 2 - look for Protocol 2,1 change this to
Step 3 - look for the line that should look likeCode:Protocol 2
# PermitRootLogin yes
change that to
dont forget to remove the #Code:PermitRootLogin no
======================================
then you need to create a user that is allowed to use the SU command so first it might be an idea to create a user for arguments sake ill call the user Bob.
this add bob to the wheel group, which is allow to use the SU command to prevent any other users from using the SU command do the following.Code:usermod -G wheel Bob
Open
in a editor i prefer vi and remove the hash (#) from this lineCode:/etc/pam.d/su
=========================================================Code:auth required /lib/security/pam_wheel.so use_uid
Now you can do this 2nd section first it is up to you. But make sure once you have done it make sure it works... don't close the session you already have open. open a new session and try it
You shouldnt need to restart the sshd daemon for this to work, This is my way of doing it im sure someone will come up with another way that they do it as usual for these types of forum.. my way may not be the best way but it works
How can i block root user to access WHM panel ?
LinkBack URL
About LinkBacks
Reply With Quote