Commit 749a1e
2025-09-03 14:26:53 admin: added original dokuwiki page| /dev/null .. security.md | |
| @@ 0,0 1,242 @@ | |
| + | # Security |
| + | |
| + | ## Check up of a Server breach of security |
| + | |
| + | > [!WARNING] |
| + | > From Chat GPT and Llama |
| + | |
| + | To check if your OVH VPS running Ubuntu with Mailu (in Docker) accessed |
| + | via SSH has not been breached, follow these steps: 1. Check for |
| + | Unauthorized Logins SSH Logs: |
| + | |
| + | Run the following to check for unauthorized access: |
| + | |
| + | grep "sshd" /var/log/auth.log | grep "Accepted" grep "sshd" |
| + | /var/log/auth.log | grep "Failed" |
| + | |
| + | Look for any unusual IP addresses or login attempts. Use last -a to |
| + | check recent logins: |
| + | |
| + | ``` bash |
| + | last -a |
| + | last -a | head -n 20 |
| + | lastlog |
| + | ``` |
| + | |
| + | Suspicious IPs: |
| + | |
| + | ``` bash |
| + | netstat -tnpa | grep 'ESTABLISHED.*sshd' |
| + | ``` |
| + | |
| + | Verify if any unknown connections exist. |
| + | |
| + | 2. Check Running Processes |
| + | |
| + | Run: |
| + | |
| + | ``` bash |
| + | ps aux --sort=-%cpu | head -20 |
| + | ``` |
| + | |
| + | Look for unknown or high CPU usage processes. |
| + | |
| + | Check Docker containers: |
| + | |
| + | ``` bash |
| + | docker ps -a |
| + | ``` |
| + | |
| + | Ensure only your Mailu containers are running. |
| + | |
| + | 3. Check Open Ports |
| + | |
| + | ``` bash |
| + | ss -tulnp |
| + | ``` |
| + | |
| + | Ensure only expected services are running. |
| + | |
| + | 4. Check for New Users |
| + | |
| + | cut -d: -f1 /etc/passwd |
| + | |
| + | Look for unknown accounts. |
| + | |
| + | Check sudo users: |
| + | |
| + | cat /etc/sudoers cat /etc/group | grep sudo |
| + | |
| + | 5. Check File System for Altered Files |
| + | |
| + | Look for recent modifications: |
| + | |
| + | find /etc /var /home -mtime -7 |
| + | |
| + | If unexpected changes are found, investigate. |
| + | |
| + | Check for rootkits: |
| + | |
| + | sudo apt install rkhunter sudo rkhunter --check |
| + | |
| + | 6. Check for Unauthorized Docker Images |
| + | |
| + | docker images |
| + | |
| + | Ensure no unknown images are present. |
| + | |
| + | Check logs: |
| + | |
| + | docker logs <mailu-container-name> |
| + | |
| + | Look for anomalies. |
| + | |
| + | 7. Check for High Network Traffic |
| + | |
| + | Monitor unusual network activity: |
| + | |
| + | iftop -n |
| + | |
| + | Check active connections: |
| + | |
| + | netstat -tulpn |
| + | |
| + | 8. Check Crontab for Malicious Jobs |
| + | |
| + | crontab -l ls -la /etc/cron.* |
| + | |
| + | Look for unknown scheduled tasks. |
| + | |
| + | 9. Check System Logs |
| + | |
| + | Search for anomalies: |
| + | |
| + | journalctl -p 3 -xb |
| + | |
| + | 10. Review Mailu Logs |
| + | |
| + | Since Mailu runs in Docker, check logs: |
| + | |
| + | docker logs $(docker ps -q --filter "name=mailu*") --tail 50 |
| + | |
| + | Look for unexpected email activity. |
| + | |
| + | What to Do If You Suspect a Breach |
| + | |
| + | Change all passwords. |
| + | Disable root SSH login (PermitRootLogin no in /etc/ssh/sshd_config). |
| + | Restrict SSH access (AllowUsers yourusername in /etc/ssh/sshd_config). |
| + | Check for backdoors (ls -la /tmp /dev/shm for strange files). |
| + | Consider restoring from a clean backup. |
| + | |
| + | To check if your OVH VPS running Ubuntu with Mailu (in Docker) accessed |
| + | via SSH has not been breached, follow these steps: 1. Check for |
| + | Unauthorized Logins SSH Logs: |
| + | |
| + | Run the following to check for unauthorized access: |
| + | |
| + | grep "sshd" /var/log/auth.log | grep "Accepted" grep "sshd" |
| + | /var/log/auth.log | grep "Failed" |
| + | |
| + | Look for any unusual IP addresses or login attempts. |
| + | Use last -a to check recent logins: |
| + | |
| + | last -a |
| + | |
| + | Suspicious IPs: |
| + | |
| + | netstat -tnpa | grep 'ESTABLISHED.*sshd' |
| + | |
| + | Verify if any unknown connections exist. |
| + | |
| + | 2. Check Running Processes |
| + | |
| + | Run: |
| + | |
| + | ps aux --sort=-%cpu | head -20 |
| + | |
| + | Look for unknown or high CPU usage processes. |
| + | |
| + | Check Docker containers: |
| + | |
| + | docker ps -a |
| + | |
| + | Ensure only your Mailu containers are running. |
| + | |
| + | 3. Check Open Ports |
| + | |
| + | ss -tulnp |
| + | |
| + | Ensure only expected services are running. |
| + | |
| + | 4. Check for New Users |
| + | |
| + | cut -d: -f1 /etc/passwd |
| + | |
| + | Look for unknown accounts. |
| + | |
| + | Check sudo users: |
| + | |
| + | cat /etc/sudoers cat /etc/group | grep sudo |
| + | |
| + | 5. Check File System for Altered Files |
| + | |
| + | Look for recent modifications: |
| + | |
| + | find /etc /var /home -mtime -7 |
| + | |
| + | If unexpected changes are found, investigate. |
| + | |
| + | Check for rootkits: |
| + | |
| + | sudo apt install rkhunter sudo rkhunter --check |
| + | |
| + | 6. Check for Unauthorized Docker Images |
| + | |
| + | docker images |
| + | |
| + | Ensure no unknown images are present. |
| + | |
| + | Check logs: |
| + | |
| + | docker logs <mailu-container-name> |
| + | |
| + | Look for anomalies. |
| + | |
| + | 7. Check for High Network Traffic |
| + | |
| + | Monitor unusual network activity: |
| + | |
| + | iftop -n |
| + | |
| + | Check active connections: |
| + | |
| + | netstat -tulpn |
| + | |
| + | 8. Check Crontab for Malicious Jobs |
| + | |
| + | crontab -l ls -la /etc/cron.* |
| + | |
| + | Look for unknown scheduled tasks. |
| + | |
| + | 9. Check System Logs |
| + | |
| + | Search for anomalies: |
| + | |
| + | journalctl -p 3 -xb |
| + | |
| + | 10. Review Mailu Logs |
| + | |
| + | Since Mailu runs in Docker, check logs: |
| + | |
| + | docker logs $(docker ps -q --filter "name=mailu*") --tail 50 |
| + | |
| + | Look for unexpected email activity. |
| + | |
| + | What to Do If You Suspect a Breach |
| + | |
| + | Change all passwords. |
| + | Disable root SSH login (PermitRootLogin no in /etc/ssh/sshd_config). |
| + | Restrict SSH access (AllowUsers yourusername in /etc/ssh/sshd_config). |
| + | Check for backdoors (ls -la /tmp /dev/shm for strange files). |
| + | Consider restoring from a clean backup. |
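Review bot: the checklist is added twice, so the second copy (everything from the second `To check if your OVH VPS running Ubuntu with Mailu (in Docker) accessed` to the final `Consider restoring from a clean backup.`) should be dropped before merging; it repeats the first copy verbatim, only without the code fences. Within each copy, the commands in steps 1, 4, 5 and 8 are two commands run together on one line with no separator and will not execute as written, e.g. `cat /etc/sudoers cat /etc/group | grep sudo` and `sudo apt install rkhunter sudo rkhunter --check`; each needs splitting into two lines (or joining with `&&`), and the two `grep` pipelines in step 1 should be fenced like the other commands. Two smaller points for the text: `crontab -l` shows only the invoking user's crontab, so root's and other users' entries (under `/var/spool/cron/crontabs/`) need a separate check, and `docker logs $(docker ps -q --filter "name=mailu*") --tail 50` fails when the filter matches more than one container, which it will for a multi-container Mailu stack; loop over the IDs or name one container instead.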