# Security

## Checking a Server for a Security Breach

> [!WARNING]
> From ChatGPT and Llama

To check whether your OVH VPS running Ubuntu with Mailu (in Docker), accessed via SSH, has been breached, follow these steps:

### 1. Check for Unauthorized Logins

SSH logs: run the following to list successful and failed SSH authentications:

``` bash
grep "sshd" /var/log/auth.log | grep "Accepted"
grep "sshd" /var/log/auth.log | grep "Failed"
```

Look for any unusual IP addresses or login attempts. Use `last -a` to check recent logins:

``` bash
last -a
last -a | head -n 20
lastlog
```

Suspicious IPs (currently established SSH sessions):

``` bash
netstat -tnpa | grep 'ESTABLISHED.*sshd'
```

Verify if any unknown connections exist.
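As an added example (not part of the original checklist), a small shell script that turns the auth.log review above into repeatable checks: it lists accepted SSH logins, flags those coming from addresses not on a known-good list, and counts failed password attempts per source IP. The log lines and the allowlisted address are constructed samples; on a real host pass the contents of `/var/log/auth.log` instead.

```bash
#!/usr/bin/env bash
# Added example, not from the original checklist: review sshd entries in
# auth.log-style text. Sample log and allowlist below are constructed.
set -u

# Constructed sample of /var/log/auth.log lines (not from a real host).
SAMPLE_AUTH_LOG='Sep  3 14:01:12 vps sshd[1201]: Accepted publickey for admin from 203.0.113.10 port 51514 ssh2: ED25519 SHA256:abc
Sep  3 14:05:40 vps sshd[1250]: Failed password for root from 198.51.100.77 port 40022 ssh2
Sep  3 14:05:42 vps sshd[1250]: Failed password for root from 198.51.100.77 port 40022 ssh2
Sep  3 15:10:03 vps sshd[1333]: Accepted password for deploy from 198.51.100.77 port 40100 ssh2
Sep  3 16:20:55 vps sshd[1402]: Accepted publickey for admin from 203.0.113.10 port 51600 ssh2: ED25519 SHA256:abc'

# Known-good source addresses, space separated (your office/VPN egress; constructed).
KNOWN_IPS='203.0.113.10'

# Print "user ip method" for every successful login in the given log text.
accepted_logins() {
  printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Accepted/ {
      for (i = 1; i <= NF; i++) if ($i == "for") user = $(i+1);
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1);
      print user, ip, $7 }'
}

# Print "user ip" for accepted logins whose source IP is not in KNOWN_IPS.
unknown_logins() {
  accepted_logins "$1" | while read -r user ip method; do
    case " $KNOWN_IPS " in
      *" $ip "*) ;;                        # known address, nothing to report
      *) printf '%s %s\n' "$user" "$ip" ;;
    esac
  done
}

# Count failed password attempts per source IP (brute-force indicator), highest first.
failed_per_ip() {
  printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Failed password/ {
      for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
      END { for (ip in c) print c[ip], ip }' | sort -rn
}

if [ "${1:-}" = "--demo" ]; then
  echo "== accepted logins ==";        accepted_logins "$SAMPLE_AUTH_LOG"
  echo "== from unknown IPs ==";       unknown_logins "$SAMPLE_AUTH_LOG"
  echo "== failed attempts per IP =="; failed_per_ip "$SAMPLE_AUTH_LOG"
fi
```

Run with `--demo` to see the three reports on the sample; for a live check, call e.g. `unknown_logins "$(sudo cat /var/log/auth.log)"` after putting your own addresses in `KNOWN_IPS`.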
### 2. Check Running Processes

Run:

``` bash
ps aux --sort=-%cpu | head -20
```

Look for unknown processes or processes with unusually high CPU usage.

Check Docker containers:

``` bash
docker ps -a
```

Ensure only your Mailu containers are running.

### 3. Check Open Ports

``` bash
ss -tulnp
```

Ensure only expected services are listening.

### 4. Check for New Users

``` bash
cut -d: -f1 /etc/passwd
```

Look for unknown accounts.

Check sudo users:

``` bash
sudo cat /etc/sudoers
grep sudo /etc/group
```

### 5. Check the File System for Altered Files

Look for files modified in the last 7 days:

``` bash
find /etc /var /home -mtime -7
```

If unexpected changes are found, investigate.

Check for rootkits:

``` bash
sudo apt install rkhunter
sudo rkhunter --check
```

### 6. Check for Unauthorized Docker Images

``` bash
docker images
```

Ensure no unknown images are present.

Check logs:

``` bash
docker logs <mailu-container-name>
```

Look for anomalies.

### 7. Check for High Network Traffic

Monitor unusual network activity:

``` bash
iftop -n
```

Check active connections:

``` bash
netstat -tulpn
```

### 8. Check Crontab for Malicious Jobs

``` bash
crontab -l
ls -la /etc/cron.*
```

Look for unknown scheduled tasks.

### 9. Check System Logs

Search for anomalies (messages of priority `err` and above from the current boot):

``` bash
journalctl -p 3 -xb
```

### 10. Review Mailu Logs

Since Mailu runs in Docker, check its logs. `docker logs` accepts a single container, and Mailu runs several, so loop over every container whose name contains `mailu`:

``` bash
for c in $(docker ps -q --filter "name=mailu"); do
  docker logs --tail 50 "$c"
done
```

Look for unexpected email activity.

### What to Do If You Suspect a Breach

- Change all passwords.
- Disable root SSH login (`PermitRootLogin no` in `/etc/ssh/sshd_config`).
- Restrict SSH access (`AllowUsers yourusername` in `/etc/ssh/sshd_config`).
- Check for backdoors (`ls -la /tmp /dev/shm` for strange files).
- Consider restoring from a clean backup.