# Security

## Check up of a Server breach of security

> [!WARNING]
> From Chat GPT and Llama

To check whether your OVH VPS running Ubuntu with Mailu (in Docker), accessed
via SSH, has been breached, work through the following steps.

### 1. Check for Unauthorized Logins

SSH logs. Run the following to list successful and failed SSH logins:

``` bash
grep "sshd" /var/log/auth.log | grep "Accepted"
grep "sshd" /var/log/auth.log | grep "Failed"
```

Look for any unusual IP addresses or login attempts. If `/var/log/auth.log`
does not exist (newer Ubuntu images log to the journal only), the same entries
are available with `journalctl -u ssh`. Use `last -a` to check recent logins:

``` bash
last -a
last -a | head -n 20
lastlog
```

Suspicious IPs. List the SSH sessions that are established right now:

``` bash
netstat -tnpa | grep 'ESTABLISHED.*sshd'
```

Verify that no unknown connections exist (`netstat` needs the `net-tools`
package; `ss -tnp | grep sshd` shows the same information).
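The two `grep` commands above give you raw lines; what you actually want to know is which source IPs are hammering the server and whether any of them eventually got in. The script below is an added example, not part of the original checklist: it normalises sshd "Accepted"/"Failed" lines to `STATUS user ip`, counts failures per source IP, and lists IPs that failed and later succeeded. The log lines in `SAMPLE_AUTH_LOG` are constructed samples; on a real host pass `/var/log/auth.log` (or `journalctl -u ssh` output saved to a file) as the argument instead.

```shell
#!/bin/sh
# Added example, not part of the original checklist. SAMPLE_AUTH_LOG is a
# constructed sample; on a real host use /var/log/auth.log as the input file.

SAMPLE_AUTH_LOG='Mar  3 10:01:12 vps sshd[1201]: Accepted publickey for admin from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:constructed
Mar  3 10:02:40 vps sshd[1210]: Failed password for root from 198.51.100.77 port 40122 ssh2
Mar  3 10:02:43 vps sshd[1210]: Failed password for root from 198.51.100.77 port 40122 ssh2
Mar  3 10:02:47 vps sshd[1212]: Failed password for invalid user oracle from 198.51.100.77 port 40130 ssh2
Mar  3 10:05:01 vps CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 11:17:09 vps sshd[1402]: Accepted password for deploy from 198.51.100.77 port 40500 ssh2
Mar  3 11:20:00 vps sshd[1410]: Failed password for admin from 192.0.2.9 port 33000 ssh2'

SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '%s\n' "$SAMPLE_AUTH_LOG" > "$SAMPLE_FILE"

# Normalise every sshd "Accepted"/"Failed" line to: STATUS user ip
ssh_events() {
    awk '/sshd\[[0-9]+\]:/ && /Accepted|Failed/ {
        status = ($0 ~ /Accepted/) ? "ACCEPTED" : "FAILED"
        user = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            # sshd writes "for invalid user NAME" when the account does not exist
            if ($i == "for") user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
            if ($i == "from") ip = $(i + 1)
        }
        print status, user, ip
    }' "$1"
}

# Failed attempts per source IP, most active first: "ip count"
failed_by_ip() {
    ssh_events "$1" \
        | awk '$1 == "FAILED" { n[$3]++ } END { for (ip in n) print ip, n[ip] }' \
        | sort -k2,2nr
}

# IPs that produced failures AND a successful login, with the accounts they
# logged into: "ip user [user...]". A guessed password that eventually worked
# shows up exactly like this, so these lines deserve the closest look.
accepted_from_failing_ips() {
    ssh_events "$1" | awk '
        $1 == "FAILED"   { failed[$3] = 1 }
        $1 == "ACCEPTED" { ok[$3] = ok[$3] " " $2 }
        END { for (ip in ok) if (ip in failed) print ip ok[ip] }'
}

echo "Failed attempts per source IP:"
failed_by_ip "$SAMPLE_FILE"
echo "Successful logins from IPs that also produced failures:"
accepted_from_failing_ips "$SAMPLE_FILE"
```

On the sample data the second report prints `198.51.100.77 deploy`: an IP that failed three times against `root` and `oracle` and then logged in as `deploy` with a password. A single such line on a real server is a stronger signal than any number of plain failures.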

### 2. Check Running Processes

Run:

``` bash
ps aux --sort=-%cpu | head -20
```

Look for unknown processes or unexpectedly high CPU usage.

Check Docker containers:

``` bash
docker ps -a
```

Ensure only your Mailu containers are running.

### 3. Check Open Ports

``` bash
ss -tulnp
```

Ensure only expected services are listening.

### 4. Check for New Users

``` bash
cut -d: -f1 /etc/passwd
```

Look for unknown accounts.

Check sudo users (also look in the drop-in directory `/etc/sudoers.d/`, which
`sudoers` includes):

``` bash
cat /etc/sudoers
grep sudo /etc/group
```
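Scanning `cut -d: -f1 /etc/passwd` by eye only works if you remember every account that is supposed to exist. The script below is an added example, not part of the original checklist: it diffs the current account list against a baseline taken while the server was known-good, flags any account other than `root` that has UID 0, and lists the members of the `sudo` group. The passwd and group snippets are constructed samples; on a real host pass `/etc/passwd`, a saved copy of it, and `/etc/group`.

```shell
#!/bin/sh
# Added example, not part of the original checklist. The passwd/group
# contents below are constructed samples; on a real host use /etc/passwd,
# a baseline copy of it, and /etc/group.

BASELINE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash'

CURRENT_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
sysadm:x:0:0::/root:/bin/bash
support:x:1001:1001::/home/support:/bin/bash'

CURRENT_GROUP='root:x:0:
sudo:x:27:ubuntu,support
docker:x:999:ubuntu'

BASELINE_FILE=$(mktemp); CURRENT_FILE=$(mktemp); GROUP_FILE=$(mktemp)
trap 'rm -f "$BASELINE_FILE" "$CURRENT_FILE" "$GROUP_FILE"' EXIT
printf '%s\n' "$BASELINE_PASSWD" > "$BASELINE_FILE"
printf '%s\n' "$CURRENT_PASSWD" > "$CURRENT_FILE"
printf '%s\n' "$CURRENT_GROUP" > "$GROUP_FILE"

# Usernames present in $2 (current passwd) but absent from $1 (baseline passwd).
# awk reads the baseline first (NR == FNR) and remembers its names.
new_accounts() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# Accounts other than root whose UID is 0: they have full root rights under
# another name, which no legitimate Ubuntu/Mailu setup needs.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Members of the sudo group in a group file, one per line
sudo_members() {
    awk -F: '$1 == "sudo" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

echo "Accounts added since the baseline:"
new_accounts "$BASELINE_FILE" "$CURRENT_FILE"
echo "Non-root accounts with UID 0:"
uid0_accounts "$CURRENT_FILE"
echo "Members of the sudo group:"
sudo_members "$GROUP_FILE"
```

Take the baseline right after provisioning (`sudo cp /etc/passwd /root/passwd.baseline`) or pull `/etc/passwd` out of a backup from before the suspected incident; a baseline taken on the possibly compromised machine proves nothing. In the sample, `support` is merely new, but `sysadm` is new and has UID 0, which is the finding that matters.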

### 5. Check File System for Altered Files

Look for recent modifications:

``` bash
find /etc /var /home -mtime -7
```

If unexpected changes are found, investigate. Expect noise from `/var/log` and
Docker's `/var/lib/docker`; narrow the search or exclude those paths. Note
that a modification time can be reset with `touch`, whereas the inode change
time cannot, so `-ctime -7` is harder to hide from.

Check for rootkits:

``` bash
sudo apt install rkhunter
sudo rkhunter --check
```

### 6. Check for Unauthorized Docker Images

``` bash
docker images
```

Ensure no unknown images are present.

Check logs:

``` bash
docker logs <mailu-container-name>
```

Look for anomalies.

### 7. Check for High Network Traffic

Monitor unusual network activity:

``` bash
iftop -n
```

Check active connections:

``` bash
netstat -tulpn
```

### 8. Check Crontab for Malicious Jobs

``` bash
crontab -l
ls -la /etc/cron.*
```

Look for unknown scheduled tasks. `crontab -l` shows only the current user's
jobs; run `sudo crontab -l` for root as well, and check
`/var/spool/cron/crontabs/` for every other user.

### 9. Check System Logs

Search for anomalies:

``` bash
journalctl -p 3 -xb
```

### 10. Review Mailu Logs

Since Mailu runs in Docker, check the logs of every Mailu container
(`docker logs` takes one container at a time, and a Mailu deployment consists
of several):

``` bash
for c in $(docker ps -q --filter "name=mailu"); do
    docker logs --tail 50 "$c"
done
```

Look for unexpected email activity.

### What to Do If You Suspect a Breach

- Change all passwords.
- Disable root SSH login (`PermitRootLogin no` in `/etc/ssh/sshd_config`).
- Restrict SSH access (`AllowUsers yourusername` in `/etc/ssh/sshd_config`).
- Check for backdoors (`ls -la /tmp /dev/shm` for strange files).
- Consider restoring from a clean backup.
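The two `sshd_config` settings in the list above are easy to get wrong silently, because sshd honours the first occurrence of an option and ignores later ones. The script below is an added example, not part of the original checklist: it reads an `sshd_config`, extracts the effective `PermitRootLogin` and `AllowUsers` values the way sshd does (first active match, case-insensitive keyword), and reports what is missing, with a weak config beside a hardened one. Both config snippets are constructed samples; on a real host pass `/etc/ssh/sshd_config`.

```shell
#!/bin/sh
# Added example, not part of the original checklist. Both configs are
# constructed samples; on a real host pass /etc/ssh/sshd_config.

WEAK_SSHD_CONFIG='# constructed sample: defaults left in place
Port 22
PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_SSHD_CONFIG='# constructed sample: root login off, one named account only
Port 22
PermitRootLogin no
AllowUsers yourusername
PasswordAuthentication no'

WEAK_FILE=$(mktemp); HARDENED_FILE=$(mktemp)
trap 'rm -f "$WEAK_FILE" "$HARDENED_FILE"' EXIT
printf '%s\n' "$WEAK_SSHD_CONFIG" > "$WEAK_FILE"
printf '%s\n' "$HARDENED_SSHD_CONFIG" > "$HARDENED_FILE"

# Value of option $2 in file $1. Keywords are case-insensitive and sshd uses
# the FIRST occurrence of an option, so stop at the first non-comment match.
# Everything after the keyword is printed, so multi-value options work too.
sshd_option() {
    awk -v opt="$2" '$1 !~ /^#/ && tolower($1) == tolower(opt) {
        $1 = ""; sub(/^ +/, ""); print; exit
    }' "$1"
}

# Prints one finding per line and returns 1 if anything needs fixing;
# prints nothing and returns 0 when both settings are as recommended.
audit_sshd_config() {
    findings=0
    root_login=$(sshd_option "$1" PermitRootLogin)
    if [ "$root_login" != "no" ]; then
        echo "PermitRootLogin is '${root_login:-unset}', expected 'no'"
        findings=1
    fi
    if [ -z "$(sshd_option "$1" AllowUsers)" ]; then
        echo "AllowUsers is not set: every valid account may log in over SSH"
        findings=1
    fi
    return $findings
}

echo "Weak config:"
audit_sshd_config "$WEAK_FILE" || echo "-> needs fixing"
echo "Hardened config:"
audit_sshd_config "$HARDENED_FILE" && echo "-> OK"
```

This parser only reads the one file you give it. Ubuntu's stock `/etc/ssh/sshd_config` starts with `Include /etc/ssh/sshd_config.d/*.conf`, and because the first occurrence wins, a drop-in there can override whatever you put in the main file. `sudo sshd -T | grep -iE 'permitrootlogin|allowusers'` prints the values sshd will actually use and is the authoritative check; reload with `sudo systemctl reload ssh` after editing, and keep your current session open until a second login confirms you are not locked out.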
