Security
Checking a server for a security breach
From ChatGPT and Llama
To check whether your OVH VPS running Ubuntu with Mailu (in Docker), accessed via SSH, has been breached, follow these steps:
- Check for Unauthorized Logins
SSH logs: run the following to list successful and failed SSH logins:
grep "sshd" /var/log/auth.log | grep "Accepted"
grep "sshd" /var/log/auth.log | grep "Failed"
(On Ubuntu releases that ship without rsyslog, /var/log/auth.log may be absent; journalctl -u ssh shows the same sshd messages.)
Look for any unusual IP addresses or login attempts. Use last -a to check recent logins:
last -a
last -a | head -n 20
lastlog
Suspicious IPs: list established SSH connections:
netstat -tnpa | grep 'ESTABLISHED.*sshd'
Verify that no unknown connections exist.
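Reading the raw grep output by eye does not scale once a bot has hammered the box for a week. The script below is an added example, not part of the checklist above: it summarises sshd "Accepted"/"Failed" lines per user and source IP and flags any IP that failed and then succeeded, the pattern a brute-force success leaves behind. The log lines are constructed samples; point the functions at /var/log/auth.log (or journalctl -u ssh output) on a real host.

```shell
#!/bin/sh
# Added example (not from the original checklist): summarise sshd
# "Accepted"/"Failed" lines per user and source IP, then flag IPs that
# failed before succeeding. The log lines below are constructed samples.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 vps sshd[1201]: Accepted publickey for admin from 203.0.113.5 port 50122 ssh2: ED25519 SHA256:x
Mar  3 10:02:40 vps sshd[1210]: Failed password for root from 198.51.100.7 port 43011 ssh2
Mar  3 10:02:44 vps sshd[1210]: Failed password for root from 198.51.100.7 port 43011 ssh2
Mar  3 10:03:01 vps sshd[1215]: Failed password for invalid user oracle from 198.51.100.7 port 43020 ssh2
Mar  3 10:05:09 vps sshd[1230]: Accepted password for admin from 198.51.100.7 port 43100 ssh2
Mar  3 10:06:00 vps CRON[1240]: pam_unix(cron:session): session opened for user root
EOF

# ssh_login_summary LOGFILE -> sorted lines "RESULT USER IP COUNT"
ssh_login_summary() {
  grep 'sshd\[' "$1" | grep -E 'Accepted|Failed' | awk '{
    result = ""; user = ""; ip = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "Accepted" || $i == "Failed") result = $i
      # "for invalid user NAME" carries the name two fields further on
      if ($i == "for") { user = $(i+1); if (user == "invalid") user = $(i+3) }
      if ($i == "from") ip = $(i+1)
    }
    if (result != "") count[result " " user " " ip]++
  }
  END { for (k in count) print k, count[k] }' | sort
}

# suspicious_ips LOGFILE -> IPs with at least one failure AND one success
suspicious_ips() {
  ssh_login_summary "$1" | awk '
    $1 == "Failed"   { failed[$3] = 1 }
    $1 == "Accepted" { ok[$3] = 1 }
    END { for (ip in ok) if (ip in failed) print ip }' | sort
}

ssh_login_summary "$SAMPLE_LOG"
echo "IPs that failed and then succeeded:"
suspicious_ips "$SAMPLE_LOG"
```

An IP in the second list that is not yours deserves a password change and a look at that user's shell history and SSH authorized_keys.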
- Check Running Processes
Run:
ps aux --sort=-%cpu | head -20
Look for unknown or high CPU usage processes.
Check Docker containers:
docker ps -a
Ensure only your Mailu containers are running.
- Check Open Ports
ss -tulnp
Ensure only expected services are running.
- Check for New Users
cut -d: -f1 /etc/passwd
Look for unknown accounts.
Check sudo users (the sudoers file, drop-in directory, and the sudo group):
sudo cat /etc/sudoers
sudo ls -la /etc/sudoers.d
grep sudo /etc/group
- Check File System for Altered Files
Look for recent modifications:
find /etc /var /home -mtime -7
If unexpected changes are found, investigate.
Check for rootkits:
sudo apt install rkhunter
sudo rkhunter --check
- Check for Unauthorized Docker Images
docker images
Ensure no unknown images are present.
Check the logs of each container (replace the placeholder with a name from docker ps):
docker logs <container-name>
Look for anomalies.
- Check for High Network Traffic
Monitor unusual network activity:
iftop -n
Check active connections:
netstat -tulpn
- Check Crontab for Malicious Jobs
crontab -l
sudo ls -la /etc/cron.*
Look for unknown scheduled tasks (also check the crontabs of other users under /var/spool/cron/crontabs).
- Check System Logs
Search for anomalies:
journalctl -p 3 -xb
- Review Mailu Logs
Since Mailu runs in Docker, check the logs of every Mailu container (docker logs takes one container at a time, so loop over them):
for c in $(docker ps -q --filter "name=mailu"); do docker logs --tail 50 "$c"; done
Look for unexpected email activity.
What to Do If You Suspect a Breach
- Change all passwords.
- Disable root SSH login (PermitRootLogin no in /etc/ssh/sshd_config).
- Restrict SSH access (AllowUsers yourusername in /etc/ssh/sshd_config).
- Check for backdoors (ls -la /tmp /dev/shm for strange files).
- Consider restoring from a clean backup.