Tony,
        I have modified the sshd_config file to what you had below.  Funny I
already had in place the "PermitRootLogin no" option, and I know about the
changing of the port numbers, but the others are new to me. Obvious in
retrospect, but new to me.

I am currently installing OSSEC and will look at the rkhunter doco a bit
more.

Once again thanks.

-----Original Message-----
From: Tony White [mailto:t...@ycs.com.au] 
Sent: Thursday, 13 January 2011 12:16 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Re: Apache issues

Hi Mike,
     Whatever you do I would do this first...

Change the root password now.
Kick off all users

Edit /etc/ssh/sshd_config

Edit/Add Protocol 2
Edit/Add AllowUsers for your username only (make sure you have shell access)
Edit/Add Port to use a different port, not 22; try 3222 or something else you
can remember
Edit/Add PermitRootLogin no
Edit/Add StrictModes yes
Edit/Add MaxAuthTries 2
Edit/Add HostbasedAuthentication no
Edit/Add IgnoreRhosts yes
Edit/Add PermitEmptyPasswords no
Edit/Add PasswordAuthentication yes

This should stop almost all issues there.
Add BFD (Brute force Detection) or OSSEC

This should only take you about 10 minutes or so.
You will be able to move around the system without
anyone getting behind after this.

KEEP your current connection open

Restart sshd.
Try to connect with another ssh session using your username and password.

If you can connect, then su - to root with the new password; then
you can exit the other terminal.

Find the files that rkhunter told you of and delete them all. If files
are part of your Linux distro, find the originals from a CD or download
them. I had read that rkhunter actually removes those rootkits! Maybe
read the docs a bit more.

Try netstat -nat. This will give you all your connections and listening
ports.
Look for unusual ports in use.

Watch for the process again

If at this point you still have the issue then use the 3 R's:
Repartition, Reformat
and Rebuild.

Making sure your backup does not include the cracks of course!


On 13/01/2011 12:00 PM, Mike Canty wrote:
> Tony,
>       Thanks for the information.  I have installed rkhunter and
> discovered there may indeed be rootkits. 3 entries came back in the log.
> (cb Rootkit, SHV4 Rootkit, SHV5 Rootkit)
>
> I am now looking to see if these need to be removed or the machine
> rebuilt.
>
> As for the "pstree -a | less", it is interesting information, but not sure
> what to get out of it for now.  The idea of moving ssh to another port is
> worth a look, but has the horse bolted?
>
> Cheers
>
> -----Original Message-----
> From: Tony White [mailto:t...@ycs.com.au]
> Sent: Thursday, 13 January 2011 11:05 AM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: Re: [qmailtoaster] Re: Apache issues
>
> Hi,
>     you might try "pstree -a | less" to show you the command line
> arguments and paths of all running processes. This might give you a clue
> at least to where the source file can be found!
>
>
> On 13/01/2011 11:06 AM, Mike Canty wrote:
>> Eric,
>>      Is it still a DoS attack, when I can get someone to run "top" find
>> the PID and kill that single process to restore connectivity?
>>
>> Cheers
>>
>> -----Original Message-----
>> From: Eric Shubert [mailto:e...@shubes.net]
>> Sent: Thursday, 13 January 2011 9:55 AM
>> To: qmailtoaster-list@qmailtoaster.com
>> Subject: [qmailtoaster] Re: Apache issues
>>
>> On 01/12/2011 03:16 PM, Mike Canty wrote:
>>> To all,
>>>
>>> I have a server that is having some problems with some "apache"
>>> services. The machine appears to have a runaway process that takes up
>>> just over 20% of the CPU, but this is enough to stop all mail and, to a
>>> certain extent, the network as well.
>>>
>>> The problem for me is this machine is at a remote site. When this
>>> process runs away, I cannot connect to the network remotely, to resolve
>>> the issue, I need to get someone internally to log on to the server
>>> itself and kill the process.
>>>
>>> When I say "Apache", that is the user listed against the process, so it
>>> must be some form of web service. The command at fault is either "std" or
>>> "s", although I have seen a "perl" command giving issues as well, but
>>> not to the same effect.
>>>
>>> Does anyone have any idea what may be causing this? Or what I can do to
>>> rectify it?
>>>
>>> Cheers
>>>
>>> Mike Canty
>>>
>>      From what you've said, it sounds a little like a DoS attack. It
>> sounds as though the problem process is saturating the network.
>>
>> What sort of firewall, internal to QMT as well as external, is involved?
>>

-- 
best wishes
   Tony White



---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
    Vickers Consulting Group offers Qmailtoaster support and installations.
      If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
     Please visit qmailtoaster.com for the latest news, updates, and packages.

      To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
     For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com



