[Security tips inside] How to check if the server is hacked?

kanhu · October 25, 2018, 1:38pm

Yunohost is quite strong with security but as we know there is no magic bullet and there is always attempt by attackers to gain the access to the server. There are many apps which are not fail2baned and neither have 2 factor authentication.

So I would like to know from all the admins how do you keep a check on whether your server has been attacked and someone have gained access to your server?
We can’t be sure every time that the app we are installing has implemented a good security guidelines, so we need to check our logs at regular intervals. So what are these check you do on your server?

Aleks · October 26, 2018, 1:45am

Short answer : it has been attacked

Short answer : you can’t.

Long answer : well, take an analogy with your house. How do you make it so that people do not enter your house ? You lock the front door. But since the door is not the only possible entrance, you also close the window, the cellar, and the chimney somehow. Is that enough to certify that nobody else than you entered your house ? Nope … the window might not be entirely locked, or maybe someone has the key somehow…

So maybe you also check that every items is still at its place after you left. But that’s difficult to check, and what do you know maybe the intruder just entered to add poison in your yougurth in your fridge using something discrete like a syringe ?

In computer systems, a rootkit or a backdoor is pretty much invisible so it’s really hard to detect those. So you can’t really know. An attacker might have had access once 10 years ago, left a backdoor and you might never be aware of it. In fact, the backdoor could be already included in the image of the initial system you installed, or in one fundamental program running on the system (e.g. C/C++ compiler)

Of course, the attacker needs to gain access to your house at some point. So maybe you can put cameras or an alarm, and get an email each time somebody enters your house. But that’s a bit “heavy” to check each time you enter your house that “yes, this is actually me”. The equivalent on a server would be to receive an email each time you (the admin/root) log in, or each time an user gets admin/root access somehow.

But this does not prevent either an app or a service (let’s say, wordpress or php-fpm) to be compromised and start running weird activities such that suddenly sending thousand of emails. If you know what you are looking for and know what things are expected and what are not, you will end up noticing this. But generally speaking, there is no magic recipe for detecting this kind of behavior either. Sending thousand of emails might be something common and legit on your wordpress manages a ~big mailinglist. But let’s say if you use a monitor tool checking various aspects of your server, you might be able to notice an unexpected increase in resource usage which you can then attribute to your wordpress that got compromised…

So tl;dr : imho security is a mess and there’s basically no way of checking things are alright, except with regular and rigorous monitoring of many things. And as always with security : everything also really depends of what you defend against. Are you defending against targeted NSA attack (during the installation, or after the installation ?), against bots trying to bruteforce root/admin, against your own users, or against automatic attacks targeting apps with bad security reputation…

kanhu · October 26, 2018, 9:22pm

Yes, I understand there can be backdoors but these can not be taken down and would effect masses. I particularly mean the attackers who want to gain the access to various services like SMTP or PHP any other service, there would be some clues when someone gains access these services like you mentioned mass mailing from server, etc . So I would like to know what basic defense or alarms admins uses to track down the mistakes a attacker pr attackers may left behind.

I use pflogsumm to get reports for the email.

Is it good idea to scan system with CalmAV on regular interval, maybe monthly or weekly?

A tool to report status of the failed services in Yunohost services. I had failed fail2ban few days back and I got to know about it on a casual check of the service.

Tools to keep check on general protocols used for security would be good.

ljf · October 27, 2018, 5:08pm

Yes and no. Here is an attack where email sent was not logged because the virus contains is own email server program…

kanhu · October 27, 2018, 7:13pm

I am really interested in all the security issues faced by admins.
This is very new to me. So can you explain how can this type of attack can be checked and is there good tool to check on worpress code hacks? It looks wordpress is the main culprit in the apps to infect the servers.
Is our mails checked for malware on yunohost?

ljf · October 29, 2018, 6:32pm

No rspamd is not configured to scan virus in your emails. It only scan for SPAM (that reject implicitly a lot of viruses).

But you can configure it your self and even create an app for that:
https://rspamd.com/doc/modules/antivirus.html

Note, before 2.4 we have used amavis, which have virus detection features. We have replaced it with rspamd for performance reasons (amavis used 200Mo, too much for small 512Mo ram arm board).

kanhu · October 29, 2018, 6:51pm

@ljf
Look at my problem here Rspand detecting virus in emails through Clamav scanning

kanhu · November 15, 2018, 5:37pm

Fail2ban is not blocking IPv6 on the current version Fail2ban on Debian Stretch.
You can upgrade to the Fail2ban from testing branch and enable IP6 version blocking.
See here Fail2ban not blocking IPv6

kanhu · November 15, 2018, 5:43pm

Sometime you want to block IPs which are spamming from various spamming tracking sources and even block custom IPs which are annoying you with emails, sending registration request on any of your apps, spamming on your blogs, etc. Blocking of IP’s can be achieved by using this script on Yunohost.

kanhu · November 28, 2018, 3:32pm

I want to bring an old topic to light again which give a brief on the security risk for the apps installed on the subpaths.

So is installing the apps on sub-paths bad practice ?

Aleks · November 28, 2018, 5:28pm

That is indeed interesting.

But please let’s not jump to conclusions like “sub-paths is bad practice” or “sub-paths in insecure”. The assumptions of the post if “if one app has been compromised, other apps or system parts may be compromised” which is imho not really surprising… For instance, if a wordpress gets compromised, the attacker might be able to turn the server into a spam machine gun. Though of course that’s less scary and problematic than an attacker stealing webadmin credentials…

But let’s just not forget that there cross-domain cookie “stealing” may also happen. If I remember correctly, a cookie from foo.domain.tld may be accessible from domain.tld ? (I dunno what can happen between foo.domain.tld and bar.domain.tld though). So if your “home” app gets compromised, you can imagine foo.domain.tld getting compromised in the same way.

But still, that assumes (additionally to the fact of an app being already compromised) that the attacker is gonna spend time implementing this and I would not expect automatic bots to do this - but that’s me speculating.

Still the best thing to do is to not being compromised in the first place, and for this you should keep your server up to date, not install software with bad reputation, and reduce the attack surface.

Aleks · January 18, 2023, 8:20pm