Page 2 of 3 FirstFirst 123 LastLast
Results 26 to 50 of 61
  1. #26
    Yes, I can login now. Maybe my network sucks.

  2. #27
    Join Date
    Mar 2002
    Location
    Philadelphia, PA
    Posts
    2,517
    Great tutorial

    <edit>signature removed</edit>
    Last edited by choon; 02-09-2004 at 09:15 PM.

  3. #28

    Re: How to (somewhat) secure a Linux Server

    How do I keep myself unblocked from SSH if my ISP assigns me a new dynamic IP every 36 hours?



    There are a number of other security tricks that I use, such as:
    limiting ssh access
    in /etc/hosts.deny
    Code:
    sshd: ALL
    in /etc/hosts.allow
    Code:
    sshd: host.ip.number.1,host.ip.number.2,etc
    Some would eliminate root login, but I wouldn't take it that far. If your server is properly monitored, you won't need to eliminate it.
    <edit>signature removed</edit>
    Last edited by choon; 02-23-2004 at 09:32 PM.

  4. #29
    Join Date
    Jul 2001
    Location
    Singapore
    Posts
    1,889
    If your ISP's issuing IP range is 123.456.789.x
    Then just use 123.456.789.
    Just my thoughts.

  5. #30
    I wish they were issuing IP ranges. My ISP is Cox and I'm pretty sure they don't just change IP ranges but entire blocks, i.e. my last IP was 67.110.47.64 and my new one, well, is way different from the old one.

    <edit>signature removed</edit>
    Last edited by choon; 02-23-2004 at 09:37 PM.

  6. #31
    Join Date
    Jul 2001
    Location
    Singapore
    Posts
    1,889
    Then no choice but to allow ALL?

    P.S. Please turn off your signature as signatures are not allowed in all HOWTO forums.

  7. #32
    Sorry for the sig, I did not know sigs were not allowed in the how-to forum. I'm gonna go ask Cox's business side to see if I can talk them into giving me a static IP; if all else fails I'll undo that edit. Thanks for your help.

  8. #33
    Join Date
    Mar 2004
    Location
    Venezuela
    Posts
    83
    I posted this on another security thread in the How To forum, maybe you guys might find it useful too.

    1) Conduct a security audit on the box and create a report for it.

    (a) Check intrusion detection. Use chkrootkit for this purpose. Update the report with these details.

    chkrootkit is very straightforward; installation is pretty simple.
    Once chkrootkit is installed, run it from the command line. It should return lines like this:

    ROOTDIR is `/'
    Checking `amd'... not found
    Checking `basename'... not infected
    Checking `biff'... not infected
    Checking `chfn'... not infected
    Checking `chsh'... not infected
    Checking `cron'... not infected
    Checking `date'... not infected
    Checking `du'... not infected
    Checking `dirname'... not infected
    Checking `echo'... not infected
    Checking `egrep'... not infected
    Checking `env'... not infected
    Checking `find'... not infected
    Checking `fingerd'... not found
    Checking `gpm'... not found
    Checking `grep'... not infected
    Checking `hdparm'... not infected
    Checking `su'... not infected
    Checking `ifconfig'... not infected
    Checking `inetd'... not infected
    Checking `inetdconf'... not infected
    Checking `identd'... not found
    Checking `killall'... not infected
    Checking `ldsopreload'... not infected
    Checking `login'... not infected
    Checking `ls'... not infected
    Checking `lsof'... not infected
    Checking `mail'... not infected
    Checking `mingetty'... not found
    Checking `netstat'... not infected
    Checking `named'... not infected
    Checking `passwd'... not infected
    Checking `pidof'... not infected
    Checking `pop2'... not found
    Checking `pop3'... not found
    Checking `ps'... not infected
    Checking `pstree'... not infected
    Checking `rpcinfo'... not infected
    Checking `rlogind'... not found
    Checking `rshd'... not found
    Checking `slogin'... not infected
    Checking `sendmail'... not infected
    Checking `sshd'... not infected
    Checking `syslogd'... not infected
    Checking `tar'... not infected
    Checking `tcpd'... not infected
    Checking `top'... not infected
    Checking `telnetd'... not found
    Checking `timed'... not found
    Checking `traceroute'... not found
    Checking `write'... not infected
    Checking `aliens'... no suspect files
    Searching for sniffer's logs, it may take a while... nothing found
    Searching for HiDrootkit's default dir... nothing found
    Searching for t0rn's default files and dirs... nothing found
    Searching for t0rn's v8 defaults... nothing found
    Searching for Lion Worm default files and dirs... nothing found
    Searching for RSHA's default files and dir... nothing found
    Searching for RH-Sharpe's default files... nothing found
    Searching for Ambient's rootkit (ark) default files and dirs... nothing found
    Searching for suspicious files and dirs, it may take a while... nothing found
    Searching for LPD Worm files and dirs... nothing found
    Searching for Ramen Worm files and dirs... nothing found
    Searching for Maniac files and dirs... nothing found
    Searching for RK17 files and dirs... nothing found
    Searching for Ducoci rootkit... nothing found
    Searching for Adore Worm... nothing found
    Searching for ShitC Worm... nothing found
    Searching for Omega Worm... nothing found
    Searching for Sadmind/IIS Worm... nothing found
    Searching for MonKit... nothing found
    Searching for anomalies in shell history files... nothing found
    Checking `asp'... not infected
    Checking `bindshell'... not infected
    Checking `lkm'... nothing detected
    Checking `rexedcs'... not found
    Checking `sniffer'... eth0 is not promisc
    Checking `wted'... nothing deleted
    Checking `z2'... nothing deleted

    This is normal chkrootkit output. If by any chance you find an INFECTED!, I suggest checking the binary of the said program thoroughly.
    EXCEPTION: bindshell is known to say it's infected when running software like Portsentry; this is normal.



    (b) Check for bugs in the software which is currently installed on the box.

    Very simple, start with checking your kernel version:
    uname -r
    2.4.25

    Then check your services' versions; start with the mail server, ftp, apache, mysql and others:
    Use telnet to read this, or read the documentation about the software. An example should be:

    'telnet localhost 21' (FTP)
    telnet localhost 21
    Trying 127.0.0.1...
    Connected to yourserver
    Escape character is '^]'.
    220 yourserver Proftpd xxxxx FTP server ready.

    Where xxxxx is your server version. Next you go to a security related website (www.securityfocus.com) and run a search for any security vulnerability for that version of FTP server.
    If none is found, go to the ftp server website and see if your version is current.

    Repeat with all the other processes and upgrade when necessary.


    (c) Scan all ports and find out which unwanted ports are open. Update the report with these details.

    Get NMAP from www.insecure.org

    Run a vanilla scan,
    'nmap localhost'

    A normal return should be

    Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
    Interesting ports on yourserver (127.0.0.1):
    (The 1547 ports scanned but not shown below are in state: closed)
    Port State Service
    21/tcp open ftp
    22/tcp open ssh
    25/tcp open smtp
    53/tcp open domain
    80/tcp open http
    110/tcp open pop-3
    443/tcp open https

    A really bad return should be

    Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
    Interesting ports on yourserver (127.0.0.1):
    (The 1525 ports scanned but not shown below are in state: closed)
    Port State Service
    1/tcp open tcpmux
    11/tcp open systat
    15/tcp open netstat
    21/tcp open ftp
    22/tcp open ssh
    25/tcp open smtp
    53/tcp open domain
    79/tcp open finger
    80/tcp open http
    110/tcp open pop-3
    111/tcp open sunrpc
    119/tcp open nntp
    143/tcp open imap2
    443/tcp open https
    540/tcp open uucp
    635/tcp open unknown
    1080/tcp open socks
    1524/tcp open ingreslock
    2000/tcp open callbook
    6667/tcp open irc
    12345/tcp open NetBus
    12346/tcp open NetBus
    27665/tcp open Trinoo_Master
    31337/tcp open Elite
    32771/tcp open sometimes-rpc5
    32772/tcp open sometimes-rpc7
    32773/tcp open sometimes-rpc9
    32774/tcp open sometimes-rpc11
    54320/tcp open bo2k

    As you can see, this server is running a bunch of services we don't actually need, not to mention some trojans too. Check where they come from: most of them run from inetd (/etc/inetd.conf), some are run stand alone. Find out the ones you need and the ones you don't need and kill them.



    (d) Check if /tmp is secured. Update the report with these details.

    chmod +t directory
    That will prevent non-owners of objects in directory (excepting
    superuser) from unlinking (removing, moving, etc.) objects in that
    directory. In general any world writable directory should always be
    protected this way (such as /tmp, /var/tmp, /var/spool/uucppublic (or
    substitute usr for var if appropriate on your system)).



    (e) Check for hidden processes. Update the report with these details.

    ps aux should show all of the processes. Remember that in order to trust this information you need to trust that the ps binary hasn't been corrupted (that's why you should run chkrootkit first).
    If you find any strange process that you don't know about, google it!


    (f) Check for bad blocks in all partitions (this is just to make sure that the system is ok). Update the report with these details.

    e2fsck -f -p -c /dev/hdxx should scan for bad blocks; however, it needs to be done with the drive unmounted.



    (g) Check for file permissions. Update the report with these details.

    I have used a program called sherpa (http://oregonstate.edu/~creliar/sherpa/) that checks file system permissions and other things.



    (h) Check if the kernel has the ptrace vulnerability. Update the report with these details.
    All kernels up to 2.4.20 are vulnerable; a simple uname -r should tell you which version you are running. If you are running a vulnerable version, upgrade ASAP (www.kernel.org).

    <edit>signature removed</edit>
    Last edited by choon; 03-09-2004 at 11:37 AM.
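    Step (d) above says to put the sticky bit on /tmp and on every other world-writable directory. The script below is an added example, not code from any post in this thread: it finds world-writable directories that lack the sticky bit (where any user can unlink or rename another user's files), checks a single directory, and applies the chmod +t fix from the post. The function names are mine; on a real system the audit can run as any user, the fix needs root.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for step (d), "check if /tmp
# is secured". A world-writable directory without the sticky bit lets any
# user delete or rename files owned by other users; chmod +t closes that.

# List world-writable directories under $1 that lack the sticky bit.
# -perm -0002: writable by others; ! -perm -1000: sticky bit not set.
unprotected_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Return 0 when $1 is a directory that is world-writable AND sticky (the
# state 'chmod +t' on a mode 777 directory produces), 1 otherwise.
is_sticky_world_writable() {
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -1002 2>/dev/null)" ]
}

# Apply the fix from step (d) to every directory the audit reports and
# print what was changed, so the report can record it.
protect_world_writable_dirs() {
    unprotected_world_writable_dirs "$1" | while IFS= read -r d; do
        chmod +t "$d" && printf 'set sticky bit on %s\n' "$d"
    done
}

# Usage on a real system (the fix needs root for /tmp and friends):
#   unprotected_world_writable_dirs /    # audit only
#   protect_world_writable_dirs /        # audit and fix
```

    Run the audit first and read the list before fixing: a world-writable directory that an application expects to manage itself (a spool directory, for example) may be listed, and the post's rule is to protect those too.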

  9. #34
    Join Date
    Mar 2004
    Location
    Venezuela
    Posts
    83
    (i) Check memory (this is to make sure that the memory is ok). Update the report with these details.

    You can use software like memtest86 to check the status of your memory; issuing a
    cat /proc/meminfo should return all the information available about your memory.



    (j) Check for open relay. Update the report with these details.
    Open relays let spammers send email through your mail system without having to login to a known user.
    For detailed instructions, check http://mail-abuse.org/tsi/ar-fix.html





    (k) Check if the partitions have enough space. Update the report with these details.
    The Linux command 'df' should tell you how much space you have available.
    My small webserver is partitioned like this:

    Filesystem   1k-blocks      Used  Available Use% Mounted on
    /dev/sda7      9614116     19256    9106488   1% /
    /dev/sda2       124443      1642     116375   2% /boot
    /dev/sda5     24027628     78572   22728520   1% /var
    /dev/sda6      9614116    701716    8424028   8% /usr
    /dev/sda9    166888792    812360  157598936   1% /home

    With /home and /var being the biggest partitions (home for the users and var for all the users logs)


    (l) Check the size of logs. It's better that the log size remains in MBs.
    For this you can use programs like logrotate to rotate logs. Also, a good way to keep logs in place is to burn them onto a CDR/W or DVDR/W for storage.



    (m) Do a stress test on the box. Update the report with these details.

    I have heard good reviews about stresslinux, which is a bootable Linux distro on a CD whose sole purpose is to run stress tests on your system (you don't have to install it, just put the CD in the CD-ROM, boot from it and let it run the tests).

    <edit>signature removed</edit>
    Last edited by choon; 03-09-2004 at 11:38 AM.

  10. #35
    Join Date
    May 2001
    Location
    Web Hosting Land
    Posts
    73
    Hey, about that hosts.deny and hosts.allow: with the recent t0rn rootkit scare from the cPanel exploit, if you were to deny ALL from ssh but your IP address, would they be able to SSH in?

    <edit>signature removed</edit>
    Last edited by choon; 03-14-2004 at 04:29 AM.

  11. #36
    Join Date
    Jul 2003
    Posts
    533
    Originally posted by joesmoh
    Hey, about that hosts.deny and hosts.allow: with the recent t0rn rootkit scare from the cPanel exploit, if you were to deny ALL from ssh but your IP address, would they be able to SSH in?
    I think they can, because they will have a different port or another service running that ignores your hosts.deny.

  12. #37
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    They don't SSH in to plant it anyway. Remove their backdoor and you're all good.

    <edit>signature removed</edit>
    Last edited by choon; 03-14-2004 at 04:30 AM.

  13. #38
    Join Date
    Aug 2003
    Location
    Gods Own Country
    Posts
    892
    Please keep these steps in mind while working on security

    1) Create a security policy ( a security policy is created from business requirements and risk analysis ). This is the first step one should follow while working on security.

    2) Based on the security policy, create a checklist

    The checklist is created according to the security policy
    ================check list ================================
    Check List
    #######################
    Software Vulnerabilities
    Kernel Upgrades and vulnerabilities
    Check For any Trojans
    Run chkrootkits
    Checks Ports
    Check for any hidden process
    Use audittools to check system
    Check logs
    Check Binaries
    Check Binaries and RPMS
    Check the email relays
    Check the cron entries
    Check /dev /tmp /var filefolders
    Check whether Backup is maintained
    Check for unwanted users,groups etc in the system
    Check and Disable unwanted services
    Locate malicious scripts
    Querylog in DNS
    Check whether Backup is maintained
    Check for the suid scripts and nouser scripts
    Check valid scripts in /tmp
    Use intrusion detection tools
    Check the system performance
    Check memory performance ( conduct memtest)

    Note: Please feel free to add the steps which I had missed
    ================end ===========================

    3) With this checklist, please conduct a security audit

    The format of the security audit will be like this
    =====================Format ==========================================
    Issues or software # Current version ( version used in the server ) # Stable version # Notes :
    ===============================================================

    In this step we will not do any upgrades or security related work on the box. Just find out the vulnerabilities.
    Find out the current versions of the software and check if it has any vulnerability. If so, please note it down and add it in the notes section of the audit report.


    Use tools like Nessus, nikto ( audit tool for web servers ), chkrootkit, dsa ( DNS security audit tool ), memtest and find out the vulnerabilities

    Notes: The below section is called the Security Implementation stage

    4) According to this audit report, we should first correct all software vulnerabilities ( can use software patches which eliminate the bugs in the software )

    (a) Upgrade the kernel if it's old and vulnerable. While compiling, please remove all unwanted options and reduce the size of the kernel

    (b) Upgrade apache and its related software if it's vulnerable

    (c) Upgrade php, mysql, proftpd, pure-ftpd, named if they are vulnerable.

    (d) Upgrade mod_ssl, openssh, openssl etc. ( can be done manually or through up2date )

    (e) If the control panel has any bugs, the software vendors should be contacted and informed about the bug, so that they will provide a fast fix for it.

    5) Now the proper security work comes :-D.
    Security is divided into two sections, host security and network security, and each of these sections has 3 parts in common:

    (a )Protection

    (b) Detection

    (c) Recovery

    5.1 )Host Security
    ==================
    (a) Please protect your system with a password

    (b) Check file systems ( set correct permissions and ownerships on files )
    eg: chmod -R 700 /etc/rc.d/init.d/*
    eg: Use rpm -Va to find out if an rpm is modified or affected

    (c) Apply security patches to vulnerable software ( eg : patch -p1 < patch file )

    (d) Remove all unwanted ttys and console logins by removing the entry from /etc/securetty

    (e) Check system logs ( eg : /var/log/messages , /var/log/secure etc )

    (f) Set a password for the boot loader ( LILO and GRUB support it )

    (g) Monitor the system ( nagios or Big Brother )

    5.2) Network Security
    =====================
    (1) Remove all unwanted users, groups

    (2) Use the below script to mail the sysadmin when another user with uid 0 is created
    =========================================
    The below script will mail the user when another user with uid 0 is added
    -------------------------script----------------------------------
    #!/bin/sh
    #
    # This script must be owned by root or at least setuid 0
    # It will scan the system and mail the root user when another user gains uid 0.

    # -F: splits /etc/passwd on colons; print every account whose uid (field 3)
    # is 0 but whose name (field 1) is not root
    for id in `awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd`
    do
        echo "ALERT Login ID ${id} has uid 0 !! `date "+Detected On Date :%D Time :%r"`" | mail -s "ALERT: User ${id} has UID 0" blessen@blessen.com
    done
    -----------------------------------------------------------------
    ========================================================

    (3) Only allow passwords with 16 characters ( can be done by making changes in login.defs )

    (4) Disable unwanted services, use TCP wrappers ( unwanted services can be disabled through xinetd.d or xinetd.conf ).

    (5) Set a timeout, so that idle users will be logged out after a certain amount of time

    (6) Disable all console program access
    (eg : rm -rf /etc/security/console.apps/<service name> )

    (7) Enable the nospoof option in /etc/host.conf

    (8) Specify the order in which the domain name should be resolved ( eg : order bind hosts )

    (9) Lock the /etc/services file so that no one modifies it

    (10) Restrict direct root login ( comment the PermitRootLogin option in sshd_config )

    (11) Restrict su, so that only wheel group members are able to su.
    (can use pam or remove the permission of others for the su binary )

    (12) Limit users' resources ( can use pam, specify the limits for each user in /etc/security/limits.conf )

    (13) Secure /tmp ( mount /tmp with noexec,nodev,nosuid )

    (14) Hide the server details. For that remove /etc/issue and /etc/issue.net

    (15) Disable unwanted suid and sgid files
    find / -type f \( -perm -04000 -o -perm -02000 \) -print


    eg : gpasswd, wall, traceroute etc....

    (16) Allow only ping from a specified location ( for monitoring systems to work ). Use iptables for that

    (17) Take preventive measures against DoS, ping of death etc. Use the below script for that
    http://www.webhostingtalk.com/showth...hlight=blessen

    (18) Install a firewall ( eg apf and iptables )

    (policy-->allow the ports which the box needs and block all other ports )
    Eg: http://www.rfxnetworks.com/
    Eg: http://www.yolinux.com/TUTORIALS/Lin...rkGateway.html

    (19) Install intrusion detection ( eg install tripwire or aide )

    eg: http://www.cs.tut.fi/~rammer/aide.html
    eg: http://www.redhat.com/docs/manuals/l...-tripwire.html

    (20) Install sxid to keep an eye on suid and sgid scripts.
    Link: http://linux.cudeso.be/linuxdoc/sxid.php

    (21) Restrict ssh to specific IPs and users ( I suggest going for key authentication using a passphrase )

    (22) Install logcheck to check the logs

    (23) Install tmpwatch to delete unused files from the /tmp directory

    (24) Install and set up portsentry and configure it to use iptables to block IPs

    (25) Install mod_security and mod_dosevasive to safeguard apache

    6) Submit a Status report
    ========================
    Notes: It will contain what all you have done on the server to secure it as per audit

    7) Testing and Optimization phase
    ==========================

    Use tools like nessus, nikto, nmap etc. to do a penetration test and see how well your server holds up. Also do a stress test etc.


    Optimization
    ==========
    1) Hard disk --> enable DMA for faster disk reads

    2) Limit user processes

    3) For mysql use these settings for good performance
    =======================mysql settings in my.cnf======================
    port = 3306 # I would always suggest changing the port
    skip-locking
    set-variable = max_connections=100
    set-variable = max_user_connections=20
    set-variable = key_buffer=16M
    set-variable = join_buffer=4M
    set-variable = record_buffer=4M
    set-variable = sort_buffer=6M
    set-variable = table_cache=1024
    set-variable = myisam_sort_buffer_size=32M
    set-variable = interactive_timeout=100
    set-variable = wait_timeout=100
    set-variable = connect_timeout=10
    set-variable = thread_cache_size=128
    ==============================================

    4) For proftpd use these settings
    ==========================ftp settings in proftpd.conf=======================

    TimeoutIdle 600
    TimeoutNoTransfer 600
    TimeoutLogin 300
    MaxInstances 30
    MaxClientsPerHost 2
    ==================================================================

    5) Disabling the logging of access time on partitions where the access time always changes ( eg /var ) will improve performance;
    for that just mount that partition with noatime

    6) Do not create large firewall policies, it will delay packets.

    7) Setting file system parameters to correct values will often provide good performance.

    8) While compiling always use these options
    For i686
    ======
    CFLAGS=-O9 ( for best optimization )
    -funroll-loops
    -ffast-math
    -mcpu=< your processor type >
    -march=< your processor type >
    -fomit-frame-pointer

    For i586
    ======
    CFLAGS=-O3
    -funroll-loops
    -ffast-math
    -mcpu=< your processor type >
    -march=< your processor type >
    -fomit-frame-pointer


    Hope this helps you....

    <edit>signature removed</edit>
    Last edited by choon; 03-14-2004 at 09:20 AM.
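    Items (15) and (20) above ask for a review of setuid/setgid files and for sxid to watch them over time. The script below is an added example, not from any post in the thread or from sxid itself: it records the setuid/setgid files under a tree as a baseline and later reports any file that gained one of those bits since, which is the check sxid automates. Function names are mine; the files in the test are created there and are not real system binaries.

```shell
#!/bin/sh
# Added example (not from the thread): baseline-and-diff check for setuid
# and setgid files, the idea behind sxid in item (20), in portable shell.

# Sorted list of regular files under $1 with the setuid (4000) or setgid
# (2000) bit set; -xdev keeps the scan on one filesystem.
suid_sgid_list() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Save the current list for tree $1 to baseline file $2. Run once on a box
# you trust (after chkrootkit has come back clean) and keep the file off-box.
suid_sgid_baseline() {
    suid_sgid_list "$1" > "$2"
}

# Print entries present now under tree $2 but absent from baseline $1.
# Returns 0 when nothing new appeared, 1 when it did (so cron can alert).
suid_sgid_new_since() {
    baseline="$1"; root="$2"
    # comm -13: drop lines only in the baseline (1) and lines in both (3),
    # leaving lines only in the current scan
    new=$(suid_sgid_list "$root" | comm -13 "$baseline" -)
    [ -z "$new" ] && return 0
    printf '%s\n' "$new"
    return 1
}

# Usage on a real system:
#   suid_sgid_baseline / /root/suid.baseline        # once, on a clean box
#   suid_sgid_new_since /root/suid.baseline /       # from cron; output = new suid/sgid files
```

    A file that shows up in the diff is either a legitimate package update or the kind of planted binary item (15) is about; either way it is worth checking with rpm -Va as in 5.1 (b) before it is trusted.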

  14. #39
    Join Date
    Aug 2003
    Location
    Gods Own Country
    Posts
    892
    I have made the above post just because of my "PASSION FOR SECURITY"

    its driven by passion.....

    <edit>signature removed</edit>
    Last edited by choon; 03-14-2004 at 12:05 PM.

  15. #40
    Join Date
    Mar 2003
    Location
    Kansas City, MO
    Posts
    71
    When you mention hosts.allow and you say:

    sshd: host.ip.number.1,host.ip.number.2,etc

    Do you mean
    sshd: 204.1.2.1,204.1.2.3,204.1.2.3

    I entered the IPs for my box, and then it wouldn't let me login. Luckily I had just restarted the net svc and stayed SSH'd in. If I had rebooted, I would have been furious.

    Can you show me an example on this one?
    Promethyl Corporate.
    Webhosting and Development.
    http://promethyl.com/

  16. #41
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,135
    Skip the commas, use spaces
    i.e.:
    123.456.789.0 098.765.432.1
    Note, there are no commas at all.

  17. #42
    Join Date
    Mar 2003
    Location
    Kansas City, MO
    Posts
    71
    Ah... that was what was wrong...
    Promethyl Corporate.
    Webhosting and Development.
    http://promethyl.com/

  18. #43
    Join Date
    Mar 2003
    Location
    Kansas City, MO
    Posts
    71
    Still, it does not allow me to connect (SSH Telnet) when that's in.

    What am I doing wrong?
    Promethyl Corporate.
    Webhosting and Development.
    http://promethyl.com/

  19. #44
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,135
    Make sure you've got the right ip address.
    If you're trying to connect from localhost, you'll need at least 127.0.0.1 and the base IP of the machine. If you're trying to connect from your own machine, then you'll need to figure out what IP you need to use.
    If you set it up as suggested, it will work. It's yet to fail me, and I've done it on numerous servers.

  20. #45
    Join Date
    Mar 2003
    Location
    Kansas City, MO
    Posts
    71
    Wait a tick, these are supposed to be the addresses of the foreign machines connecting, eh? Whoops. I was entering the addresses of my servers.
    Promethyl Corporate.
    Webhosting and Development.
    http://promethyl.com/
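    The hosts.allow syntax that posts #40 through #45 work through, as an added example that is not from any post in this thread: a small POSIX shell matcher for the two list forms used above (a full address, and the trailing-dot prefix from post #29), applied the way tcp_wrappers applies it, to the address of the connecting client and not to the server's own address. hosts_access(5) accepts blanks and/or commas as list separators, so the matcher takes both. The addresses are constructed documentation-range values and the function names are mine; the real check is done by the tcpd/libwrap code inside sshd, not by this script.

```shell
#!/bin/sh
# Added example (not from the thread): mimic how tcp_wrappers matches a
# client address against a hosts.allow / hosts.deny client list.

# wrappers_allows CLIENT_IP "entry entry,..."  -> 0 if any entry matches.
# Forms handled: ALL, an exact dotted address, and a prefix ending in "."
# (hosts_access(5): "a string that ends with a . matches if the leading
# numeric fields of the address equal it").
wrappers_allows() {
    client="$1"
    # list items may be separated by blanks and/or commas; normalise to blanks
    list=$(printf '%s' "$2" | tr ',' ' ')
    for entry in $list; do
        case "$entry" in
            ALL) return 0 ;;
            *.)  case "$client" in "$entry"*) return 0 ;; esac ;;  # prefix, e.g. 192.0.2.
            *)   [ "$client" = "$entry" ] && return 0 ;;            # exact address
        esac
    done
    return 1
}

# Evaluate the order tcp_wrappers uses: a match in hosts.allow grants,
# otherwise a match in hosts.deny refuses, otherwise access is granted.
# sshd_access CLIENT_IP "allow list" "deny list"  -> prints granted/refused
sshd_access() {
    client="$1"; allow="$2"; deny="$3"
    if wrappers_allows "$client" "$allow"; then echo granted; return 0; fi
    if wrappers_allows "$client" "$deny";  then echo refused; return 1; fi
    echo granted
    return 0
}

# Constructed example mirroring post #28: deny everything, allow one /24
# prefix plus one extra host (documentation-range addresses).
# sshd_access 192.0.2.10  "192.0.2. 198.51.100.7" ALL   # granted
# sshd_access 203.0.113.5 "192.0.2. 198.51.100.7" ALL   # refused
```

    Run it with the address you will actually be connecting from, as post #45 found: the list describes clients, so entering the server's own addresses locks you out, and testing a new list from a session that is already open (as post #40 did) is the safe way to try it.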

  21. #46
    Join Date
    Feb 2004
    Location
    Oslo/finnmark, Norway
    Posts
    120
    Can anyone explain to me how I allow only specified IPs to ping my box?

  22. #47
    Join Date
    Feb 2003
    Location
    Panorama City, CA
    Posts
    2,581
    # disable packet forwarding
    net.ipv4.ip_forward = 0
    # enable source route verification
    net.ipv4.conf.all.rp_filter = 1
    # ignore broadcast pings
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    # enable syn cookies
    net.ipv4.tcp_syncookies = 1
    # size of syn backlog
    net.ipv4.tcp_max_syn_backlog = 512
    # disable automatic defragmentation
    # set max files
    fs.file-max = 32768
    # Enable IP spoofing protection, turn on Source Address Verification
    net.ipv4.conf.all.rp_filter = 1
    # Enable TCP SYN Cookie Protection
    net.ipv4.tcp_syncookies = 1
    # Enable ignoring ping request
    net.ipv4.icmp_echo_ignore_all = 1


    When you do that, is there a way to allow one port to be seen, i.e. 80? Because when I take a server to a LAN party I don't know what the IP address is, and it takes a long time to find it again.

    So is there a way to do that? Or should I just install a firewall?

  23. #48
    Join Date
    Feb 2003
    Posts
    110
    After configuration, I noticed that user "nobody" is running unusual processes:

    5528 nobody 0 0.0 0.0 ps aux
    5185 nobody 0 0.0 0.0 lpd
    5665 nobody 0 0.0 0.0 2 pckt
    5689 nobody 0 0.0 0.0 1 pckt

    Is it normal?

    Thanks

  24. #49
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    # Enable ignoring ping request
    net.ipv4.icmp_echo_ignore_all = 0


    that will allow you to ping your boxes
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
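    The sysctl fragment in post #47 and the one-line correction in post #49, with an added example that is not from either post: a small lint for a sysctl.conf-style fragment before it goes into /etc/sysctl.conf. It reports keys assigned more than once (the fragment above sets net.ipv4.conf.all.rp_filter and net.ipv4.tcp_syncookies twice; sysctl accepts that silently and the last assignment wins) and compares the effective values against the hardening values the post intends. SAMPLE_SYSCTL is that fragment with its comments stripped; function names and the expected-value list are mine. Note that icmp_echo_ignore_all is all-or-nothing: letting only a monitoring host ping, as post #46 asks, is the iptables job item (16) of post #38 describes, not a sysctl.

```shell
#!/bin/sh
# Added example (not from the thread): lint a sysctl.conf fragment.
# SAMPLE_SYSCTL is the fragment from post #47, comments removed.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 512
fs.file-max = 32768
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_all = 1'

# Keys assigned more than once in fragment $1, one per line, sorted.
sysctl_duplicate_keys() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        { k = $1; gsub(/[ \t]/, "", k); n[k]++ }     # count assignments per key
        END { for (k in n) if (n[k] > 1) print k }' | sort
}

# Effective value of key $1 in fragment $2: the last assignment wins, as in sysctl(8).
# Prints an empty line when the key is not set.
sysctl_value() {
    printf '%s\n' "$2" | awk -F= -v want="$1" '
        /^[ \t]*(#|$)/ { next }
        { k = $1; v = $2
          gsub(/[ \t]/, "", k); gsub(/^[ \t]+/, "", v); gsub(/[ \t]+$/, "", v)
          if (k == want) last = v }
        END { print last }'
}

# Compare fragment $1 against the hardening values the post intends.
# Prints one MISMATCH line per deviation; returns 0 only when all match.
sysctl_check_expected() {
    frag="$1"; rc=0
    for pair in net.ipv4.ip_forward=0 net.ipv4.conf.all.rp_filter=1 \
                net.ipv4.tcp_syncookies=1 net.ipv4.icmp_echo_ignore_broadcasts=1; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sysctl_value "$key" "$frag")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: got '${got:-unset}', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# Usage against the real file:
#   sysctl_duplicate_keys "$(cat /etc/sysctl.conf)"
#   sysctl_check_expected "$(cat /etc/sysctl.conf)"
```

    The same check against the live kernel is `sysctl -n net.ipv4.conf.all.rp_filter` and friends after `sysctl -p`; a file that lints clean but a kernel that reports different values means the file was never applied.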

  25. #50
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,135
    Originally posted by ymfm
    After configuration, I noticed that user "nobody" is running unusual processes:

    5528 nobody 0 0.0 0.0 ps aux
    5185 nobody 0 0.0 0.0 lpd
    5665 nobody 0 0.0 0.0 2 pckt
    5689 nobody 0 0.0 0.0 1 pckt

    Is it normal?

    Thanks
    No, not at all
    lpd is your line printer daemon, which is normal
    nobody shouldn't even be logging into your server, yet it's doing a ps? 10:1 you've been hacked. Check for a rootkit and see what's going on from there.
    Tom Whiting, WHMCS Guru extraordinaire
    Linux problems? WHMCS Problems? Give me a shout
    Check out my WHMCS Addons
