
Thread: OpenSUSE security and examine a system.

  1. #1

    OpenSUSE security and examine a system.

    Hello.
    I installed OpenSUSE 42.3 and enabled the firewall via "yast". Today, OpenSUSE is sending a lot of packets and using all of the internet bandwidth. I want to know: is OpenSUSE a good distro for a server?
    How can I tell whether the server has been hacked or not? Which log files must be checked?
    I just installed Apache and I guess its default configuration bans access to Apache files.

    Thank you.

  2. #2
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,014
    Blog Entries
    1

    Re: OpenSUSE security and examine a system.

    Today, OpenSUSE is sending a lot of packets and using all of the internet bandwidth,
    Further analysis with tools like wireshark, iptraf, and nethogs may be helpful in determining what kind of traffic is evident.
    I want to know: is OpenSUSE a good distro for a server?
    Why not? (This is a very general question, so you're bound to get subjective answers here.)

    Start by inspecting the apache logs perhaps...
    https://doc.opensuse.org/documentati...a.apache2.html
    Last edited by deano_ferrari; 26-May-2019 at 14:30.
    openSUSE Leap 15.0; KDE Plasma 5

  3. #3

    Re: OpenSUSE security and examine a system.

    Thank you.
    According to this guide (https://bash-prompt.net/guides/server-hacked/), I checked the server with some commands like "w", "last" and "history" but I can't see anything unusual. I checked the Apache log and found something:

    [image: https://postimg.cc/QBZCYxqD]

    As you see, someone hacked my system through a proxy from Russia. They use a file with the name "dd.rar", but how did this happen? The OpenSUSE firewall is activated:
    Code:
    $ sudo systemctl status SuSEfirewall2
    And:

    [image: https://postimg.cc/HJPGcb9j]

    How can I find out how they did it? If they cleared their logs, then how can I recover them?
    It is the second time that I installed OpenSUSE and my server got hacked.

    Thank you.

  4. #4
    Join Date
    Feb 2010
    Location
    Germany
    Posts
    2,418

    Re: OpenSUSE security and examine a system.

    @hack3rcon:

    If you insist on changing the default permissions of your Apache Web Server and insist on presenting the entire directory structure of your system via that Web Server, then:
    1. Do not be surprised by a lot of Internet traffic being generated by that system.
    2. Do not be surprised that someone, somewhere, will attempt to gain access to that system …

  5. #5

    Re: OpenSUSE security and examine a system.

    Quote Originally Posted by dcurtisfra View Post
    @hack3rcon:

    If you insist on changing the default permissions of your Apache Web Server and insist on presenting the entire directory structure of your system via that Web Server, then:
    1. Do not be surprised by a lot of Internet traffic being generated by that system.
    2. Do not be surprised that someone, somewhere, will attempt to gain access to that system …
    I never changed the permissions:

    image-3

    What's happened?

  6. #6
    Join Date
    Feb 2010
    Location
    Germany
    Posts
    2,418

    Re: OpenSUSE security and examine a system.

    Quote Originally Posted by hack3rcon View Post
    I never changed the permission:
    I don't mean the file system permissions – I mean the permissions set up by the Web Server's configuration – the Web Server permissions set up by the files in /etc/apache2/ …

  7. #7
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    10,836
    Blog Entries
    2

    Re: OpenSUSE security and examine a system.

    Your logfiles do not say you are hacked...
    Your logfiles are reporting events, including unsuccessful attempts (those are the 404 error codes; you can look that up).
    They say that a proxy cluster in Russia is trying to download dd.rar from your machine, but unsuccessfully, since you probably aren't serving that file.

    If you want to discourage the guy, then block his IP address (various ways to do this including in your firewall). Since the "attacker" (whether intentional or not) is connecting through what appears to be a proxy cluster, there are probably several IP addresses in that cluster.

    What would you be looking for that would indicate a hacked website (or system, the two aren't necessarily the same)?
    You'd be looking for 200 events (successful events), and in particular POST events that read 200, which would mean that someone has successfully uploaded something to your website.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  8. #8

    Re: OpenSUSE security and examine a system.

    On 05/27/2019 12:16 AM, hack3rcon wrote:

    Why are you starting with openSUSE 42.x when 15.1 is out? It's not a huge
    failure to use 42.x, but if you're starting out you should probably start
    with the latest so you can become familiar with it the most while it is in
    active support, and be on a version most people will be installing today.

    > Thank you.
    > According to 'this guide'
    > (https://bash-prompt.net/guides/server-hacked/), I checked the server with
    > some commands like "w", "last" and "history" but I can't see anything
    > unusual. I checked the Apache log and found something:
    >
    > [image: https://postimg.cc/QBZCYxqD]
    >
    > As you see, someone hacked my system through a proxy from Russia. They
    > use a file with the name "dd.rar", but how did this happen? The OpenSUSE
    > firewall is activated:


    Um.... where do you see that? Having a log file is a good start, but
    understanding it is something else entirely. This is showing clients,
    some possibly from Russia, and mostly shows your server rejecting them
    with appropriate return codes.

    P.S. Pasting text is appreciated, as it is much more searchable,
    indexable, and easier to move around (you could trivially paste your logs
    here, for example). With logs here we could possibly help you understand
    what they mean better, and that would be a good first step for you at this
    point.

    > Code:
    > --------------------
    >
    > $ sudo systemctl status SuSEfirewall2
    >
    > --------------------
    >
    >
    > And:
    > [image: https://postimg.cc/HJPGcb9j]


    If you are new to having a server (regardless of distribution or OS) then
    the first thing you do should probably NOT be putting it on the Internet.
    Even if you do, though, you shouldn't immediately be "hacked" (unless
    you're running something very insecure from the start), but you will
    certainly see a lot of drive-by scanners like these; welcome to having a
    server on the public Internet; that's normal.

    > How can I find out how they did it? If they cleared their logs, then how
    > can I recover them?


    If you have deleted files then recover them from a backup. If you do not
    have a backup, then get a backup. Better yet send logs to a dedicated log
    server which is separate and writing to a write-once-read-many (WORM)
    device. Of course, all of this is probably overkill for you since you are
    not an enterprise and are just starting out, but this is how it can be done.

    > It is the second time that I installed OpenSUSE and my server got hacked.


    You need to start with dropping assumptions about what you are seeing in
    the logs. Understand the logs, what they actually mean, and what that
    means for your computer.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
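    The triage that tsu2 (#7) and the reply in #8 describe, as an added example that is not code from this thread, from openSUSE or from Apache: parse combined-format access_log lines, split the failed probes (404s, possibly the same path hitting from several proxy addresses) from the successful requests, and pull out any POST answered 200 together with what the same client fetched afterwards. The log lines are constructed for the example (documentation-range addresses from RFC 5737; /upload.php and /uploads/shell.php are hypothetical paths), and the default log location given in the docstring is an assumption about a stock openSUSE install.

```python
#!/usr/bin/env python3
"""Triage an Apache access_log: separate failed probes from successful requests.

Added example for this thread; not part of openSUSE or Apache. On a stock
openSUSE install the combined-format log is assumed to be
/var/log/apache2/access_log; pass another path as the first argument.
"""
import re
import sys
from collections import Counter, defaultdict

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample, not the poster's real log. Addresses are from the
# RFC 5737 documentation ranges; the upload paths are hypothetical.
SAMPLE_LOG = """\
203.0.113.10 - - [27/May/2019:10:01:12 +0430] "GET /dd.rar HTTP/1.1" 404 1035 "-" "Mozilla/5.0"
203.0.113.11 - - [27/May/2019:10:01:13 +0430] "GET /dd.rar HTTP/1.1" 404 1035 "-" "Mozilla/5.0"
203.0.113.12 - - [27/May/2019:10:01:14 +0430] "GET /dd.rar HTTP/1.1" 404 1035 "-" "Mozilla/5.0"
203.0.113.10 - - [27/May/2019:10:01:15 +0430] "GET /phpmyadmin/ HTTP/1.1" 404 1035 "-" "Mozilla/5.0"
198.51.100.7 - - [27/May/2019:10:05:00 +0430] "GET /index.html HTTP/1.1" 200 45 "-" "curl/7.60.0"
198.51.100.7 - - [27/May/2019:10:05:01 +0430] "POST /upload.php HTTP/1.1" 200 12 "-" "curl/7.60.0"
198.51.100.7 - - [27/May/2019:10:05:02 +0430] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 80 "-" "curl/7.60.0"
192.0.2.44 - - [27/May/2019:10:06:00 +0430] "GET /icons/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
this line is garbage and is skipped
"""


def parse(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def status_by_ip(text):
    """Counter of response codes per client address: who fails, who succeeds."""
    per_ip = defaultdict(Counter)
    for rec in parse(text):
        per_ip[rec["ip"]][rec["status"]] += 1
    return per_ip


def probe_targets(text):
    """Paths that were only ever answered 404, mapped to the addresses that asked.

    A path like /dd.rar requested from several addresses and never found is a
    scanner (or proxy cluster) probing, not evidence that anything was taken.
    """
    statuses, askers = defaultdict(set), defaultdict(set)
    for rec in parse(text):
        statuses[rec["path"]].add(rec["status"])
        askers[rec["path"]].add(rec["ip"])
    return {p: askers[p] for p, seen in statuses.items() if seen == {404}}


def successful_posts(text):
    """POST requests answered 200: the event that can mean the server accepted a file."""
    return [(r["ip"], r["path"]) for r in parse(text)
            if r["method"] == "POST" and r["status"] == 200]


def followups(text, client_ips):
    """Successful GETs from the given clients: what the POSTing clients came back for."""
    return [(r["ip"], r["path"]) for r in parse(text)
            if r["ip"] in client_ips and r["method"] == "GET" and r["status"] == 200]


def main(argv):
    text = open(argv[1], errors="replace").read() if len(argv) > 1 else SAMPLE_LOG
    print("responses per client:")
    for ip, counts in sorted(status_by_ip(text).items()):
        print(f"  {ip:15} {dict(sorted(counts.items()))}")
    print("paths only ever answered 404 (probes; candidates for a firewall block):")
    for path, ips in sorted(probe_targets(text).items()):
        print(f"  {path:30} from {len(ips)} address(es): {', '.join(sorted(ips))}")
    posts = successful_posts(text)
    print("POST answered 200 (investigate these first):", posts or "none")
    if posts:
        print("  successful GETs from the same clients:",
              followups(text, {ip for ip, _ in posts}))


if __name__ == "__main__":
    main(sys.argv)
```

    Run it as `python3 triage.py /var/log/apache2/access_log`. On the sample it reports /dd.rar as a 404-only path hit from three addresses (the "proxy cluster" pattern, all of which you would block, not just one), and flags the one POST that got a 200 plus the GET of a script under /uploads/ from the same client, which is the sequence that actually warrants a closer look. A 404 storm alone is the normal background noise of a public server.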

  9. #9

    Re: OpenSUSE security and examine a system.

    Quote Originally Posted by tsu2 View Post
    Your logfiles do not say you are hacked...
    Your logfiles are reporting events, including unsuccessful attempts (those are the 404 error codes; you can look that up).
    They say that a proxy cluster in Russia is trying to download dd.rar from your machine, but unsuccessfully, since you probably aren't serving that file.

    If you want to discourage the guy, then block his IP address (various ways to do this including in your firewall). Since the "attacker" (whether intentional or not) is connecting through what appears to be a proxy cluster, there are probably several IP addresses in that cluster.

    What would you be looking for that would indicate a hacked website (or system, the two aren't necessarily the same)?
    You'd be looking for 200 events (successful events), and in particular POST events that read 200, which would mean that someone has successfully uploaded something to your website.

    TSU
    Someone has successfully uploaded something to my website? How? Does the default configuration allow it?

  10. #10

    Re: OpenSUSE security and examine a system.

    Quote Originally Posted by dcurtisfra View Post
    I don't mean the file system permissions – I mean the permissions being setup by the Web Server's configuration – the Web Server permissions being setup by the files in /etc/apache2/ …
    I never changed the default configuration.
