
securing the system, stopping unnecessary services and closing open ports.



Nmap suggests the following ports are open:

25/tcp   open  smtp
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
901/tcp  open  samba-swat
2049/tcp open  nfs

I run a desktop email client that uses SMTP; apart from that, I do not know why the rest of the above services are open.

It even had SSH listening on 22. I changed the port # and also changed PermitRootLogin to no in /etc/ssh/sshd_config after looking at the output below.
I also installed gufw and set it to deny as default.

root@computer:/home/user# grep -ir "Failed password" /var/log/*
/var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
/var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
root@computer:/home/user# grep -ir BREAK-IN /var/log/*
/var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co [190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!


How can I find out if this system has been compromised?

What are the steps I need to take to secure it?
--
Kind regards,
Yudi
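
Added example, not part of the original post: the two grep commands above only show failed attempts, so this sketch also looks for sshd "Accepted" lines and flags any successful login from an address that was also failing passwords. The first two sample lines are from the post (grep's filename prefix removed); the others, the function name `triage` and the documentation-range addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# sshd auth.log patterns: "Failed password for [invalid user] NAME from IP" and
# "Accepted password|publickey for NAME from IP".
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

# First two lines are from the post; the rest are constructed for illustration
# (203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges).
SAMPLE = """\
Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
Aug 16 03:01:11 computer sshd[6001]: Failed password for user from 203.0.113.7 port 40110 ssh2
Aug 16 03:01:15 computer sshd[6001]: Failed password for user from 203.0.113.7 port 40110 ssh2
Aug 16 03:01:19 computer sshd[6003]: Accepted password for user from 203.0.113.7 port 40112 ssh2
Aug 16 09:30:02 computer sshd[6120]: Accepted publickey for user from 198.51.100.20 port 51514 ssh2
""".splitlines()

def triage(lines):
    """Return (failures per source IP, accepted logins from IPs that also failed)."""
    failures = defaultdict(lambda: {"count": 0, "users": set()})
    accepted = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip]["count"] += 1
            failures[ip]["users"].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append({"ip": ip, "user": user, "method": method, "line": line})
    # A success from an address that was also guessing passwords needs a closer
    # look (it can also be the owner mistyping, so treat it as a lead, not proof).
    suspicious = [a for a in accepted if a["ip"] in failures]
    return dict(failures), suspicious

if __name__ == "__main__":
    failures, suspicious = triage(SAMPLE)
    for ip, info in sorted(failures.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip}: {info['count']} failed, users tried: {sorted(info['users'])}")
    for hit in suspicious:
        print("REVIEW:", hit["line"])
```

An empty review list only covers the lines that were fed in, so the rotated files (auth.log.1 and older) need to be included as well.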

