I use it now, as I said, I was too reckless.
I am asking, because I am not a security expert and I want to learn and I like to know the experience of others.
Yes sure, maybe you can give me some advice.
Again, what happened to the broken server:
bash was deleted, history was deleted, whitecat has been installed
auth.log was still present
some user accounts with root access have been created like:
htop with root access and bash
plex user (like...
@blunix, I just use ipv8;)
So, the honeypot server is set up on the same domain and same port 22. I hope the leaked pw is still in use by the bots.
If someone comes and logs in, everything it/he does will be logged independently of bash history.
Wow, what traffic here :) I also changed the port to a high number on all my different servers now. In auth.log there are also login attempts. So it is much less than on port 22, but not zero.
Here are some IPs from auth.log on the high port
107.170.227.24 (San Francisco, California)
107.170.233.14 (San...
thx @blunix and @f33dm3bits
Yes, password login is a bad idea, I know. So passwd login is disabled now. Next step I will block all IPs except mine.
My ISP has a changing IP, so I have to update the iptables automatically ...
I did not know port-knocking, I will have a look at the topic. Good...
Thanks for your answers!
@Condobloke, no reinstall, I tested the system with ClamAV, rootkithunter, chkrootkit and maldetect.
Nothing found after the reboot.
I guess it was a crypto miner running or a script using my server for DDoS, because the system was OOM when I arrived at the server physically...
Greetings to you,
A few days ago my server was hacked and crashed via out of memory.
In the auth.log I discovered my password as username. So my pw was stolen.
I got a lot of successful logins from many IPs in my auth.log!
Source of my pw, I guess:
I had saved the password of the Debian...