newbie help: foolish I got hacked

I've fooling around with linux boxes for quite a while, but here got my first introduction to the scary world that exhist outside of my safe pre-programmed router. Here is My problem:

I was converting my ubuntu server to gentoo to set up a nat gateway between the router and the wired network. I was going to add firewall / proxy and a few things and start to move services off the underpowered router.

Mistake 1: using an overly simple password while setting up system. I ssh alot, have to keep restarting and so genorally just use keyboard rolls when I'm setting up. I won't do it again.

So I set up two nics, iptables, dhcp and samba. Got internal computers connecting to the net.

Mistake 2: Putting the router in "demilitarized zone" on router. Basically means all non-nat-port-forwarded-ports go to box I just set up. with open ssh. And simple password.

Might hove just been bad luck, but within ten minuteo on reconnecting via ssh my previous login was from an aol address somewhere in America (I'm in Australia).

So I restarted router (dynamic IP from ISP at least they wont know where I am). I checked iptables rules there are a few rampant accepts in the hope that if I set up firewall correctly I will gloss over it. It annoys me that some 12 yo from kentucky has got into my system but I,m not out for revenge or anything. My question from a reasonable noobie is apart from beefing password, deleting iptables rules, hiding server back behind properly set up router what can I do?

I have generic syslog-ng set up; is there any way to see what has been tinkered with? I've put only about 10 hours into setting up server, should I just scrap it and start again?

kimbecause,

You can review the shell history files to see what was done.
You can run rootkit hunter to look for back doors.
But a smart intruder will cover his tracks well.

The best approach would be to scrap it and start over.

CSR

Ok thanks . . . those are the lessons you learn I guess.

The best way to learn things is by learning them the hard way, which is what you just did. I also learnt something the hard way. I gave my friend access to my server (it's a home server, nothing important) with sudo access (it's Ubuntu) through SSH, and I told him only to use a client installed on the pc and not a web bases one. He used a web based one, and my system got cracked, cracker screwed up the system, and while I was trying to fix it, my friend tried to log out, which didn't work so he rebooted, ehhh, auch, screwed up the whole system and got kernel panic, could reinstall the system! (Happy I had back-uped my system)

It's also a very good idea to run SSH over a port other than 22. Change that to somewhere above 3000 (I admit, it's completely arbitrary).

It wont help your security one bit, but many evil portscans don't go so high up and thus a lot of scriptkiddies wont attempt at breaking in. I used to have possibly hundreds of attempts to break in per day, and now none.


Also, you can use iptables to block out a lot of addresses by range. I have a filter that is pretty crude, but it stops 70~80% of all 'hostile' traffic while blocking none of the 'friendly' traffic. If someone is out to get you, this isn't even remotely watertight. But it seems most attacks are just opportunistic, this is quite effective if only because it keeps the logs quiet.
If you are interested, I posted it in the security section.

I do have a port set, it is around the range 10.000 - 100.000, good luck finding it. The only thing is that my friend used a web based client which doesn't check the key, so there was a man in the middle. Ouch, that hurt. It took me 3 days to restore the damage done in 3 minutes.:dazed: So learn the lesson I learnt this way: "Be smart and do ssh only inside your network, never over WAN, you don't know whether or not there is somebody listening!"