- 07-07-2010 #1 Just Joined! (Join Date: Nov 2009, Posts: 27)
Paranoia
Ok, so one day my machine went crazy.
The mail server stopped working, and I had to completely re-install it and it took forever.
So I was suspicious that hackers might have gained access and tried to bug my mailserver.
Since then I have installed debsums and avast.
I have been running rkhunter daily.
I have been searching through all of my logs.
I have been sitting and watching tcpdump go as I try and understand what it is telling me.
I still don't feel safe.
If debsums says everything is OK, can I be sure that I have not been hacked?
If the logs say everything is OK, can I be sure nobody actually has access to my system?
I have heard about Linux malware that changes the logging behavior.
Does anybody know how I can easily observe software on my server that might be trying to phone home?
I have been trying to read up on iptables firewalls and Linux security, but does anybody have any quick tips for me?
Is tcpdump the best way to see if my system is compromised?
- 07-17-2010 #2 Just Joined! (Join Date: Jul 2010, Posts: 13)
Well, I don't think someone is hacking you. (To catch a hacker with tcpdump you have to run tcpdump while he is hacking.) Try to explain the problems and the settings of the mail server.
- 07-17-2010 #3 Just Joined! (Join Date: Nov 2009, Posts: 27)
- 07-17-2010 #4 Just Joined! (Join Date: Aug 2009, Posts: 79)
- 07-17-2010 #5 Just Joined! (Join Date: Aug 2009, Posts: 79)
Re-installing software to get rid of problems may have worked for you using The Other OS but for GNU/Linux it is not a good standard approach: fix them instead by gathering process, user, network and open files information, reading the logs, verifying configurations, checking permissions, reconfiguring, et cetera.
Suspicions should not be ignored. What leads did you have that made you doubt the machine was no longer under your control?
Any single local tool you run on a (perceived compromised) live system is subject to tampering. That's why it's good to run investigations from a Live CD if you have strong doubts (OK, doesn't work for machines in colo of course). Taking precautions (right after installing the OS and before exposing it publicly to hostile networks) is the best start, and running auditing software is as good as the information it safeguards (so making off-site backups of its databases, binaries and configuration files is recommended).
You've taken some measures, good, and your distribution might provide you with documentation about securing and hardening your system to ensure you have covered all aspects. Otherwise generic HOWTOs, even if old, like the Linux Security HOWTO or Securing Debian Manual might provide a start. (Or search around or see this.)
If the machine was not tampered with and the system is configured to log enough information that you can deduce that from then, yes.
There are log scrubbers that try to wipe out user login records and log lines. Those can be found as collateral, for instance if a cracker has gained root. Note that this type of compromise has been getting rarer and rarer over the past ten years.
- Don't install software packages or scripts from untrusted sources,
- Do not allow root to log in over the network ever,
- Do not allow users to access the root account (use sudo instead),
- Run all publicly accessible services in their own unprivileged or lesser privileged user account (should be default),
- Don't set or allow ridiculously broad permissions (0666, 0777) for publicly accessible directories and files,
- Don't configure options for publicly accessible services that are known to weaken the security posture (say php.ini directives),
- Ensure all publicly accessible services log as verbosely as you need them to,
- Regularly change passwords and age accounts for all human account users and root,
- Deny bogons and if possible restrict public access and limit traffic to services (service configuration, tcp_wrappers, iptables),
- If possible restrict outbound traffic,
- Configure which users can log in to what services over the network (say ssh: AllowUsers, PAM: /etc/security/access.conf),
- Log and drop traffic to accounts, services, files and directory paths that are restricted or unavailable (service configuration, tcp_wrappers, iptables),
- Regularly test the state of the system locally and from remote (your distro's package management verification features, GNU Tiger, Nmap, OpenVAS, etc.),
- Regularly audit your system,
If you do that then your logs will be filled with warnings you can run Logwatch on.
HTH
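As an added example (not code from this thread or from any of the tools named in it), here is a small shell audit for three items of the checklist above: no root login over ssh, an explicit AllowUsers list, and no 0666/0777 permissions under a publicly accessible directory. The function names (sshd_value, check_sshd, broad_perms) and the sample sshd_config files and "public" directory are hypothetical and constructed inside a temp dir so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from this thread: audits three checklist items
# (no root ssh login, AllowUsers set, no 0666/0777 files under a public dir)
# against constructed sample input in a temp dir, so it runs offline.

# sshd uses the FIRST uncommented value of a keyword, so the audit must too.
sshd_value() {   # sshd_value <file> <keyword-in-lowercase> -> prints value or nothing
    awk -v k="$2" 'tolower($1) == k && !seen { print $2; seen = 1 }' "$1"
}

# Returns 0 when root cannot log in over ssh and AllowUsers is set;
# otherwise prints each finding and returns 1.
check_sshd() {
    rc=0
    prl=$(sshd_value "$1" permitrootlogin)
    [ "$prl" = "no" ] || { echo "FAIL PermitRootLogin is '${prl:-unset}'"; rc=1; }
    [ -n "$(sshd_value "$1" allowusers)" ] || { echo "FAIL AllowUsers not set"; rc=1; }
    return $rc
}

# Lists everything under $1 that is world-writable: -perm -0002 matches 0666,
# 0777 and any other o+w mode. Symlinks are skipped (always 0777 on Linux).
broad_perms() {
    find "$1" ! -type l -perm -0002 2>/dev/null | sort
}

# ---- constructed sample input (hypothetical files, not from a real host) ----
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/sshd_config.weak" <<'EOF'
# Appending a fix at the bottom does not help: sshd keeps the first value.
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
cat > "$SAMPLE/sshd_config.hardened" <<'EOF'
PermitRootLogin no
AllowUsers alice bob
EOF
mkdir -p "$SAMPLE/public" && chmod 0755 "$SAMPLE/public"
: > "$SAMPLE/public/upload.php"  && chmod 0777 "$SAMPLE/public/upload.php"
: > "$SAMPLE/public/index.html"  && chmod 0644 "$SAMPLE/public/index.html"

for f in weak hardened; do
    echo "== sshd_config.$f"
    check_sshd "$SAMPLE/sshd_config.$f" && echo "OK"
done
echo "== world-writable under public/"
broad_perms "$SAMPLE/public"
```

On a real server, call check_sshd with /etc/ssh/sshd_config and broad_perms with your document root. Directives inside a Match block apply only conditionally, which this script does not model, so review such configs by hand.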