This is Part 2 of a GoGrid security blog series on identifying and recovering from a Linux security breach. Part 1 provided general guidelines for conducting a security analysis on a compromised Linux server and forming strategic teams to address and resolve the breach.
In this article, we’ll review some recommended steps for recovering from a breach.
Recovering from the Breach
Lock the doors
Now that you’ve confirmed that there are no intruders logged in and you’ve identified the established connections, it’s time to “lock the doors.” What this involves depends on who manages your firewall. Contact GoGrid if we’re managing your firewall, or perform the following actions if you manage it yourself:
- Modify your system’s iptables configuration to restrict all remote console connections, such as SSH, to your office network.
- Modify your system’s iptables configuration to block all previously identified suspicious connections to and from your system.
- Modify your system’s iptables configuration to block all other services from the public Internet to your server. Doing so will effectively bring down your website or services, but you want to avoid compromising your customers or website visitors.
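The three steps above as one rule set, as an added example (not a GoGrid script): it only prints the iptables commands so they can be reviewed before being applied, and the office network and suspicious hosts are constructed placeholder values from the RFC 5737 documentation ranges.

```sh
#!/bin/sh
# Added example, not GoGrid's own tooling: print an iptables rule set that
# implements the three "lock the doors" steps. It only PRINTS the commands
# so they can be reviewed; apply them with:  sh lockdown.sh | sudo sh
# Run it from the console or from the office network, or you lock yourself out.

# Constructed placeholder values (RFC 5737 documentation ranges), not real hosts.
OFFICE_NET="203.0.113.0/24"
SUSPICIOUS_HOSTS="198.51.100.7 198.51.100.23"

# lockdown_rules OFFICE_CIDR [SUSPICIOUS_HOST ...]
# Rule order matters: the suspicious-host DROPs go before the ESTABLISHED
# rule so their already-open sessions are cut off, not grandfathered in.
lockdown_rules() {
    office="$1"; shift
    echo "iptables -F INPUT"                       # start from a clean inbound chain
    echo "iptables -A INPUT -i lo -j ACCEPT"       # local processes keep working
    for h in "$@"; do                              # step 2: identified suspicious hosts
        echo "iptables -A INPUT -s $h -j DROP"
        echo "iptables -I OUTPUT 1 -d $h -j DROP"  # outbound too, so the server cannot call back to it
    done
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # step 1: new SSH sessions only from the office network
    echo "iptables -A INPUT -p tcp --dport 22 -s $office -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -P INPUT DROP"                  # step 3: everything else from the Internet
}

lockdown_rules "$OFFICE_NET" $SUSPICIOUS_HOSTS
```

Verify afterwards with `iptables -L INPUT -n -v --line-numbers` that the DROP rules sit above the ESTABLISHED rule and that the chain policy reads DROP.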
Install and run a rootkit analyzer