Topic: Server hacked, running nothing but iRedMail...

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.1 MARIADB edition
- Deployed with iRedMail Easy or the downloadable installer? Github download, manual install
- Linux/BSD distribution name and version: Ubuntu 18.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): Mysql
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I set up a brand new Ubuntu 18.04 server about a month ago. The first thing I did was upgrade packages, then proceed to install and configure iRedMail and set up an account. This went perfectly fine. I have used it a little bit to send a few emails and received a couple too from legitimate sources/businesses.

About 2 hours ago I got an abuse report from my server host stating that my IP has been attacking sshd instances on other servers, and I have 48 hours to resolve the issue. I looked for more info on my IP and was able to find that there's been a number of attacks logged from my server starting April 15th.

I have investigated my server for files which were modified in the last 30 days, in the folders /tmp /bin /sbin /var /opt /home and /usr, and nothing can be found. I checked the entire log of /var/log/auth.log and found nothing, no successful brute-force logins. I had a brief look at syslog for anything suspicious too and found nothing. A full clamav scan shows 0 results. I checked every Logwatch email for anything else suspicious too.

I am at a loss as to how this happened. What can I do to find out how this happened and stop it happening again?


Re: Server hacked, running nothing but iRedMail...

For starters, I'd change the passwords for any SSH accounts that might have been accessible, but other than that you should really lock down your SSH access. Using SSH keys is one way of locking down access to only trusted users, the other way to do it is to only allow specific IP addresses to connect to SSH, which is useful if you have a static IP at the location you primarily connect from.

SSH key based authentication is still significantly more secure though and is highly recommended for any SSH servers exposed to the internet.

Check in /var/log/syslog to make sure that fail2ban is assessing SSHD connections; you might have issues with fail2ban not working, in which case people can brute force your passwords.

Have a look over this link, it has some useful information, but be careful you don't go locking yourself out from your own server before you get everything working properly :)
OpenSSH Security - Best Practices

Re: Server hacked, running nothing but iRedMail...

- If the root account was hacked, I PERSONALLY prefer to rebuild the server.
- After setting up the new server, please disable password login for the ssh service, just use a (strong) key. This way you don't need to care about ssh attacks.
- Always use a strong password for email accounts. Also force your end users to do so, unless you want to be woken up by some phone call at night.
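As an added example (not from any poster in this thread), here is a shell script for the auth.log triage the two replies above imply: it lists every accepted password login (the logins key-only authentication would eliminate), counts failed password attempts per source IP (what fail2ban should be catching), and flags source IPs that failed repeatedly and then got in. The log lines embedded in it are constructed samples, not from the poster's server.

```shell
#!/usr/bin/env bash
# Added example: triage OpenSSH auth.log entries for password logins and
# brute-force-then-success patterns. Log lines below are constructed samples.

SAMPLE_LOG='Apr 15 02:11:03 mail sshd[1201]: Failed password for root from 198.51.100.23 port 51022 ssh2
Apr 15 02:11:05 mail sshd[1201]: Failed password for root from 198.51.100.23 port 51022 ssh2
Apr 15 02:11:09 mail sshd[1210]: Accepted password for root from 198.51.100.23 port 51030 ssh2
Apr 15 09:30:41 mail sshd[2201]: Accepted publickey for admin from 203.0.113.7 port 40012 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Apr 16 11:02:17 mail sshd[3010]: Failed password for invalid user oracle from 192.0.2.55 port 33112 ssh2'

# Every successful login: prints "<method> <user> <source-ip>".
accepted_logins() {
  awk '/sshd\[[0-9]+\]: Accepted /{ print $7, $9, $11 }' "$1"
}

# Successful logins that used a password (what key-only auth would eliminate).
password_logins() {
  accepted_logins "$1" | awk '$1 == "password" { print $2, $3 }'
}

# Failed password attempts per source IP, most active first: "<count> <ip>".
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for/ { n[$(NF-3)]++ }
       END { for (ip in n) printf "%d %s\n", n[ip], ip }' "$1" | sort -rn
}

# Source IPs that failed at least once and then got in with a password:
# the brute-force-then-success signature worth checking first.
suspect_ips() {
  awk '/sshd\[[0-9]+\]: Failed password for/   { fails[$(NF-3)]++ }
       /sshd\[[0-9]+\]: Accepted password for/ { acc[$11] = $9 }
       END { for (ip in acc) if (ip in fails)
               printf "%s failed=%d then accepted password for %s\n", ip, fails[ip], acc[ip] }' "$1"
}

# Demo on the constructed sample; point the functions at /var/log/auth.log* on a real host.
demo() {
  local f
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_LOG" > "$f"
  echo "== password logins =="; password_logins "$f"
  echo "== failed attempts by IP =="; failed_by_ip "$f"
  echo "== suspect IPs =="; suspect_ips "$f"
  rm -f "$f"
}
demo
```

Run it over the rotated logs too (auth.log.1, auth.log.*.gz via zcat), since a login from April 15th may already have rotated out of the current file.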