
Posted by ercapitan
This is my log /var/log/secure - no activity at 18:44
This is my log /var/log/maillog - normal users, my customers
This is my log /var/log/messages - I can't find abnormal logs
failban.log - normal
You can see my /var/log/rkhunter.log
[03:21:13] Rootkit checks...
[03:21:13] Rootkits checked : 378
[03:21:13] Possible rootkits: 0
You managed to get rescue access?
You mounted your partitions?
So your (example) "messages" log is here: /mnt/var/log/messages.log, right?
Understand that if rkhunter can't find anything suspect then all you know is that ..... rkhunter couldn't find anything suspect.
This doesn't mean your server isn't contaminated.
It could be (just an example) a small Perl script that DDoS-attacks other servers.
This small script doesn't log - so there is no need to look into your log file: it wasn't logging. Anyway, these kinds of scripts will NEVER log - why should they give you the ability to detect them? They won't, and that's logical.
These scripts are often uploaded by badly written PHP code (a very badly written plugin for a CMS is nearly always involved), so they were uploaded by the web server. This upload will be visible in the web server's log files (Apache, etc.).
fail2ban blocks incoming connections according to YOUR rules.
I guess you didn't include a rule for outgoing connections - nor do you have a log for this.
fail2ban is used for other types of protection, not for blocking a 'hack program' that's running on your server.
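The reply's practical advice is that a script dropped through a weak PHP plugin leaves no trace of its own, but the upload itself shows up in the web server's access log. The following is an added example (not code from the thread or from any of the tools mentioned) of what a first pass over an Apache "combined" access log can look like: it parses each line, flags successful POSTs to plugin handler paths, flags any request for a PHP file inside directories that should only hold static uploads, and raises the confidence when the same client IP did both. The directory prefixes, the file extensions and the log lines are all constructed assumptions for the example and would need adjusting to the real site layout.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" log format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Assumed site layout (WordPress-style paths); adjust to the real CMS.
PLUGIN_DIRS = ("/wp-content/plugins/",)          # where upload handlers of plugins live
UPLOAD_DIRS = ("/wp-content/uploads/", "/uploads/", "/files/")  # should hold static files only
PHP_EXTS = (".php", ".phtml", ".php5")           # anything here served from an upload dir is suspect

# Constructed sample log (not real traffic): one client POSTs to a plugin handler,
# then fetches a PHP file from the uploads tree; the others are ordinary visitors.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:18:40:02 +0100] "POST /wp-content/plugins/old-uploader/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2014:18:42:00 +0100] "GET /index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2014:18:42:30 +0100] "GET /wp-content/uploads/2014/03/photo.jpg HTTP/1.1" 200 90210 "http://example.com/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:18:43:15 +0100] "GET /wp-content/uploads/2014/03/cache.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2014:18:43:40 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Scan the log once, in order, and return findings with a short reason each.

    Rules (assumed for this example):
      - a 2xx POST to a plugin handler path is a possible file upload;
      - any request for a PHP file under an upload directory means PHP is being
        executed from a place that should only contain static files;
      - the second finding is upgraded when the same IP already triggered the first.
    """
    findings: List[Dict[str, str]] = []
    posted_to_plugin = set()  # client IPs that hit a plugin handler with POST

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-combined line; skip rather than guess
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        ip, method, status = rec["ip"], rec["method"], rec["status"]

        if method == "POST" and path.startswith(PLUGIN_DIRS) and status.startswith("2"):
            posted_to_plugin.add(ip)
            findings.append({"ip": ip, "time": rec["time"], "path": path,
                             "reason": "post-to-plugin-handler"})

        if path.startswith(UPLOAD_DIRS) and path.lower().endswith(PHP_EXTS):
            reason = "php-in-upload-dir"
            if ip in posted_to_plugin:
                reason += "+prior-post"  # same client uploaded something earlier
            findings.append({"ip": ip, "time": rec["time"], "path": path, "reason": reason})

    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['time']}  {f['ip']:<15} {f['reason']:<30} {f['path']}")
```

Run it against a real file with `find_suspicious(open("/mnt/var/log/httpd/access_log").read())` once the rescue system has the old root mounted. The output is a starting point for the timeline the reply suggests building, not a verdict: a POST to a plugin is normal traffic on many sites, so the interesting hits are the ones where an upload is followed by PHP being served from a directory the web server should never execute from.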