My droplet has been compromised and is sending an outgoing Flood or DDoS. What do I do?

September 22, 2016 156 views
Security, Ubuntu, Ubuntu 16.04

My droplet has been compromised and I created a new droplet from a snapshot of the old one.

The new droplet has been compromised too.

How can I find the problem?

Please help me.

1 Answer

In cases like yours I usually recommend to 'nuke it from orbit'.
In other words, my recommendation would be to create a completely new droplet and configure it with higher security.

PRE-start: Be sure you use a new password for everything on the server. If you are using SSH keys, generate new pairs, in case they got compromised.

  1. Use SSH keys. It is much more secure to use SSH keys instead of passwords, but please keep them in a safe place. The tutorial on How to use SSH keys should help you get into it.
  2. Create a non-root user and make sure it uses an SSH key like the root user. Follow steps two, three and four of the Initial setup guide.
  3. Make sure you can log in to your new user with the key.
  4. Disable root access and password based authentication on SSH. Follow step five of the Initial setup guide. In addition to that, set the PermitRootLogin directive to no (by default it is yes), e.g. in sshd_config:

       PermitRootLogin no

  -Optional- 5. Install fail2ban for enhanced security. Fail2ban is used to ban brute force attacks against your server. Learn more about fail2ban. Besides SSH, it can be used for protecting an Apache or Nginx server.
  5. Install other packages, but don't use the same passwords.

If you are using WordPress, research your theme and plugins. There could be some security holes. If you are using some other random program, make sure it is secured.

Why I'm for this: You have a backup, but once a hole is found, there is a VERY high probability that the security hole existed before, even in the backup. This is usually why you should start with a new Droplet if possible and pay close attention to security settings.
If you need more help, we will try to help, but this is my usual procedure for hacked Droplets: never believe in the backup, nuke it from orbit :P

by Justin Ellingwood
Fail2ban is a daemon that can be run on your server to dynamically block clients that repeatedly fail to authenticate correctly with your services. This can help mitigate the effect of brute force attacks and illegitimate users of your services. In this guide, we'll demonstrate how to install and configure fail2ban to protect SSH and Nginx on an Ubuntu 14.04 server.
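Added example, not part of the answer above: step 4 of the answer (disable root login and password authentication in sshd_config) written as a small POSIX shell script that applies the settings to a copy of the file and then audits the effective values the way sshd reads them (first uncommented directive wins). The function names, the sample config and the `demo` argument are assumptions made for this example; on a real server you would run it against /etc/ssh/sshd_config from a session you keep open, validate with `sshd -t`, and only then restart the service.

```shell
#!/bin/sh
# Added example (not from the answer above): apply the answer's step 4 to a
# copy of sshd_config and audit the result. Paths and names are assumptions;
# on a real server point the functions at /etc/ssh/sshd_config.

# set_sshd_option FILE KEY VALUE
# Rewrite every existing line for KEY (commented out or not) to "KEY VALUE",
# or append the directive if the file has no such line at all. Keys are
# matched case-sensitively and Match blocks are not considered, so review
# the file before restarting sshd.
set_sshd_option() {
  file=$1; key=$2; value=$3
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
    sed -E "s/^[#[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$file" > "$file.tmp" \
      && mv "$file.tmp" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# harden_sshd_config FILE
# The settings the answer asks for: no root login, no password login, keys only.
harden_sshd_config() {
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" ChallengeResponseAuthentication no
  set_sshd_option "$1" PubkeyAuthentication yes
}

# sshd_option FILE KEY
# Print the effective value of KEY: sshd honours the first uncommented match.
sshd_option() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# audit_sshd_config FILE
# Return 0 when the four hardening settings are in force, 1 otherwise.
audit_sshd_config() {
  [ "$(sshd_option "$1" PermitRootLogin)" = no ] &&
  [ "$(sshd_option "$1" PasswordAuthentication)" = no ] &&
  [ "$(sshd_option "$1" ChallengeResponseAuthentication)" = no ] &&
  [ "$(sshd_option "$1" PubkeyAuthentication)" = yes ]
}

# demo: run against a constructed sshd_config that mirrors the defaults the
# answer warns about (root login and password authentication allowed).
demo() {
  cfg=$(mktemp)
  cat > "$cfg" <<'EOF'
# constructed sample sshd_config, not a real server's file
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
EOF
  echo "before: PermitRootLogin=$(sshd_option "$cfg" PermitRootLogin)" \
       "PasswordAuthentication=$(sshd_option "$cfg" PasswordAuthentication)"
  harden_sshd_config "$cfg"
  echo "after:  PermitRootLogin=$(sshd_option "$cfg" PermitRootLogin)" \
       "PasswordAuthentication=$(sshd_option "$cfg" PasswordAuthentication)" \
       "PubkeyAuthentication=$(sshd_option "$cfg" PubkeyAuthentication)"
  audit_sshd_config "$cfg" && echo "audit: ok"
  cat "$cfg"
  rm -f "$cfg"
  # On a real server, validate and restart only from a session you keep open:
  #   sudo sshd -t && sudo systemctl restart ssh
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh harden_sshd.sh demo` to see the before/after values on the constructed file. The audit function is the part worth keeping around: because sshd takes the first uncommented directive, a hardened line appended at the bottom of a file that still has `PermitRootLogin yes` near the top changes nothing, which is exactly the kind of mistake that leaves a rebuilt droplet as open as the old one.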