I just installed csf and I use SSH dynamic port forwarding. I use obfuscated ssh (http://nihilex[dot]com/obfuscated-openssh) for a secret handshake, which is in "/opt/ob-openssh/sbin/sshd". I connect from my computer to my VPS (which csf is installed on) with:
$ ssh -D <local_port> -z -Z <obfuscate_key> -p <server_ssh_port> <server_ip>
I already added <server_ssh_port> to "TCP_IN" and "TCP_OUT" in "/etc/csf/csf.conf", but that did not help.
Here is a part of the lfd log which seems relevant:
Mar 15 18:08:47 academy-vps lfd[11644]: *User Processing* PID:855 Kill:0 User:statd Time:255687 EXE:/sbin/rpc.statd CMD:/sbin/rpc.statd
Mar 15 18:11:34 academy-vps lfd[11857]: *User Processing* PID:10013 Kill:0 User:danialbehzadi Time:1848 EXE:/usr/bin/ssh-agent CMD:ssh-agent -s
Mar 15 18:13:34 academy-vps lfd[12186]: *Suspicious Process* PID:12040 PPID:11929 User:mysql Uptime:96 secs EXE:/usr/sbin/mysqld CMD:/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
Mar 15 18:18:34 academy-vps lfd[12287]: *Suspicious Process* PID:12219 PPID:1500 User:nobody Uptime:78 secs EXE:/usr/sbin/vsftpd CMD:/usr/sbin/vsftpd
Mar 15 18:18:34 academy-vps lfd[12287]: *Suspicious Process* PID:12221 PPID:12219 User:danialbehzadi Uptime:77 secs EXE:/usr/sbin/vsftpd CMD:/usr/sbin/vsftpd
Mar 15 18:43:54 academy-vps lfd[12782]: *SSH login* from 85.133.198.167 into the danialbehzadi account using password authentication
Mar 15 18:45:34 academy-vps lfd[12831]: *Suspicious Process* PID:12746 PPID:12744 User:danialbehzadi Uptime:103 secs EXE:/opt/ob-openssh/sbin/sshd CMD:sshd: danialbehzadi@pts/0