I'm trying to learn this stuff, so I set up a server and some services. I configured SSH to run on a non-standard port and disabled root login. I have a 20+ character password. I figured this would be enough (shame on me for not disabling password auth I suppose).
I did a port scan on my server and saw that port 111 rpcbind was open. It's CentOS, so opening ports is a bitch with SELinux, so I would have remembered doing that, which I don't. Apparently port 111 being open is bad news, according to Google. I don't use NFS. I also found Tor running on my server, which made me think I'm an exit node.
What log files can I check to see? I checked secure and the older files, but couldn't find any strange IPs connecting. I'm a noob at this, what else can I do? Is it recommended I just wipe it and start over? Thanks for the help.