How often do you get attacked

osphere
12-21-2004, 03:57 PM
In the last 24 hours I got 4 hacking attempts. I don't have a lot of experience in the SysAdmin biz, but how often do your servers have hacking attempts?

SmartActive
12-21-2004, 04:08 PM
Hello,
Which kind of attacks? Flood or hacking?
- Install security tools that will alert you when somebody tries to scan your host or has failed login attempts, like BFD, and an installation of a good firewall will help you in blocking their IPs. Install an IDS (LIDS is a good choice, or Snort).
- Check your log files: /var/log & /usr/local/apache/domlogs & /usr/local/cpanel/logs
If it is a flood attack, it depends on the type of attack (DoS, DDoS, DRDoS, SYN, UDP). Run: netstat -anp | grep SYN
If there are a lot of connections in the SYN stage, perhaps someone is flooding you.
There is a lot to do! It depends on the system.

osphere
12-21-2004, 04:14 PM
Thanks; well, in my case they are SSH root login attempts. I have BFD and the ban command is /sbin/route add -host xxx.xxx.xxx.xxx reject

SmartActive
12-21-2004, 04:16 PM
Hello,
It's better to block the IPs with iptables or APF: iptables -I INPUT 1 -s XX.XX.XX.XX -j DROP
Or just add it to your /etc/hosts.deny file: ALL: xx.xx.xx.xx will work :)

namelayer
12-21-2004, 04:28 PM
I get reports of about 2 attacks a day. I grabbed a PHP script that reports it to me through email and has APF block the offending IP/host. The PHP script is listed in the mod_security or How To part of WHT.
http://www.webhostingtalk.com/showthread.php?s=&threadid=227642

dynamicnet
12-21-2004, 04:44 PM
Greetings:
I guess it depends on what you call an "attack." If you include scans probing for weak areas along with ping of death and a variety of other forms of attacks, then several hundred times per day per server.
When we work with clients that had no security monitoring and set up security monitoring, it usually only takes an hour before they realize how dangerous a place the Net can be to live on. I'm sure the other security professionals on WHT can share similar experiences.
Thank you.

PhilG
12-21-2004, 06:17 PM
Make sure all your clients have updated their phpBB versions. There is a recent exploit which is very easy to use. Update all phpBB and install mod_security (like David suggests).

Captian_Spike
12-21-2004, 06:21 PM
Brute force attacks seem the most common on my server. At least 4 or 5 a day. As long as your server is properly secured it's not a big deal; just ban the attacking IPs.

PhilG
12-21-2004, 06:47 PM
Yeah, I also get a lot of scans that just try to access /cgi-bin, /stats, /admin etc...

LoganNZ
12-21-2004, 10:58 PM
Some of you will find this interesting... But it's better to NOT block the IPs, just to let them flood the server. Because when you block the IPs you are making the server spend more time blocking them, which causes high load. In theory it's not correct, but I have seen this happen a lot.

Steven
12-21-2004, 11:01 PM
Originally posted by SmartActive: Install an IDS (LIDS is a good choice, or Snort)
Snort and LIDS are totally different forms of IDS. If you are going to install either, I would recommend installing LIDS over Snort.

osphere
12-21-2004, 11:08 PM
Mmmm, good point, but I think it is better to have more load from blocking the IPs than high load from the attacker.

Bilco105
12-22-2004, 12:26 AM
How often do I get attacked? Never (FreeBSD is my friend).

bitserve
12-22-2004, 11:47 PM
Originally posted by LoganNZ: Some of you will find this interesting... But it's better to NOT block the IPs, just to let them flood the server. Because when you block the IPs you are making the server spend more time blocking them, which causes high load. In theory it's not correct, but I have seen this happen a lot.
Can you explain under what situations this advice would apply?

chuckt101
12-23-2004, 03:13 PM
Originally posted by LoganNZ: Some of you will find this interesting... But it's better to NOT block the IPs, just to let them flood the server. Because when you block the IPs you are making the server spend more time blocking them, which causes high load. In theory it's not correct, but I have seen this happen a lot.
Umm, how so? If you have a firewall running (on the server) already, how does adding an extra rule cause "high load" for the server? You'd rather the packet be passed up through the OSI layers and then have the end application deal with it? Seems you should just block it at a lower level and that would in turn free up resources. If you get high load from just doing that, then you would have died handling the packets anyway. Either that or your firewall sucks. We're not talking tens of thousands of rules here... a hundred or so MAX should work. I've admined a number of servers for about 4 years now. Never required more than 50 or so rules in ipchains/ipfw (and half are allow ssh rules). If you require any more, you should be investing in some quality hardware IDS/firewall solution since you're getting hit pretty hard. But all that is just my opinion ;)
Oh yeah, I should mention I don't really block worm type queries that target IIS or Apache. Those are usually useless and come from way too many IPs to even justify taking action on. Maybe that's what you were saying.... You could just drop entire blocks of IPs from Asia and Europe and that should cut out 99% of "hack" packets though.

Dipdngold
12-24-2004, 04:17 AM
I get at least 2 brute force detections a day. The IP address is then entered into the firewall (APF) to be dropped whenever they try to connect again.

Babushka99
12-24-2004, 08:01 AM
We get 100s of port scans a day per server. Attacks, oh those we get tons of every day due to the nature of the sites/clients we host.
Thankfully, our security gear protects/shields us. But the attacks: many!

WARP3
12-24-2004, 10:20 AM
Attacks (or attempts in any case) are often:
- HTTP: an average of 50 attempted exploits per server per day
- SSH: 4 to 5 brute force attempts, 10 to 20 root login attempts
- SMTP: an average of 500 relay attempts per day, per server
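The steps the thread discusses (checking the logs for failed SSH logins, banning the source with iptables or hosts.deny rather than a reject route, and looking at netstat for connections stuck in the SYN stage) as one runnable script. This is an added example, not code posted by any participant or shipped with BFD or APF. The log lines and netstat output are constructed sample data, the failure threshold of 3 is an assumption (BFD's real trigger is configurable), and the block commands are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example for this thread, not code posted by any participant.
# It turns the steps discussed above into a repeatable check: count failed
# SSH logins per source IP (what BFD reacts to), pick offenders over a
# threshold, emit the iptables / hosts.deny block lines SmartActive suggests,
# and count half-open connections the way "netstat -anp | grep SYN" does.
# Every input below is constructed sample data; the threshold of 3 and the
# syslog-style sshd log format are assumptions.

# Constructed sshd log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_AUTH_LOG='Dec 21 15:01:02 host sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Dec 21 15:01:04 host sshd[2201]: Failed password for root from 203.0.113.7 port 40130 ssh2
Dec 21 15:01:05 host sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 40144 ssh2
Dec 21 15:02:10 host sshd[2210]: Failed password for root from 198.51.100.9 port 51000 ssh2
Dec 21 15:03:11 host sshd[2215]: Accepted publickey for deploy from 192.0.2.5 port 60210 ssh2
Dec 21 15:04:00 host sshd[2218]: Failed password for root from 203.0.113.7 port 40150 ssh2'

# Constructed "netstat -an" output (Linux column layout: the state is field 6).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.50:3001       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.51:3002       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.52:3003       SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.8:50012         ESTABLISHED'

# Read sshd log text on stdin; print "count ip", busiest source first.
# Only "Failed password" lines count, so successful logins are never blocked.
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Failed attempts against root specifically, the pattern osphere reports.
# "|| true" keeps a zero count from aborting a script run under "set -e".
failed_root_logins() {
    grep -c 'sshd\[[0-9]*\]: Failed password for root from' || true
}

# IPs with at least $1 failures (default 3, an assumed threshold). Reads stdin.
offenders() {
    threshold="${1:-3}"
    failed_logins_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Turn a list of IPs (stdin, one per line) into block commands. They are
# printed, not run, so the output can be reviewed first. "-I INPUT 1" inserts
# the DROP at the top of the chain, ahead of any ACCEPT for port 22 that would
# otherwise match first. A DROP discards the packet on arrival; the reject
# route only breaks the return path, so incoming packets still traverse the
# stack. The hosts.deny line only affects services that consult TCP Wrappers.
block_commands() {
    while IFS= read -r ip; do
        printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$ip"
        printf 'echo "ALL: %s" >> /etc/hosts.deny\n' "$ip"
    done
}

# Count half-open connections in netstat output read from stdin. A count that
# is large and still climbing is the SYN-flood sign the thread describes; what
# counts as "large" depends on the box and its normal traffic.
syn_recv_count() {
    awk '$6 == "SYN_RECV"' | wc -l | tr -d ' '
}

# Stand-alone run over the constructed data.
demo() {
    printf 'failed root logins: %s\n' "$(printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_root_logins)"
    printf '%s\n' "$SAMPLE_AUTH_LOG" | offenders 3 | block_commands
    printf 'half-open connections: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_count)"
}
demo
```

On a live box the constructed samples are replaced by `cat /var/log/secure` (or `/var/log/auth.log`) and `netstat -an`; piping the offenders straight into `sh` is deliberately left to the operator, since a bad threshold against a shared NAT address would lock out legitimate users.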