  1. #1

    Tips for securing a server?

    Somebody broke into my server (one of my clients who has shell access probably wasn't very careful with his username and password) and installed an IRC bot inside and compromised my server.

    Everything has been fixed now but it kept on going down for no reason and the server has to be rebooted to be brought back up.

    I don't know what the cause of that was and I'm not sure how to find out.

    The datacenter staff (thePlanet) aren't successful finding out either and their security team costs 75 dollars per hour.

    Any recommendations?

  2. #2
    > Everything has been fixed now but it kept on going down for no reason and the server has to be rebooted to be brought back up.

    Probably there are still fake programs on the server. chkrootkit may help you with this.

    I suggest you back up all sensitive data and perform a new operating system installation.

  3. #3
    I suggest Rootkit Hunter. I also suggest hiring a third-party company to check the server out:

    wemanageservers.com
    linux-tech.net
    serveradmins.biz

    just some i recommend.

  4. #4
    Greetings:

    $75 per hour is very reasonable if they are experienced.

    http://www.webhostingtalk.com/showth...hreadid=262274 contains some reviews.

    For Unix-based systems, this should include the following:

    * Disable telnet.
    * Limit SSH access to specific IP addresses.
    * Disable direct root login.
    * Remove unnecessary packages / software.
    * Harden the kernel against SYN floods and basic DoS attacks.
    * Remove common user access to compilers and fetching software (wget, fetch, lynx, etc.).
    * Ensure /tmp is in its own partition with noexec, nosuid.
    * Ensure kernel and software is up to date.
    * Remove unnecessary users and groups.
    * Install chkrootkit, logwatch, tripwire.
    * Install a firewall, and port scan detector.
    * For Apache servers, install mod_security and configure for use with FrontPage, PHPMyAdmin, Site Studio, and other common applications.
    * Secure DNS Servers
    * Utilize firewall automation to mitigate brute force FTP, syn floods, mail bombs, and out-of-network trojan’d servers from impacting your servers

    It is important to note that security is an ongoing venture. Even if you were to take all of the steps listed above, you would still have a regular routine of review, update, research, patch, etc.

    Thank you.
    ---
    Peter M. Abraham
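The checklist above is easier to apply (and to verify after the fact) as a script. The following is an added example, not code from this thread or from the poster: it implements three of the items, disabling direct root login, limiting SSH to named users from specific addresses, and putting `noexec,nosuid` on the `/tmp` mount, as functions that audit and then rewrite a config file. It works on constructed copies of `sshd_config` and `fstab` created with `mktemp`, so it runs anywhere; the account name `admin` and address `192.0.2.10` are placeholders, and on a real host you would point it at `/etc/ssh/sshd_config` and `/etc/fstab` and then restart sshd / remount `/tmp`.

```shell
#!/bin/sh
# Added example (not from the thread): audit and harden the SSH and /tmp
# items of the checklist, operating on copies of the config files.

# Effective value of an sshd_config keyword. sshd honours the first
# uncommented occurrence, so stop at the first match; keywords are
# case-insensitive. A commented line ("#PermitRootLogin") never matches.
sshd_get() {  # sshd_get FILE KEYWORD
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Return 0 when direct root login is off and password auth is off, else 1.
audit_sshd() {  # audit_sshd FILE
    rc=0
    if [ "$(sshd_get "$1" PermitRootLogin)" != "no" ]; then
        echo "FAIL: PermitRootLogin is not 'no'"; rc=1
    fi
    if [ "$(sshd_get "$1" PasswordAuthentication)" != "no" ]; then
        echo "FAIL: PasswordAuthentication is not 'no'"; rc=1
    fi
    return $rc
}

# Set KEYWORD to VALUE: remove every uncommented line for that keyword, then
# append the wanted line, so no earlier occurrence can override it.
sshd_set() {  # sshd_set FILE KEYWORD VALUE
    tmp="$1.tmp"
    awk -v k="$2" 'tolower($1) != tolower(k)' "$1" > "$tmp"
    printf '%s %s\n' "$2" "$3" >> "$tmp"
    mv "$tmp" "$1"
}

# Checklist items: no direct root login, key-only authentication, and SSH
# limited to the given users/addresses (AllowUsers accepts USER@HOST).
harden_sshd() {  # harden_sshd FILE ALLOW_SPEC
    sshd_set "$1" PermitRootLogin no
    sshd_set "$1" PasswordAuthentication no
    sshd_set "$1" AllowUsers "$2"
}

# Return 0 when the /tmp entry in FSTAB carries both noexec and nosuid.
tmp_options_ok() {  # tmp_options_ok FSTAB
    opts=$(awk '$2 == "/tmp" { print $4; exit }' "$1")
    [ -n "$opts" ] || return 1
    case ",$opts," in *,noexec,*) ;; *) return 1 ;; esac
    case ",$opts," in *,nosuid,*) ;; *) return 1 ;; esac
    return 0
}

# Append noexec and/or nosuid to the /tmp entry when they are missing.
harden_tmp_fstab() {  # harden_tmp_fstab FSTAB
    tmp="$1.tmp"
    awk '$2 == "/tmp" {
             n = split($4, o, ","); x = 0; s = 0
             for (i = 1; i <= n; i++) { if (o[i] == "noexec") x = 1; if (o[i] == "nosuid") s = 1 }
             if (!x) $4 = $4 ",noexec"
             if (!s) $4 = $4 ",nosuid"
         }
         { print }' "$1" > "$tmp"
    mv "$tmp" "$1"
}

# Constructed sample inputs standing in for /etc/ssh/sshd_config and /etc/fstab.
SSHD_SAMPLE=$(mktemp)
cat > "$SSHD_SAMPLE" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
EOF
FSTAB_SAMPLE=$(mktemp)
cat > "$FSTAB_SAMPLE" <<'EOF'
/dev/sda1  /     ext3  defaults  1 1
/dev/sda3  /tmp  ext3  defaults  1 2
EOF

audit_sshd "$SSHD_SAMPLE" || echo "before: sshd config fails the audit"
harden_sshd "$SSHD_SAMPLE" "admin@192.0.2.10"   # placeholder user and address
audit_sshd "$SSHD_SAMPLE" && echo "after: sshd config passes the audit"

tmp_options_ok "$FSTAB_SAMPLE" || echo "before: /tmp lacks noexec,nosuid"
harden_tmp_fstab "$FSTAB_SAMPLE"
tmp_options_ok "$FSTAB_SAMPLE" && echo "after: /tmp has noexec,nosuid"
```

Note that `sshd_set` appends rather than editing in place on purpose: a hardening script that only rewrites the first `PermitRootLogin` line can be silently defeated by a second one further down, which is exactly the kind of leftover an intruder's edit might leave behind.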

  5. #5
    I would suggest just reinstalling everything. That's the safest method.

  6. #6
    I second that; nothing can be as 100% clean as a fresh install.

  7. #7
    Greetings:

    While it can be painful, when you are hacked, you will want to wipe the system, reinstall the operating system, install applications which must be installed fresh, and restore from a backup made prior to the hack.

    Otherwise, you may be guessing did you get everything including the back door the hacker may have set up when you tried to clean things by hand.

    Thank you.
    ---
    Peter M. Abraham

  8. #8
    Most probably, the irc bot was uploaded and compiled using a hole in one of the php or cgi scripts, but only further investigation can prove this.

  9. #9
    Debugging everything and recompiling lots of stuff just to make sure it's not backdoored anymore will most likely consume more time and money than a clean OS reinstall, a restore from backup, and securing the server from scratch.
