We have a centos 5.3 install, and our server keeps getting hacked. We see load averages of 500+ and see people from all over the world logging into our server (used last).

Is there a good place to start to avoid these kinds of things?

For example, here is what I already did.

Open up sshd port only
setup iptables to only accept port 80 and 22
No FTP
No other ports are allowed according to IP Tables.

I am not sure what other measures I can take. Can someone please assist?

TIA
Mag Gam wrote:
> We have a centos 5.3 install, and our server keeps getting hacked.
> We see load averages of 500+ and see people from all over the world
> logging into our server (used last).

what protocols are they logging on via? what accounts? have you changed all the passwords and so forth, run a rootkit hunter like rkhunter to check for common rootkits and other incursions, and so forth?

> Is there a good place to start to avoid these kinds of things?
>
> For example, here is what I already did.
>
> Open up sshd port only
> setup iptables to only accept port 80 and 22
> No FTP
> No other ports are allowed according to IP Tables.

what sort of website is running on port 80? if it's hosting any common PHP or other applications, check for known exploits in those... almost every major and minor PHP package, common perl CGI, etc, has had exploits... things like phpbb get new exploits every week and need frequent updating.

at this point, if your system has been hacked this badly, I would take it offline, clean install it with the minimum packages to support your applications, fully patch it, and this time make sure you leave selinux fully enabled, and then reconfigure and redeploy your web applications.
> Open up sshd port only
> setup iptables to only accept port 80 and 22
> No FTP
> No other ports are allowed according to IP Tables.

Where is the box? Am I correct that it runs a website? What website software are you running? Who needs to log in with SSH? And where from? Are the crackers logging in with SSH? Or are they getting in via some kind of web back door? Maybe because of the website software? Have you checked with the software to see if there are known holes? Are you running the latest version?

If only certain people need SSH access and that is how the crackers are getting in, then you could set up your firewall to only accept SSH connections from certain IPs, assuming those who need to get in have a fixed IP. You could also set up SSH to only accept connections via keys, and then install the keys on the server for those who need to get in.

Lots of questions you need to be asking.

What you can also consider is something I do on my box - run tcpdump continuously, with the options to create round-robin log files. You just have to make sure you'll have enough space for that. This can give you TCP/IP logs going back X amount of time, so that you can do forensics with something like Wireshark to see how people are getting in.

-- 
"Don't eat anything you've ever seen advertised on TV" - Michael Pollan, author of "In Defense of Food"
Get:

1. fail2ban - it blocks failed login ips etc
2. get shorewall or any iptables front end and restrict ips to the ranges u need (or even specific ips)
3. run ssh on a nonstandard port
4. good, long password

these steps will go a long way and will get u started.

----- Original Message ----
> From: Mag Gam <magawake at gmail.com>
> To: CentOS mailing list <centos at centos.org>
> Sent: Sunday, June 28, 2009 3:21:25 AM
> Subject: [CentOS] server is always getting hacked
>
> We have a centos 5.3 install, and our server keeps getting hacked.
> We see load averages of 500+ and see people from all over the world
> logging into our server (used last).
>
> Is there a good place to start to avoid these kinds of things?
>
> For example, here is what I already did.
>
> Open up sshd port only
> setup iptables to only accept port 80 and 22
> No FTP
> No other ports are allowed according to IP Tables.
>
>
> I am not sure what other measures I can take. Can someone please assist?
>
> TIA
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
On Sat, Jun 27, 2009 at 12:21 PM, Mag Gam <magawake at gmail.com> wrote:
> I am not sure what other measures I can take. Can someone please assist?

You should install an Intrusion Detection System (IDS), as they are great tools to assist you in seeing how the crackers are gaining access into your system.

> We see load averages of 500+ and see people from all over the world
> logging into our server (used last).

If I understood you correctly, you're saying that running the "last" command shows logins worldwide that are not yours? Immediately suspend / disable / lock down the accounts they're logging into if they're not important (say a user that's only used for a daemon).

If I were you I would immediately set up keys for your ssh, disable root ssh login (you can gain root via "su -" or "sudo" once you login), and only enable protocol 2 for ssh. Install an iptables frontend like APF to help you ban malicious IP addresses.

Are you running the latest version of CentOS? Make sure they don't have a critical exploit like a kernel privilege escalation exploit.

-- 
Best Regards,
Justin Bull
http://www.sohipitmhz.com/pubkey.txt (PGP Public Key)
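The triage step described above (reading "last" for logins that are not yours) as an added shell example; this is not code from the thread. It assumes `last -i` output in the CentOS 5 format and takes the address prefixes your own admins log in from as arguments; the sample output and its RFC 5737 addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: list every (account, source) pair in
# "last -i" output that does not come from an address prefix you recognise,
# with a login count, so the accounts to disable and the addresses to block
# stand out. Prefixes are a plain match on the start of the address, e.g.
# "10.0.0." or "192.168." (constructed values).

# suspicious_logins PREFIX...   reads "last -i" output on stdin
# Prints "user source count", most frequent first. The reboot pseudo-user,
# the trailing "wtmp begins" line, blank lines and console logins (0.0.0.0)
# are skipped; anything from an address outside the prefixes is reported.
suspicious_logins() {
    awk -v allowed="$*" '
        BEGIN { n = split(allowed, pre, " ") }
        NF < 4 || $1 == "reboot" || $1 == "wtmp" || $3 == "0.0.0.0" { next }
        {
            ok = 0
            for (i = 1; i <= n; i++) if (index($3, pre[i]) == 1) ok = 1
            if (!ok) count[$1 " " $3]++
        }
        END { for (k in count) print k, count[k] }' | sort -k3,3nr -k1,1
}

# Constructed sample of "last -i" output (documentation addresses), shaped
# like the CentOS 5 format: user, tty, source address, timestamps.
sample_last_output() {
    cat <<'EOF'
root     pts/1        203.0.113.45     Sat Jun 27 03:10   still logged in
www      pts/0        198.51.100.23    Fri Jun 26 22:01 - 22:07  (00:06)
root     pts/3        203.0.113.45     Fri Jun 26 21:30 - 21:55  (00:25)
admin    pts/2        10.0.0.5         Fri Jun 26 20:00 - 21:00  (01:00)
root     tty1         0.0.0.0          Fri Jun 26 09:00 - 09:05  (00:05)
reboot   system boot  2.6.18-128.el5   Thu Jun 25 10:00          (2+00:00)

wtmp begins Thu Jun 25 10:00:00 2009
EOF
}

# On the live host: last -i | suspicious_logins 10.0.0.
# On the sample this prints "root 203.0.113.45 2" and "www 198.51.100.23 1".
sample_last_output | suspicious_logins 10.0.0.
```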
On 06/27/2009 09:21 PM, Mag Gam wrote:

sane and simple security management for linux systems:

1. only open ports in iptables which are being used, if possible with source address or source network.
2. use hosts.allow/deny rules for services if applicable, this adds another layer of security.
3. check logs often, use a central loghost
4. SSH: no root login, only dedicated users, only dedicated source addresses, only key based access or kerberized access, no standard port
5. enable SELinux
6. use some kind of intrusion detection, like aide (standard in centos) or snort
8. use fail2ban to deny ipaddresses with several failed login attempts within a short period of time
9. clear your shell's history on logout
10. use sudo instead of su -
11. check bastille.org for hardening
12. check center for internet security for benchmarks, they provide very detailed information for hardening servers ( csisecurity.org )
13. use chattr -i for several key configuration files, so they cannot be changed or deleted

this should get you started, good luck

Sander

> We have a centos 5.3 install, and our server keeps getting hacked.
> We see load averages of 500+ and see people from all over the world
> logging into our server (used last).
>
> Is there a good place to start to avoid these kinds of things?
>
> For example, here is what I already did.
>
> Open up sshd port only
> setup iptables to only accept port 80 and 22
> No FTP
> No other ports are allowed according to IP Tables.
>
>
> I am not sure what other measures I can take. Can someone please assist?
>
> TIA
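The SSH hardening called for in Justin's reply and in Sander's item 4 (protocol 2 only, no root login, key-only access, a fixed set of users) as an added shell example; this is not code from the thread. It assumes an OpenSSH sshd_config in the CentOS 5 layout; the directive names are real, the user names and the sample file are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: rewrite an sshd_config so that only
# protocol 2, key-based logins by listed non-root users are accepted.
# Keep an existing session open and test a fresh key login before closing
# it, then "service sshd reload".

MANAGED='Protocol|PermitRootLogin|PasswordAuthentication|ChallengeResponseAuthentication|PubkeyAuthentication|AllowUsers'

# harden_sshd_config FILE USER...
# sshd honours the first occurrence of a directive, so every existing line
# for a managed directive (commented out or not) is removed and one hardened
# value appended. ChallengeResponseAuthentication is switched off as well:
# with PAM it would otherwise still accept passwords via keyboard-interactive.
harden_sshd_config() {
    file=$1; shift
    users=$*
    tmp=$(mktemp) || return 1
    grep -Ev "^[[:space:]]*#?[[:space:]]*($MANAGED)([[:space:]]|\$)" "$file" > "$tmp" || true
    cat >> "$tmp" <<EOF
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers $users
EOF
    mv "$tmp" "$file"
}

# effective_setting FILE DIRECTIVE
# Prints the value sshd will use: the first uncommented occurrence, or
# nothing when only the compiled-in default applies.
effective_setting() {
    awk -v d="$2" '$1 == d { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Constructed sample resembling the CentOS 5 default file: the relevant
# directives are commented out, so the compiled-in defaults (root login and
# password logins allowed) are in force until hardened.
make_sample_config() {
    cat > "$1" <<'EOF'
#Protocol 2,1
#PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server
EOF
}
```

Before hardening, `effective_setting FILE PermitRootLogin` prints nothing (default applies); afterwards it prints `no`, and the file carries exactly one line per managed directive.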
On Sat, Jun 27, 2009 at 12:21 PM, Mag Gam <magawake at gmail.com> wrote:
> We have a centos 5.3 install, and our server keeps getting hacked.
> We see load averages of 500+ and see people from all over the world
> logging into our server (used last).
>
> Is there a good place to start to avoid these kinds of things?
>
> For example, here is what I already did.
>
> Open up sshd port only
> setup iptables to only accept port 80 and 22
> No FTP
> No other ports are allowed according to IP Tables.
>
>
> I am not sure what other measures I can take. Can someone please assist?
>

It doesn't matter what you do to harden after you have already been owned. It has been said here but I'll say it again - reinstall. Start fresh, then harden, then put back on net.

You don't give much info on what this server does, but as long as you change all passwds and assure they are strong then the only other point of entry would be an insecure web app. I would run a http firewall, ie modsecurity. http://www.modsecurity.org/ I was getting hacked because of users' apps until I installed modsecurity.

I also limit ssh to only users that need it. I also run rkhunter every 30 min in silent mode. Sounds extreme, but minimizing the damage a hacker can do means the difference between scheduled down time vs unscheduled.

--bazooka