  1. #1
    Member
    Join Date
    May 2004
    Posts
    32

    Compromised Server

    First ever Cpanel dedicated server, after reselling for a long time.

    Less than a month into things, my server is compromised and doing rogue tcp traffic. Got a WHM red message: exim security prob.

    Upgraded to

    WHM 9.2.0 cPanel 9.3.0-R5
    Fedora - WHM X v3.1.0


    System still compromised, server provider has limited the port.

    What next? How could I have avoided this?
    Any help much appreciated.


    G.
    Fedora - WHM X v3.1.0

  2. #2
    Member
    Join Date
    Aug 2001
    Posts
    132


    Steve at sales@rack911.com is a very good guy on security issues ("thelinuxguy" is his username on various fora).

  3. #3
    Member
    Join Date
    May 2004
    Posts
    32

    Interpreting Bandmin

    It would appear that the update to the next newest release did the trick, though WHM reports the same versions as before.

    Exim is now the latest 4.34

    BUT HOW CAN I BE SURE? It has stopped.

    If you keep refreshing bandmin and the numbers don't change much, does that mean that the rogue tcp traffic has been halted?

  4. #4
    Member bamasbest's Avatar
    Join Date
    Jan 2004
    Posts
    531


    Have you installed a firewall?

    Very well worth the time/effort/resources!

  5. #5
    Member
    Join Date
    May 2004
    Posts
    32

    Firewall and Security progs.

    No, and if you mean physical box it cannot be done. The server, though managed by me, is not under my physical control but with a provider. If you mean firewall software then I'd be interested to know about the possible solutions, that are compatible with cpanel.

    What I have found most difficult about the current situation is that cpanel gives you the impression that you can actually pretty much run a server with very little command line knowledge and their updates will keep you protected, when in fact all it takes is for one of the many scripts, modules, services (here exim) to have a security flaw in an update and you will be left with a mess.

    Cpanel did not even report anything but allowed the compromised port/s to do 40Gig of traffic in 6-10 hours. It was only the provider's phone call that alerted me.

    As far as I know, there is no way to actually trace/close-off or limit a port except from the command line, and it is beyond my capabilities. Of course I could learn, but it means entirely reworking my business expectations. It's hard enough in such an environment just to gain customers. But then if you spend an entire day, like the one just spent, it eats away at any profitability.

    I would love some pointers to some good programs that work well with cpanel and would allow real control tracking of ports and limiting bandwidth on them, and also tracking down bad traffic etc. Also: does anybody know where one can find the full logs that report details on this unknown TCP traffic? You certainly can't access any of this from cpanel.


    Any pointers would be much appreciated

  6. #6
    Member
    Join Date
    Feb 2004
    Posts
    469

    Maybe you could benefit from someone who could do all the security fixes for you; then your time could be better spent tending your business.
    I spotted this thread the other day that might be of interest and it looks like there are more offers like this in the same forum. Could be useful in your situation.
    HTH.

  7. #7
    Member bamasbest's Avatar
    Join Date
    Jan 2004
    Posts
    531


    mygregory,

    APF firewall is very popular amongst cPanel users (software firewall) and is very easy to install.

    Here's a link to some simple instructions for installation:
    http://www.webhostgear.com/61.html

    You should also check out that site's other tutorials for improving security.

  8. #8
    Member
    Join Date
    May 2004
    Posts
    32

    Looks interesting

    Thank you for your kind help,

    Useful resource. Will probably install APF, though not sure if I need to take any other action beforehand to stop the current use of the ports.

  9. #9
    Member bamasbest's Avatar
    Join Date
    Jan 2004
    Posts
    531


    Before I installed APF, I thought that my server was fairly secure. Amazing how after I installed it, my logwatch email showed me how many packets were dropped by the firewall.

    I still get some errant attempts by hackers (to no avail), but as soon as I discover the problem, I simply deny access to their IP/IP range and the hackers "Go Away!!!"

    Well worth 20-30 minutes of your time to install this!

    My advice, be proactive as opposed to retroactive

  10. #10
    Member DrGreen's Avatar
    Join Date
    May 2004
    Posts
    44

    How can you find out their IPs? And then block them?
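    The question in #10 and the approach in #9 (read the firewall's dropped-packet log, then deny the noisy sources) can be done from the command line. The script below is an added example, not something posted in the thread or shipped with APF: it parses constructed netfilter LOG lines (the SRC=/DST=/PROTO=/DPT= fields are the real kernel log format; the prefix and addresses are made up), ranks the source IPs that were dropped most often, and prints the corresponding `apf -d` deny commands for review rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread or from APF). On an APF/iptables host the
# real DROP entries normally land in /var/log/messages (kern.* via syslog);
# the lines below are constructed sample input.
SAMPLE_LOG='May 20 03:14:01 host kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=4412 DPT=22
May 20 03:14:02 host kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=4413 DPT=22
May 20 03:14:05 host kernel: ** IN_UDP DROP ** IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 PROTO=UDP SPT=53 DPT=1026
May 20 03:14:09 host kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=4414 DPT=22
May 20 03:14:10 host exim[2211]: accepted connection'

# Read log lines on stdin; print "count ip", busiest source first, for every
# line that the firewall logged as DROP and that carries a SRC= field.
top_dropped_sources() {
    grep ' DROP ' \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Read log lines on stdin; emit an "apf -d HOST comment" line for each source
# dropped at least $1 times. Output is meant to be reviewed, then run by root;
# apf -d adds the host to APF's deny list (assumed from APF's own usage text).
deny_commands() {
    threshold="$1"
    top_dropped_sources \
        | awk -v t="$threshold" \
            '$1 >= t {printf "apf -d %s \"%s drops in firewall log\"\n", $2, $1}'
}

# Stand-alone usage against the constructed sample (real use: < /var/log/messages):
printf '%s\n' "$SAMPLE_LOG" | top_dropped_sources
printf '%s\n' "$SAMPLE_LOG" | deny_commands 3
```

    Raise the threshold on a busy server so that a single stray connection does not get a host denied, and check the ranked list before feeding it to APF, since a legitimate customer or monitoring host can show up there too.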
