  1. #1
    Member
    Join Date
    Jan 2004
    Posts
    134

    Default Security, ufff!!!

    My system has been hacked and destroyed. The whole system has been used as a warez repository and as a point to launch attacks against other machines.
    I was using CPanel/WHM and I'd just executed the last security update (October 18th or 19th).

    I had rkhunter installed and all the CPANEL monitoring and security apps, but it was not enough. The attack was made from the web server ("nobody" appears as the owner of a lot of processes and files).

    I've learned: security is never enough.

    Some exploits implicated: hatorihanzo, mremap_pte, r0nin ...
    A real disaster. And the worst: I can't imagine how they got access to the server. All logs disappeared (pointed to /dev/null) and most files were erased ...

    Next time I won't trust just CPanel; I'd better install other monitoring tools.

    Bye, I'm going to cry for a while, a long while.

  2. #2
    Member
    Join Date
    Jun 2004
    Location
    Canada
    Posts
    378

    Default

    lol

    Pay someone to do your security if you don't know how.

    I suggest rack911.com .. ask for Steven

    I do general security and server maintenance for $39 /month

    But rack911 can give you a really good deal.
    Sheldon King
    Server Administrator
    http://www.forgehosting.com

  3. #3
    mct
    Registered User
    Join Date
    Oct 2004
    Posts
    2

    Default

    Is your root login enabled? If yes, disable it first.
    Second, put your IP mask in the SSH config file.

  4. #4
    Member
    Join Date
    Jan 2004
    Posts
    134

    Default

    What do you mean by IP mask?
    My first steps are:
    Secure ssh (set IPlisten and disallow root access)
    Of course: no Telnet
    Disable gcc (CPanel can do it)
    Secure /tmp
    Protect php.ini
    Don't allow the use of exec and system calls in php.ini
    php in safe mode
    php open_base_dir
    Compile Apache with suexec and phpexec
    Install and execute rkhunter and chkrootkit
    PureFTP (I've read ProFTP has a security hole)

    Use RATS to check every perl and php script to be installed in the system.

    And I know I need a good IDS (Intrusion Detection System) like Tripwire or better.

    My data center has a firewall, but I think it's a good idea to set up my own FW. It must be compatible with CPanel, so I'll wait until CPanel is totally installed.

    Have I forgotten anything? I'm sure these are not the only steps.

    Thanks

  5. #5
    Member
    Join Date
    Apr 2003
    Location
    Lewisville, Tx
    Posts
    968

    Default

    How about a firewall?
    Kris
    NCServ, LLC.
    WebHosting - Dedicated Servers - Colocation
    sales@ncerv.com

  6. #6
    Member
    Join Date
    Jan 2004
    Posts
    134

    Default Firewall, of course

    Of course.
    The data center has one, but two locks are better than one.
    I know that Bastille is a good program to build firewall rules (iptables).
    Is there a better program to do it?

    Thanks

  7. #7
    Member
    Join Date
    Mar 2003
    Posts
    55

    Default

    -----------

  8. #8
    Member
    Join Date
    Apr 2003
    Location
    Lewisville, Tx
    Posts
    968

    Default

    We have always used APF and AD as secondary firewall/DoS protection. It seems to work quite well on the software side of things. We have seen a lot of help come from mod_security in just a very basic installation. Make sure nothing can be executed in your /tmp directories. Check for insecure apps such as Cups and Samba. Look under your Apache directory for folders such as proxy or any other folders you don't recognize in the system. Better to run with fewer allowed applications than too many. Root should NEVER be allowed to log in directly; port 22 on SSH helps, protocol 2 for SSH, remove users such as gopher/admin/lcp, allow wheel from only one user and make it a unique user. There are hundreds of things we can do to protect servers, but if someone wants in badly enough, most likely they will get in.
    Kris
    NCServ, LLC.
    WebHosting - Dedicated Servers - Colocation
    sales@ncerv.com
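    The checklist in post #4 and the advice in post #8 overlap on a handful of settings that can be verified mechanically: no direct root login over SSH, sshd bound to a fixed address, exec/system disabled and open_basedir set in php.ini, and /tmp mounted noexec. The script below is an added example, not code from the thread, from cPanel or from any of the tools named here; it audits those items. The sshd_config, php.ini and mounts files it reads are constructed inline so it runs offline; on a real host you would point the functions at /etc/ssh/sshd_config, the php.ini Apache actually loads, and /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the thread or cPanel): audit a few hardening items
# from posts #4 and #8. The config files below are CONSTRUCTED so the script
# runs offline; on a real host use /etc/ssh/sshd_config, the live php.ini
# and /proc/mounts instead.

# sshd keeps the FIRST value it meets for a keyword, so mirror that.
sshd_setting() {   # usage: sshd_setting FILE KEYWORD -> prints the value
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/     { next }
        tolower($1) == key { print $2; exit }' "$1"
}

# php.ini is the other way round: a later directive overrides an earlier one.
php_setting() {    # usage: php_setting FILE DIRECTIVE -> prints the value
    awk -F= -v key="$2" '
        /^[ \t]*(;|$)/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); gsub(/"/, "", v); last = v }
        END { print last }' "$1"
}

check_sshd() {     # usage: check_sshd FILE -> 0 when both SSH items hold
    rc=0
    [ "$(sshd_setting "$1" PermitRootLogin)" = no ] ||
        { echo "FAIL sshd: PermitRootLogin is not 'no'"; rc=1; }
    [ -n "$(sshd_setting "$1" ListenAddress)" ] ||
        { echo "FAIL sshd: no ListenAddress, sshd listens on every interface"; rc=1; }
    return $rc
}

check_php() {      # usage: check_php FILE -> 0 when exec/system are disabled and open_basedir is set
    rc=0
    funcs=$(php_setting "$1" disable_functions | tr -d ' ')
    for fn in exec system; do
        case ",$funcs," in
            *",$fn,"*) ;;
            *) echo "FAIL php.ini: $fn is not in disable_functions"; rc=1 ;;
        esac
    done
    [ -n "$(php_setting "$1" open_basedir)" ] ||
        { echo "FAIL php.ini: open_basedir is unset"; rc=1; }
    return $rc
}

tmp_noexec() {     # usage: tmp_noexec MOUNTS_FILE -> 0 when /tmp is its own mount with noexec
    awk '$2 == "/tmp" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") ok = 1 }
         END { exit ok ? 0 : 1 }' "$1"
}

# ---- constructed sample inputs (not taken from any real host) ----
WORK=$(mktemp -d)
SAMPLE_SSHD_WEAK=$WORK/sshd_config.weak
cat > "$SAMPLE_SSHD_WEAK" <<'EOF'
# PermitRootLogin no    (commented out, so it does not count)
PermitRootLogin yes
Port 22
EOF
SAMPLE_SSHD_HARD=$WORK/sshd_config.hardened
cat > "$SAMPLE_SSHD_HARD" <<'EOF'
ListenAddress 192.0.2.10
PermitRootLogin no
# the duplicate below is ignored because sshd already took the first value
PermitRootLogin yes
EOF
SAMPLE_PHP=$WORK/php.ini
cat > "$SAMPLE_PHP" <<'EOF'
; constructed php.ini fragment
disable_functions = exec, system, passthru, shell_exec
open_basedir = "/home:/tmp"
EOF
SAMPLE_MOUNTS_HARD=$WORK/mounts.hardened
cat > "$SAMPLE_MOUNTS_HARD" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
SAMPLE_MOUNTS_WEAK=$WORK/mounts.weak
cat > "$SAMPLE_MOUNTS_WEAK" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
EOF

echo "== weak sshd_config";     check_sshd "$SAMPLE_SSHD_WEAK" || true
echo "== hardened sshd_config"; check_sshd "$SAMPLE_SSHD_HARD" && echo ok
echo "== php.ini";              check_php "$SAMPLE_PHP" && echo ok
echo "== /tmp (weak mounts)";   tmp_noexec "$SAMPLE_MOUNTS_WEAK" || echo "FAIL: /tmp is not a separate noexec mount"
echo "== /tmp (hardened)";      tmp_noexec "$SAMPLE_MOUNTS_HARD" && echo ok
```

    The two parsers deliberately differ: sshd honours the first occurrence of a keyword, php.ini the last, so a hardened line appended to the end of sshd_config by a tool can be silently overridden by a permissive line earlier in the file. php's safe_mode (mentioned in post #4) is not checked because it no longer exists in current PHP releases.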

  9. #9
    Member
    Join Date
    Apr 2003
    Posts
    27

    Default

    I would recommend (ya don't say?) APF, BFD, ANTIDOS, LES, LSM - all combined, installed. These are not end-all solutions but go a long way to harden a system.

    http://www.r-fx.org/proj.php

    Likewise I would additionally recommend you hire a QUALIFIED and CERTIFIED security firm such as R-fx Networks (my firm), DNI, or CheetaWeb. Not to condescend on the likes of rack911, but it has proven for many an ill experience with such organizations.
    Last edited by rfxn; 10-25-2004 at 11:13 AM.
    'Make no mistake, the odds are not in your favor--you have
    to patch every hole, but an attacker need find only one.'

    www.rfxn.com - Linux Software & Blog

  10. #10
    Member
    Join Date
    Jan 2004
    Posts
    134

    Default drop ping traceroute

    I know that these rules

    iptables -A INPUT -s 0/0 -d myip -p icmp --icmp-type echo-request -j DROP
    iptables -A INPUT -s 0/0 -d myip -p udp --dport 33435:33525 -j DROP

    make the host not answer to ping and tracert. It doesn't appear; ping acts as if our IP doesn't exist.

    Is it a good idea to do so? I've heard that sometimes this config can be conflictive (don't ask me why, I've heard so and so I write). I think hiding our host is good.

    Thanks
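    Posts #6 and #10 both circle around the same thing: a host firewall in front of cPanel. The script below is an added example, not code from the thread, from APF or from Bastille. It writes a default-deny INPUT ruleset in iptables-restore format; where the two rules quoted above drop every echo-request, this one rate-limits ping and relies on conntrack's RELATED state so ICMP errors (path MTU discovery) still reach the host. The admin network and SSH port are assumed placeholders, and the file is only written, not loaded, so it can be read before iptables-restore is ever run.

```shell
#!/bin/sh
# Added example (not from the thread, APF or Bastille): write a default-deny
# iptables ruleset in iptables-restore format. ADMIN_NET and SSH_PORT are
# ASSUMED placeholders; nothing here touches the live firewall.

ADMIN_NET=${ADMIN_NET:-198.51.100.0/24}   # assumed: the network admins SSH in from
SSH_PORT=${SSH_PORT:-22}

emit_ruleset() {   # prints the ruleset on stdout
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, replies to flows this host started, and the ICMP errors related to them
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping: answer a trickle and drop floods, rather than disappearing entirely
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 5 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
# SSH only from the admin network; web from anywhere
-A INPUT -p tcp --dport $SSH_PORT -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# anything else, traceroute's UDP probes included, falls to the INPUT DROP policy
COMMIT
EOF
}

write_ruleset() {  # usage: write_ruleset FILE
    emit_ruleset > "$1"
}

rule_count() {     # usage: rule_count FILE -> number of -A rules in the file
    grep -c '^-A ' "$1"
}

ruleset_has() {    # usage: ruleset_has FILE FIXED_STRING -> 0 when the string is present
    grep -qF -- "$2" "$1"
}

RULES=${RULES:-$(mktemp)}
write_ruleset "$RULES"
echo "wrote $(rule_count "$RULES") rules to $RULES"
ruleset_has "$RULES" ':INPUT DROP' && echo "INPUT policy is DROP: unlisted ports never answer"
```

    Load the file with iptables-restore from a console session rather than over SSH, because the DROP policy takes effect the moment it is committed and a typo in ADMIN_NET locks you out. With a default-deny policy the explicit traceroute rule from post #10 becomes redundant, and dropping echo-request buys little concealment on a web server, since port 80 still answers to anyone who connects.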

  11. #11
    Member
    Join Date
    Jan 2004
    Posts
    134

    Default LES and Update system

    LES (Linux Environment Security, http://www.rfxnetworks.com/les.php ) protects system files against being modified. So not even root can modify these files.
    My question is: does it let CPanel update system programs?

    Thanks
