  1. #1
    Member
    Join Date
    Mar 2002
    Posts
    442

    Default Top tips for stopping hackers - contribs please

    Hi All,

    My company has 3 US-hosted linux dedicated servers. To our knowledge we haven't been seriously hacked in 4 years, until a few weeks ago. Within the last few weeks, 2 of the 3 have been hacked, requiring fresh installs of the OS + WHM/cPanel. Each hack has cost us approx $1,000+ in terms of data centre support plus our hours here to re-install and re-configure non-standard software (payment processing software etc.) to get the servers back to the way they were.

    I've searched around these forums for hints and tips about how to make our servers more secure. This information seems to exist in small amounts in posts here and there, often as suggestions in response to others who have been hacked.

    I'd like to offer this thread up to anyone who would like to offer hints and tips about how to beef up linux web server security. With each piece of advice please try to give a brief how-to and/or link to a website resource that describes what to do more fully.

    Here's a starter:

    1. Limit SSH root access to a fixed list of IP addresses
    2. Ensure WHM/cPanel and other server software are fully updated with latest patches.
    3. Auto-email a report for all root access logins
    4. Disallow telnet access
    5. Change cpanel/ftp passwords regularly
    6. Install 'bruteforce detection' script: auto-blocks repeated frequent attempts to login. eg. http://www.rfxnetworks.com/bfd.php (there's a 'how-to' install here: http://www.webhostgear.com/60.html)
    7. Firewall the server eg. http://www.rfxnetworks.com/apf.php
    8. Turn off non-essential/unnecessary services (does anyone know of a list of what these might be?)

    Firewalls
    APF
    - http://www.rfxnetworks.com/apf.php

    Intrusion Detection Software

    AIDE (Advanced Intrusion Detection Software)
    - http://sourceforge.net/projects/aide
    Tripwire (...is a tool that checks to see what has changed on your system)
    - http://sourceforge.net/projects/tripwire/ (open source version)
    - http://www.tripwire.com/products/ (commercial version)

    Other Related cPanel Threads
    - http://forums.cpanel.net/showthread.php?t=30159

    General Website Resources on Security

    - http://www.webhostgear.com/cid_6.html (some great 'securing servers' tutorials here)
    - www.linuxsecurity.com
    - http://www.webhostingtalk.com/showth...hreadid=307474 (how-to secure cPanel)
    - http://forums.servermatrix.com/viewt...t=2198&start=0 Improving System Security on cPanel Systems (Servermatrix forum)

    Books on Security

    - Linux Server Hacks by Rob Flickenger (just found this on Amazon, seems well recommended)
    - Any other recommendations here?

    * Please note that we are not linux security experts and are not trying to be! We're just trying to share some hints and tips and resources with others who need to 'up' their linux security without necessarily having the budget to employ experts. *
    Last edited by spaceman; 10-05-2004 at 05:59 AM. Reason: More info to add, plus corrections
    • Web Design Perth .:. Itomic Business Website Solutions of Perth, Western Australia

  2. #2
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    May 2002
    Posts
    122

    Default

    1. Ensure that the kernel is up to date.
    2. Turn off access to compilers and scripts like wget.
    3. Make /tmp and /var/tmp noexec.
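
An added example, not part of any post in this thread: a read-only audit of three of the tips above (noexec on /tmp and /var/tmp, root SSH login, telnet). It reports whether root login is enabled globally, which is the setting to review before restricting root to fixed IP addresses. The function names are hypothetical and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample data is constructed.

# Mount table in /proc/mounts layout (dev mountpoint fstype options ...).
# Prints ok, exec-allowed, or not-separate (path is not its own mount).
check_noexec() {
    awk -v mp="$2" '
        $2 == mp { found = 1; ok = 0; n = split($4, o, ",")
                   for (i = 1; i <= n; i++) if (o[i] == "noexec") ok = 1 }
        END { if (!found) print "not-separate"
              else print (ok ? "ok" : "exec-allowed") }' "$1"
}

# Global PermitRootLogin from an sshd_config file. sshd keeps the first value
# it reads, and lines after a Match keyword are conditional, so stop there.
# Prints the value in lower case, or "unset" if the built-in default applies.
root_login_setting() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { v = tolower($2); exit }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# Saved `netstat -ltn` or `ss -ltn` output; the local address is field 4 in
# both. Prints "listening" if anything is bound to TCP port 23, else "closed".
telnet_listener() {
    awk '$4 ~ /:23$/ { hit = 1 } END { print (hit ? "listening" : "closed") }' "$1"
}

# Constructed inputs so the demo runs without touching the live system.
d=$(mktemp -d)
printf '%s\n' '/dev/sda1 / ext3 rw 0 0' \
    '/dev/sda5 /tmp ext3 rw,nosuid,noexec 0 0' > "$d/mounts"
printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' > "$d/sshd_config"
printf '%s\n' 'tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN' \
    'tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN' > "$d/listeners"
echo "/tmp:      $(check_noexec "$d/mounts" /tmp)"
echo "/var/tmp:  $(check_noexec "$d/mounts" /var/tmp)"
echo "root ssh:  $(root_login_setting "$d/sshd_config")"
echo "telnet:    $(telnet_listener "$d/listeners")"
rm -rf "$d"
```

On a real server, pass /proc/mounts, /etc/ssh/sshd_config and a saved copy of the listener output in place of the constructed files.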

  3. #3
    Member
    Join Date
    Dec 2001
    Posts
    1,558

    Default

    I'd put this at or near the top of the "todo" list:

    Install AIDE or Tripwire
    Beau Henderson

  4. #4
    Member
    Join Date
    Jul 2004
    Location
    Charlotte, NC
    Posts
    31

    Default

    Folks, it's one thing to make a list of things to do to protect yourself. It's a much better thing to actually make a list people can use with links and the rest.

    (humour)It's sort of like Bush with chasing bad guys. It's one thing to say he's doing something. It's another thing to actually see something happening. (/humour)

    thanks,
    -drmike

  5. #5
    Member
    Join Date
    May 2004
    Posts
    114

    Default I dig Free Advice

    It's nice when people actually are so kind to give some free advice to secure our servers. I really appreciate the effort. Spiderman

  6. #6
    Member
    Join Date
    Dec 2001
    Posts
    1,558

    Default

    Quote Originally Posted by drmike
    Folks, it's one thing to make a list of things to do to protect yourself. It's a much better thing to actually make a list people can use with links and the rest.

    ....

    thanks,
    -drmike
    It's called research, one of the most important jobs of a system admin. If you can't figure out how to find or install any of the above, perhaps you're in the wrong industry?

    We could sit here all day detailing this that and the other thing, but most of us have paying jobs. Do the research, or hire someone who can.
    Beau Henderson

  7. #7
    Member
    Join Date
    Mar 2002
    Posts
    442

    Default

    How about this: if you have a suggestion to make, eg. "Turn off access to compilers and scripts like wget." then please can you add value to this suggestion by either
    a) Adding a bit more of a description about how to actually achieve this and/or
    b) providing a link to an online how-to article, tutorial, forum posting or whatever that describes it in more detail.

    I will then be happy to edit my original post with this info so that all the advice is consolidated at the top rather than splattered across multiple posts.

    Deal? :-)

    So if you spot a broken link, or advice that could be improved, or a new tutorial/link that could be added, please post away.
    • Web Design Perth .:. Itomic Business Website Solutions of Perth, Western Australia

  8. #8
    Member
    Join Date
    Jul 2004
    Location
    Charlotte, NC
    Posts
    31

    Default

    Quote Originally Posted by haze
    It's called research, one of the most important jobs of a system admin. If you can't figure out how to find or install any of the above, perhaps you're in the wrong industry?
    Agreed, most hosters are in the wrong business.

    I used to volunteer on the phpnuke site and listen all day long to users complain about poor hosting but, if you pointed out that their hoster was the issue, they always went to bat for them saying that they were the best in the world. Made me sick.

    -drmike

  9. #9
    Moderator cPanel Partner NOC Badge dgbaker's Avatar
    Join Date
    Sep 2002
    Location
    Toronto, Ontario Canada
    Posts
    2,773

    Default

    Quote Originally Posted by spaceman
    How about this: if you have a suggestion to make, eg. "Turn off access to compilers and scripts like wget." then please can you add value to this suggestion by either
    a) Adding a bit more of a description about how to actually achieve this and/or
    b) providing a link to an online how-to article, tutorial, forum posting or whatever that describes it in more detail.

    I will then be happy to edit my original post with this info so that all the advice is consolidated at the top rather than splattered across multiple posts.

    Deal? :-)

    So if you spot a broken link, or advice that could be improved, or a new tutorial/link that could be added, please post away.

    There are a few issues with doing this.

    1. Why should anyone give away their secrets on how they do security?
    2. Posting such info in public forums is also giving the hackers extra info on how the server is secured.
    3. As I've stated on the forum before, we are all in this industry to make money, end of story. So why would I want to help my competition with things like this? If they have issues all the better for everyone else who may get their business.
    4. Handing people tutorials on every little thing is not the answer, each must learn to fish instead of asking for the fish to be given.
    5. Just because you can follow a tutorial does not mean you are any safer. Tutorials are and should be used as guidelines only and baselines, each system still needs to be looked at and handled individually to ensure proper/better security.

    I know that sounds harsh and self-centered etc... but hey! business is business and in this industry one must do whatever they can to maintain an edge (no matter how small) on its competition.
    Regards,
    David
    Forum Moderator

  10. #10
    Member
    Join Date
    Jul 2004
    Location
    Charlotte, NC
    Posts
    31

    Default

    Quote Originally Posted by dgbaker
    I know that sounds harsh and self-centered etc... but hey! business is business and in this industry one must do whatever they can to maintain an edge (no matter how small) on its competition.
    Not that I'm going to do such a thing but I'd bet that would look great on your support forum.

    -drmike

  11. #11
    Member
    Join Date
    Sep 2004
    Posts
    21

    Talking Wow!!

    WOW... you're a born know-it-all. And since that's the case, I'm wondering why you even waste your time in a "support forum". Nevertheless, I'll reply...


    >1. Why should anyone give away their secrets on how they do security?

    Why not? Unlike you everyone else learns these "sacred secrets" from someone.


    >2. Posting such info in public forums is also giving the hackers extra info on how the server is secured.

    FUD, FUD, FUD... Posting such info in public forums helps other people, while lending credibility to the poster as well as the hosting industry as a whole. Hackers (sic) already know how your server is secured.


    >3. As I've stated on the forum before, we are all in this industry to make money, end of story. So why would I want to help my competition with things like this? If they have issues all the better for everyone else who may get their business.

    You reap what you sow. Someday you might not know it all any more (things sometimes do change that fast), and maybe the competition will eat you up instead of helping you, too.

    Actually, if you were not so closed minded you would have realized the financial benefit of sharing such knowledge. Not only would it give you priceless credibility... not everyone (especially newbies) are up to the task of doing it themselves... you could have been making even more $$$ doing it for them.

    But don't sweat it, someone else will rise to the challenge... End of story


    >4. Handing people tutorials on every little thing is not the answer, each must learn to fish instead of asking for the fish to be given.

    That's got to be a thinking error, if I ever heard one. This is the internet (the biggest fishing hole on the planet). Forums are like small fishing spots in that big hole. They help people find information that they might not ever find elsewhere. That is the spirit of the whole thing.

    Tutorials, when they can be found, may not be the answer, but they are a great starting point to learning the question. They are nothing more than helpful guidelines, to steer people in the right direction (not yours)... even more so since every system needs to be handled individually.


    >5. Just because you can follow a tutorial does not mean you are any safer. Tutorials are and should be used as guidelines only and baselines, each system still needs to be looked at and handled individually to ensure proper/better security.

    Read the reply to 4.


    >I know that sounds harsh and self-centered etc... but hey! business is business and in this industry one must do whatever they can to maintain an edge (no matter how small) on its competition.

    It sounds harsh, self-centered etc... because it is! True, business is business... but smart business is smart business... and fools never seem to grasp this. Apparently the only edge you have on your competition is that you still have a few dollars to play a couple of more rounds. That's why you'll always be #2, and someone else #1.


    -000000000

  12. #12
    Member sawbuck's Avatar
    Join Date
    Jan 2004
    Posts
    1,310
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by 000000000
    Nevertheless, I'll reply...
    Would have been better if you had not replied. Ugly/rude post for your first one.

  13. #13
    Moderator cPanel Partner NOC Badge dgbaker's Avatar
    Join Date
    Sep 2002
    Location
    Toronto, Ontario Canada
    Posts
    2,773

    Default

    For people that know me and have been around these forums for a while, they know I have always gone out of my way to help others. I even help other hosting companies with server admin work as well.

    As to the share and share alike notion? How was it put "smart business"? Smart businesses do not tell their competition how to gain an edge over them. Whether that be an IBM, Royal Bank, EV1, etc... none will tell their secrets to their competitors.

    I must also agree with sawbuck, for your first post you left a very bad impression. You treat your clients like that as well?

    And drmike.... - As to posting my other statement on my forum? Not a problem.
    Regards,
    David
    Forum Moderator

  14. #14
    Member
    Join Date
    Sep 2004
    Posts
    21

    Unhappy Agreed

    Sawbuck... I agree, it was an ugly rude post, and (sawbuck and dgbaker), I wish that it hadn't been my first, but I really felt compelled to reply to it.

    Both spaceman and drmike made a good suggestion that would make the thread a lot more useful for members and visitors of this forum (especially newbies). They did not ask for selfish, self-serving comments that benefit no one in this forum. The post needed to be replied to. If someone wants to blacklist me for it - so be it.

    Sometimes it is more productive to keep your comments to yourself, rather than run around a forum slapping everyone in the face. Sometimes a slap needs a slap back, and sometimes harsh needs harsh back.

    On a more level headed note... no one will lose anything to their competition by sharing techniques to secure internet servers. Security is an issue that affects the whole hosting industry, whether you are experienced or not. It is us against the Crackers... but if we are always divided against our own on such a simple issue, we will never gain an advantage.

    The first time some jerk hacks a server hosting some of our best potential customers, many of those customers will realize that it is cheaper in the long run to just "secure" their own dedicated server than throw it away on over-priced, unsafe hosting. Then you have new competitors. Where's the profit in that?

    On the subject of "Smart Business," I'm not going to comment any further. Either you see it or you don't. I see it, and I'm sure there are others that do too. Sometimes opportunity just knocks and runs.

    My sincere apologies to anyone I have offended!

    -000000000

  15. #15
    Member
    Join Date
    Mar 2002
    Posts
    442

    Default

    Hey guys, thanks for the debate and I take your points, but may I suggest that if you want to help, then post away with your hints and tips. And if you don't want to contribute, then that's fine too.

    For me, it's simple. I didn't like getting hacked (it was expensive and time consuming), and I want to (try to) take steps to reduce the chance of it happening again. I'm very happy if along the way I can help others by sharing the experience around. Getting hacked is not nice, and I wouldn't wish it on my worst enemy (well, maybe there are a couple of people :-) ), so 'my server is more secure than yours' is not something I'm bothered about competing on.

    I confess that on average I'm more of a taker than a giver in forums - I'm incredibly grateful for the help and support I've received over the years, and I like to give something back where I can.
    Last edited by spaceman; 09-15-2004 at 10:38 PM.
    • Web Design Perth .:. Itomic Business Website Solutions of Perth, Western Australia
