
Compromised Server? Things to Look For

Discussion in 'General Discussion' started by justhost, Apr 6, 2004.

  1. justhost (Well-Known Member, Halifax, Nova Scotia)

    Hello

    I was thinking of a discussion, with input from some of the gurus in here, regarding what the less skilled people like myself should be looking for on their WHM CPU Process or Apache Status outputs which would be suspect. Anything to help people out. Things like typical processes which shouldn't be running. Things that flag that there might be unauthorized access?

    If people think this is a good idea please post here. I know I would appreciate it.

    Thanks.
     
  2. chirpy (Well-Known Member, Location: Go on, have a guess)

    Really, one should be looking deeper than simply at anything that WHM can provide. You're unlikely to see any suspect processes (they're typically hidden) and most intrusions would not be noticeable except in hindsight with Apache.

    Here are some ideas:

    1. Install chkrootkit http://www.chkrootkit.org and run it at least twice a day

    2. If you cannot have a hardware firewall, install an iptables one and configure both incoming and outgoing connections

    3. Add something like psad http://www.cipherdyne.com/psad/ which will read those firewall logs and alert you to trouble when it is happening

    4. Install an IDS, e.g. Tripwire http://www.tripwire.org/, and make sure that you take the time to configure it correctly for your server. Run a check at least once a day, read and understand the reports, and make sure nothing has changed that either you'd expect or that you changed yourself.

    5. Use SSH keys instead of passwords

    6. Those passwords that you do use on the server, even for FTP or POP3 accounts, change them regularly (at least once a month) and ensure that they are "secure": at least 8 characters long, upper and lower case letters, numbers and non-alphanumerics

    7. If you ever give out any passwords, for whatever reason and to whomever (including your NOC), always change them immediately after they have left your server.

    8. Make backups of your server daily and store at least one of these off server securely using something like rsync over SSH (not FTP)

    9. Don't give SSH access to customers

    10. Keep your OS and apps up to date and ensure that any released updates are installed ASAP.

    11. Get yourself signed up to at least the BugTraq and VulnWatch mailing lists so you know what is happening, why and when. This way you can react more quickly, installing security updates or even disabling services (e.g. the recent cPanel issue with the password changing script: if you were watching BugTraq you could have disabled that service immediately after the announcement was made. You might get lucky and get to your server before a hacker does).

    12. Expect to be compromised. You will be at some point, so prepare for it.

    Remember that security is about layers. No one thing will stop a compromise. For example, disabling SSH will not prevent a hacker running binaries on your server; they could use a CGI script or a PHP script. But it does slow them down, and they may give up and go to an easier server to crack.

    If you ever are compromised, don't imagine for one minute that you've "cleaned" your server. You most probably have not. After investigating the compromise, have the system disk with the OS on it wiped clean and then restore from backups, then change all passwords and ensure whatever hole was compromised before is filled. Real cleaning of a server requires the system to be unplugged and the disks to be shipped to an expert facility to be trawled; this can cost $1000s, whereas a system restore by your NOC might cost you as little as $50-$100.

    A good read about Recovering from a Root Compromise can be found here:
    http://www.cert.org/tech_tips/root_compromise.html

    This is not an exhaustive list by any means, but it should start you thinking about what you are not doing and what you should start doing.
     
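As an added illustration of item 4 in the list above (a file-integrity IDS you baseline once, then check daily and read the report), here is a small POSIX shell script, not from the thread or from Tripwire, that records a SHA-256 baseline of the watched directories and reports anything added, removed or changed. The directory list, baseline path and `fim_*` function names are assumptions; it relies on GNU `find`/`sort`/`xargs`/`sha256sum` and does not handle paths containing whitespace.

```shell
#!/bin/sh
# Minimal file-integrity check in the spirit of item 4 (Tripwire) above.
# Added example, not from the thread; WATCH_DIRS, BASELINE and the fim_*
# names are assumptions. Paths with whitespace are not handled (sha256sum
# prints two whitespace-separated columns, which awk splits on).
WATCH_DIRS="${WATCH_DIRS:-/bin /sbin /usr/bin /usr/sbin /etc}"
BASELINE="${BASELINE:-/var/lib/fimcheck/baseline.sha256}"

# Print "hash  path" for every regular file under the given directories,
# sorted by path so that two snapshots line up for comparison.
fim_snapshot() {
    find "$@" -type f -print0 2>/dev/null | sort -z | xargs -0 -r sha256sum
}

# Take (or retake) the baseline. Copy it off-server as well: a baseline
# kept only on the box it protects can be rewritten by whoever breaks in.
fim_baseline() {
    mkdir -p "$(dirname "$BASELINE")"
    fim_snapshot $WATCH_DIRS > "$BASELINE"   # unquoted: space-separated list
    chmod 600 "$BASELINE"
}

# Compare a fresh snapshot with the baseline. Returns 0 and prints nothing
# when clean; returns 1 and prints "ADDED|CHANGED|REMOVED <path>" lines otherwise.
fim_check() {
    [ -r "$BASELINE" ] || { echo "no baseline at $BASELINE" >&2; return 2; }
    current=$(mktemp) || return 2
    fim_snapshot $WATCH_DIRS > "$current"
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: baseline
        {                                             # second file: current
            if (!($2 in base))       print "ADDED   " $2
            else if (base[$2] != $1) print "CHANGED " $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$BASELINE" "$current")
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage: fimcheck.sh baseline | check   (run "check" daily from cron and mail it)
case "${1:-}" in
    baseline) fim_baseline ;;
    check)    fim_check ;;
esac
```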
  3. justhost (Well-Known Member, Halifax, Nova Scotia)

    Wow chirpy, this is awesome.

    Thank you.
     