I want to express my thanks and appreciation to everyone who contributed to enriching the discussion of this thread, "Exploited Servers".

dreamwiz said:
> Would you mind explaining how removing APF and BFD would increase security? IMHO they are a valuable part of securing a server.
The most common means of protecting a network is using a firewall. The biggest problem with firewalls is that people think they're more than they actually are. A firewall's major strength is protecting against traffic-based attacks (DoS or DDoS). If you let people into your network from the outside, the firewall has no way of differentiating between a legitimate user and a hacker. A firewall is not a substitute for strong OS and application security.
If you're going to use a firewall package on a Linux or FreeBSD server, or any other system, keep in mind that the firewall is an application. As such, a system-based firewall such as APF or BFD won't offer much security if the underlying OS isn't hardened.
While it's unfortunate that society has produced the types of losers that make such measures necessary, there are steps you can take to protect your data. It's just that security has become an ever-growing aspect of network administration, and this growth shows no signs of abating. Vigilance is as important a quality as technical expertise. Unless you have a very good background in system administration, following step-by-step instructions given on these forums or in a tutorial does not mean you are any safer. Tutorials are, and should be used as, guidelines and baselines only; every server needs to be looked at and handled individually to ensure the maximum security possible.
Security is not a "set it and forget it" proposition. Because there are no absolutes, constant monitoring is essential. New attacks are being developed every day and if you're simply going to respond once an attack is discovered it's likely too late. Hackers will use DoS/DDoS attacks, log alterations (provided they can gain access), and other means to disguise other, more intrusive, exploits. In many cases simply waiting for obvious evidence that you've been hacked means you'll never know you've been hacked. The hackers will sneak in, grab what they want, and sneak back out again covering their tracks as they go.
In short, any security plan that is reactive rather than proactive is pretty lame. In addition to the security measures mentioned above, there are several things you can do to be more proactive in ensuring security:
- Monitor log files - By routinely monitoring system and application log files you get to know what's "normal" which makes it easier to spot things that just don't look right.
- Make sure your DC uses a very good hardware-based firewall system with their servers.
- Harden, properly configure, and optimize your server and network.
- Install a system-based firewall, including Mod Security, Mod Evasive, and Tripwire.
- If you can afford it, get a "standby server". Just in case your server gets compromised, or there is a hardware failure, the standby server will take over a lot quicker than trying to figure out what happened to the production server.
To read about security holes recently discovered in the Linux kernel, go to: http://www.silicon.com/hardware/servers/0,39024647,39118519,00.htm
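As an added illustration of the "monitor log files" and BFD points above (this is my own example, not code from APF/BFD or from the thread), here is a small detector that reads sshd "Failed password" lines from a constructed auth-log sample and flags source addresses that exceed a failure threshold inside a sliding time window. The line format, addresses and thresholds are assumed sample values; the second call shows that a "low and slow" source only shows up once the window is widened.

```python
"""Toy brute-force detector over sshd auth-log lines (constructed sample)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in syslog format; not taken from any real server.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 4401 ssh2
Mar  1 10:00:03 host sshd[2002]: Failed password for root from 198.51.100.7 port 4402 ssh2
Mar  1 10:00:04 host sshd[2003]: Accepted publickey for deploy from 192.0.2.10 port 5100 ssh2
Mar  1 10:00:05 host sshd[2004]: Failed password for root from 198.51.100.7 port 4403 ssh2
Mar  1 10:00:07 host sshd[2005]: Failed password for invalid user test from 198.51.100.7 port 4404 ssh2
Mar  1 10:00:09 host sshd[2006]: Failed password for root from 198.51.100.7 port 4405 ssh2
Mar  1 10:02:00 host sshd[2007]: Failed password for bob from 192.0.2.10 port 5101 ssh2
Mar  1 11:30:00 host sshd[2008]: Failed password for root from 203.0.113.5 port 6000 ssh2
Mar  1 11:31:00 host sshd[2009]: Failed password for root from 203.0.113.5 port 6001 ssh2
Mar  1 11:32:00 host sshd[2010]: Failed password for root from 203.0.113.5 port 6002 ssh2
Mar  1 11:33:00 host sshd[2011]: Failed password for root from 203.0.113.5 port 6003 ssh2
Mar  1 11:34:00 host sshd[2012]: Failed password for root from 203.0.113.5 port 6004 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_ts(ts, year=2024):
    # syslog timestamps carry no year, so one is assumed for the sample.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_brute_force(log_text, threshold=5, window_seconds=60):
    """Return {ip: total_failures} for sources that reach `threshold`
    failed logins inside any sliding window of `window_seconds`."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            times[m["ip"]].append(parse_ts(m["ts"]))
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            # Advance the window start until it is within window_seconds of t.
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged
```

With the defaults only the fast source is reported; widening the window to 300 seconds also catches the one spacing its attempts a minute apart, which is the tuning trade-off a tool like BFD forces you to think about.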