The Community Forums


Security, ufff!!!

Discussion in 'Security' started by latpanel, Oct 22, 2004.

  1. latpanel

    latpanel Well-Known Member

    Joined:
    Jan 23, 2004
    Messages:
    134
    Likes Received:
    0
    Trophy Points:
    16
    My system has been hacked and destroyed. The whole system has been used as a warez repository and as a point from which to launch attacks on other machines. :eek:
    I was using cPanel/WHM and I had just run the latest security update (October 18th or 19th).

    I had rkhunter installed and all the cPanel monitoring and security apps, but it was not enough. The attack came through the web server ("nobody" appears as the owner of a lot of the processes and files).

    I've learned: security is never enough. :(

    Some of the exploits involved: hatorihanzo, mremap_pte, r0nin ...
    A real disaster. And the worst part: I can't figure out how they got into the server. All the logs disappeared (pointed to /dev/null) and most files were erased ...

    Next time I won't trust just cPanel; I'd do better installing other monitoring tools.

    Bye, I'm going to cry for a while, a long while.
     
  2. Sheldon

    Sheldon Well-Known Member

    Joined:
    Jun 7, 2004
    Messages:
    378
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    lol

    Pay someone to do your security if you don't know how.

    I suggest rack911.com .. ask for Steven :)

    I do general security and server maintenance for $39/month.

    But rack911 can give you a really good deal.
     
  3. mct

    mct Registered

    Joined:
    Oct 25, 2004
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Is your root login enabled? If yes, disable it first.
    Second, put your IP mask in the ssh config file.
     
  4. latpanel

    latpanel Well-Known Member

    Joined:
    Jan 23, 2004
    Messages:
    134
    Likes Received:
    0
    Trophy Points:
    16
    What do you mean by IP mask?
    My first steps are:
    Secure ssh (set IPlisten and disallow root access)
    Of course: no Telnet
    Disable gcc (cPanel can do it)
    Secure /tmp
    Protect php.ini
    Disallow exec and system calls in php.ini
    PHP in safe mode
    PHP open_basedir
    Compile Apache with suexec and phpexec
    Install and run rkhunter and chkrootkit
    PureFTP (I've read ProFTP has a security hole)

    Use RATS to check every Perl and PHP script to be installed on the system.

    And I know I need a good IDS (Intrusion Detection System) like Tripwire or better.

    My data center has a firewall, but I think it's a good idea to set up my own FW; it must be compatible with cPanel, so I'm waiting until cPanel is fully installed.

    Have I forgotten anything? I'm sure these aren't the only steps.

    Thanks
     
  5. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lewisville, Tx
    How about a firewall?
     
  6. latpanel

    latpanel Well-Known Member

    Joined:
    Jan 23, 2004
    Messages:
    134
    Likes Received:
    0
    Trophy Points:
    16
    Firewall, of course

    Of course.
    The data center has one, but two locks are better than one.
    I know that Bastille is a good program to build firewall rules (iptables).
    Is there a better program to do it?

    Thanks
     
  7. tsook

    tsook Well-Known Member

    Joined:
    Mar 21, 2003
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    -----------
     
  8. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lewisville, Tx
    We have always used APF and AD as secondary firewall/DoS protection. It seems to work quite well on the software side of things. We have seen a lot of help come from mod_security in just a very basic installation. Make sure nothing can be executed in your /tmp directories. Check for insecure apps such as CUPS and Samba. Look under your Apache directory for folders such as proxy or any other folders you don't recognize in the system. Better to run with fewer allowed applications than too many. Root should NEVER be allowed to log in directly; port 22 on SSH helps, protocol 2 for SSH, remove users such as gopher/admin/lcp, allow wheel for only one user and make it a unique user. There are hundreds of things we can do to protect servers, but if someone wants in badly enough, most likely they will get in.
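The two checklists above (latpanel's in post 4 and kris1351's here) overlap on the same handful of host settings: sshd root login, protocol and login restrictions, a /tmp that cannot execute, PHP's disable_functions and open_basedir, and leftover system accounts. The script below is an added example, not cPanel's code and not anything the posters or the tool vendors in this thread published. It turns those items into checks that read the file they are given, so they can be run against copies or fixtures; the default paths, including cPanel's traditional /usr/local/lib/php.ini, are assumptions.

```shell
#!/bin/sh
# Added example (not from cPanel, the posters or the tools named in the thread): an audit of the
# hardening items listed above. Each check prints its findings and returns 1, or returns 0 if clean.
# Default paths below are assumptions; pass a file argument to audit a copy instead of the live host.

# sshd uses the FIRST matching keyword in sshd_config; Match blocks are ignored by this simple reader.
sshd_value() {  # sshd_value <keyword> <file>
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$2"
}

check_sshd() {  # check_sshd [sshd_config]
    f="${1:-/etc/ssh/sshd_config}"; rc=0
    [ "$(sshd_value PermitRootLogin "$f")" = "no" ] ||
        { echo "sshd: PermitRootLogin is not 'no' ($f)"; rc=1; }
    # "Protocol 2" mattered for OpenSSH of this era, whose default was "2,1"; current releases only speak 2.
    [ "$(sshd_value Protocol "$f")" = "2" ] ||
        { echo "sshd: Protocol is not exactly 2 ($f)"; rc=1; }
    # The "IP mask" asked about in the thread: AllowUsers takes user@host patterns, so logins can be
    # limited to named accounts from named networks rather than to anyone who knows a password.
    [ -n "$(sshd_value AllowUsers "$f")" ] ||
        { echo "sshd: no AllowUsers restriction ($f)"; rc=1; }
    return $rc
}

# /tmp must be its own mount to carry noexec/nosuid/nodev. noexec stops "./dropper" but not
# "perl /tmp/dropper.pl", so it is a speed bump for the nobody-owned processes seen in post 1, not a wall.
check_tmp() {  # check_tmp [mounts-file]   (default: /proc/mounts)
    f="${1:-/proc/mounts}"; rc=0
    opts=$(awk '$2 == "/tmp" { print $4; exit }' "$f")
    [ -n "$opts" ] || { echo "tmp: /tmp is not a separate mount ($f)"; return 1; }
    for o in noexec nosuid nodev; do
        case ",$opts," in *,"$o",*) ;; *) echo "tmp: /tmp mounted without $o"; rc=1 ;; esac
    done
    return $rc
}

# php.ini: first uncommented "key = value" line wins; ';' starts a comment.
php_value() {  # php_value <key> <file>
    awk -F= -v k="$1" '$1 !~ /^[ \t]*;/ { key = $1; gsub(/[ \t]/, "", key)
        if (key == k) { sub(/^[ \t]+/, "", $2); print $2; exit } }' "$2"
}

check_php() {  # check_php [php.ini]
    f="${1:-/usr/local/lib/php.ini}"; rc=0
    dis=$(php_value disable_functions "$f" | tr -d ' ')
    # exec and system alone are not enough: the same shell is reachable through each of these.
    for fn in exec system passthru shell_exec popen proc_open; do
        case ",$dis," in *,"$fn",*) ;; *) echo "php: $fn missing from disable_functions ($f)"; rc=1 ;; esac
    done
    [ -n "$(php_value open_basedir "$f")" ] || { echo "php: open_basedir is unset ($f)"; rc=1; }
    # safe_mode is deliberately not checked: it was removed in PHP 5.4.
    return $rc
}

# Leftover accounts named in the thread. Names are what the post lists; extend for your distribution.
check_users() {  # check_users [passwd-file]
    f="${1:-/etc/passwd}"; rc=0
    for u in gopher admin lcp; do
        grep -q "^$u:" "$f" && { echo "users: $u still exists ($f)"; rc=1; }
    done
    return $rc
}

run_audit() {  # every check against the live host; returns 1 if anything was found
    total=0
    check_sshd  || total=1
    check_tmp   || total=1
    check_php   || total=1
    check_users || total=1
    return $total
}

# "sh audit.sh --live" audits the running host; sourcing the file exposes the check_* functions.
if [ "${1:-}" = "--live" ]; then run_audit; fi
```

Run it before and after the rebuild and diff the two outputs; anything that reappears later (an AllowUsers line dropped, /tmp remounted without noexec) is worth the same suspicion as a new file in /tmp. The checks are read-only on purpose: remediation on a cPanel box should go through WHM's own tools so an update does not silently undo it.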
     
  9. rfxn

    rfxn Active Member

    Joined:
    Apr 27, 2003
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    I would recommend (ya, don't say?) APF, BFD, ANTIDOS, LES, LSM, all combined and installed. These are not end-all solutions but go a long way toward hardening a system.

    http://www.r-fx.org/proj.php

    Likewise, I would additionally recommend you hire a QUALIFIED and CERTIFIED security firm such as R-fx Networks (my firm), DNI, or CheetaWeb. Not to condescend to the likes of rack911, but many have had an ill experience with such organizations.
     
    #9 rfxn, Oct 25, 2004
    Last edited: Oct 25, 2004
  10. latpanel

    latpanel Well-Known Member

    Joined:
    Jan 23, 2004
    Messages:
    134
    Likes Received:
    0
    Trophy Points:
    16
    drop ping traceroute

    I know that these rules

    iptables -A INPUT -s 0/0 -d myip -p icmp --icmp-type echo-request -j DROP
    iptables -A INPUT -s 0/0 -d myip -p udp --dport 33435:33525 -j DROP

    make the host not answer ping and tracert. It doesn't appear; ping acts as if our IP doesn't exist.

    Is it a good idea to do so? I've heard that sometimes this config can cause conflicts (don't ask me why; I've heard so, and so I write it). I think hiding our host is good. :)

    Thanks
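The two rules in the post above only drop ICMP echo-request and the UDP ports Unix traceroute probes; they do not touch the ICMP types a server needs (fragmentation-needed for path-MTU discovery, time-exceeded), so they are not the source of the "conflicts" people report. Those stories usually come from a blanket `-p icmp -j DROP`. The script below is an added example, not from the post, that keeps the needed types explicitly, offers rate-limiting as an alternative to silence, and can be previewed with `IPT=echo` before it touches a live chain. The address 203.0.113.10 is a documentation placeholder. Note that DROP hides the box from ping and from Windows tracert (which uses ICMP echo) and makes Unix traceroute end in `* * *`, but a port scan still finds 80 and 443, so the hiding is cosmetic.

```shell
#!/bin/sh
# Added example, not from the post above: its ping/traceroute rules wrapped for previewing and with
# the ICMP the host depends on kept explicitly. 203.0.113.10 is a placeholder.
#   IPT=echo sh icmp-rules.sh 203.0.113.10 drop    prints the rules instead of applying them
#   sh icmp-rules.sh 203.0.113.10 limit            as root: answer a trickle of pings, drop the rest

icmp_rules() {  # icmp_rules <server-ip> <drop|limit>
    ip="$1"; mode="${2:-drop}"; ipt="${IPT:-iptables}"

    # Keep the ICMP the host itself relies on, so a later "-p icmp -j DROP" cannot break
    # path-MTU discovery (type 3 code 4) or the TTL-expiry replies traceroute depends on.
    "$ipt" -A INPUT -d "$ip" -p icmp --icmp-type fragmentation-needed -j ACCEPT
    "$ipt" -A INPUT -d "$ip" -p icmp --icmp-type time-exceeded -j ACCEPT

    case "$mode" in
        limit)  # answer at most one ping per second (burst 4), drop the flood: monitoring still works
            "$ipt" -A INPUT -d "$ip" -p icmp --icmp-type echo-request \
                -m limit --limit 1/s --limit-burst 4 -j ACCEPT
            "$ipt" -A INPUT -d "$ip" -p icmp --icmp-type echo-request -j DROP ;;
        *)      # the post's rule: no echo-reply at all, so ping times out as if the address were unused
            "$ipt" -A INPUT -d "$ip" -p icmp --icmp-type echo-request -j DROP ;;
    esac

    # Unix traceroute sends UDP probes starting at port 33434 and walking upwards, one port per probe.
    # DROP rather than REJECT is what makes the final hop print as "* * *".
    "$ipt" -A INPUT -d "$ip" -p udp --dport 33434:33534 -j DROP
}

if [ $# -gt 0 ]; then icmp_rules "$1" "${2:-drop}"; fi
```

The rules append to INPUT, so run them after whatever APF or Bastille already loaded, or put them in the firewall's own post-rules hook; otherwise the next rule regeneration flushes them.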
     
  11. latpanel

    latpanel Well-Known Member

    Joined:
    Jan 23, 2004
    Messages:
    134
    Likes Received:
    0
    Trophy Points:
    16
    LES and Update system

    LES (Linux Environment Security, http://www.rfxnetworks.com/les.php ) protects system files against modification, so not even root can modify these files.
    My question is: does it let cPanel update system programs?

    Thanks
     