Top tips for stopping hackers - contribs please

Status
Not open for further replies.

spaceman

Well-Known Member
Mar 25, 2002
513
6
318
Hi All,

My company has 3 US-hosted linux dedicated servers. To our knowledge we haven't been seriously hacked in 4 years, until a few weeks ago. Within the last few weeks, 2 of the 3 have been hacked, requiring fresh installs of the OS + WHM/cPanel. Each hack has cost us approx $1,000+ in terms of data centre support plus our hours here to re-install and re-configure non-standard software (payment processing software etc.) to get the servers back to the way they were.

I've searched around these forums for hints and tips about how to make our servers more secure. This information seems to exist in small amounts in posts here and there, often as suggestions in response to others who have been hacked.

I'd like to offer this thread up to anyone who would like to offer hints and tips about how to beef up linux web server security. With each piece of advice please try to give a brief how-to and/or link to a website resource that describes what to do more fully.

Here's a starter:

1. Limit SSH root access to a fixed list of IP addresses
2. Ensure WHM/cPanel and other server software are fully updated with latest patches.
3. Auto-email a report for all root access logins
4. Disallow telnet access
5. Change cPanel/FTP passwords regularly
6. Install 'bruteforce detection' script: auto-blocks repeated frequent attempts to login. eg. http://www.rfxnetworks.com/bfd.php (there's a 'how-to' install here: http://www.webhostgear.com/60.html)
7. Firewall the server eg. http://www.rfxnetworks.com/apf.php
8. Turn off non-essential/unnecessary services (does anyone know of a list of what these might be?)

Firewalls
APF
- http://www.rfxnetworks.com/apf.php

Intrusion Detection Software

AIDE (Advanced Intrusion Detection Software)
- http://sourceforge.net/projects/aide
Tripwire (...is a tool that checks to see what has changed on your system)
- http://sourceforge.net/projects/tripwire/ (open source version)
- http://www.tripwire.com/products/ (commercial version)

Other Related cPanel Threads
- http://forums.cpanel.net/showthread.php?t=30159

General Website Resources on Security

- http://www.webhostgear.com/cid_6.html (some great 'securing servers' tutorials here)
- www.linuxsecurity.com
- http://www.webhostingtalk.com/showthread.php?s=&threadid=307474 (how-to secure cPanel)
- http://forums.servermatrix.com/viewtopic.php?t=2198&start=0 Improving System Security on cPanel Systems (Servermatrix forum)

Books on Security

- Linux Server Hacks by Rob Flickenger (just found this on Amazon, seems well recommended)
- Any other recommendations here?

* Please note that we are not linux security experts and are not trying to be! We're just trying to share some hints and tips and resources with others who need to 'up' their linux security without necessarily having the budget to employ experts. *
 

dandanfireman

Well-Known Member
PartnerNOC
May 31, 2002
117
0
316
1. Ensure that the kernel is up to date.
2. Turn off access to compilers and scripts like wget.
3. Make /tmp and /var/tmp noexec.
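
An added example (not part of the original posts, and not cPanel's own tooling): a small shell audit for three of the tips above, namely SSH root access pinned to fixed addresses, `noexec` on /tmp and /var/tmp, and compilers not executable by ordinary users. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audits three tips from the thread against files passed as arguments.

# SSH root exposure from an sshd_config: disabled | restricted | open.
# Limitation: only literal "root", "*" and root@host AllowUsers patterns are understood.
root_ssh_exposure() {  # $1 = sshd_config path
    awk '
        tolower($1) == "permitrootlogin" && !seen { seen = 1; prl = tolower($2) }  # first value wins
        tolower($1) == "allowusers" {
            have_allow = 1
            for (i = 2; i <= NF; i++) {
                if ($i == "root" || $i == "*" || $i == "root@*") bare = 1
                else if ($i ~ /^root@/) pinned = 1
            }
        }
        END {
            # An AllowUsers list that never names root denies root as well.
            if (prl == "no" || (have_allow && !bare && !pinned)) print "disabled"
            else if (pinned && !bare) print "restricted"
            else print "open"
        }' "$1"
}

# Mount options for one mount point in a /proc/mounts-style table: noexec | exec | not-mounted.
# "not-mounted" means the directory inherits the options of its parent filesystem.
mount_is_noexec() {  # $1 = mount table, $2 = mount point
    awk -v mp="$2" '$2 == mp { opts = $4; found = 1 }   # a later mount overrides an earlier one
        END {
            if (!found) { print "not-mounted"; exit }
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "noexec") { print "noexec"; exit }
            print "exec"
        }' "$1"
}

# Can "other" users execute this binary (a compiler, wget, ...)? yes | no | absent.
world_can_exec() {  # $1 = path
    [ -e "$1" ] || { echo absent; return; }
    case "$(ls -ldL "$1" | cut -c10)" in   # 10th character is the others-execute bit
        x|t) echo yes ;;
        *)   echo no ;;
    esac
}

# Constructed sample inputs (not taken from any real server).
SAMPLES=$(mktemp -d)
printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' \
    'AllowUsers deploy root@192.0.2.10 root@192.0.2.11' > "$SAMPLES/sshd_config"
printf '%s\n' '/dev/sda1 / ext3 rw 0 0' '/dev/sda5 /tmp ext3 rw,nosuid,noexec 0 0' \
    '/dev/sda6 /var/tmp ext3 rw,nosuid 0 0' > "$SAMPLES/mounts"
echo "root ssh: $(root_ssh_exposure "$SAMPLES/sshd_config")"
echo "/tmp: $(mount_is_noexec "$SAMPLES/mounts" /tmp)"
echo "/var/tmp: $(mount_is_noexec "$SAMPLES/mounts" /var/tmp)"
```

On a live server the same functions can be pointed at `/etc/ssh/sshd_config`, `/proc/mounts` and the compiler path (for example `/usr/bin/gcc`).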
 

haze

Well-Known Member
Dec 21, 2001
1,547
3
318
I'd put this at or near the top of the "todo" list:

Install AIDE or Tripwire
 

drmike

Active Member
Jul 8, 2004
31
0
156
Charlotte, NC
Folks, it's one thing to make a list of things to do to protect yourself. It's a much better thing to actually make a list people can use with links and the rest.

(humour)It's sort of like Bush with chasing bad guys. It's one thing to say he's doing something. It's another thing to actually see something happening. :) (/humour)

thanks,
-drmike
 

webits

Well-Known Member
May 15, 2004
114
0
166
I dig Free Advice

It's nice when people actually are so kind to give some free advice to secure our servers. I really appreciate the effort. Spiderman
 

haze

drmike said:
> Folks, it's one thing to make a list of things to do to protect yourself. It's a much better thing to actually make a list people can use with links and the rest.
>
> ....
>
> thanks,
> -drmike

It's called research, one of the most important jobs of a system admin. If you can't figure out how to find or install any of the above, perhaps you're in the wrong industry? ;)

We could sit here all day detailing this that and the other thing, but most of us have paying jobs. Do the research, or hire someone who can.
 

spaceman

How about this: if you have a suggestion to make, eg. "Turn off access to compilers and scripts like wget." then please can you add value to this suggestion by either
a) Adding a bit more of a description about how to actually achieve this and/or
b) providing a link to an online how-to article, tutorial, forum posting or whatever that describes it in more detail.

I will then be happy to edit my original post with this info so that all the advice is consolidated at the top rather than splattered across multiple posts.

Deal? :)

So if you spot a broken link, or advice that could be improved, or a new tutorial/link that could be added, please post away.
 

drmike

haze said:
> It's called research, one of the most important jobs of a system admin. If you can't figure out how to find or install any of the above, perhaps you're in the wrong industry? ;)

Agreed, most hosters are in the wrong business. :)

I used to volunteer on the phpnuke site and listen all day long to users complain about poor hosting but, if you pointed out that their hoster was the issue, they always went to bat for them saying that they were the best in the world. Made me sick.

-drmike
 

dgbaker

Well-Known Member
PartnerNOC
Sep 20, 2002
2,548
9
343
Toronto, Ontario Canada
cPanel Access Level
DataCenter Provider
spaceman said:
> How about this: if you have a suggestion to make, eg. "Turn off access to compilers and scripts like wget." then please can you add value to this suggestion by either
> a) Adding a bit more of a description about how to actually achieve this and/or
> b) providing a link to an online how-to article, tutorial, forum posting or whatever that describes it in more detail.
>
> I will then be happy to edit my original post with this info so that all the advice is consolidated at the top rather than splattered across multiple posts.
>
> Deal? :)
>
> So if you spot a broken link, or advice that could be improved, or a new tutorial/link that could be added, please post away.

There are a few issues with doing this.

1. Why should anyone give away their secrets on how they do security?
2. Posting such info in public forums is also giving the hackers extra info on how the server is secured.
3. As I've stated on the forum before, we are all in this industry to make money, end of story. So why would I want to help my competition with things like this? If they have issues all the better for everyone else who may get their business.
4. Handing people tutorials on every little thing is not the answer, each must learn to fish instead of asking for the fish to be given. ;)
5. Just because you can follow a tutorial does not mean you are any safer. Tutorials are and should be used as guidelines only and baselines, each system still needs to be looked at and handled individually to ensure proper/better security.

I know that sounds harsh and self-centered etc... but hey! business is business and in this industry one must do whatever they can to maintain an edge (no matter how small) on its competition.
 

000000000

Member
Sep 5, 2004
18
1
153
Wow!!

WOW... you're a born know-it-all. And since that's the case, I'm wondering why you even waste your time in a "support forum". Nevertheless, I'll reply...


>1. Why should anyone give away their secrets on how they do security?

Why not? Unlike you, everyone else learns these "sacred secrets" from someone.


>2. Posting such info in public forums is also giving the hackers extra info on how the server is secured.

FUD, FUD, FUD... Posting such info in public forums helps other people, while lending credibility to the poster as well as the hosting industry as a whole. Hackers (sic) already know how your server is secured.


>3. As I've stated on the forum before, we are all in this industry to make money, end of story. So why would I want to help my competition with things like this? If they have issues all the better for everyone else who may get their business.

You reap what you sow. Someday you might not know it all any more (things sometimes do change that fast), and maybe the competition will eat you up instead of helping you, too.

Actually, if you were not so closed-minded you would have realized the financial benefit of sharing such knowledge. Not only would it give you priceless credibility... not everyone (especially newbies) are up to the task of doing it themselves... you could have been making even more $$$ doing it for them.

But don't sweat it, someone else will rise to the challenge... End of story


>4. Handing people tutorials on every little thing is not the answer, each must learn to fish instead of asking for the fish to be given.

That's got to be a thinking error, if I ever heard one. This is the internet (the biggest fishing hole on the planet). Forums are like small fishing spots in that big hole. They help people find information that they might not ever find elsewhere. That is the spirit of the whole thing.

Tutorials, when they can be found, may not be the answer, but they are a great starting point to learning the question. They are nothing more than helpful guidelines, to steer people in the right direction (not yours)... even more so since every system needs to be handled individually.


>5. Just because you can follow a tutorial does not mean you are any safer. Tutorials are and should be used as guidelines only and baselines, each system still needs to be looked at and handled individually to ensure proper/better security.

Read the reply to 4.


>I know that sounds harsh and self-centered etc... but hey! business is business and in this industry one must do whatever they can to maintain an edge (no matter how small) on its competition.

It sounds harsh, self-centered etc... because it is! True, business is business... but smart business is smart business... and fools never seem to grasp this. Apparently the only edge you have on your competition is that you still have a few dollars to play a couple of more rounds. That's why you'll always be #2, and someone else #1.


-000000000
 

dgbaker

For people that know me and have been around these forums for a while, they know I have always gone out of my way to help others. I even help other hosting companies with server admin work as well.

As to the share and share alike notion? How was it put "smart business"? Smart businesses do not tell their competition how to gain an edge over them. Whether that be an IBM, Royal Bank, EV1, etc... none will tell their secrets to their competitors.

I must also agree with sawbuck, for your first post you left a very bad impression. You treat your clients like that as well?

And drmike.... - As to posting my other statement on my forum? Not a problem. ;)
 

000000000

Agreed

Sawbuck... I agree, it was an ugly rude post, and (sawbuck and dgbaker), I wish that it hadn't been my first, but I really felt compelled to reply to it.

Both spaceman and drmike made a good suggestion that would make the thread a lot more useful for members and visitors of this forum (especially newbies). They did not ask for selfish, self-serving comments that benefit no one in this forum. The post needed to be replied to. If someone wants to blacklist me for it - so be it.

Sometimes it is more productive to keep your comments to yourself, rather than run around a forum slapping everyone in the face. Sometimes a slap needs a slap back, and sometimes harsh needs harsh back.

On a more level headed note... no one will lose anything to their competition by sharing techniques to secure internet servers. Security is an issue that affects the whole hosting industry, whether you are experienced or not. It is us against the Crackers... but if we are always divided against our own on such a simple issue, we will never gain an advantage.

The first time some jerk hacks a server hosting some of our best potential customers, many of those customers will realize that it is cheaper in the long run to just "secure" their own dedicated server than throw it away on over-priced, unsafe hosting. Then you have new competitors. Where's the profit in that?

On the subject of "Smart Business," I'm not going to comment any further. Either you see it or you don't. I see it, and I'm sure there are others that do too. Sometimes opportunity just knocks and runs.

My sincere apologies to anyone I have offended!

-000000000
 

spaceman

Hey guys, thanks for the debate and I take your points, but may I suggest that if you want to help, then post away with your hints and tips. And if you don't want to contribute, then that's fine too.

For me, it's simple. I didn't like getting hacked (it was expensive and time consuming), and I want to (try to) take steps to reduce the chance of it happening again. I'm very happy if along the way I can help others by sharing the experience around. Getting hacked is not nice, and I wouldn't wish it on my worst enemy (well, maybe there are a couple of people :) ), so 'my server is more secure than yours' is not something I'm bothered about competing on.

I confess that on average I'm more of a taker than a giver in forums - I'm incredibly grateful for the help and support I've received over the years, and I like to give something back where I can.
 

dschott

Member
May 18, 2004
14
0
151
best idea ever, if you dunno how to do it, hire a security consultant to do it for you.

why?

'cause you just wasted 3000 dollars on repairs. my advice? next time spend that 3000 dollars to get a rock solid network (btw the guy on your aim list who failed his rhse exam is NOT a security consultant, neither is the script kiddie next door) go to google and find yourself a respectable security consulting agency and end the annoyance
 

spaceman

1. Perhaps there are reputable web hosting companies out there who are security experts, and for a premium (which we'd expect to pay) will take care of all these security concerns for us as part of the package? If so, make yourself known to us!

2. Does anyone have any recommendations for security experts or companies who DO offer this sort of service for existing dedicated web servers? I mean, sure, I can and have gone to Google and every man and his dog claims to be a security expert. So how about some solid referrals from someone who is employing such services and is happy to recommend them?
 

Mike Peel

Active Member
May 1, 2004
26
0
151
Wow - I came into this thread as I'm fairly new to having my own server, and was curious about how to secure it properly. Sadly, a seemingly useful thread quickly turned into a bitching argument between members...

I'll point out that there's generally two approaches to software design / management / security - open source, and closed source. I'll use two examples: Linux for OpenSource, Windows for closed. Do I really need to point out which is most secure?

If people don't share information about potential problems with security setups, and the best ways to sort out these problems, then hackers have their own playground full of people's unprotected servers. If, however, people do share...
 

ramprage

Well-Known Member
Jul 21, 2002
651
0
166
Canada

SarcNBit

Well-Known Member
Oct 14, 2003
1,007
3
168
I have to agree with 0000000 here. This is a support forum, and there is nothing wrong (except in the instance I mention below) with someone coming by and requesting detailed tips on how to secure their server.

If you have developed some proprietary technique that you do not wish to share, then by all means feel free not to share it. The act of not sharing however is going to add little value to this forum which so many people (myself included) value.

My only problem with this thread is that it is redundant. There has to be at least 2 or 3 other threads that attack this same issue (which lends credibility to some of haze's remarks). If the original poster had something to add, they should have posted to one of the existing threads.

dgb I am surprised to see you make comments like that. It seems out of character for someone who maintains an open support forum and has been very helpful in these forums. I am going to chalk it up to lack of coffee/sleep/etc :) :p

Most of the people here are competitors, but do not forget that they are also colleagues and I think for the most part everyone has done a commendable job of respecting each others business interests. I have learned a tremendous amount about cPanel from this and other forums and would be much worse for wear if no such resources existed.
 