[CentOS] server is always getting hacked
John R Pierce
pierce at hogranch.com
Sat Jun 27 19:31:12 UTC 2009
Mag Gam wrote:
> We have a CentOS 5.3 install, and our server keeps getting hacked.
> We see load averages of 500+ and see people from all over the world
> logging into our server (used last).
>
>
what protocols are they logging on via? what accounts?
have you changed all the passwords and so forth, run a rootkit hunter
like rkhunter to check for common rootkits and other incursions, and so
forth?
> Is there a good place to start to avoid these kinds of things?
>
> For example, here is what I already did.
>
> Open up sshd port only
> setup iptables to only accept port 80 and 22
> No FTP
> No other ports are allowed according to IP Tables.
>
what sort of website is running on port 80? if it's hosting any common
PHP or other applications check for known exploits in those... almost
every major and minor PHP package, common Perl CGI, etc, has had
exploits... things like phpbb get new exploits every week and need
frequent updating.
at this point, if your system has been hacked this badly, I would take
it offline, clean install it with the minimum packages to support your
applications, fully patch it, and this time make sure you leave
SELinux fully enabled, and then reconfigure and redeploy your web
applications.
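
Added example, not part of the original message: one way to answer the "what protocols, what accounts" question above is to summarise sshd authentication lines of the kind CentOS writes to /var/log/secure. The log lines, host name, addresses and the `known_sources` allowlist below are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the sshd syslog format (addresses are documentation ranges).
SAMPLE_LOG = """\
Jun 27 03:12:45 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun 27 03:12:49 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun 27 03:12:53 web1 sshd[2213]: Accepted password for root from 203.0.113.7 port 51240 ssh2
Jun 27 04:01:10 web1 sshd[2290]: Failed password for invalid user test from 198.51.100.9 port 4022 ssh2
Jun 27 04:30:02 web1 sshd[2301]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
Jun 27 05:44:31 web1 sshd[2410]: Accepted password for www from 198.51.100.77 port 33012 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(log_text):
    """Return (accepted, failed): logins per (user, method) and source, failures per source."""
    accepted = defaultdict(Counter)  # (user, method) -> Counter of source IPs
    failed = Counter()               # source IP -> number of failed attempts
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an sshd authentication result line
        if m["result"] == "Accepted":
            accepted[(m["user"], m["method"])][m["ip"]] += 1
        else:
            failed[m["ip"]] += 1
    return accepted, failed

def suspicious_logins(log_text, known_sources=frozenset()):
    """Successful logins from sources outside the allowlist (hypothetical parameter),
    each with the count of failed attempts seen from the same source."""
    accepted, failed = summarize(log_text)
    rows = []
    for (user, method), ips in sorted(accepted.items()):
        for ip, count in sorted(ips.items()):
            if ip not in known_sources:
                rows.append((user, method, ip, count, failed[ip]))
    return rows

if __name__ == "__main__":
    for user, method, ip, n, fails in suspicious_logins(SAMPLE_LOG, {"192.0.2.10"}):
        print(f"{user:8} {method:10} {ip:15} logins={n} failures_from_source={fails}")
```

A password login that follows failures from the same source, as in the constructed root entry, is the pattern to look at first. On a host that is already compromised the logs themselves may have been altered, so treat the output as a starting point.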