Rob Townley wrote:
On Mon, Jun 29, 2009 at 9:00 AM, Sander Snel <zander.snel@gmail.com> wrote:
On 06/27/2009 09:21 PM, Mag Gam wrote:
sane and simple security management for linux systems:
- only open ports in iptables which are being used, if possible with source address or source network.
2. use hosts.allow/deny rules for services if applicable, this adds another layer of security.
3. check logs often, use a central loghost
4. SSH: no root login, only dedicated users, only dedicated source addresses, only key based access or kerberized access, no standard port
PortKnocking so the open port changes continuously.
and / or
tinc-vpn / hamachi so the port is only open to another member of your tinc network. Since there are hundreds of thousands or millions of infected web servers out there serving up malicious drive-by javascript, use noscript on any machine connected to a server.
Reemphasize watching cms (joomla and the like) plugins.
- enable SELinux
- use some kind of intrusion detection, like aide (standard in centos) or snort
8. use fail2ban to deny IP addresses with several failed login attempts within a short period of time
9. clear your shell's history on logout
10. use sudo instead of su -
11. check bastille.org for hardening
12. check center for internet security for benchmarks, they provide very detailed information for hardening servers ( csisecurity.org )
13. use chattr -i for several key configuration files, so they cannot be changed or deleted
this should get you started, good luck
Sander
We have a CentOS 5.3 install, and our server keeps getting hacked. We see load averages of 500+ and see people from all over the world logging into our server (using last).
Is there a good place to start to avoid these kinds of things?
For example, here is what I already did.
Open up sshd port only
setup iptables to only accept port 80 and 22
No FTP
No other ports are allowed according to IP Tables.
I am not sure what other measures I can take. Can someone please assist?
TIA
Lots of good advice here, but if your machine has been exploited you should really back up your data and reload the machine. Then carefully restore your data, checking to make sure any scripts you are restoring are secure.
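As an added illustration of Sander's items 3 and 8 (check the logs, deny addresses with several failed logins in a short period), not code from anyone in this thread: a small Python scan over constructed sshd log lines in /var/log/secure format, applying the same maxretry/findtime idea that fail2ban's jail settings express. The hostname, addresses, timestamps and the year are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in /var/log/secure (syslog) format; not taken from the thread.
SAMPLE_LOG = """\
Jun 29 09:00:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 4021 ssh2
Jun 29 09:00:03 host sshd[2103]: Failed password for root from 203.0.113.7 port 4022 ssh2
Jun 29 09:00:04 host sshd[2105]: Failed password for root from 203.0.113.7 port 4023 ssh2
Jun 29 09:00:05 host sshd[2107]: Accepted publickey for deploy from 198.51.100.5 port 51000 ssh2
Jun 29 09:00:06 host sshd[2109]: Failed password for root from 203.0.113.7 port 4024 ssh2
Jun 29 09:00:07 host sshd[2111]: Failed password for root from 203.0.113.7 port 4025 ssh2
Jun 29 09:01:00 host sshd[2113]: Failed password for invalid user test from 198.51.100.9 port 6000 ssh2
Jun 29 09:20:00 host sshd[2115]: Failed password for invalid user test from 198.51.100.9 port 6001 ssh2
"""

# Matches sshd "Failed password" lines; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse_failures(log_text, year=2009):
    """Return (timestamp, ip) for each failed-password line; syslog omits the year, so it is assumed."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events

def ips_to_ban(events, maxretry=5, findtime=timedelta(minutes=10)):
    """Sliding window per IP: flag it once it reaches maxretry failures within findtime."""
    window = defaultdict(list)
    banned = set()
    for ts, ip in sorted(events):
        hits = window[ip]
        hits.append(ts)
        # Drop failures that fell out of the window before counting.
        while hits and ts - hits[0] > findtime:
            hits.pop(0)
        if len(hits) >= maxretry:
            banned.add(ip)
    return banned

if __name__ == "__main__":
    print(sorted(ips_to_ban(parse_failures(SAMPLE_LOG))))
```

Here only 203.0.113.7 is flagged: 198.51.100.9 also fails twice, but nineteen minutes apart, which a ten-minute window does not count as a burst.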