[CentOS] Help: Server security compromised?

Sun Aug 10 20:43:59 UTC 2008
Noob Centos Admin <centos.admin at gmail.com>

On Thu, Aug 7, 2008 at 11:53 PM, Ray Leventhal <centos at swhi.net> wrote:

> My US$0.02 on this.....I'm a fan of apf as a front-end to iptables...but it
> takes some reading to understand the switches and the entire RAB (reactive
> address blocking) configuration options.  Sadly, RAB is poorly documented,
> but with a bit of tinkering, I've enjoyed this feature tremendously as it
> cuts down on the hammering I used to get to port 22 by the bots and script
> kiddies.

Sad to say my usual tasks keep me sufficiently occupied that I hardly have
the time to study what APF actually does. It came with ELS (Easy Linux
Security) scripts with directadmin, sounds like A Good Idea (tm) so I just
installed it. Personally I'm aghast at the manner in which I'm running the
server but practically there is only that much time I can devote to being
the server admin.

If you've a static IP at your workstation, add your IP address to the apf
> nicely formed 'allow_hosts.rules' file, usually located in /etc/apf.  This
> is a simple IP address or IP block list (using slash notation, i.e.
> to allow access to an IP or range of IPs.  Further, the
> deny_hosts.rules list is the same format for hosts to always deny.

I had considered this allowed only x.x.x.x ip strategy very early on since
it appeared to be an obvious way to head off attacks/probes from external
parties. Unfortunately, like most folks, I'm on dynamic IP. My primary role
also requires me to run around very often, necessitating urgent
administration from a variety of potential sub-networks from whichever ISP
happens to be providing access at the location. So I figured it would be
quite impractical to attempt to limit access to only certain IP addresses.

Although thinking about it now, extending the concept from a previous
suggestion, I suppose it is theoretically possible to write a privileged
script accessible from one of the server hosted domains to activate an
allow-host rule addition to the firewall and a cronjob that routinely
activates another script to removed added hosts after 1 hour or something.
So anytime access is needed, I would hit the website to activate the script
to open up SSH access to the IP I am using at the moment and then SSH in.

But of course, easier said than done since I barely know shell scripting and
allowing exec in PHP had always been met with a big frown personally. :D
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20080811/8c1439b0/attachment-0004.html>