[CentOS] server is always getting hacked

Ryan Pugatch rpug at tripadvisor.com
Mon Jun 29 14:52:29 UTC 2009


Rob Townley wrote:
> On Mon, Jun 29, 2009 at 9:00 AM, Sander Snel<zander.snel at gmail.com> wrote:
>> On 06/27/2009 09:21 PM, Mag Gam wrote:
>>
>> sane and simple security management for linux systems:
>> 1. only open ports in iptables which are being used, if possible with
>> source address or source network.
>> 2. use hosts.allow/deny rules for services if applicable, this adds
>> another layer of security.
>> 3. check logs often, use a central loghost
>> 4. SSH: no root login, only dedicated users, only dedicated source
>> addresses, only key based access or kerberized access, no standard port
> 
> PortKnocking so the open port changes continuously.
> 
> and / or
> 
> tinc-vpn / hamachi so the port is only open to another member of your
> tinc network.  Since there are hundreds of thousands or
> millions of infected web servers out there serving up malicious
> drive-by javascript, use noscript on any machine connected to a
> server.
> 
> Reemphasize watching cms (joomla and the like) plugins.
> 
> 
> 
>> 5. enable SELinux
>> 6. use some kind of intrusion detection, like aide (standard in centos)
>> or snort
>> 8. use fail2ban to deny ipaddresses with several failed login attempts
>> within a short period of time
>> 9. clear your shell's history on logout
>> 10. use sudo instead of su -
>> 11. check bastille.org for hardening
>> 12. check center for internet security for benchmarks, they provide very
>> detailed information for hardening servers ( csisecurity.org )
>> 13. use chattr -i for several key configuration files, so they cannot be
>> changed or deleted
>>
>> this should get you started, good luck
>>
>> Sander
>>
>>> We have a CentOS 5.3 install, and our server keeps getting hacked.
>>> We see load averages of 500+ and see people from all over the world
>>> logging into our server (used last).
>>>
>>> Is there a good place to start to avoid these kinds of things?
>>>
>>> For example, here is what I already did.
>>>
>>> Open up sshd port only
>>> setup iptables to only accept port 80 and 22
>>> No FTP
>>> No other ports are allowed according to IP Tables.
>>>
>>>
>>> I am not sure what other measures I can take. Can someone please assist?
>>>
>>> TIA




Lots of good advice here, but if your machine has been exploited you 
should really back up your data and reload the machine.  Then carefully 
restore your data, checking to make sure any scripts you are restoring 
are secure.

-- 
Ryan Pugatch
Systems Administrator, TripAdvisor
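Item 4 of Sander's list (no root login, key-based access only, dedicated users and source addresses, non-standard port) is the one most directly aimed at the "people from all over the world logging in" symptom, and it is easy to verify before and after a rebuild. The following audit script is an added example written for this page; it is not code from the thread or from the CentOS project. It reads an `sshd_config`, reports each deviation from the list's recommendations, and is exercised on two constructed config files (no real hosts; the 192.0.2.x addresses are documentation ranges). The daemon defaults it assumes for unset keywords (PermitRootLogin yes, PasswordAuthentication yes, Port 22) are those of the OpenSSH shipped with CentOS 5; check `man sshd_config` on your own release.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit an sshd_config
# against list item 4. Runs offline on constructed sample files.

# Print the effective value of KEY in FILE. sshd honours the first
# occurrence of a keyword, so later duplicates are ignored here too.
# Comment lines are skipped because their first field starts with '#'.
sshd_config_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print one finding per line. An unset keyword is reported against the
# assumed daemon default (CentOS 5 era OpenSSH): PermitRootLogin yes,
# PasswordAuthentication yes, Port 22.
sshd_audit() {
    cfg=$1

    root=$(sshd_config_value "$cfg" PermitRootLogin)
    [ "$root" = no ] || \
        echo "PermitRootLogin is '${root:-yes (default)}', want no"

    pw=$(sshd_config_value "$cfg" PasswordAuthentication)
    [ "$pw" = no ] || \
        echo "PasswordAuthentication is '${pw:-yes (default)}', want no (keys only)"

    port=$(sshd_config_value "$cfg" Port)
    [ -n "$port" ] && [ "$port" != 22 ] || \
        echo "Port is '${port:-22 (default)}', list recommends a non-standard port"

    users=$(sshd_config_value "$cfg" AllowUsers)
    [ -n "$users" ] || \
        echo "AllowUsers not set; restrict to dedicated users (user@source limits the address too)"

    return 0
}

# Number of findings for FILE, printed on stdout (0 means fully compliant).
sshd_findings() {
    sshd_audit "$1" | awk 'END { print NR }'
}

# Constructed samples: "weak" resembles a stock install that only closed
# ports in iptables; "hardened" applies the list's recommendations.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config.weak" <<'EOF'
# Protocol 2
Port 22
PermitRootLogin yes
EOF
cat > "$demo_dir/sshd_config.hardened" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers deploy@192.0.2.10 deploy@192.0.2.11
EOF

for f in weak hardened; do
    echo "== $f: $(sshd_findings "$demo_dir/sshd_config.$f") finding(s)"
    sshd_audit "$demo_dir/sshd_config.$f"
done
rm -rf "$demo_dir"
```

Run it as `sh audit.sh` to see the two sample reports, or call `sshd_audit /etc/ssh/sshd_config` on a real system. Because the script only parses the file, it says nothing about whether the running daemon has been restarted with that file or whether the binary itself is trustworthy, which is why Ryan's advice to reload a compromised machine still stands: an audit of a config on a rooted host can be lied to by the host.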


