[CentOS] server is always getting hacked

Sun Jun 28 19:10:37 UTC 2009
Justin Bull <justin.bull at sohipitmhz.com>

On Sat, Jun 27, 2009 at 12:21 PM, Mag Gam <magawake at gmail.com> wrote:
> I am not sure what else measures I can take. Can someone please assist?

You should install an Intrusion Detection System (IDS) as they are
great tools to assist you in how the crackers are gaining access into
your system.

> We see load averages of 500+ and see people from all over the world
> logging into our server (used last).

If I understood you correctly, you're saying that running the "last"
command shows logins worldwide that are not yours? Immediately suspend
/ disable / lockdown the accounts they're logging into if they're not
important (say a user that's only used for a daemon).

If I were you I would immediately set up keys for your ssh, disabling
root ssh login (you can gain root via "su -" or "sudo" once you
login), and only enable protocol 2 for ssh.

Install an iptables frontend like APF to help you ban malicious IP addresses.

Are you running the latest version of CentOS? Make sure they don't
have a critical exploit like a kernel privilege escalation exploit.


-- 
Best Regards,

Justin Bull
http://www.sohipitmhz.com/pubkey.txt (PGP Public Key)
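The three sshd changes recommended above (no root login, key-only authentication, protocol 2 only) can be checked against an sshd_config before restarting the daemon. The script below is an added example, not code from this thread or from the CentOS project; the temporary file paths and the two sample configurations it writes are constructed for the demonstration. It mirrors one sshd rule that is easy to trip over: the first occurrence of a directive wins and commented-out lines are ignored.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an sshd_config for the
# three settings recommended in the reply above. Sample configs are constructed.

# sshd_value FILE DIRECTIVE
# Print the effective value of DIRECTIVE. sshd honours the first occurrence
# of a directive (case-insensitive name) and ignores commented-out lines.
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE
# Prints one line per setting and returns 0 only when all three are hardened.
# A missing directive counts as a failure: the built-in default depends on the
# OpenSSH version, so require each value to be set explicitly.
check_sshd_config() {
    cfg="$1"
    bad=0

    root=$(sshd_value "$cfg" PermitRootLogin)
    if [ "$root" = "no" ]; then
        echo "OK   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is '${root:-unset}' (want no; use su - or sudo after login)"
        bad=1
    fi

    pass=$(sshd_value "$cfg" PasswordAuthentication)
    if [ "$pass" = "no" ]; then
        echo "OK   PasswordAuthentication no (key-based logins only)"
    else
        echo "FAIL PasswordAuthentication is '${pass:-unset}' (want no once keys are deployed)"
        bad=1
    fi

    proto=$(sshd_value "$cfg" Protocol)
    if [ "$proto" = "2" ]; then
        echo "OK   Protocol 2"
    else
        echo "FAIL Protocol is '${proto:-unset}' (want 2; protocol 1 must not be offered)"
        bad=1
    fi

    return "$bad"
}

# Two constructed sample configs: one weak, one hardened.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# Protocol 2
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat >"$HARD_CFG" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin yes
EOF

echo "== weak config =="
check_sshd_config "$WEAK_CFG" || echo "=> needs hardening"
echo "== hardened config =="
check_sshd_config "$HARD_CFG" && echo "=> all three settings in place"
```

Point the function at the real file (`check_sshd_config /etc/ssh/sshd_config`) to audit a live box; the commented `# Protocol 2` line in the weak sample is deliberately ignored, and the duplicate `PermitRootLogin yes` at the end of the hardened sample does not override the earlier `no`, which is exactly how sshd reads the file.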