[CentOS] server is always getting hacked

Mon Jun 29 14:00:01 UTC 2009
Sander Snel <zander.snel at gmail.com>

On 06/27/2009 09:21 PM, Mag Gam wrote:

sane and simple security management for linux systems:
1. only open ports in iptables which are being used, if possible with 
source address or source network.
2. use hosts.allow/deny rules for services if applicable, this adds 
another layer of security.
3. check logs often, use a central loghost
4. SSH: no root login, only dedicated users, only dedicated source 
addresses, only key based access or kerberized access, no standard port
5. enable SELinux
6. use some kind of intrusion detection, like aide (standard in centos) 
or snort
8. use fail2ban to deny IP addresses with several failed login attempts 
within a short period of time
9. clear your shell's history on logout
10. use sudo instead of su -
11. check bastille.org for hardening
12. check center for internet security for benchmarks, they provide very 
detailed information for hardening servers ( csisecurity.org )
13. use chattr -i for several key configuration files, so they cannot be 
changed or deleted

this should get you started, good luck

Sander

> We have a centos 5.3 install, and our server keeps getting hacked.
> We see load averages of 500+ and see people from all over the world
> logging into our server (used last).
>
> Is there a good place to start to avoid these kinds of things?
>
> For example, here is what I already did.
>
> Open up sshd port only
> setup iptables to only accept port 80 and 22
> No FTP
> No other ports are allowed according to IP Tables.
>
>
> I am not sure what other measures I can take. Can someone please assist?
>
> TIA
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
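As an added example, not part of Sander's reply or the CentOS project, here is a small POSIX shell script that turns two of the items above into something checkable: it audits an sshd_config against item 4 (no root login, dedicated users only, key-based access, no standard port) and prints, without applying, a default-drop iptables ruleset for item 1 where each allowed port can be restricted to a source network. The sample configs are constructed inline; the fallback values for absent sshd keywords (PermitRootLogin yes, PasswordAuthentication yes, Port 22) are assumed to match the OpenSSH defaults of that era.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits sshd_config for the
# SSH recommendations and emits iptables rules restricted by source network.

# Effective value of an sshd_config keyword (first uncommented match,
# case-insensitive), or $3 when the keyword is absent. The defaults passed
# by callers are assumptions about OpenSSH's built-in defaults.
sshd_opt() {
    val=$(awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1")
    printf '%s\n' "${val:-$3}"
}

# Check one sshd_config; prints one line per finding and returns the count.
audit_sshd_config() {
    cfg=$1
    bad=0
    [ "$(sshd_opt "$cfg" PermitRootLogin yes)" = "no" ] \
        || { echo "FAIL: PermitRootLogin should be no"; bad=$((bad+1)); }
    [ "$(sshd_opt "$cfg" PasswordAuthentication yes)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication should be no (use keys)"; bad=$((bad+1)); }
    [ "$(sshd_opt "$cfg" Port 22)" != "22" ] \
        || { echo "WARN: sshd still listens on the standard port 22"; bad=$((bad+1)); }
    [ -n "$(sshd_opt "$cfg" AllowUsers '')" ] \
        || { echo "FAIL: no AllowUsers list (dedicated users only)"; bad=$((bad+1)); }
    return $bad
}

# Print (not apply) a default-drop INPUT chain. Each argument is "port" or
# "port/cidr"; the cidr form limits the rule to a source network (item 1).
# Review the output, then pipe it into sh on the host.
iptables_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for spec in "$@"; do
        port=${spec%%/*}
        src=${spec#*/}
        if [ "$src" = "$spec" ]; then
            echo "iptables -A INPUT -p tcp --dport $port -j ACCEPT"
        else
            echo "iptables -A INPUT -p tcp -s $src --dport $port -j ACCEPT"
        fi
    done
}

# Write a constructed sample config ("weak" or "hardened") to a temp file
# and print its path.
write_sample_config() {
    f=$(mktemp)
    if [ "$1" = hardened ]; then
        cat >"$f" <<'EOF'
# constructed hardened config
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers alice bob
EOF
    else
        cat >"$f" <<'EOF'
# constructed stock-like config: everything left at defaults
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
EOF
    fi
    printf '%s\n' "$f"
}

# Demo run against both constructed configs.
for kind in weak hardened; do
    cfg=$(write_sample_config "$kind")
    echo "== $kind sshd_config =="
    audit_sshd_config "$cfg" || echo "$? finding(s)"
    rm -f "$cfg"
done
echo "== iptables rules: ssh from 10.0.0.0/8 only, http from anywhere =="
iptables_rules 22/10.0.0.0/8 80
```

Run it as `sh audit.sh`; the iptables section prints rules rather than applying them so they can be reviewed first. The audit is deliberately simple (no `Match` block handling), so treat it as a quick check, not a replacement for reading the file.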