[CentOS] server is always getting hacked

Mon Jun 29 14:39:27 UTC 2009
Rob Townley <rob.townley at gmail.com>

On Mon, Jun 29, 2009 at 9:00 AM, Sander Snel<zander.snel at gmail.com> wrote:
> On 06/27/2009 09:21 PM, Mag Gam wrote:
>
> sane and simple security management for linux systems:
> 1. only open ports in iptables which are being used, if possible with
> source address or source network.
> 2. use hosts.allow/deny rules for services if applicable, this adds
> another layer of security.
> 3. check logs often, use a central loghost
> 4. SSH: no root login, only dedicated users, only dedicated source
> addresses, only key based access or kerberized access, no standard port

PortKnocking so the open port changes continuously.

and / or

tinc-vpn / hamachi so the port is only open to another member of your
tinc network.  Since there are hundreds of thousands or millions of
infected web servers out there serving up malicious drive-by
javascript, use noscript on any machine connected to a server.

Reemphasize watching cms (joomla and the like) plugins.



> 5. enable SELinux
> 6. use some kind of intrusion detection, like aide (standard in centos)
> or snort
> 8. use fail2ban to deny ipaddresses with several failed login attempts
> within a short period of time
> 9. clear your shell's history on logout
> 10. use sudo instead of su -
> 11. check bastille.org for hardening
> 12. check center for internet security for benchmarks, they provide very
> detailed information for hardening servers ( csisecurity.org )
> 13. use chattr -i for several key configuration files, so they cannot be
> changed or deleted
>
> this should get you started, good luck
>
> Sander
>
>> We have a centos 5.3 install, and our server keeps getting hacked.
>> We see load averages of 500+ and see people from all over the world
>> logging into our server (used last).
>>
>> Is there a good place to start to avoid these kinds of things?
>>
>> For example, here is what I already did.
>>
>> Open up sshd port only
>> setup iptables to only accept port 80 and 22
>> No FTP
>> No other ports are allowed according to IP Tables.
>>
>>
>> I am not sure what other measures I can take. Can someone please assist?
>>
>> TIA
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
>
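Added example (not code from the thread or from any of the posters): items 3, 4 and 8 of Sander's list, "check logs often", "only dedicated source addresses, only key based access" and "use fail2ban", can be checked offline against a copy of /var/log/secure. The script below parses CentOS 5 style sshd lines, applies the same sliding-window rule fail2ban's sshd jail uses (maxretry failures within findtime seconds from one source), and flags accepted logins that came from outside the dedicated source networks or by password rather than public key. The log lines, the year 2009 (syslog lines carry no year), the network 198.51.100.0/24 and the thresholds are constructed assumptions.

```python
import re
import ipaddress
from datetime import datetime
from collections import defaultdict, deque

# Constructed sample lines in CentOS 5 /var/log/secure format (not from the thread).
SAMPLE_LOG = """\
Jun 29 14:39:27 web1 sshd[2301]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun 29 14:39:30 web1 sshd[2302]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jun 29 14:39:33 web1 sshd[2303]: Failed password for invalid user oracle from 203.0.113.7 port 51241 ssh2
Jun 29 14:40:01 web1 sshd[2310]: Accepted password for www from 203.0.113.7 port 51250 ssh2
Jun 29 14:41:00 web1 sshd[2320]: Accepted publickey for deploy from 198.51.100.10 port 40000 ssh2
Jun 29 15:30:00 web1 sshd[2400]: Failed password for root from 192.0.2.9 port 1000 ssh2
Jun 29 16:30:00 web1 sshd[2401]: Failed password for root from 192.0.2.9 port 1001 ssh2
Jun 29 17:30:00 web1 sshd[2402]: Failed password for root from 192.0.2.9 port 1002 ssh2
"""

# One sshd authentication line: timestamp, host, pid, result, method, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_secure(text, year=2009):
    """Return (timestamp, result, method, user, ip) tuples for each sshd auth line.
    syslog timestamps have no year, so the caller supplies one (assumed 2009 here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd authentication line; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def find_bruteforcers(events, maxretry=3, findtime=600):
    """Sliding-window failure count per source IP: the rule fail2ban's sshd jail
    applies (maxretry failures within findtime seconds -> ban). Returns {ip: ban time}."""
    window = defaultdict(deque)
    banned = {}
    for ts, result, _method, _user, ip in events:
        if result != "Failed" or ip in banned:
            continue
        q = window[ip]
        q.append(ts)
        # Drop failures older than the window before counting.
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


def unexpected_logins(events, allowed_nets, require_key=True):
    """Accepted logins from outside the dedicated source networks, or by password
    when only key-based access should exist. Returns (time, user, ip, method) tuples."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    flagged = []
    for ts, result, method, user, ip in events:
        if result != "Accepted":
            continue
        addr = ipaddress.ip_address(ip)
        off_net = not any(addr in n for n in nets)
        bad_method = require_key and method != "publickey"
        if off_net or bad_method:
            flagged.append((ts, user, ip, method))
    return flagged


if __name__ == "__main__":
    ev = parse_secure(SAMPLE_LOG)
    for ip, when in find_bruteforcers(ev).items():
        print(f"would ban {ip} at {when}")
    for ts, user, ip, method in unexpected_logins(ev, ["198.51.100.0/24"]):
        print(f"review login: {ts} {user} from {ip} via {method}")
```

On the sample, 203.0.113.7 trips the ban after its third failure in six seconds and its later password login as "www" is flagged as both off-network and password-based; 192.0.2.9 spreads its failures an hour apart and never reaches the threshold, which is exactly the slow-scan case a log review has to catch by eye (or with a longer findtime) rather than rely on fail2ban for.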