[CentOS] server is always getting hacked

Mon Jun 29 18:58:00 UTC 2009
Bazooka Joe <fastfish at gmail.com>

On Sat, Jun 27, 2009 at 12:21 PM, Mag Gam<magawake at gmail.com> wrote:
> We have a CentOS 5.3 install, and our server keeps getting hacked.
> We see load averages of 500+ and see people from all over the world
> logging into our server (used last).
>
> Is there a good place to start to avoid these kinds of things?
>
> For example, here is what I already did.
>
> Open up sshd port only
> setup iptables to only accept port 80 and 22
> No FTP
> No other ports are allowed according to IP Tables.
>
>
> I am not sure what other measures I can take. Can someone please assist?
>


It doesn't matter what you do to harden after you have already been owned.

It has been said here but I'll say it again: reinstall. Start fresh,
then harden, then put it back on the net.

You don't give much info on what this server does, but as long as you
change all passwds and ensure they are strong, then the only other
point of entry would be an insecure web app.  I would run an HTTP
firewall, i.e. modsecurity. http://www.modsecurity.org/

I was getting hacked because of users' apps until I installed
modsecurity. I also limit ssh to only the users that need it.

I also run rkhunter every 30 min in silent mode.  Sounds extreme, but
minimizing the damage a hacker can do means the difference between
scheduled downtime and unscheduled.

--bazooka
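As an added example (not code from the thread or from either poster), a small shell check of two of the measures Bazooka Joe mentions: sshd limited to named users and a half-hourly quiet rkhunter run. The sshd_config files, the user names alice/bob and the /usr/bin/rkhunter path are constructed or assumed.

```shell
#!/bin/sh
# Added example, not from the thread. The sshd_config files below are
# constructed sample input; "alice" and "bob" are placeholder user names and
# /usr/bin/rkhunter is an assumed install path (EPEL package location).

# Effective value of one sshd_config keyword: sshd uses the FIRST
# occurrence of a keyword, keywords are case-insensitive, '#' lines are
# comments. Match blocks are not handled. Usage: sshd_value FILE Keyword
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        !found && tolower($1) == key {
            $1 = ""; sub(/^[ \t]+/, ""); val = $0; found = 1
        }
        END { print val }' "$1"
}

# 0 when logins are restricted to an explicit AllowUsers list and direct
# root login is refused, 1 otherwise. An absent PermitRootLogin means the
# OpenSSH default (yes on old releases), so it has to be set explicitly.
ssh_is_restricted() {
    users=$(sshd_value "$1" AllowUsers)
    root=$(sshd_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    [ -n "$users" ] && [ "$root" = "no" ]
}

# /etc/cron.d line for the half-hourly rkhunter check from the thread.
# --cronjob runs non-interactively; --report-warnings-only suppresses
# everything but warnings, so cron mails root only when something is found.
rkhunter_cron_line() {
    printf '%s\n' '*/30 * * * * root /usr/bin/rkhunter --cronjob --report-warnings-only'
}

# Constructed sample configs: one left at permissive defaults, one hardened.
WORK=$(mktemp -d)
cat > "$WORK/weak.conf" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$WORK/hard.conf" <<'EOF'
PermitRootLogin no
AllowUsers alice bob
# AllowUsers root          <- commented out, must be ignored
EOF

ssh_is_restricted "$WORK/weak.conf" && echo "weak.conf: restricted" || echo "weak.conf: open to any account"
ssh_is_restricted "$WORK/hard.conf" && echo "hard.conf: restricted" || echo "hard.conf: open to any account"
```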