Mag Gam wrote:
> We have a CentOS 5.3 install, and our server keeps getting hacked.
> We see load averages of 500+ and see people from all over the world
> logging into our server (used last).
>

What protocols are they logging on via? What accounts? Have you changed all the passwords and so forth, run a rootkit hunter like rkhunter to check for common rootkits and other incursions, and so forth?

> Is there a good place to start to avoid these kinds of things?
>
> For example, here is what I already did.
>
> Open up sshd port only
> setup iptables to only accept port 80 and 22
> No FTP
> No other ports are allowed according to iptables.
>

What sort of website is running on port 80? If it's hosting any common PHP or other applications, check for known exploits in those... almost every major and minor PHP package, common Perl CGI, etc., has had exploits... things like phpBB get new exploits every week and need frequent updating.

At this point, if your system has been hacked this badly, I would take it offline, clean install it with the minimum packages to support your applications, fully patch it, this time making sure you leave SELinux fully enabled, and then reconfigure and redeploy your web applications.
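A defender-side check in the spirit of the responder's first questions (which accounts, from which hosts), added here as an example and not part of the original thread: a POSIX shell function that summarises `last`-style records by account and source host. The login records below are constructed sample data in the usual `last` layout, not logs from the original poster's machine.

```shell
#!/bin/sh
# Constructed sample of `last` output (not real data). Remote logins carry
# the source host in the third column; console/reboot records do not.
SAMPLE_LAST='root     pts/0        198.51.100.23    Sat Jun  6 03:12   still logged in
www      pts/1        203.0.113.9      Sat Jun  6 02:58 - 03:01  (00:03)
root     pts/2        203.0.113.9      Sat Jun  6 02:40 - 02:44  (00:04)
admin    pts/0        192.0.2.77       Fri Jun  5 23:10 - 23:15  (00:05)
root     pts/3        198.51.100.23    Fri Jun  5 22:01 - 22:09  (00:08)
reboot   system boot  2.6.18-128.el5   Fri Jun  5 20:00          (07:12)

wtmp begins Fri Jun  5 20:00:00 2009'

# summarize_logins: read `last` output on stdin and print one line per
# (account, source host) pair as "count user host", most frequent first.
# Skips the reboot pseudo-user, blank lines and the "wtmp begins" footer,
# and treats a record as remote only when the third field looks like a
# host (contains a dot), so local console logins are not counted.
summarize_logins() {
    awk '
        NF < 3 || $1 == "reboot" || $1 == "wtmp" { next }
        $3 ~ /\./ { count[$1 " " $3]++ }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# distinct_hosts: number of distinct remote source hosts in the input.
distinct_hosts() {
    summarize_logins | awk '{ print $3 }' | sort -u | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample. On a live box this would be
# `last | summarize_logins` (hypothetical usage, run with care on a host
# whose wtmp may already have been tampered with).
printf '%s\n' "$SAMPLE_LAST" | summarize_logins
printf 'distinct source hosts: %s\n' "$(printf '%s\n' "$SAMPLE_LAST" | distinct_hosts)"
```

On a compromised host, wtmp itself may have been edited, so the summary is a starting point for the questions above, not proof of what happened.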