On Sat, Jun 27, 2009 at 12:21 PM, Mag Gam <magawake at gmail.com> wrote:
> We have a CentOS 5.3 install, and our server keeps getting hacked.
> We see load averages of 500+ and see people from all over the world
> logging into our server (used last).
>
> Is there a good place to start to avoid these kinds of things?
>
> For example, here is what I already did.
>
> Open up sshd port only
> setup iptables to only accept port 80 and 22
> No FTP
> No other ports are allowed according to iptables.
>
>
> I am not sure what other measures I can take. Can someone please assist?
>

It doesn't matter what you do to harden after you have already been owned. It has been said here but I'll say it again - reinstall. Start fresh, then harden, then put back on net.

You don't give much info on what this server does, but as long as you change all passwds and assure they are strong, then the only other point of entry would be an insecure web app. I would run an http firewall, i.e. modsecurity. http://www.modsecurity.org/

I was getting hacked because of users' apps until I installed modsecurity. I also limit ssh to only users that need it. I also run rkhunter every 30 min in silent mode.

Sounds extreme, but minimizing the damage a hacker can do means the difference between scheduled down time vs unscheduled.

--bazooka
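The original poster spotted the compromise by eyeballing `last` output. As an added example (not from either poster), the shell function below does that triage mechanically: it reads `last -i` style records and flags any account that has logged in from more than a given number of distinct source hosts. The login records are constructed for the example; on a real host you would pipe `last -i` into the function instead.

```shell
#!/bin/sh
# Flag accounts seen logging in from many distinct source hosts.
# Added example; assumes the column layout of `last -i`
# (user, tty, source IP, date ...). Not part of the original thread.

# Constructed sample records in `last -i` layout (not real logins).
SAMPLE_LAST='alice    pts/0    10.0.0.5        Sat Jun 27 09:12   still logged in
alice    pts/1    10.0.0.5        Fri Jun 26 18:02 - 18:40  (00:38)
bob      pts/0    10.0.0.9        Fri Jun 26 11:30 - 12:01  (00:31)
www      pts/2    203.0.113.7     Fri Jun 26 03:14 - 03:15  (00:01)
www      pts/3    198.51.100.23   Fri Jun 26 03:20 - 03:21  (00:01)
www      pts/4    192.0.2.44      Fri Jun 26 04:02 - 04:05  (00:03)
root     pts/5    198.51.100.77   Thu Jun 25 23:58 - 00:10  (00:12)
reboot   system boot  2.6.18-sample    Mon Jun 22 08:00

wtmp begins Mon Jun 22 07:59:01 2009'

# flag_multi_source THRESHOLD
# Reads `last -i` records on stdin and prints "user count" for every
# user with logins from more than THRESHOLD distinct source hosts.
# The pseudo-entries `last` emits (reboot/shutdown) and the trailing
# "wtmp begins" footer are skipped.
flag_multi_source() {
    threshold="$1"
    awk -v max="$threshold" '
        $1 == "reboot" || $1 == "shutdown" || $1 == "wtmp" { next }
        NF >= 3 { seen[$1 SUBSEP $3] = 1 }   # one entry per (user, host)
        END {
            for (k in seen) { split(k, p, SUBSEP); n[p[1]]++ }
            for (u in n) if (n[u] > max) print u, n[u]
        }' | sort
}

# Convenience wrapper so the constructed sample can be checked offline.
flag_sample() {
    printf '%s\n' "$SAMPLE_LAST" | flag_multi_source "$1"
}

# Live usage:  last -i | flag_multi_source 1
```

With the sample above and a threshold of 1, only the `www` account is reported, which is the kind of account a compromised web app tends to hand out shells under.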