Need security advice (server hacked)

Support for security such as Firewalls and securing linux
Post Reply
justin_8
Posts: 2
Joined: 2007/09/15 17:06:26

Need security advice (server hacked)

Post by justin_8 » 2007/09/15 17:43:45

Our server was hacked. I know some programming but dont know much about Linux and am not the admin. Our server has a number of softwares and packages running on different virtual domains and we try to keep them updated. Our admin is great and has always taken a lot of steps to secure the system but somehow an attacker managed to get in. Here's what the admin said happened:
- hacker logged in as root a number of times
- deleted keystroke log
- erased all tracks so we dont know how he came in.
The admin made a program to email himself of any root login attemps, thats how he got to know the intrusion had occured and he shut down the server. We also dont know how the hacker got the root password because it was very secure (the usual secure 12/16 random character password).

1) The biggest question is: is there any way we can preserve the tracks of the hacker, so we can always know how he came in so we can plug up the holes?
2) Also, which is the best intrusion detection system (IDS)? The admin is aware of Tripwire and Snort among others but he's looking for an IDS that detects attacks before they happen. He has one protection which detects failed logins from the same IP and firewalls them based on the number of attempts and logins.

Any advice would be appreciated. If you have any useful URL's or commercial/free softwares for us look at, I would be grateful for that as well.

foxb
Posts: 1924
Joined: 2006/04/20 19:03:33
Location: Montreal/QC

Need security advice (server hacked)

Post by foxb » 2007/09/17 19:38:35

You should disable root login via ssh....

As for IDS snort is good one...

yyagol
Posts: 1015
Joined: 2006/06/10 18:27:44
Location: 32 4′N 34 47′E
Contact:

Re: Need security advice (server hacked)

Post by yyagol » 2007/09/29 10:25:03

1. thing you do is change the port sshd is listening
2. i use i nice module with iptables that block IPs for some time (10 min) if they try to connect
too many time with no luck ( state NEW ). this is good for blocking an atack trying
to connect and guess you're password. (port 55660 is ssh listening)

[code]-A INPUT -p tcp -m tcp --dport 55660 -m state --state NEW -m recent --update --seconds 600 --hitcount 3 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 55660 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -p tcp -m tcp --dport 55660 -j ACCEPT[/code]
3. sshd is a highly secure program and can block ip also , edit sshd_config and enable the security

[code]
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3[/code]
4. use a firewall between you're server and the world , and make ssh enable only when vpn was established
let the firewall handle all this work.
5. config syslog to send all its log to a log server ( could be any server on or outside you're LAN )
hackers are good with deleting all traces . the syslog sends the log as it comes from the kernel
any entry to the system is logd.

justin_8
Posts: 2
Joined: 2007/09/15 17:06:26

Re: Need security advice (server hacked)

Post by justin_8 » 2007/10/04 07:34:05

Thanks a lot, I'll pass all this on to the system admin. I also learnt today about chrooting processes to isolate domains from each other and keep the damage confined.

hi_vkkadam
Posts: 74
Joined: 2007/11/05 16:08:34
Location: Pune

Re: Need security advice (server hacked)

Post by hi_vkkadam » 2007/11/23 19:02:13

you can also make use of tcp_wrappers hosts.allow and hosts.deny file, for your sshd services

Post Reply

Return to “CentOS 4 - Security Support”