
This is a discussion on Security - Server in the General Hosting and Network Support forum

  1. #1
    Voluntarily Retired gohighvoltage's Avatar
    Join Date
    Jan 2011
    Posts
    641

    Security - Server

    Recently, while keeping an eye on my server error log, I have been getting multiple attacks from China IPs trying to hack into my server.

    This one in particular:
    58.218.199.147

    It is scanning for vulnerabilities on the root server.


    I also saw an advisory today that the US government is issuing warnings about CHINA hacking into US servers, causing malicious damage, stealing information, etc.

    I know a good amount of security, but I figured I would ask for others' expertise and opinions, for my own knowledge and for others that are reading.

    Are there any settings I should double check? I have all the latest scripts for my software.

    I did notice cPHulk Brute Force Protection is not enabled. Should I enable it?

    Are there any other settings I should check / enable, to have the best security on my VPS?


    I suggest everyone take a look at their scripts, like VBulletin, etc., and make sure all is up to date.

    Thanks!

  2. #2
    JPC CSR
    Join Date
    Aug 2011
    Posts
    93
    Great advice here, keep all software and scripts up-to-date. One of the primary reasons companies update is not just to add new features, but to combat hackers and fix backdoors, etc. It's very important.

    You should install CSF+LFD if you have not already, it's free and is a brilliant tool for securing your server. It's basically a firewall with advanced features and if you're running WHM, plugs right in there under plugins.

    You can also blacklist any IP addresses you notice to be doing anything like this.

    Another good technique for securing your server is to change your SSH port from 22 to something a little less obvious.

    Block unused ports and just generally monitor what's going on.

    We can assist you in securing and hardening your VPS if you like, just open a ticket and we'll do what we can.
    James G
    Customer Service Representative
    Follow Me On Twitter - http://twitter.com/JPCJamesG

    JaguarPC - http://www.jaguarpc.com
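Added example (not part of any post in this thread): a Python check for the "block unused ports" advice above, comparing the ports opened in csf.conf's `TCP_IN` with what is actually listening. The csf.conf line, the `ss -ltn` output and port 2222 as the moved SSH port are constructed sample values.

```python
import re

# Constructed sample inputs (not from the thread): a csf.conf line and `ss -ltn` output.
CSF_CONF = 'TCP_IN = "20,21,25,53,80,443,2222,30000:30002"\n'
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:3306       0.0.0.0:*
LISTEN 0      128    127.0.0.1:783      0.0.0.0:*
LISTEN 0      128    [::]:443           [::]:*
"""

def allowed_ports(conf_text, key="TCP_IN"):
    """Expand a csf.conf port list ("22,80,30000:30002") into a set of ints."""
    m = re.search(rf'^{key}\s*=\s*"([^"]*)"', conf_text, re.M)
    ports = set()
    for item in filter(None, (m.group(1) if m else "").split(",")):
        lo, _, hi = item.strip().partition(":")   # "lo:hi" is a port range
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def listening(ss_text):
    """Return {port: True if bound to loopback only} for every LISTEN socket."""
    result = {}
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        loop = addr.strip("[]") in ("127.0.0.1", "::1")
        result[int(port)] = result.get(int(port), True) and loop
    return result

def audit(conf_text, ss_text):
    """Compare what the firewall admits with what the host actually serves."""
    allowed, socks = allowed_ports(conf_text), listening(ss_text)
    exposed = {p for p, loop in socks.items() if not loop}
    return {
        "open_but_unused": sorted(allowed - set(socks)),      # review for removal from TCP_IN
        "listening_but_filtered": sorted(exposed - allowed),  # service up, firewall blocks it
        "loopback_only": sorted(p for p, loop in socks.items() if loop),
    }

if __name__ == "__main__":
    for name, ports in audit(CSF_CONF, SS_OUTPUT).items():
        print(f"{name}: {ports}")
```

Ports reported as open but unused are only candidates for review: services such as passive FTP listen on demand and will not appear in a single snapshot.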

  3. #3
    Voluntarily Retired gohighvoltage's Avatar
    Join Date
    Jan 2011
    Posts
    641
    Awesome James! Thanks for the information. I hope others can add or ask questions here. Better safe than sorry!

  4. #4
    Voluntarily Retired gohighvoltage's Avatar
    Join Date
    Jan 2011
    Posts
    641
    I just installed CSF+LFD, configured, found lots of warnings, fixed most.

    I uninstalled FrontPage, as I don't use it, and there are potential security risks.

    I installed Suhosin, and so far no issues with my directory scripts and vbulletin.

    Enabled cphulk brute force protection.

    Still checking if there is anything else.

  5. #5
    Voluntarily Retired gohighvoltage's Avatar
    Join Date
    Jan 2011
    Posts
    641
    Anyone have Extensive Experience with CSF+LFD?

    Trying to see what settings are best.

    Suhosin = Good idea? I installed it, and so far I don't seem to have any issues.


    CSF+LFD troubles:

    When I ran test iptables, it came back with this:
    Testing iptables...

    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...FAILED [Error: iptables: Unknown error 4294967295] - Required for PORTFLOOD and PORTKNOCKING features
    Testing xt_connlimit...FAILED [Error: iptables: Unknown error 4294967295] - Required for CONNLIMIT feature
    Testing ipt_owner/xt_owner...FAILED [Error: iptables: Unknown error 4294967295] - Required for SMTP_BLOCK and UID/GID blocking features
    Testing iptable_nat/ipt_REDIRECT...FAILED [Error: iptables: Unknown error 4294967295] - Required for MESSENGER feature
    Testing iptable_nat/ipt_DNAT...OK

    RESULT: csf will function on this server but some features will not work due to some missing iptables modules [4]

    -----------------

    Do any of the failed modules need to be fixed?

    I am also getting this warning emailed from root. Any ideas?


    lfd on vps.xxxxxx.com: Excessive resource usage: cpanel (13756)
    Time: Fri Nov 4 06:15:31 2011 -0500
    Account: cpanel
    Resource: Process Time
    Exceeded: 25286 > 1800 (seconds)
    Executable: /usr/bin/perl
    Command Line: spamd child
    PID: 13756
    Killed: No


    and

    Suspicious process running under user cpanel
    Time: Fri Nov 4 06:15:31 2011 -0500
    PID: 13756
    Account: cpanel
    Uptime: 25286 seconds


    Executable:

    /usr/bin/perl


    Command Line (often faked in exploits):

    spamd child


    Network connections by the process (if any):

    tcp: 127.0.0.1:783 -> 0.0.0.0:0
    tcp: 127.0.0.1:783 -> 127.0.0.1:34868


    Files open by the process (if any):

    /dev/null
    /dev/null
    /dev/null
    /usr/bin/spamd
    Thanks!!
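Added example (not part of the post above): a Python triage helper for the lfd "Suspicious process" alert quoted in that post. Because the alert itself notes that the command line is often faked, it cross-checks the claimed name against the executable, open files and sockets in the same alert. The `INTERPRETERS` set and the function names are assumptions made for this example.

```python
import ipaddress
import os
import re

# lfd alert abridged from the post above (header fields and repeated /dev/null dropped).
ALERT = """\
Suspicious process running under user cpanel
PID: 13756
Executable:
/usr/bin/perl
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:34868
Files open by the process (if any):
/dev/null
/usr/bin/spamd
"""

SECTIONS = {"Executable": "exe", "Command Line": "cmd",
            "Network connections": "conns", "Files open": "files"}
INTERPRETERS = {"perl", "python", "php", "sh", "bash"}  # assumption: adjust per host

def parse_alert(text):
    """Group the lines that follow each section header of an lfd process alert."""
    data, current = {v: [] for v in SECTIONS.values()}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        header = next((k for k in SECTIONS if line.startswith(k) and line.endswith(":")), None)
        if header:
            current = SECTIONS[header]
        elif current:
            data[current].append(line)
    return data

def triage(text):
    """Cross-check the self-reported command line against the alert's other fields."""
    d = parse_alert(text)
    exe = os.path.basename(d["exe"][0]) if d["exe"] else ""
    claimed = d["cmd"][0].split()[0] if d["cmd"] else ""
    peers = [re.search(r"-> (\S+):(\d+)$", c) for c in d["conns"]]
    external = [m.group(1) for m in peers if m and m.group(2) != "0"  # port 0 = listener
                and not ipaddress.ip_address(m.group(1)).is_loopback]
    return {
        "interpreter": exe in INTERPRETERS,  # a script host: the name alone proves little
        "cmdline_matches_open_file": claimed in {os.path.basename(f) for f in d["files"]},
        "external_peers": external,
    }

print(triage(ALERT))
```

A consistent result corroborates the claimed name but is not proof on its own; confirm that the PID belongs to the running spamd service before adding an ignore rule.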

  6. #6
    Voluntarily Retired gohighvoltage's Avatar
    Join Date
    Jan 2011
    Posts
    641
    I am really impressed with the CSF+LFD. Should be standard on every server. Very easy to install. Just need to learn a bit more about it and know the settings.

  7. #7
    all about nothing! Frank Broughton's Avatar
    Join Date
    Jan 2006
    Posts
    2,158
    Originally posted by gohighvoltage:
    I am really impressed with the CSF+LFD. Should be standard on every server. Very easy to install. Just need to learn a bit more about it and know the settings.
    I agree, I have used it for years, great tool.

  8. #8
    JPC Dream Team JPC-Sabrina's Avatar
    Join Date
    Aug 2011
    Posts
    336
    Security attacks on bulletin boards and blogs seem to be becoming a more popular venue for attacks. Frequently check for updates. Weekly maintenance may save you from an attack. And, of course, the stronger, more aggressive methods of protection suggested by gohighvoltage and James will keep you protected at deeper levels.
    JPC-Sabrina / Public Relations
    sabrina@jaguarpc.com


  9. #9
    Voluntarily Retired gohighvoltage's Avatar
    Join Date
    Jan 2011
    Posts
    641
    Originally posted by Frank Broughton:
    I agree, I have used it for years, great tool.
    Hi Frank!! You're not kiddin', bud. This tool is great! I wish I knew about it a long time ago! Many thanks to Jag's James for advising me about it.

  10. #10
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,304
    You might want to look at most posts by "thisisit" and certainly at the posts in his signature

    Example
    JagMonitor - Monitoring script for WHM
    Good luck

  11. #11
    Voluntarily Retired gohighvoltage's Avatar
    Join Date
    Jan 2011
    Posts
    641
    THANKS SO MUCH RON!!! This is awesome information. I am checking all of them out!

  12. #12
    Voluntarily Retired gohighvoltage's Avatar
    Join Date
    Jan 2011
    Posts
    641
    Question: "thisisit" has BFD rules for Jag servers.

    Should I need this, since I have CSF installed and running?

  13. #13
    JPC Dream Team JPC-Sabrina's Avatar
    Join Date
    Aug 2011
    Posts
    336
    It is nice to have a veteran poster who can direct forum members to another peer who has great links in his signature. Thanks once again for pointing out quality information.
    JPC-Sabrina / Public Relations
    sabrina@jaguarpc.com


  14. #14
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,304
    Good luck

  15. #15
    Voluntarily Retired gohighvoltage's Avatar
    Join Date
    Jan 2011
    Posts
    641
    This CSF has already automatically caught and blocked 15 port scanners and brute force attacks. It blocks the IPs permanently. Awesome. Most of the hackers were from China and India!
