how do i stop all critical access to my server - what are critical components any one knows

ssomu007 · June 20, 2010, 9:18pm

My server was attacked by hackers and i am trying to secure it.

is there such thing that i can completely stop all traffic except web visitors / who want to place orders.
i know SFTP, SSH are critical components is there anything else hackers need to enter into my system

read below, i wish if there is such thing, i can safegaurd my servers

can you tll me what are the critical blocking rules i can setup
so that when ever i needed i will allow them manually,
can i do these on router, iptables

for example sFTP, SSH, directory permissions, root access, change configuration files or modify files on system directories, on public_html
also do not allow to modify any phy files and do not allow to create any new files
on database site.

If i decide i am not planning to make changes, not installing anything, do not want to use SFTP, SSH and onlything i want to allow is accessing my website for traffic
to place orders or browse products.

how to setup a rule like that and also if at all you want to install updates
allow specific ip address to access resources.

also what are the things hackers need to get access to to mess up the system?
i know SFTP, SSH, anything else ? and can we block

ronald · June 20, 2010, 9:44pm

they could get access through a domains script and place a file in the /tmp folder. this file may then contact the crackers server which may have some malicious script to attack your server.
this is a common way to get root access.
you need to make sure any script in the domains are updated.

did anyone actually get access to our server and do things?
servers get attacked all day long.

ssomu007 · June 20, 2010, 10:00pm

how do they get access to tmp folder?
can we setup rules to stop writing files to tmp folder if someone including sysasdmin
needs to do it then we have to manually turn on and turn off access

can we do this

My sites got attacked 3 times, i changed hosting companies, service providers but of no use.
everytime it is attacked i have to reinstall complete system.

Eric · June 21, 2010, 3:23am

is there such thing that i can completely stop all traffic except web visitors / who want to place orders.

Sorry, it’s never that simple

My advice is typically twofold –

Make sure all your distro’s updates have been applied
Make sure all web applications are at their latest revision

Something not being fully up to date is the most common cause of breakins.

There’s no easy fix to keeping bad guys out, it’s just a lot of grunt work keeping things up to date.

While it’s always a good idea to secure things like SSH/SFTP, old versions of apps are a more common problem… attackers can break into SSH/SFTP, but only after guessing a password. So using strong passwords will help with that.

-Eric

ronald · June 21, 2010, 7:37am

some more thoughts.
If you are the only user of the server, disable anything you dont need, like ftp.
Use ssh only. Create a user with sudo only and use that to maintain the system.
Use keys to access the server, not a password.
Make strong passwords with different characters, like: My#S7rongPa55Word=1337 for any app on your server.
Buy a certificate and use ssl for your sites if you didn’t already.

If you do have other users, run mod_fcgi, never mod_php
Disable functions in your php.ini, some examples for the paranoid:
exec, system, passthru, shell_exec, escapeshellarg, escapeshellcmd, proc_close, proc_open, ini_alter, dl, popen, popen, pcntl_exec, socket_accept, socket_bind, socket_clear_error, socket_close, socket_connect, socket_create_listen, socket_create_pair, socket_create, socket_get_option, socket_getpeername, socket_getsockname, socket_last_error, socket_listen, socket_read, socket_recv, socket_recvfrom, socket_select, socket_send, socket_sendto, socket_set_block, socket_set_nonblock, socket_set_option, socket_shutdown, socket_strerror, socket_write, stream_socket_client, stream_socket_server, pfsockopen, stream_set_timeout, disk_total_space, disk_free_space, chown, diskfreespace, getrusage, get_current_user, set_time_limit, getmyuid, getmypid, dl, leak, listen, chgrp, link, symlink, dlopen, proc_nice, proc_get_stats, proc_terminate, shell_exec, sh2_exec, posix_getpwuid, posix_getgrgid, posix_kill, ini_restore, mkfifo, dbmopen, dbase_open, filepro, filepro_rowcount, posix_mkfifo, putenv, geoip_open, sleep
set enable_dl Off
set open_basedir to the value you need
Any web application on your server needs to be a modern one and actively being developed, definitely not some crappy forum running on php4.