[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]
On Tue, 22 Jun 2010, Rob Beard wrote:
Hi folks,I've been asked by a friend of mine to setup his VPS server so he can stream Shoutcast streams for his online radio station.Basically he had a server before hosted with a different VPS and something went wrong and things were deleted. I'm not sure if it was someone falling out with him and deleting everything off the server, the VPS having a problem or someone breaking into the server and doing naughty things.Anyway this new VPS server is with 1&1, so far it's got a basic install of CentOS 5 with the Plesk Control Panel. I have asked him if he'd mind if I replaced this with Ubuntu or Debian which I'm more familiar with (which are other OS options that 1&1 offer).One of my concerns though is securing the server as it's got a direct connection to the internet. I wondered if anyone had any experiences of packages like Rootkit Hunter or Chkrootkit with Portsentry (I've done a quick search online and these came up as options).
The question is really "How can a remote attacker get access". Checking for rootkits, etc. is an after thought - by then it's too late and the damage has been done.
So - make sure services aren't running that don't need to run - e.g. any and all hardware auto-detect/auto mount/etc. stuff. It's a server, it has a fixed configuration, so fix it.
Web server - what's running on it - php/perl/etc. Web servers themselves (e.g. apache) are mostly OK - it's almost always what they are running that's the issue, and even then, things like PHP, Perl, Python themselves rarely have directly attackable issues, it's almost always sloppy/bad/naive coding by the programmer that's at fault here. So check what's being installed, is it user-written, or some package to serve the files?
Control interactive access - ssh - firewall it, make sure it's ssh v2 and don't use passwords - tricky to setup in the first instance, but once setup it's relatively easy from there. If you do insist on passwords, then it's still not a bad thing, but firewall it, if posible, so it can only be accessed from known loations. (and thus for that, you need a static IP address)
And don't forget to stop email/pop/imap if they're not being used. I see POP probes every day looking for username/password combinations, as well as ssh.
When firewalling, block everything, then open the ports you need. Don't do it the other way round!
And of-course make sure you consider the server to be 'write only' (ie. you just send files to it for it to serve, keeping copies of the files locally), or back it up at regular intervals.
Gordon -- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html