In a post I made a few months ago: http://baselogic.com/blog/archives/252
I talked about an issue with a rootkit that I had. Well, the truth is, that was just a symptom of a larger issue. The reality was, I was hacked pretty bad, and really forced to completely start fresh with a complete OS reload, and getting fresh application code for all the applications I was running to ensure a fresh start. Unfortunately, I am not 100% sure how I was invaded, but I was at least infected with a rootkit, and the invaders were able to actually create a user account on the server.
In the dedicated server I was running, the default install had EVERYTHING turned on and opened up. I am not a system administrator, so I did not really know about any of these issues before. Well, um, now I know 🙁
So, I decided to move to a cloud server, mostly due to the fact that I can pay for only what I use, not a huge box with huge bandwidth that never gets used. I currently use Mosso (http://www.mosso.com). I also noticed they have a sibling called Slicehost (http://www.slicehost.com), and they are both a child of Rackspace.
I was pleased to find that once I was given the new server (in about 10 minutes), I had a fresh install that had pretty much NOTHING turned on! Great! Then I started to dig into the Slicehost documentation for setting up my server. I started with securing CentOS (http://articles.slicehost.com/2008/1/30/centos-setup-page-1), and this one page alone really got me to understand many of the issues I had in my dedicated server. Setting up SSH was fairly straightforward and made sense to me. The completely new concept was iptables, which I had never seen or heard of up to this point. That tutorial talks about manually creating iptables rules. I did this at first to get my box up and running, but a friend of mine recommended I move to Shorewall (http://www.shorewall.net/), and I must say, the rules are easier to understand. At least to me.
Then, I started on my path to install all the needed components for my new server. First I began with another great Slicehost tutorial about installing Apache and PHP5 (http://articles.slicehost.com/2008/2/6/centos-installing-apache-and-php5). Then I moved on to configuring Apache and installing and configuring MySQL, which I will go into in another blog post [PLACEHOLDER].
One thing I really found useful was the ability to install and update packages via yum. I also found a few additional yum repositories to add, like RPMForge (http://rpmforge.net/), but then wanted to ensure I did not install the wrong packages, so I followed a great tutorial (http://wiki.centos.org/PackageManagement/Yum/Priorities) that sets priorities for each type of repository.
So next, I reinstalled rkhunter, but then added chkrootkit and DenyHosts (yum install rkhunter chkrootkit denyhosts) to help with scanning for invasions again. So I now get a few emails every morning to give me a report. This is in addition to my LogWatch report I get every morning. And I must say, LogWatch is the most amazing report I have thus far. I have found out so many things about activity on my server. This has convinced me of the benefit of all the work I did with SSH, user accounts, and firewalls. But it also led me to pursue .htaccess, mod_security and other Apache vulnerability-prevention tactics, which I will detail in some future blog posts.
Creating a bare-bones CentOS install, and only installing and turning on what I explicitly need, has really made my life much better. The general items that I performed to get my new cloud server up and running were as follows:
- Securing SSH
- Securing /tmp
- Configuring yum repositories and priorities
- Creating secured users for Apache and MySQL, and ensuring all system users are removed and/or secured.
- Configuring ShoreWall firewall
- Installing rkhunter, chkrootkit and DenyHosts for monitoring.
- Configuring .htaccess for Apache
- Configuring mod_security for Apache
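As an added example (not code from the original post or from the Slicehost articles), here is a small POSIX shell audit for the first two checklist items, "Securing SSH" and "Securing /tmp". The sshd_config and fstab contents are constructed sample files so the check runs offline; point the functions at /etc/ssh/sshd_config and /etc/fstab to audit a real box.

```shell
#!/bin/sh
# Added example, not from the original post. Audits two hardening items:
# sshd directives and the mount options of a separate /tmp filesystem.

# Return 0 when PermitRootLogin/PasswordAuthentication are "no" and Protocol is 2.
# sshd uses the FIRST uncommented occurrence of a keyword, so we mirror that.
check_sshd_config() {
    cfg="$1"; rc=0
    for pair in "PermitRootLogin:no" "PasswordAuthentication:no" "Protocol:2"; do
        key=${pair%%:*}; want=${pair#*:}
        # Commented lines start with "#", so $1 never matches the bare keyword.
        got=$(awk -v k="$key" 'tolower($1)==tolower(k) && v=="" {v=$2} END {print v}' "$cfg")
        if [ "$got" != "$want" ]; then
            echo "sshd_config: $key is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 when /tmp has its own fstab entry mounted noexec,nosuid,nodev.
check_tmp_mount() {
    opts=$(awk '$1 !~ /^#/ && $2=="/tmp" {print $4}' "$1")
    [ -n "$opts" ] || { echo "fstab: no separate /tmp entry" >&2; return 1; }
    for o in noexec nosuid nodev; do
        case ",$opts," in
            *",$o,"*) ;;
            *) echo "fstab: /tmp is missing $o" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample files (hypothetical contents, written to a temp dir).
tmpd=$(mktemp -d); trap 'rm -rf "$tmpd"' EXIT
printf '#PermitRootLogin yes\nPasswordAuthentication yes\n' > "$tmpd/sshd.bad"
printf 'Protocol 2\nPermitRootLogin no\nPasswordAuthentication no\n' > "$tmpd/sshd.good"
printf '/dev/loop0 /tmp ext3 loop,rw 0 0\n' > "$tmpd/fstab.bad"
printf '/dev/loop0 /tmp ext3 loop,noexec,nosuid,nodev 0 0\n' > "$tmpd/fstab.good"

# Usage: audit a file pair and report.
check_sshd_config "$tmpd/sshd.good" && echo "sshd.good: OK"
check_sshd_config "$tmpd/sshd.bad" || echo "sshd.bad: FAIL (expected)"
check_tmp_mount "$tmpd/fstab.good" && echo "fstab.good: OK"
check_tmp_mount "$tmpd/fstab.bad" || echo "fstab.bad: FAIL (expected)"
```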
With all that I have done, I now find I have a far better understanding of potential security threats, even though I realize there is much more to learn. But this has also given me great insight into potential issues with application development, as many of the security issues behind the way today's hackers invade systems were unknown to me.
… The End.