Perfect Setup Debian Lenny not so perfect for me

[diego]

Hi!

I just wanted to give some feedback on 2 installations I did 2 months ago with the perfect setup Debian Lenny + ISPConfig 3 (1 Master, 1 Slave).

The installation itself was easy and painless, but now the first installation Lenny + ISPConfig 3 was hacked and was used for Paypal Phishing attempts. I do not know how they did it, as the server is currently offline (my hoster had to do this, firefox even reports my server as a phishing server ). The installation was 100 % Standard, no mods on my side. So, there is some security issue somewhere.

The second installation also went fine, but I recognized heavy traffic (300 MB / hour) without any special software installed. After some debugging I recognized that on the standard-install, apache2 is configured for ProxyRequests and some spammers used my machine for that. After shutting that down, the traffic went back to normal. Maybe this should be mentioned and addressed in the tutorial.

One thing which should also be addressed is, that at the time of my installation the latest phpmyadmin-packages for debian which you download with apt-get had a security-problem regarding the config-file, as after installation the cookie-based authentication (needed by ispconfig) got changed to user-based in the config-file (there are posts about this on the inet, as this broke the ispconfig3 authentication).
Again, this should be addressed or at least mentioned in the perfect setups.

Keep on the good work,
Diego

[damir]

Perfect Howtos are perfect in installation but not in security, you should be aware of hardening the system after the default installation. There is a lot of work to be done to make a system secure. But even if you have a secure system, if it's not updated and if you do not have some kind of monitoring it gonna be hacked soon or later.

Ispconfig 3 is just a script that controls the services, those services needs to be secured by you.

Regarding phpmyadmin, you should always install it as separate site, because like i said you are the sysadmin and it's your job to follow at least two security related sites, phpmyadmin hole was announced and was patched immediately by me because it was on separate site, and i don't wanted to wait for debian team to release the patch.

Than you have all these web apps that are constantly targeted as soon a security hole is exposed. This is something that with the help of ISPConfig and you can be isolated to a minimum of damage.

[diego]

Hi!

Thank you damir for your response.

Are there any howto's on securing an ISPconfig-based installation? Would be nice to get some background knowledge about the security holes and the neccessary steps to avoid any pitfalls.