Suggestions for securing server?

Discussion in 'Installation/Configuration' started by BorderAmigos, Sep 15, 2008.

  1. BorderAmigos

    BorderAmigos New Member

    On 9/11 many of the scripts in /etc/init.d/ got rewritten to zero bytes. This wasn't noticed until a reboot on the next day when so many things suddenly weren't working (no network, no external disk drive or USB connections, etc.). Luckily, copying the scripts from a Debian Live CD got the network and connections running. Then copying the rest from a backup brought the system back. So all was saved with a few hours work.

    My big question is how the scripts were modified/deleted?

    No work was done on the system on 9/11 so I can only think I was hacked into or some malicious script was able to run as root. Looking at the logs I can only find the usual suspects trying to insert known-hackable page names into the websites. All show as denied though.

    There is a hardware firewall running in my router with port forwarding of only the ports used. I changed my passwords to something even longer and more obscure. What other suggestions do you all have for preventing this from happening again?
     
  2. chipsafts

    chipsafts New Member

    do you have logwatch installed ?
     
  3. BorderAmigos

    BorderAmigos New Member

    No, I'll check it out. I'm really curious how someone got in if that is what happened.

    Also, logs often show that there are http accesses to the var/www/localhost directory. I don't know how that is done either. By domain name should go to the /var/www/web(1,2...) and by IP should go to /var/www/sharedip.
     
  4. falko

    falko Super Moderator ISPConfig Developer

    I'd install fail2ban to block brute-force attacks.
     
  5. ralic

    ralic New Member

    Setting scripts to 0 size seems to me to be unusual hacker type activity. Perhaps a rogue backup/restore script?

    Also give your disks a thorough checking out. And look in /lost+found for any recovered data. Might not be a hack attempt, but could be a sign of impending disk failure.

    Good luck!
     
  6. BorderAmigos

    BorderAmigos New Member

    Thanks for the response. Lost+Found is empty. fsck says the disk is ok. Only certain files in one directory were affected.
     

Share This Page