Are there any other suggestions you can make?
Yes, but before I do a word of warning if you please. While during the course of this thread the exact date and time, entry vector and result wheren't determined I would like to emphasise once more your box was compromised and you should act on it by at least doing the following: please start by reading
CERT: Steps for Recovering from a UNIX or NT System Compromise. While I've done my best to guide you through this I am certain I did not follow all steps. I don't need to tell you it is your responsability towards your fellow internet users to make sure the system is and will remain onehundred percent under your control. Minimally you should aim to have all system and user passwords changed, offending software updated or removed, network facing software re-installed and updated, and the box hardened as a whole.
I would also like to remind you that continuing to use, and installing and running filesystem integrity check applications on a compromised host isn't a sound basis and will lead to a false sense of security.
Enough said. Most of the stuff mentioned you find reading the
LQ FAQ: Security references, I'll try and highlight some here. For trying out some I'd recommend have a dev box so your tests won't kill the server. While I don't go into it here you will also want to work on the procedural approach wrt responsabilities like timely upgrades, backups, auditing and post-upgrade testing. Building and implementing a policy will take time but will save you time in the long run.
Basic host configuration and hardening
I find
The SANS Top 20 Internet Security Vulnerabilities a good starting point, especially C3: "PHP-based Applications". Check out
CERT: UNIX Configuration Guidelines and
AusCERT - UNIX Security Checklist v2.0 - The Essentials, while rather old they contain enough basic material to still be relevant. Add your choice of docs like Linux Administrator's Security Guide (LASG) and Securing & Optimizing Linux and the SELinux docs. Check with
Tiger,
LSAT (Number9's, not Mixter's),
Bastille Linux (--report mode). If you don't want to use SELinux, maybe you could consider the GRSecurity kernel patch which offers considerable hardening (for instance chroot functionality), control (for instance Trusted Path execution (TPE), rule-based access (RBAC) and the ability to deny certain users network access) and auditing features (who executed what when?).
Network, service and application-specific configuration and hardening
Network restrictions are a layered combination of TCP wrappers (/etc/hosts.{deny, allow} and libwrap-compiled apps like OpenSSH and Xinetd), PAM settings for accounts, firewall, service-specific settings (Apache's deny from all/allow from, SMTP Blacklists) and finally a NIDS. See LQ FAQ: Security references post #2 and 3.
Basically three things to consider. Network stack hardening (sysctl), iptables: default DROP policies so you only open up what you explicitly allow, in/egress filtering and logging. There's also a few good threads in this forum about building good rulesets. Deploying a NIDS, preferably Snort. Add a third-party add-on like Guardian if you want to have active blocking capabilities.
You're right to only allow SSH access from your management IP ranges. I always add a Xinetd entry for SSH on a high port and restrict access to that. Next to that I mount /usr read-only or chattr +iu the whole tree where ro mounts aren't possible, use partitions for user-writable temps and minimally mount them noexec,nosuid where possible.
Check services with Tiger,
Env_audit,
Nessus, Nmap (and
Metasploit if you're feeling lucky :-] ).
Some application-specific stuff. Next to the developers docs about and threads here about Apache/MySQL security, chrooting ( LQ FAQ: Security references post #4) here's an extension of post #6, which was due like six months ago:
Apache
Web Security Appliance With Apache and mod_security (SF):
http://www.securityfocus.com/infocus/1739
Securing Apache Step-by-Step:
http://www.securityfocus.com/infocus/1694
Securing apache2:
http://www.securityfocus.com/infocus/1786
Apache mod_security guide:
http://www.securityfocus.com/infocus/1739
Apache mod_ssl:
http://www.securityfocus.com/infocus/1356
Apache modules
mod_dosevasive:
http://www.nuclearelephant.com/projects/dosevasive/
mod_security:
http://www.modsecurity.org
mod_security rulesets:
http://www.gotroot.com/mod_security+rules
mod_security rule generator:
http://leavesrustle.com/tools/modsecurity/
MySQL
Securing MySQL Step-byStep:
http://www.securityfocus.com/infocus/1726
Secure MySQL Database Design:
http://www.securityfocus.com/infocus/1667
SQL injection attack mitigation: SafeSQL:
http://www.phpinsider.com/php/code/SafeSQL/,
http://www.webmasterbase.com/article/794
Detect SQL injection attacks: class_sql_inject:
http://www.phpclasses.org/browse/package/1341.html
PHP
Top 7 PHP Security Blunders:
http://www.sitepoint.com/print/php-security-blunders
PHP Security Guide:
http://phpsec.org/projects/guide/ (PHP Security Library:
http://phpsec.org/library/)
PHPsec.org Security Guide considered harmful:
http://www.hardened-php.net/php_secu...armful.51.html
PHP: Preventing register_global problems:
http://www.modsecurity.org/documenta...r-globals.html
Securing PHP Step-by-Step:
http://www.securityfocus.com/infocus/1706
PHP Security:
http://www.onlamp.com/pub/a/php/2003...undations.html
Security of PHP:
http://www.developer.com/lang/article.php/918141 (PHP Foundations:
http://www.onlamp.com/pub/ct/29)
Auditing PHP, Part 1: Understanding register_globals:
http://www-128.ibm.com/developerworks/library/os-php1/
Hardened PHP:
http://www.hardened-php.net
SuPHP:
http://www.suphp.org/Home.html
(
http://www.phpsecure.info seems outdated)
Checking PHP
phpcksec:
http://tools.desire.ch/phpcksec/
CastleCops Analyzer (Nuke only?):
http://nukecops.com/
We definately need more checking apps for the AMP part of LAMP.
Logging and auditing
When configuring your system you should make sure the system logs, all application logs and security add-ons provide enough logging for you to get clues from (and you're right your retention time was way too low). There are tools (iptstate, apachetop, ACID, SPADE, FWLogwatch) providing you with a dashboard to check, but they should be used in combination with more central parsers like
Logwatch or
Swatch.
Next to regularly running tools like Tiger, Rootkit Hunter and Chkrootkit you will want to deply a filesystem integrity check application like Aide, Samhain or even tripwire because the scope of "rpm -Va" is limited. Make sure any checksum databases are mirrored off-site as a precaution wrt tampering.
Make sure root account email is read periodically by an unprivileged user (or else at least pre_load Libsafe and "noexec pine").
I also want to mention Monit. While Monit is a tool primarily for making sure/keeping services alive, it has many more features like checking ownership, MD5sums, disk space, etc etc and the capability to perform actions when a condition changes varying from sending email and restarting services to executing shell scripts. If you run it from init and make it's config immutable it can't be killed easily. Some tools mentioned are passive (for instance Tiger, Chkrootkit, Rootkit Hunter, Aide), meaning you won't get a warning until *you* cronjob some action, and some are active (for instance Snort, Samhain, Monit). You should decide what mix you need.
./close
I hope I didn't scare you away :-]
While I consider many of the above mandatory your decision on what to implement will remain a battle for either more security or more usability, and since security is an ongoing process it is a battle that needs to be prepared for and fought everyday.
Anyway, have fun!
Cheers.