LinuxQuestions.org
Old 12-23-2007, 01:42 PM   #1
Raakh
Member
 
Registered: May 2007
Posts: 128

Rep: Reputation: 15
dedicated server security problem


I have a dedicated server
OS= RHE

Someone is trying to hack my server and even changed some of my files. I am regularly receiving the WatchLog and
Cron <drweb@server> /opt/drweb/update.pl
From: Cron Daemon (root@servername.com)
Sent: Sunday, December 23, 2007 4:20:50 PM
To: drweb@servername.com

/bin/sh: /opt/drweb/update.pl: Permission denied

The hosting company recommended three basic server security measures, such as changing the default ssh port, disabling root access except through a wheel user, and adding software or hardware firewalls.

I changed the root access except through wheel user
but failed to change the default port. Please see my post http://www.linuxquestions.org/questi...h-port-608734/

I request you to please help me with:
1). Where am I making a mistake in changing the default port (see my aforementioned post)?

2). Which firewall do you recommend, preferably a free firewall for RHE, with the method to install it?

thanks & best regards
 
Old 12-23-2007, 02:32 PM   #2
harry edwards
Member
 
Registered: Nov 2007
Location: Lincolnshire, UK
Distribution: CentOS, Fedora, and Suse
Posts: 365

Rep: Reputation: 48
I've read your previous post: You do not mention whether you already have iptables installed. This is the firewall that comes with RHEL. If you do then you will need to open the new port which you have allocated to ssh. You will only be allowed to connect to ssh once this is done.

As for a recommended firewall I would suggest iptables; however, simply switching the default port of ssh will not stop hacking attempts. Any port scanner will take seconds to find the newly allocated port.

A few suggestions:

1) Implement /etc/hosts.deny and/or /etc/hosts.allow

2) Tweak ssh_config to enforce timeouts for repeated log on failures.

3) Report hacking attempts to the ISP of the hacker.
 
Old 12-29-2007, 12:03 PM   #3
Raakh
Member
 
Registered: May 2007
Posts: 128

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by harry edwards
I've read your previous post: You do not mention whether you already have iptables installed. This is the firewall that comes with RHEL. If you do then you will need to open the new port which you have allocated to ssh. You will only be allowed to connect to ssh once this is done.

As for a recommended firewall I would suggest iptables; however, simply switching the default port of ssh will not stop hacking attempts. Any port scanner will take seconds to find the newly allocated port.

A few suggestions:

1) Implement /etc/hosts.deny and/or /etc/hosts.allow

2) Tweak ssh_config to enforce timeouts for repeated log on failures.

3) Report hacking attempts to the ISP of the hacker.
Thanks for your reply

Can you please let me know how I can do 1) & 2)?

thanks again & best regards
 
Old 12-29-2007, 05:20 PM   #4
harry edwards
Member
 
Registered: Nov 2007
Location: Lincolnshire, UK
Distribution: CentOS, Fedora, and Suse
Posts: 365

Rep: Reputation: 48
1) To implement /etc/hosts.deny. Simply add any entry to the file, containing the service and IP address you wish to block. For example:

Code:
# /etc/hosts.deny
# See `man tcpd´ and `man 5 hosts_access´ as well as /etc/hosts.allow
# for a detailed description.

http-rman : ALL EXCEPT LOCAL
sshd:24.74.163.67
sshd:194.149.213.16
sshd:201.134.34.171
In this sample three IP addresses have been banned from accessing ssh.

2) To enhance the security around ssh, edit /etc/ssh/sshd_config

Set PermitRootLogin to without-password i.e.

PermitRootLogin without-password

If this option is set to 'without-password', password authentication is disabled for root. Therefore, root cannot log on remotely unless you have certificates set up.

Reduce the LoginGraceTime

The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 120 seconds. I would reduce this to around 15 seconds. This slows down anyone trying to brute force your system.

There are lots of other settings. Take a look at the man page for sshd_config
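
The two sshd_config settings discussed in post #4 can be checked mechanically. The script below is an added example, not part of any post in this thread: it reports the value sshd would actually use (keywords are case-insensitive and the first occurrence wins) and flags it against the thread's advice. The function names, `MAX_GRACE` and the sample config are this example's own; compound time values such as `1m30s`, `Include` files and `Match` blocks are not evaluated.

```shell
# Print the value sshd would use for KEYWORD in FILE. Keywords are
# case-insensitive, the first occurrence wins, and lines after "Match"
# are conditional, so scanning stops there. Prints nothing if unset.
effective_opt() {
    awk -F'[ \t=]+' -v key="$1" '
        { sub(/^[ \t]+/, "") }
        /^#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}
# Convert a single-unit time value (15, 30s, 2m) to seconds.
# Unset means the 120 s default quoted in post #4.
to_seconds() {
    case "$1" in
        '')    echo 120 ;;
        *[sS]) echo "${1%?}" ;;
        *[mM]) echo $(( ${1%?} * 60 )) ;;
        *)     echo "$1" ;;
    esac
}
# Report on FILE; returns 1 if anything is flagged. MAX_GRACE is this
# example's own knob, defaulting to the 15 s suggested in post #4.
audit_sshd() {
    rc=0
    root=$(effective_opt PermitRootLogin "$1" | tr 'A-Z' 'a-z')
    case "$root" in
        no) echo "OK   PermitRootLogin no" ;;
        without-password|prohibit-password|forced-commands-only)
            echo "NOTE PermitRootLogin $root: key-based root login still possible" ;;
        *)  echo "WARN PermitRootLogin ${root:-unset}: root password login may be allowed"
            rc=1 ;;
    esac
    grace=$(to_seconds "$(effective_opt LoginGraceTime "$1")")
    if [ "$grace" -eq 0 ] || [ "$grace" -gt "${MAX_GRACE:-15}" ]; then
        echo "WARN LoginGraceTime ${grace}s (0 means no time limit)"; rc=1
    else
        echo "OK   LoginGraceTime ${grace}s"
    fi
    return $rc
}
# Constructed sample config, not taken from the thread.
write_sample() {
    printf '%s\n' '#PermitRootLogin no' 'permitrootlogin without-password' \
        'PermitRootLogin yes' 'LoginGraceTime 2m' 'Match User backup' \
        '    PermitRootLogin no'
}
sample=$(mktemp) && write_sample > "$sample"
audit_sshd "$sample" || echo "findings above need attention"; rm -f "$sample"
```

On a real host, point `audit_sshd` at /etc/ssh/sshd_config; the commented-out line and the later duplicate in the sample show why a plain grep for the keyword can mislead.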
 
Old 01-01-2008, 10:38 AM   #5
Raakh
Member
 
Registered: May 2007
Posts: 128

Original Poster
Rep: Reputation: 15
thanks a lot
 
Old 01-03-2008, 05:36 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2787
Wrt to hosts_access and firewalling it would be more efficient to use whitelisting if users are from "known good" IP ranges. If not it would be good to read the sticky thread http://www.linuxquestions.org/questi...tempts-340366/.

Wrt sshd_config's PermitRootLogin AFAIK the value should be "No" instead of "without-password". The "root" account should *not* be used for logging in over untrusted (read: almost all) networks.
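
The difference between the per-address blacklist shown in post #4 and the whitelisting suggested in post #6, as an added example that is not part of the thread: a small evaluator for a subset of the hosts_access(5) rules, run against both policies. The function names are hypothetical, and the 192.0.2. range and the 198.51.100.9 client are constructed documentation addresses standing in for "known good" and unknown hosts.

```shell
# rule_hits DAEMON IP FILE: succeed if a rule in FILE matches. Subset of
# hosts_access(5): daemon name or ALL; client ALL, an exact IPv4 address,
# or a prefix ending in "." (EXCEPT, netmasks, hostnames, IPv6 not handled).
rule_hits() {
    awk -F: -v d="$1" -v ip="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        {
            daemon = $1; gsub(/[ \t]/, "", daemon)
            if (daemon != d && daemon != "ALL") next
            n = split($2, pat, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (pat[i] == "ALL" || pat[i] == ip ||
                    (pat[i] ~ /\.$/ && index(ip, pat[i]) == 1)) { hit = 1; exit }
        }
        END { exit !hit }
    ' "$3"
}
# wrappers_decision DAEMON IP ALLOW_FILE DENY_FILE
# hosts.allow is consulted first, then hosts.deny; a client that matches
# neither file is granted access.
wrappers_decision() {
    if rule_hits "$1" "$2" "$3"; then echo allow
    elif rule_hits "$1" "$2" "$4"; then echo deny
    else echo allow
    fi
}
# Write both policies into directory $1 (constructed files).
make_policies() {
    : > "$1/bl.allow"                                  # blacklist: nothing allowed explicitly
    printf 'sshd:24.74.163.67\nsshd:194.149.213.16\n' > "$1/bl.deny"   # entries from post #4
    printf 'sshd : 192.0.2.\n' > "$1/wl.allow"         # whitelist: assumed known-good range
    printf 'sshd : ALL\n' > "$1/wl.deny"               # ...and everyone else is refused
}
dir=$(mktemp -d) && make_policies "$dir"
for ip in 24.74.163.67 198.51.100.9 192.0.2.10; do
    echo "$ip blacklist=$(wrappers_decision sshd "$ip" "$dir/bl.allow" "$dir/bl.deny")" \
         "whitelist=$(wrappers_decision sshd "$ip" "$dir/wl.allow" "$dir/wl.deny")"
done
rm -rf "$dir"
```

Against the installed files, `tcpdmatch sshd <address>` answers the same question. OpenSSH 6.7 and later no longer include TCP wrappers support, so on such systems these files do not affect sshd and the restriction has to be made in the firewall.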
 
  


All times are GMT -5.