LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-20-2006, 11:03 PM   #1
redice
Member
 
Registered: Aug 2005
Location: In My Office
Distribution: Fedora, Ubuntu
Posts: 61

Helppp!!!!


Hi All,

I run a web server/mail server (dedicated hosting from a hosting company).
Now my server had been compromised and was being used to scan other servers for
XML-RPC vulnerabilities.

I would like to secure my server as much as possible.

Services used on my server are as follows

80 - web
8443 - Plesk (user control panel login)
21 - ftp
25 - SMTP (With User authentication)
110 - POP

I'm not much of a guru with iptables and security but I understand
that iptables is what's used to secure the server.

I would also like to find out how my server was used to send out objectionable
traffic. How may I do this? Which logs would I check?

What would be the best way to secure the server?

All your help will be highly appreciated
For now please treat me as a in the security domain

Redice
 
Old 02-21-2006, 06:41 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Now my server had been compromised and was being used to scan other servers for XML-RPC vulnerabilities. I would like to secure my server as much as possible.
Please have your hosting company make a backup of human-readable data if necessary, wipe the install and reinstall the OS from scratch. Then have them hand off the box to you with a minimal set of services running and the firewall up with access only from your IP (range) before continuing; anything else doesn't make sense.

When you get the box back, close off any services you don't need to run in this phase (you probably only need ssh access). Make a backup of /etc (config files, etc.), then make sure you have an unprivileged user account from which you can su(do) to root, and harden your sshd_config by disallowing root access; restrict ssh access in /etc/hosts.allow to only your IP or range and put ALL: ALL in /etc/hosts.deny. Restart ssh. Log in and first remove any software you don't need, then upgrade your software.

These are the first things you should do. I could probably type a whole hardening checklist, but it's best you first check out the LQ FAQ: Security references under hardening, propose what to do and we'll add to that.
 
Old 02-21-2006, 06:48 AM   #3
redice
Member
 
Registered: Aug 2005
Location: In My Office
Distribution: Fedora, Ubuntu
Posts: 61

Original Poster
Hi unSpawn,

Thanks a million for the reply. Problem here is that the ISP will charge quite a lot (around $150 per hour) to back up my data and reinstall the server.
Is this step compulsory? Can I not just go on with what I already have?

Thanks for the link. I will try to follow it fully and get back to you if I get stuck anywhere.

Redice
 
Old 02-21-2006, 07:39 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Before you do anything else please make sure any unwanted processes are killed and any services you don't need are stopped and not allowed to restart. Also make sure access is restricted to only your IP (range) in the firewall.


Quote:
Problem here is that the ISP will charge quite a lot (around $150 per hour) to back up my data and reinstall the server. Is this step compulsory? Can I not just go on with what I already have?
OK. You could probably back up the data yourself. Short answer is that reinstalling from scratch will provide you with a more trustable environment than anything else. Long answer is that you probably could try to triage, pry (most of) the splinters out, bandage, patch and resurrect your current, compromised setup, but that will take someone who is not well-versed in system security and forensics more time compared to a "safe" way like reinstalling from scratch.


Quote:
I will try to follow it fully and get back to you if I get stuck anywhere.
Please get back *before* you do: make a list of what you think you need to do and we'll add to that.
 
Old 02-21-2006, 02:16 PM   #5
redice
Member
 
Registered: Aug 2005
Location: In My Office
Distribution: Fedora, Ubuntu
Posts: 61

Original Poster
Thanks again.
I have asked the ISP to do a fresh install.

Kindly let me know how I may stop root from SSH'ing into the
server and only allow the user to SSH into it and use su for
root privileges.

Redice

Last edited by redice; 02-22-2006 at 03:12 PM.
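The steps unSpawn lists in post #2 (back up /etc, disallow root in sshd_config, restrict ssh in hosts.allow/hosts.deny, firewall open only to your own IP) and the question in post #5 (root may not SSH in; one user logs in and uses su) can be scripted together. This is an added example, not code from the thread; it assumes a Fedora-style layout (/etc/ssh/sshd_config, /etc/hosts.allow, /etc/hosts.deny, iptables), a single admin address and a user name that are constructed placeholders, and a ROOT variable that lets you dry-run the edits against a scratch directory before touching the live box.

```shell
#!/bin/sh
# Added example (not from the thread). ROOT (default /) is the tree to edit;
# ADMIN_IP is the only address allowed to reach sshd; ADMIN_USER is the
# unprivileged account that will su/sudo to root. Values below are constructed.
set -eu

# Back up /etc into $ROOT/root before touching any config file.
backup_etc() {                                  # backup_etc ROOT
    mkdir -p "$1/root"
    tar czf "$1/root/etc-backup-$(date +%Y%m%d).tar.gz" -C "$1" etc
}

# Rewrite sshd_config: no root logins, only ADMIN_USER may log in.
harden_sshd() {                                 # harden_sshd ROOT ADMIN_USER
    cfg="$1/etc/ssh/sshd_config"
    cp -p "$cfg" "$cfg.pre-harden"
    # drop any existing copies of the directives we set, then append ours
    grep -v -E '^[[:space:]]*(PermitRootLogin|AllowUsers)[[:space:]]' "$cfg" > "$cfg.tmp" || true
    printf 'PermitRootLogin no\nAllowUsers %s\n' "$2" >> "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# TCP wrappers: sshd reachable only from ADMIN_IP, everything else denied.
restrict_wrappers() {                           # restrict_wrappers ROOT ADMIN_IP
    printf 'sshd: %s\n' "$2" > "$1/etc/hosts.allow"
    printf 'ALL: ALL\n' > "$1/etc/hosts.deny"
}

# Print iptables rules for the "only my IP, only ssh" phase (default DROP).
firewall_rules() {                              # firewall_rules ADMIN_IP
    printf 'iptables -F INPUT\niptables -P INPUT DROP\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp -s %s --dport 22 -j ACCEPT\n' "$1"
}

# Check: exits 0 if sshd_config still lets root log in.
root_login_allowed() {                          # root_login_allowed ROOT
    grep -q -E '^[[:space:]]*PermitRootLogin[[:space:]]+(yes|without-password)' \
        "$1/etc/ssh/sshd_config"
}

# Only changes the system when asked: HARDEN_APPLY=1 ./harden.sh 203.0.113.5 admin
if [ "${HARDEN_APPLY:-0}" = 1 ]; then
    backup_etc "${ROOT:-/}"
    harden_sshd "${ROOT:-/}" "$2"
    restrict_wrappers "${ROOT:-/}" "$1"
    firewall_rules "$1" | sh                    # afterwards: service sshd restart
fi
```

Run it with ROOT set to a scratch copy first and diff the results before applying to the real box, and keep a second session open while restarting sshd so a typo in AllowUsers does not lock you out.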
 