LinuxQuestions.org
Old 04-29-2010, 05:29 PM   #1
KernelPaniker
LQ Newbie
 
Registered: Apr 2010
Posts: 3

Rep: Reputation: 0
So I got Rooted with SHV4 and/or SHV5


I have a virtual dedicated server running CentOS 5. The server uses Plesk to manage the websites that it hosts.

I am moving those sites off and I am going to reinstall so it's clean. From what I understand, I should yum update everything, but is there anything else that I should do? It seems that chkrootkit and rkhunter are cool, but they tell you when it's too late.

Thanks in advance...
 
Old 04-29-2010, 07:06 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3599
Quote:
Originally Posted by KernelPaniker
From what I understand, I should yum update everything, but is there anything else that I should do? It seems that chkrootkit and rkhunter are cool, but they tell you when it's too late.
Before answering, could you please indicate:
- How you hardened your machine?
- What "evidence" do you have the cracker dropped SHV4/5 after the root compromise?
- Any idea how they got in?
 
Old 04-30-2010, 12:49 PM   #3
KernelPaniker
LQ Newbie
 
Registered: Apr 2010
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks for the reply!

I haven't done anything to harden my machine. The virtual dedicated server comes "ready to go" so I assumed (foolishly) that there were some things in place.

I ran rkhunter and chkrootkit and they both informed me of SHV4 and SHV5. Also there were a lot of "errors" when I tried yum update and proc aux.

I have no idea how they got in. I am guessing because of not being updated. The machine has already been re-provisioned (reinstalled).

I guess what I want to know is if there are some newbie guides to hardening.
 
Old 05-01-2010, 07:35 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3599
Quote:
Originally Posted by KernelPaniker
The virtual dedicated server comes "ready to go" so I assumed (foolishly) that there were some things in place.
That would work partially if you leased your VDS from a quality company at the top end of the price range. In turn for shelling out way more cash you could expect the bed of roses type of service. I'm saying partially because phones, the BFG2000, microwave ovens, small tactical nuclear missiles, hardware, software, most things come with a manual (or two). Not taking the time to, or just not wanting to, familiarize oneself with the features offered and the usage instructions may well lead to problems (as you've experienced). OTOH GNU/Linux' image, as offered by low range price fighting resellers, is also not helped by them promoting it as some sort of turnkey system and the (wrong) idea that being able to click one's way through some web-based admin panel is a substitute for knowledge or even makes one (feel like) a Good Admin. Not.
I. There is no substitute for knowledge.


Quote:
Originally Posted by KernelPaniker
I ran rkhunter and chkrootkit and they both informed me of SHV4 and SHV5. Also there were a lot of "errors" when I tried yum update and proc aux. I have no idea how they got in. (..) The machine has already been re-provisioned (reinstalled).
Alright. So the next things you should learn are that you should suppress the "on failure immediately re-install whole OS" reflex and investigate before nuking things and that when it comes to assessing a situation we will almost always want to see logs or log excerpts, actual tool output and exact error messages. Because without knowing how they got in you're bound to make the same mistake again and tools may emit what really are false positives.


Quote:
Originally Posted by KernelPaniker
I am guessing because of not being updated.
With all due respect, whatever the reason for doing that, that is a major error on your side. While you may not exactly care or feel responsible, we do. Because when a machine connected to the 'net gets compromised it may well serve as a springboard to other systems.
II. Running GNU/Linux comes with responsibilities.


Quote:
Originally Posted by KernelPaniker
I guess what I want to know is if there are some newbie guides to hardening.
Please read at least these:
- the CERT Intruder Detection Checklist (to be prepared),
- the Centos documentation at http://www.centos.org/docs/5/ (basic admin),
- the Centos Wiki HowTos > OS Protection > Basic Hardening,
- Hardening RHEL5,
- NSA reference guide for securing Linux installations,
- NSA Guide to securing Linux installations.

Add these:
- Securing and Hardening Red Hat Linux Production Systems (puschitz),
- Securing Debian Manual (one of the oldest, most comprehensive ones).

And maybe check the LQ FAQ: Security references.

I suggest you read the first 6 documents, extract core measures to take to a checklist then post your checklist here. We'll then help you adjust and correct. Deal?

Last edited by unSpawn; 05-01-2010 at 07:37 AM.
 
2 members found this post helpful.
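As an added illustration of the "investigate before nuking" point (example code, not from the thread, rkhunter or chkrootkit): on an RPM-based system such as CentOS 5, `rpm -Va` reports installed files that differ from their package metadata, and this script sorts that output so changed system binaries stand out from routine config edits. The sample output and the bucket heuristics are constructed for the example.

```python
import re
# One `rpm -Va` line: 8-char verify field on CentOS 5's rpm (9 on newer rpm,
# which adds 'P'), optional attribute marker ('c' = config file), then path.
_VERIFY_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$")
_MISSING_RE = re.compile(r"^missing\s+(?:[cdglr]\s+)?(?P<path>/\S+)$")
# Where a content change is a strong tampering signal: user-space rootkits
# typically replace binaries such as ps, ls and netstat in these directories.
_SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

def triage_rpm_verify(output):
    """Sort rpm -Va output into buckets: 'suspicious' (size/content/mode
    change or missing file under a system dir), 'review' (content change on
    other non-config files), 'expected' (config files, mtime-only changes),
    'unparsed' (e.g. prelink messages, kept for the record)."""
    buckets = {"suspicious": [], "review": [], "expected": [], "unparsed": []}
    for line in output.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = _MISSING_RE.match(line)
        if m:
            path = m.group("path")
            buckets["suspicious" if path.startswith(_SYSTEM_DIRS) else "review"].append(path)
            continue
        m = _VERIFY_RE.match(line)
        if not m:
            buckets["unparsed"].append(line)
            continue
        flags, attr, path = m.group("flags"), m.group("attr"), m.group("path")
        content_changed = any(ch in flags for ch in "S5M")  # size, md5, mode
        if attr == "c" or not content_changed:
            buckets["expected"].append(path)
        elif path.startswith(_SYSTEM_DIRS):
            buckets["suspicious"].append(path)
        else:
            buckets["review"].append(path)
    return buckets
# Constructed sample of what `rpm -Va` might print on a tampered CentOS 5
# host; this is not output from the poster's server.
SAMPLE_OUTPUT = """\
S.5....T  c /etc/ssh/sshd_config
.......T    /usr/share/man/man1/ls.1.gz
S.5....T    /bin/ps
S.5....T    /bin/netstat
missing     /sbin/ifconfig
S.5....T    /var/www/html/index.html
prelink: /usr/bin/gawk: at least one of file's dependencies has changed since prelinking
"""
```

On a live compromised host the rpm database and the rpm binary itself may have been altered as well, so feed this output captured with a trusted rpm, or from the disk mounted read-only under rescue media, rather than trusting what the suspect system reports about itself.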
Old 05-01-2010, 12:31 PM   #5
brucehinrichs
Member
 
Registered: Mar 2008
Location: US
Distribution: Debian Sid; Sabayon, UbuntuStudio, Slackware-multilib 13.1, Peppermint Ice, CentOS
Posts: 575

Rep: Reputation: 69
Thanks for the links, unSpawn! I am currently learning (on my own with the help of Google, LQ, and the Debian Linux Tutorial) how to set up a dedicated firewall box and LAMP server. I am almost to the point of real-world testing and am just starting to try to harden my boxes (I do realize that the Debian tutorials do not leave me with a secure machine). Perfect timing!
 
Old 05-02-2010, 11:07 AM   #6
KernelPaniker
LQ Newbie
 
Registered: Apr 2010
Posts: 3

Original Poster
Rep: Reputation: 0
Thank you unSpawn, that is exactly what I needed. I have no problem accepting full responsibility for what happened and I will learn from my mistakes.

I will start reading and update this thread with my progress.

Again.. thank you.
 
Old 05-02-2010, 06:05 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3599
You're welcome (both). Any related security or hardening questions: please feel free to ask here.
 