Help, my server was hacked :(

The better the password, the better your security, and absolutely nothing can replace good passwords. Recently a poster recommended switching ssh to another port and even created a How-To, but daily we're the target of attempted port scans to see which services are running on which ports.

We don't install apf/bfd except by request because it can result in a lot of email reports to look at.

But it's really good at noticing and blocking attacks in real time.

In response to kadilack I can only say that I'm suspicious of a new poster who comes out of nowhere to answer a new post by saying "trust me and I can help you fix the problem". And frankly, I think in this case distrust is quite prudent. In my opinion, a professional would have answered me professionally, and I sure wouldn't trust a nonprofessional to get into one of our servers.

kadilack said he wrote a brute force scanner, and when I googled the name he gave, all I found was a hackers site.

So I stand by my challenge.

But that's only my opinion.

Jeff
 
I agree with Jeff on the fact that changing ports etc. does not prevent you from getting port scanned etc., but it still does reduce the risk a lot.

Furthermore, there is the possibility to rename your root user to something else, e.g. by creating an alias, or even to only allow normal users to log in and not root (so that once you are logged in as a normal user you can invoke "su" to become root).

I said before, and I say again, that this does not make your server impossible to hack (nothing does that), but it just decreases the risk.

And Kadilack, I think I share Jeff's opinion.

Bastiaan.
 
I haven't replied to Kadilack's post. Maybe he means well, but there is just no way for me to know for sure. I can't take the risk. Besides, I think my server is pretty secure now (fingers crossed).

After the hack and restoring the server, I monitored everything closely for several weeks, running different tools like who, ps, iptraf, etc. to see who comes and goes and what's running. Nobody unauthorized ever accessed the server again.

The whole incident has had one positive side effect for me though. I've learned a LOT about security :)

The root password has been replaced with a very long one, over 11 chars (not saying exactly how many), generated randomly by a little tool I have, and then I memorized it.

I'm running a firewall with a customized list of ports that are blocked, as well as a long list of IP ranges that are blocked as well (most are from China and Korea). I also run chkrootkit and rkhunter daily. I also check all logfiles on a daily basis.

This all may sound paranoid, but I guess that's what you become if you're hacked ;)

Of course the massive scans still continue. The server is scanned on average once every other day. These scans usually last between one and two hours and often contain many thousands of individual probes. In the beginning I worried a lot about it, but I learned that most servers get hit by these scans, so for me they are just a nuisance now.

Again, everyone, a big thanks for all your input! This truly is a magnificent forum.
 
Hi my dear friend

How are you?:p
i have hacked your site :P
please . u give me the password of your server?:p
to scan :DDD
if u want email me at [email protected]
i can help you .. if u need assistance
Bye ... have a nice day :P
nice to meet u :p
 
It's impossible to tell if coago is the real hacker of the server or not.

I'd suggest that anyone who contacts him is doing so at their own risk.

Jeff
 
Fail2ban, denyhosts, portsentry, change ssh ports, etc

I use shorewall - it can rate limit connections - and leave port 22 open, and some others. I also increase portsentry to port 46000 or so; that way they easily trigger and drop themselves before they get near my ssh port. With port 22 open, and no service on it, it's a portsentry honeypot.

Also the spamhaus lasso list (bogons) can help a ton.

Also, I explain to customers that they'll be locked out for 45 minutes if they enter the password wrong - they usually are fine...
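As an added example (not code from anyone in this thread, nor from fail2ban or denyhosts themselves), this is the failed-login counting those tools perform, run over constructed sshd log lines in the standard OpenSSH syslog format. The threshold of three failures within ten minutes is an assumption; the 45-minute lockout is the one mentioned above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog style, no year); not taken from the thread.
SAMPLE_LOG = """\
Mar 10 02:11:01 host sshd[4811]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar 10 02:11:03 host sshd[4813]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Mar 10 02:11:05 host sshd[4815]: Failed password for root from 198.51.100.7 port 40141 ssh2
Mar 10 02:11:09 host sshd[4819]: Accepted publickey for bastiaan from 203.0.113.9 port 50000 ssh2
Mar 10 02:11:12 host sshd[4820]: Failed password for root from 198.51.100.7 port 40150 ssh2
Mar 10 02:11:20 host sshd[4821]: Failed password for root from 203.0.113.9 port 50010 ssh2
Mar 10 03:30:00 host sshd[5000]: Failed password for root from 203.0.113.9 port 50020 ssh2
"""

# Matches OpenSSH "Failed password" lines, including the "invalid user" variant.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_ts(ts, year=2000):
    """Syslog timestamps carry no year; assume one so they become comparable."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(log_text, max_fail=3, window=timedelta(minutes=10), ban=timedelta(minutes=45)):
    """Return {ip: ban_expiry} for IPs with >= max_fail failures inside window (assumed thresholds)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures, oldest first
    bans = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if ip in bans and ts < bans[ip]:
            continue              # still locked out: attempts during the ban are just dropped
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # forget failures that fell out of the sliding window
        if len(q) >= max_fail:
            bans[ip] = ts + ban   # lock the address out for the ban period
            q.clear()
    return bans

if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} until {until:%H:%M:%S}")
```

The 203.0.113.9 address is never banned: its two failures are more than ten minutes apart, so a single mistyped password never locks a customer out.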
 