Security Basics mailing list archives

Re: securing linux webserver?


From: David Glosser <david_glosser () yahoo com>
Date: Wed, 02 Mar 2005 18:05:10 -0500

In addition to the other helpful posts about using google and Bastille:
-Lock down the external firewall to only allow port 80 and 443 inbound and
outbound.
-Consider getting a firewall with some sort of application-level awareness
(sometimes called "IPS" for intrusion prevention system) in order to block
out some of the sql buffer overrun attempts and the like before they hit
your webserver
-Run tripwire to detect any system changes as soon as possible.  (For
example, newly created directories).
-Run nessus and other vulnerability scanners BEFORE opening the site up to
the internet.
-Copy the http and syslog files to another server so evidence isn't
destroyed. Syslog can easily send to an external box; you may have to find a
client which will manually grab the apache logs on a regular basis.

Due to your inexperience, expect to be hacked again. This isn't a negative
statement, just be prepared....Hope for the best and prepare for the worst.
Consider yourself lucky that the hacker didn't root the box and put stuff on
it w/o your knowledge, such as porn, warez, or IE exploits coded into web
pages on your server. Consider yourself lucky the box wasn't used as a
zombie to DOS someone else or send out zillions of spam emails.  (or maybe
it did.....)

Also:
Consider running your website within a virtual server (of course the box
will need extra horsepower for that).  You can save a copy of the virtual
disk after you've done the initial installation. That way you can always
back out to that copy if an upgrade fails, and  if you are hacked again, you
can save a copy of the virtual server and examine it *offline*.  Hopefully
you can find the exploit (usually in a log file if it hasn't been deleted),
go back to your initial image, fix the problem, make a copy,  and start up
your server once again.
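The tripwire point above (detect system changes as soon as possible, newly created directories for example), as an added example that is not the poster's code: a minimal file-integrity baseline in Python that hashes a web root with SHA-256, serialises the baseline as JSON (the copy you would keep off the box, like the logs), and on a later walk reports new directories plus added, removed and modified files. The fake web root and the simulated intruder changes inside demo() are constructed for illustration only.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def build_baseline(root):
    """Walk root and record every directory plus a SHA-256 digest of every file,
    keyed by path relative to root, so a later walk can be compared against it."""
    def rel(p):
        return os.path.relpath(p, root).replace(os.sep, "/")
    baseline = {"dirs": [], "files": {}}
    for dirpath, _, filenames in os.walk(root):
        baseline["dirs"].append(rel(dirpath))
        for name in filenames:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            baseline["files"][rel(full)] = digest.hexdigest()
    return baseline

def compare(old, new):
    """What changed: new directories (the reply's example), plus added, removed
    and modified files. Everything is sorted so reports are stable."""
    of, nf = old["files"], new["files"]
    return {
        "new_dirs": sorted(set(new["dirs"]) - set(old["dirs"])),
        "added": sorted(set(nf) - set(of)),
        "removed": sorted(set(of) - set(nf)),
        "modified": sorted(p for p in of if p in nf and of[p] != nf[p]),
    }

def demo():
    """Constructed scenario: baseline a tiny fake web root, then simulate the traces
    a break-in leaves (hidden directory, replaced page, deleted page) and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "htdocs").mkdir()
        (root / "htdocs" / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "htdocs" / "about.html").write_text("<html>about</html>\n")
        saved = json.dumps(build_baseline(root))  # the copy you would keep off-box
        (root / "htdocs" / ".hidden").mkdir()
        (root / "htdocs" / ".hidden" / "notes.txt").write_text("dropped here\n")
        (root / "htdocs" / "index.php").write_text("<?php echo 'defaced'; ?>\n")
        (root / "htdocs" / "about.html").unlink()
        return compare(json.loads(saved), build_baseline(root))
```

In real use you would run build_baseline() over the web root and system binaries right after the clean install, store the JSON on another machine, and run compare() from cron so a new directory or replaced binary shows up before the next break-in goes unnoticed.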
----- Original Message ----- 
From: "Kurt Leum" <sarinshadow () yahoo com>
To: <security-basics () securityfocus com>
Sent: Sunday, February 27, 2005 9:04 PM
Subject: securing linux webserver?


sorry to be so noob,

A friend of mine set up a webserver:
http://www.globalgamesearch.com
problem is, he and I have no idea how to go about
securing it;
he started with SuSE Linux 9.1 with Apache 2.0, PHP
4.3.1, and MySQL out of the box and put it up.

about half an hour ago, an intruder broke in, replaced
SSHD with a back door, and pretty much screwed the
system up.

We're going to reinstall the system with minimal
programs, extremely secure permissions and a basic
firewall, but beyond that we have no clue what to do.
Can anyone here please help me out on this?
Thanks in advance for any help.