How do I stop all critical access to my server - what are the critical components, anyone know?

#1 Sun, 06/20/2010 - 16:18
ssomu007

My server was attacked by hackers and I am trying to secure it.

Is there such a thing that I can completely stop all traffic except web visitors who want to place orders? I know SFTP and SSH are critical components; is there anything else hackers need to enter my system?

Read below. I wish there were such a thing, so I could safeguard my servers.

Can you tell me what critical blocking rules I can set up, so that whenever I need them I allow them manually? Can I do this on the router, or with iptables?

For example SFTP, SSH, directory permissions, root access, changing configuration files or modifying files in system directories; in public_html also do not allow modifying any php files, and do not allow creating any new files on the database site.

If I decide I am not planning to make changes, not installing anything, and do not want to use SFTP or SSH, the only thing I want to allow is access to my website for traffic to place orders or browse products.

How do I set up a rule like that, and also, if you do want to install updates, allow a specific IP address to access resources?

Also, what are the things hackers need to get access to in order to mess up the system? I know SFTP and SSH; anything else? And can we block them?

Sun, 06/20/2010 - 16:44
ronald

They could get access through a domain's script and place a file in the /tmp folder. This file may then contact the cracker's server, which may have some malicious script to attack your server.
This is a common way to get root access.
You need to make sure any script in the domains is updated.

Did anyone actually get access to your server and do things?
Servers get attacked all day long.

Sun, 06/20/2010 - 17:00 (Reply to #2)
ssomu007
  1. How do they get access to the tmp folder?
  2. Can we set up rules to stop writing files to the tmp folder? If someone, including the sysadmin, needs to do it, then we have to manually turn access on and off.

Can we do this?

My sites got attacked 3 times; I changed hosting companies and service providers, but to no use. Every time it is attacked I have to reinstall the complete system.

Sun, 06/20/2010 - 22:23
andreychek

> is there such thing that i can completely stop all traffic except web visitors / who want to place orders.

Sorry, it's never that simple :-)

My advice is typically twofold --

  1. Make sure all your distro's updates have been applied

  2. Make sure all web applications are at their latest revision

Something not being fully up to date is the most common cause of break-ins.

There's no easy fix to keeping bad guys out, it's just a lot of grunt work keeping things up to date.

While it's always a good idea to secure things like SSH/SFTP, old versions of apps are a more common problem... attackers can break into SSH/SFTP, but only after guessing a password. So using strong passwords will help with that.

-Eric

Mon, 06/21/2010 - 02:37
ronald

Some more thoughts.
If you are the only user of the server, disable anything you don't need, like FTP.
Use SSH only. Create a user with sudo only and use that to maintain the system.
Use keys to access the server, not a password.
Make strong passwords with different characters, like My#S7rongPa55Word=1337, for any app on your server.
Buy a certificate and use SSL for your sites if you didn't already.

If you do have other users, run mod_fcgi, never mod_php.
Disable functions in your php.ini; some examples for the paranoid:

exec, system, passthru, shell_exec, escapeshellarg, escapeshellcmd, proc_close, proc_open, ini_alter, dl, popen, popen, pcntl_exec, socket_accept, socket_bind, socket_clear_error, socket_close, socket_connect, socket_create_listen, socket_create_pair, socket_create, socket_get_option, socket_getpeername, socket_getsockname, socket_last_error, socket_listen, socket_read, socket_recv, socket_recvfrom, socket_select, socket_send, socket_sendto, socket_set_block, socket_set_nonblock, socket_set_option, socket_shutdown, socket_strerror, socket_write, stream_socket_client, stream_socket_server, pfsockopen, stream_set_timeout, disk_total_space, disk_free_space, chown, diskfreespace, getrusage, get_current_user, set_time_limit, getmyuid, getmypid, dl, leak, listen, chgrp, link, symlink, dlopen, proc_nice, proc_get_stats, proc_terminate, shell_exec, sh2_exec, posix_getpwuid, posix_getgrgid, posix_kill, ini_restore, mkfifo, dbmopen, dbase_open, filepro, filepro_rowcount, posix_mkfifo, putenv, geoip_open, sleep

Set enable_dl to Off.
Set open_basedir to the value you need.
Any web application on your server needs to be a modern one that is actively being developed, definitely not some crappy forum running on PHP 4.

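An added example, not from the thread or from ronald: a POSIX shell script that audits a php.ini against the settings recommended in the post above (disable_functions, enable_dl, open_basedir), the kind of check you would run after hardening to confirm nothing regressed. The subset of functions it requires and the file paths in the comments are assumptions.

```shell
#!/bin/sh
# Audit a php.ini for the hardening settings discussed above.
# Usage: php_ini_audit /etc/php.ini   (exit 0 = pass, 1 = something missing)

# Assumed subset of the functions from the post; extend to taste.
REQUIRED_DISABLED="exec system passthru shell_exec proc_open popen pcntl_exec dl"

# ini_value FILE KEY -> value of the first active (uncommented) KEY = ... line,
# with surrounding double quotes stripped. Lines starting with ';' are skipped
# because the pattern anchors on the key at the start of the line.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# missing_disabled FILE -> prints one required function per line that is not
# present in disable_functions (comma-separated, spaces tolerated).
missing_disabled() {
    disabled=$(ini_value "$1" disable_functions | tr ',' ' ')
    for fn in $REQUIRED_DISABLED; do
        found=0
        for d in $disabled; do
            [ "$d" = "$fn" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$fn"
    done
    return 0
}

# php_ini_audit FILE -> reports each failed check, returns 1 if any failed.
php_ini_audit() {
    file=$1; rc=0
    missing=$(missing_disabled "$file")
    if [ -n "$missing" ]; then
        echo "disable_functions is missing: $(echo $missing | tr '\n' ' ')"; rc=1
    fi
    # PHP's own default for enable_dl is On, so an absent key is a failure too.
    case $(ini_value "$file" enable_dl | tr 'A-Z' 'a-z') in
        off|0) ;;
        *) echo "enable_dl should be Off"; rc=1 ;;
    esac
    if [ -z "$(ini_value "$file" open_basedir)" ]; then
        echo "open_basedir is not set (e.g. /home/example/public_html:/tmp)"; rc=1
    fi
    return $rc
}
```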