
got a question


3TeK


Well, to start off, I do some contract work for a data center and it seems like every other day someone is hacking one of the servers we host. We've had problems with PayPal phishing websites, DoS attacks from one server to another server, viruses, etc. I don't have a detailed picture of how the ISPs are hooked up (we have 3), but I don't remember seeing a firewall or anything. I've just seen a MikroTik router that we use for our point to point to our other building.

So my question is, how is your network secured? I'm tired of always fixing crap like this :-/

Thanks


The main problem is probably the software installed on the web server and not really the network.

You've got to make sure that Apache is kept up to date (preferably with all unused features disabled). Make sure all languages Apache recognises (PHP and the like) are kept up to date, again with all unused features disabled. Make sure that Apache is running as its own limited user. Keep all web applications (phpBB and the like) up to date as well; these types of applications are the biggest vector for web server ownage.

If you have remote admin tools (phpMyAdmin and the like), try to limit their access by IP range. Try to limit it by country or, better yet, ISP; this should stop most of the stuff from attacking it.

If you don't know how they are getting in, look at the server logs again. If it was a bug in a web application they used to gain access, it will probably stand out as a unique GET or POST request. Unless the creation date of the files used to host the phishing sites has been modified (possible, but unlikely; you need to be root to do this), this should be a good indicator as to where to start looking in the logs.

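The log review suggested in the post above, sketched as an added example that is not part of the original thread: take the timestamp of a dropped phishing file and list the requests logged shortly before it that are POSTs or hit a rarely requested path. The function names, the 10-minute window, the rarity threshold and the sample log lines are all assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache common/combined log line: ip, timestamp, method, path, status
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # count paths without query strings
        "status": int(m["status"]),
    }

def suspects(log_lines, file_time, window=timedelta(minutes=10), rare=2):
    """Requests in the window before file_time that are POSTs or hit a
    (method, path) pair seen at most `rare` times in the whole log."""
    entries = [e for e in map(parse, log_lines) if e]
    freq = Counter((e["method"], e["path"]) for e in entries)
    hits = [
        e for e in entries
        if file_time - window <= e["ts"] <= file_time
        and (e["method"] == "POST" or freq[(e["method"], e["path"])] <= rare)
    ]
    return sorted(hits, key=lambda e: e["ts"], reverse=True)  # closest first

# Constructed sample data (documentation IP ranges, made-up paths and times).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2008:09:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.11 - - [12/Mar/2008:09:05:12 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.12 - - [12/Mar/2008:09:58:40 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Mar/2008:09:59:30 +0000] "POST /forum/upload.php HTTP/1.1" 200 312',
    '192.0.2.10 - - [12/Mar/2008:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
]
# In real use: datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc)
FILE_TIME = datetime(2008, 3, 12, 10, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for e in suspects(SAMPLE_LOG, FILE_TIME):
        print(e["ts"], e["ip"], e["method"], e["path"], e["status"])
```

The source IPs of the flagged requests are the natural pivot for a second pass over the same log, to see what else they requested.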

Doesn't sound like much of a data center with no firewalls or security in place. What kind of outfit is this? And they are using MikroTik (wireless??) routers. If it's wireless, chances are they are leaving their whole network open to attack, so regardless of the server patches and such, if they get into the network from outside, or even employees on the inside, they can sit and sniff traffic all day long for passwords, etc. Is there no firewall or security on the network at all?


It would be nice if there was a separate firewall blocking all inbound except 80 (and such), but it's not really necessary as long as all the network-bound services and the kernel are kept up to date, which is mostly easy to do. This kind of stuff can be automated really easily.


Not necessarily, because you can use wireless routers as long as you configure them to hide the SSID, set them to PEAR and give it a password. You should be good to go. Now for the security part..... A webhosting will receive DoS attacks; it just happens. To avoid this, your networking needs to become redundant (double up the equipment) so when one gets overwhelmed the other will pick up and never miss a beat.


It's just a point to point on a 5 GHz channel, it's all encrypted and shit. This is all off of what I have seen; I actually haven't been told what everything does, so I could be missing something.


"The main problem is probably the software installed on the web server and not really the network."

That's a good question, what do you do if you have a user that is installing a bunch of insecure crap on his web site? Like old versions of phpBB and Wordpress and such?


You tell them to keep it up to date (or they can get out, and keep their money?).

Suppose then it becomes a legal issue. Who's responsible: the idiot who installed the app they wrote themselves/didn't keep it up to date, or the host for not messing with their client's setup?
