Thread: Slightly OT: Experiences protecting server against attacks

Slightly OT: Experiences protecting server against attacks
Germany
2008-03-27 05:54:55
Hello,

after a recent break-in into my server I'm wondering how I can better protect my "machine" (a virtual server actually) against this happening again.

Has anybody had especially good experiences with one or another method or tool that he/she would like to recommend?

At this opportunity the idea of having a centralized blacklist server for attacking IPs (similar to the spam blacklists, but also with their disadvantages) came once again to my mind. Would there be an interest / does it make sense to have something like this realized?

Thomas



_______________________________________________
pmwiki-devel mailing list
pmwiki-develpmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-devel

Re: Slightly OT: Experiences protecting server against attacks
Germany
2008-03-27 06:25:13
To elaborate the idea with the black list, things would work like this:

On some servers, the respective hosters would install intrusion detection software. Whenever an intrusion attempt is detected, the malicious IP address is communicated to a central server that registers it as a compromised machine.

"Consumer" servers can then more or less regularly query the black list server to obtain a list of bad IPs or to simply query the status of an IP.

So far the trivial basics. Questions of abuse and speed would obviously remain, but in general with this principle one could "reuse" a certain fraction of all internet servers as honeypots.

To avoid the abuse of someone alerting a good machine as evil, one would have to restrict the privilege to alert to hand-chosen server administrators (as a first simple remedy). Distribution of the blacklist could involve donated mirrors.

Any ideas on this?

Thomas



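As an added example (not code from the thread or from PmWiki), the following sketch implements the report/query protocol described above with the one abuse control the post proposes: only hand-registered reporters may add an entry, and each report is authenticated with an HMAC over a shared secret. It also adds two things a practitioner would want and the post does not spell out: a timestamp check so a captured report cannot be replayed later, and a time-to-live on each entry, since an infected host is eventually cleaned or re-addressed. All names (`BlacklistServer`, `sign_report`, the reporter ids, the addresses) are assumptions made for this example.

```python
import hashlib
import hmac
import ipaddress
import time

# Ranges a reporter must never be able to blacklist (RFC 1918, loopback,
# link-local). Documentation ranges such as 203.0.113.0/24 stay listable so
# that the constructed sample below can use them.
NEVER_LIST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def sign_report(secret, reporter, ip, reason, timestamp):
    """HMAC over the report fields; reporter and server share `secret` (bytes)."""
    msg = f"{reporter}|{ip}|{reason}|{timestamp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class BlacklistServer:
    """Toy central blacklist (example only). Only hand-registered reporters may
    add entries, each report is HMAC-signed and timestamped, and entries expire
    after `ttl_seconds`."""

    def __init__(self, reporter_keys, ttl_seconds=86400, max_skew=300):
        self.reporter_keys = dict(reporter_keys)  # reporter id -> shared secret
        self.ttl = ttl_seconds
        self.max_skew = max_skew                  # tolerated clock drift, seconds
        self.entries = {}                         # ip -> (expires_at, reporter, reason)

    def report(self, reporter, ip, reason, timestamp, signature, now=None):
        """Accept a signed report; return True if it was recorded, else False."""
        now = time.time() if now is None else now
        secret = self.reporter_keys.get(reporter)
        if secret is None:
            return False  # unknown reporter: alerting is a hand-granted privilege
        expected = sign_report(secret, reporter, ip, reason, timestamp)
        if not hmac.compare_digest(expected, signature):
            return False  # forged or tampered report
        if abs(now - timestamp) > self.max_skew:
            return False  # stale or replayed report
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False  # not an IP address at all
        if any(addr in net for net in NEVER_LIST):
            return False  # listing these would only hurt consumers' own networks
        self.entries[str(addr)] = (now + self.ttl, reporter, reason)
        return True

    def is_listed(self, ip, now=None):
        """Consumer query for one address; expired entries are dropped lazily."""
        now = time.time() if now is None else now
        entry = self.entries.get(ip)
        if entry is None:
            return False
        if entry[0] <= now:
            del self.entries[ip]
            return False
        return True

    def export(self, now=None):
        """Consumer bulk download: all currently listed addresses, sorted."""
        now = time.time() if now is None else now
        return sorted(ip for ip in list(self.entries) if self.is_listed(ip, now))


if __name__ == "__main__":
    # Constructed demo: one registered reporter and one attempt by a stranger.
    server = BlacklistServer({"admin-a": b"shared-secret-a"}, ttl_seconds=3600)
    t = int(time.time())
    sig = sign_report(b"shared-secret-a", "admin-a", "203.0.113.7", "ssh brute force", t)
    print(server.report("admin-a", "203.0.113.7", "ssh brute force", t, sig))      # True
    print(server.report("stranger", "203.0.113.8", "whatever", t, "no-signature")) # False
    print(server.export())
```

A real deployment would put this behind HTTPS and add rate limits per reporter, but the core properties are visible here: a stranger cannot list anything, a tampered report fails the signature check, private ranges are refused, and an entry silently disappears once its TTL runs out.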

Re: Slightly OT: Experiences protecting server against attacks
Canada
2008-03-27 09:35:08
On Thu, 27 Mar 2008 11:54:55 +0100 (CET)
"ThomasP" <pmwikisigproc.de> wrote:

> after a recent break-in into my server I'm wondering how I can
> better protect my "machine" (a virtual server actually) against
> this happening again.

Sorry to hear about that. If this is not the first time, it means that "your setup" is "not right".

A. You haven't told us what your setup is.
B. You haven't told us how they broke in.

1. The OS must be properly configured, whether MS, Linux or BSD, and yes they can be configured to be very secure.
2. For PmWiki take a look at: http://www.pmwiki.org/wiki/PmWiki/Security as a starting point.

> At this opportunity the idea of having a centralized blacklist
> server for attacking IPs (similar to the spam blacklists, but
> also with their disadvantages) came once again to my mind. Would
> there be an interest / does it make sense to have something like
> this realized?

Not really. A good server and good implementation MUST survive in the wild by itself.

Actually, I doubt that it was 1 person that attacked you, unless you have some personal enemies. It's much more likely that it was a bot, and for those the IP addresses are useless, because they infect other computers/IPs.

-- 
Thanks
http://www.sqlhacks.com
The SQL Server knowledge base


Re: Slightly OT: Experiences protecting server against attacks
Germany
2008-03-27 12:41:12
On Thu, March 27, 2008 3:35 pm, pmwiki911networks.com wrote:
>
> A. You haven't told us what your setup is.
> B. You haven't told us how they broke in.
>

Correct, I "forgetfully" omitted this. It's a Debian etch 4.0, running with a 2.6.18 Linux kernel. How the break-in happened is not yet clear, but that the machine was compromised at all was noticed by an outgoing DDoS attack. [This was seen in the process list as "./s <ip-address> 80" forked from a /usr/sbin/httpd process, even though there is no httpd file on the machine, at least not anymore.]

I'm relatively sure that the compromise did not come via a PHP/PmWiki route. register_globals is off, and I have been cautious with all dealings of ini-files etc. (I'm running an Apache btw, together with a FastCGI version of PHP and suExec.) Critical in my view could be old-versioned components, but this is a problem that will always persist. (The software is always only up to date until the next bugfix is made.)


> 1. The OS must be properly configured, whether MS, Linux or BSD, and
> yes they can be configured to be very secure.
> 2. For PmWiki take a look at:
> http://www.pmwiki.org/wiki/PmWiki/Security as a starting point.
>
>> At this opportunity the idea of having a centralized blacklist
>> server for attacking IPs (similar to the spam blacklists, but
>> also with their disadvantages) came once again to my mind. Would
>> there be an interest / does it make sense to have something like
>> this realized?
>
> Not really. A good server and good implementation MUST survive in
> the wild by itself.
>
> Actually, I doubt that it was 1 person that attacked you, unless
> you have some personal enemies. It's much more likely that it was
> a bot, and for those the IP addresses are useless, because they
> infect other computers/IPs.
>

Well, I would not agree with this. No matter whether it is a human, a bot or a pile of bots, in the end there has to be one machine (having one IP address) that actually breaks in (= gains root access). It does not matter in this regard whether that machine was itself only used as a "proxy" by the real attacker; one would nevertheless prefer to mark it as bad.

Thomas




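The compromise in this message was noticed only because a child process ("./s <ip-address> 80") of a /usr/sbin/httpd process showed up while no httpd binary existed on disk. That pattern, a running process whose executable is gone from the filesystem, can be checked for routinely. The following is an added example, not code from the thread: it reads the Linux /proc tree (the `/proc/<pid>/exe` symlink carries a " (deleted)" suffix once the binary has been unlinked), flags every process whose binary is deleted or missing, and then flags everything forked from such a process. The process table in `SAMPLE_PROCS` is constructed for this example and mirrors the situation described above; function and field names are assumptions.

```python
import os


def read_linux_processes():
    """Collect {pid, ppid, cmdline, exe} for every process in /proc (Linux only).
    Reading /proc/<pid>/exe of another user's process needs root; where that
    fails, exe is None and the process is neither cleared nor flagged."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            # /proc/<pid>/stat: "pid (comm) state ppid ..."; comm may contain spaces,
            # so split only after the closing parenthesis.
            ppid = int(stat[stat.rindex(")") + 2:].split()[1])
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = None  # kernel thread, or not ours to inspect
        except (OSError, ValueError):
            continue  # process exited while we were reading it
        procs.append({"pid": pid, "ppid": ppid, "cmdline": cmdline, "exe": exe})
    return procs


def find_suspicious(procs, exists=os.path.exists):
    """Return [(pid, cmdline, reason)] for processes whose binary no longer
    exists on disk, plus every descendant of such a process. `exists` is
    injectable so the check can be run against a recorded process table."""
    by_pid = {p["pid"]: p for p in procs}
    flagged = {}
    for p in procs:
        exe = p["exe"]
        if exe is None:
            continue  # no evidence either way
        if exe.endswith(" (deleted)"):
            flagged[p["pid"]] = "binary deleted while running"
        elif not exists(exe):
            flagged[p["pid"]] = "binary missing on disk"
    # A suspicious parent taints its whole subtree; iterate until stable so
    # that grandchildren are reached regardless of table order.
    changed = True
    while changed:
        changed = False
        for p in procs:
            if p["pid"] in flagged:
                continue
            parent = p["ppid"]
            if parent in flagged:
                flagged[p["pid"]] = f"child of suspicious pid {parent}"
                changed = True
    return [(pid, by_pid[pid]["cmdline"], why) for pid, why in sorted(flagged.items())]


# Constructed sample process table modelled on the incident in the message above.
SAMPLE_PROCS = [
    {"pid": 1, "ppid": 0, "cmdline": "/sbin/init", "exe": "/sbin/init"},
    {"pid": 1400, "ppid": 1, "cmdline": "/usr/sbin/apache2 -k start", "exe": "/usr/sbin/apache2"},
    {"pid": 2231, "ppid": 1, "cmdline": "/usr/sbin/httpd", "exe": "/usr/sbin/httpd (deleted)"},
    {"pid": 2235, "ppid": 2231, "cmdline": "./s <ip-address> 80", "exe": "/tmp/.x/s"},
    {"pid": 77, "ppid": 2, "cmdline": "", "exe": None},  # kernel thread
]
# Files that "exist" in the constructed sample: note there is no /usr/sbin/httpd.
SAMPLE_FILES = {"/sbin/init", "/usr/sbin/apache2", "/tmp/.x/s"}


if __name__ == "__main__":
    for pid, cmdline, why in find_suspicious(SAMPLE_PROCS, exists=lambda p: p in SAMPLE_FILES):
        print(f"{pid:>6}  {why:<32}  {cmdline}")
    # On a Linux host, run the same check against the live process table:
    # for row in find_suspicious(read_linux_processes()): print(row)
```

Legitimate hits also occur (a daemon still running after a package upgrade replaced its binary), so the output is a prompt to look, not a verdict; but a deleted binary combined with outbound traffic to port 80 from a child process is exactly the combination seen here.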
