At a guess, I'd say it was a vulnerability in Nagios, perhaps this one: http://www.securityfocus.com/bid/35464/discuss
As for what you need to do to secure a server against any incoming hacks? If I had the perfect answer, I'd be making a mint as a security consultant. Personally, this is what I do:
* Logwatch is your friend; read the daily emails that it sends out.
* Use iptables to only expose the ports for the services that you're actually going to use.
* Fail2Ban - watches login attempts and uses iptables to ban IP addresses that fail too many times. It's not perfect, but it at least slows down the bad guys.
* If you've got the hardware & time, keep 2 servers running. One is a dev/play machine kept in the office that doesn't talk to the outside world. Install all of the nifty stuff on this box to play/experiment with. Only once you're comfortable with a software package do you install it on the 2nd live server. I really like having virtual machines for this because I can completely screw up a server and it's easy to restore from the backup files.
* Set up Cacti to pull traffic graphs from your router. You won't spot the subtle attackers, but the guys either attacking your IP with a DoS attack or using your server to do a DoS attack will stand out like a sore thumb. That way you can shut the server down before Comcast or the data center takes your server offline.
Have fun!
Rene
On 5/12/2011 5:18 PM, Patrick Litke wrote:
But this left us with questions.

1) How did they gain access? I doubt that it would be possible for them to bruteforce that password - it was 10 characters long, upper and lower case, numbers and symbols. So then what vulnerability did they exploit to get in?

2) What else do I need to do to secure a Debian install for dedicated online time plugged into the ebil interwebs?

We now are starting over, on both servers. We have fresh Debian installs (no gui - why bother?). The list of things to do that I have come up with is as follows:

* Install Linux
* Install Snort-mysql and acidbase w/ addons & configure with/for IPTables
* Install Nagios (is there some vulnerability to this?)
* Install Webmin
* Install Cactus
* Ensure that SSH is listening/accepting logins with keys ONLY (it is, now)

This is all before we do anything else - our LAMP stack will be installed at the end anyway, having installed everything with snort. Is there anything else that we should be taking into consideration / that we should do? And, having played around with a snort install... I am WAY over my head, I have no idea how the classes of IP blocks break down, or how to set SNORT to listen on a single adapter (as the router only forwards ports to the server, nowhere else on the network).

I'm looking forward to the next meeting as I am thinking about showing up! :)
--
------------------------------------------------------------------------
René Churchill
VP of Development (i.e. Geek #2)
WherezIt.com - Your source for Local information
[email protected] <mailto:[email protected]>
802-244-7880 x527
http://www.wherezit.com/
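As an added illustration of the Fail2Ban step in Rene's list above (example code written for this page, not from the original thread or from the Fail2Ban project): the script below does by hand what Fail2Ban's sshd jail does, scanning auth.log-style lines for failed SSH password attempts, counting failures per source IP inside a sliding time window, and emitting the iptables DROP rules it would apply. The log lines are constructed samples using RFC 5737 documentation addresses, the 5-failures-in-600-seconds threshold mirrors Fail2Ban's classic `maxretry`/`findtime` defaults, and the year is an assumption because syslog timestamps omit it. The third source (192.0.2.9) fails five times but spreads them 10 minutes apart, which is exactly the slow attacker Rene warns the tool will not catch.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format Debian's sshd writes to
# /var/log/auth.log. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# RFC 5737 documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
May 12 17:20:01 web1 sshd[2301]: Failed password for root from 203.0.113.45 port 51122 ssh2
May 12 17:20:03 web1 sshd[2301]: Failed password for root from 203.0.113.45 port 51122 ssh2
May 12 17:20:05 web1 sshd[2304]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
May 12 17:20:08 web1 sshd[2306]: Failed password for invalid user oracle from 203.0.113.45 port 51133 ssh2
May 12 17:20:11 web1 sshd[2308]: Failed password for invalid user test from 203.0.113.45 port 51140 ssh2
May 12 17:21:00 web1 sshd[2310]: Accepted publickey for patrick from 198.51.100.7 port 40022 ssh2
May 12 17:25:00 web1 sshd[2312]: Failed password for patrick from 198.51.100.7 port 40031 ssh2
May 12 17:25:09 web1 sshd[2314]: Failed password for patrick from 198.51.100.7 port 40032 ssh2
May 12 17:40:00 web1 sshd[2320]: Failed password for root from 192.0.2.9 port 3301 ssh2
May 12 17:50:00 web1 sshd[2321]: Failed password for root from 192.0.2.9 port 3302 ssh2
May 12 18:00:00 web1 sshd[2322]: Failed password for root from 192.0.2.9 port 3303 ssh2
May 12 18:10:00 web1 sshd[2323]: Failed password for root from 192.0.2.9 port 3304 ssh2
May 12 18:20:00 web1 sshd[2324]: Failed password for root from 192.0.2.9 port 3305 ssh2
"""

# Matches OpenSSH's "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failures(lines, year=2011):
    """Return a list of (datetime, source_ip) for every failed password attempt.

    The year is an assumption: syslog timestamps carry none.
    """
    failures = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        stamp = " ".join(m.group("stamp").split())  # collapse "May  2" padding
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        failures.append((when, m.group("ip")))
    return failures


def offenders(lines, maxretry=5, findtime=600, year=2011):
    """Return {ip: total_failures} for IPs with >= maxretry failures inside
    any findtime-second window. This is the fail2ban jail semantics: a slow
    attacker who spaces attempts wider than findtime is never banned."""
    by_ip = defaultdict(list)
    for when, ip in parse_failures(lines, year):
        by_ip[ip].append(when)
    window = timedelta(seconds=findtime)
    banned = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned[ip] = len(times)
                break
    return banned


def ban_commands(ips):
    """iptables rules that fail2ban's iptables action would run for each IP."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    hits = offenders(SAMPLE_AUTH_LOG.splitlines())
    for ip, count in sorted(hits.items()):
        print(f"{ip}: {count} failures, banning")
    for cmd in ban_commands(hits):
        print(cmd)
```

Run it and only 203.0.113.45 is banned; raising `findtime` to an hour also catches 192.0.2.9, which is the trade-off between catching slow scanners and locking out a legitimate user who fat-fingers a password a few times over an afternoon. Key-only SSH, as Patrick already has, removes the password attack surface entirely, and the same counting logic then matters mostly for noise reduction in the Logwatch mail.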
