I don't know much about security on servers, and we're setting up our new server. I have the techs doing the install stuff, but I would love to know what to install security-wise. My current list:
Firewall - good free one?
Antivirus - good free one?
rootkit, some way of stopping it (anti-rootkit?)
Also, is there some sort of script which searches all cPanel accounts/files for phishing sites or spam sites etc? I swear I've seen one before, in firewall form?
Oh the server setup is going to be:
PHP5-CGI, fCGI, MySQL 5, Apache 2.2.x, CentOS, Ruby on Rails, Django, ionCube, other PHP libraries, mod_rewrite; I think that's everything (cPanel).
Is it possible to have anti-virus and anti-spam enabled by default? When we go to "CREATE E-MAIL ADDRESS" -> "SPAM FILTER" / "ANTI-VIRUS" is always disabled.
Seems like I'm having considerable problems with APF's antidos feature. I keep getting legit users banned from my site, and don't know how to stop it (other than disabling antidos altogether, but I guess there should be another way).
I've already set: TRIG="100" SF_TRIG="100"
...in the antidos configuration file but I'm still seeing more and more legit IPs getting added to ad.rules. I've read that raising or lowering LN="100" is the other tweak I should try, but there simply is no such value defined in my conf.antidos file.
Another thing I noticed is that, although I only got two notification mails telling me about "attackers" blocked by antidos, there are roughly 40 entries in ad.rules. As a matter of fact, I don't understand what antidos is doing there in the first place. It seems like iptables doesn't log to /var/log/messages anyway, at least not on my machine, so where is antidos getting those IPs from?
This is an instructional overview thread for those developers who are getting into setting up their own server with a LAMP (Linux Apache MySQL PHP) setup. The Linux distro referred to in this thread is a CentOS (Fedora/Red Hat) setup.
Before Anything
- Make sure that your actual RAM is the same amount that is displayed by the server (there could be some BIOS restrictions on RAM, so check for that).
Linux OS Installation
- Use a server system for the type of install.
- Set up your partitions with care:
  - Make sure that everything other than /swap is an ext3 partition type.
  - /swap (usually double the amount of space that your RAM has, but never larger than 4 gigs).
  - /tmp (700 meg is ok).
  - /boot (100 meg is ok).
  - / (leave the rest of the available space in the hard drive for this).
- Use the GRUB boot loader.
- Use DHCP only if your IP address changes due to the network. If not, then assign the IP address of the box.
- Assign the netmask if DHCP is not in use.
- When setting up the packages, select only what you need. Most of the time it's better to just install no packages and then install everything you need with yum (yellowdog update manager). If you do not select any packages, only the 1st CD of the Linux install will be needed.
Linux OS Customizing
- Create a new user and provide it a password (with # passwd). Do not create a user with a generic or commonly known name used by any daemon programs (e.g. mysql, apache, admin, user, php, postgresql).
- Disable the root login in SSH (this means that when you log in using the other user with SSH, you'll have to $ su to the root user).
- Install "Development Tools" with yum using group install if you plan to compile your own Apache. If not, then install Apache with yum install apache.
Apache Settings
- Disable the extensions that you're not using for your website. If the server is only hosting one website, then there is no use for Virtual Hosts.
- Set the ServerLimit value to a suitable value so that users won't get locked out of the website.
- Change the User and Group directives to the newly created user.
- Change Options +Indexes to Options -Indexes so that the contents of directories without an index file will not be displayed.
- Change the DocumentRoot setting to the newly created user's home (~) directory. Or, if you plan to use the default (/var/www/htdocs or /var/www/html), then assign the permissions of the user to that directory.
- Add Apache as a start-up program when the operating system boots up (this can be set in /etc/rc.d/local).
- Set up logs accordingly. If you set up image logging and your server has 20+ images per page, then your website performance can suffer.
- Set Error Logs to a suitable level.
- If any web pages are not displaying and the web server appears to be on when accessing it from the localhost (wget http://localhost), then disable or flush the iptables (/usr/sbin/iptables --flush). You should also set this as a start-up option for the OS.
- Use mod_rewrite to use modern URLs.
MySQL Settings
- Use --skip-name-resolve.
- Use --skip-bdb (if you're not using it).
- Use --skip-innodb (if you're not using it).
- Set a log for slow queries.
- Set max_connections to a high value.
- Do not set up a user with a wildcard IP address. Only set up users with a specific IP.
- Use query caching for frequently used queries.
PHP Settings
- Disable Magic Quotes.
- Disable Register Globals.
- Disable Short Tags.
- Disable error reporting if the website is not in development mode.
- Enable HTTP-only session cookies.
- Set session cookies to only be cookies (and not URLs).
- If sessions do not work, then set the session save path to a directory that the Apache user has access to.
- Use gzip compression.
Optimizing Concepts
- Use an opcode cache for PHP (eAccelerator).
- Consider using a static domain for CSS and JS files (this way the same cookies for the website won't be sent on each request).
- If your website uses a lot of CSS and JS files per page, bundle all of them together into one request using mod_rewrite and PHP [url].
- For Apache, use the lingerd module (this reduces the amount of resources that are used when an Apache connection is closed).
Here are some links for optimizing your server build:
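As an added example (not code from the thread above), the following script audits a php.ini against the PHP Settings list in the post: it parses the file, normalises the On/Off spellings and reports every directive that is unset or not at the expected value. The directive names are the real php.ini names; display_errors is taken as the production-side meaning of "disable error reporting", and the sample ini is constructed.

```python
"""Audit a php.ini against the items in the PHP Settings list above.
Added example, not code from the thread."""
import re

# Directives behind each item in the list, with the value each should
# have. display_errors stands in for "disable error reporting".
EXPECTED = {
    "magic_quotes_gpc": "off",         # Disable Magic Quotes
    "register_globals": "off",         # Disable Register Globals
    "short_open_tag": "off",           # Disable Short Tags
    "display_errors": "off",           # no error output in production
    "session.cookie_httponly": "on",   # HTTP-only session cookies
    "session.use_only_cookies": "on",  # sessions via cookies, not URLs
    "zlib.output_compression": "on",   # gzip compression
}
_TRUE = {"1", "on", "true", "yes"}
_FALSE = {"0", "off", "false", "no", "none", ""}

def normalize(value):
    """Map php.ini boolean spellings (On/1/true, Off/0/empty) to on/off."""
    v = value.strip().strip('"').lower()
    if v in _TRUE:
        return "on"
    if v in _FALSE:
        return "off"
    return v

def parse_php_ini(text):
    """Return {directive: raw value}, ignoring comments and [sections].
    The last assignment wins, as in PHP itself."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment
        if not line or line.startswith("["):
            continue
        m = re.match(r"([\w.]+)\s*=\s*(.*)", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def audit_php_ini(text):
    """Return (directive, found, expected) for every directive that is
    missing or not at the expected value. An unset directive is reported
    as 'unset' rather than assumed safe, since the PHP default depends
    on the version."""
    settings = parse_php_ini(text)
    findings = []
    for key, want in EXPECTED.items():
        if key not in settings:
            findings.append((key, "unset", want))
        elif normalize(settings[key]) != want:
            findings.append((key, settings[key], want))
    return findings

# Constructed sample: a development-style php.ini fragment.
SAMPLE_INI = """
[PHP]
; development settings
short_open_tag = On
magic_quotes_gpc = Off
register_globals = On
display_errors = On
session.cookie_httponly = 1
session.use_only_cookies = 0
"""

if __name__ == "__main__":
    for directive, found, want in audit_php_ini(SAMPLE_INI):
        print(f"{directive}: found {found!r}, expected {want}")
```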
I am looking for a new supplier for colocation-related stuff like shelves, power cables, ty-raps, etc. A shop which has most of the items which come in handy when you are in a datacenter.
Location does not really matter if they can ship :-)
Feb 19 15:57:39 server proftpd[1363]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 16:06:02 server proftpd[1982]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:06:02 server proftpd[1982]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 16:14:24 server proftpd[2471]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:14:24 server proftpd[2471]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 16:22:46 server proftpd[3062]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:22:46 server proftpd[3062]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 16:31:09 server proftpd[3696]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:31:09 server proftpd[3696]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 16:39:31 server proftpd[4185]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:39:31 server proftpd[4185]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 16:47:53 server proftpd[4946]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:47:53 server proftpd[4946]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 16:56:16 server proftpd[5495]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:56:16 server proftpd[5495]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 17:04:38 server proftpd[6206]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 17:04:38 server proftpd[6206]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 17:13:00 server proftpd[6661]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 17:13:00 server proftpd[6661]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 17:21:23 server proftpd[7225]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 17:21:23 server proftpd[7225]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
I see over a few hundred of these lines in /var/log/messages. The timestamp is exactly the same for every 2 lines (ProFTPD session opened and closed). It's occurring every hour of the day. Is someone attacking the FTP daemon or something?
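An added example, not code from the post above: a parser that groups proftpd session lines by source address and reports, per address, how many sessions there are, how far apart they open, and whether they close in the same second they open. Run over the quoted lines it shows one loopback source opening and closing on a fixed cadence, which is what a local service check looks like; sessions from any non-loopback address are the ones listed for follow-up. The sample reuses three pairs from the quoted log plus constructed sessions from the documentation address 203.0.113.5.

```python
"""Summarise proftpd session lines like the ones quoted above: sessions per
source address, how far apart they are, and whether they close in the same
second they open. Added example, not code from the post."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ proftpd\[(?P<pid>\d+)\]: "
    r"\S+ \([^\[]*\[(?P<ip>[^\]]+)\]\) - FTP session (?P<event>opened|closed)"
)

def parse_line(line, year=1970):
    """Return {ts, pid, ip, event} or None. Syslog lines carry no year,
    so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "pid": int(m["pid"]), "ip": m["ip"], "event": m["event"]}

def summarize(lines, year=1970):
    """Group sessions by source IP, pairing opened/closed by pid."""
    opened = {}
    per_ip = defaultdict(lambda: {"opens": [], "zero_length": 0})
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        if rec["event"] == "opened":
            opened[rec["pid"]] = rec["ts"]
            per_ip[rec["ip"]]["opens"].append(rec["ts"])
        else:
            start = opened.pop(rec["pid"], None)  # a close without an open is skipped
            if start is not None and start == rec["ts"]:
                per_ip[rec["ip"]]["zero_length"] += 1
    out = {}
    for ip, s in per_ip.items():
        gaps = sorted((b - a).total_seconds() for a, b in zip(s["opens"], s["opens"][1:]))
        out[ip] = {
            "sessions": len(s["opens"]),
            "loopback": ip.startswith("127."),
            "median_gap_s": gaps[len(gaps) // 2] if gaps else None,
            "zero_length": s["zero_length"],
        }
    return out

def worth_a_look(summary, min_sessions=3):
    """Non-loopback sources with repeated sessions; loopback is the box
    talking to itself and is reported separately by the caller."""
    return sorted(ip for ip, s in summary.items()
                  if not s["loopback"] and s["sessions"] >= min_sessions)

# Sample: three pairs from the log quoted above, plus constructed sessions
# from the documentation address 203.0.113.5.
SAMPLE = """\
Feb 19 16:06:02 server proftpd[1982]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:06:02 server proftpd[1982]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 16:10:00 server proftpd[9001]: server.com (203.0.113.5[203.0.113.5]) - FTP session opened.
Feb 19 16:10:01 server proftpd[9002]: server.com (203.0.113.5[203.0.113.5]) - FTP session opened.
Feb 19 16:10:01 server proftpd[9003]: server.com (203.0.113.5[203.0.113.5]) - FTP session opened.
Feb 19 16:10:03 server proftpd[9001]: server.com (203.0.113.5[203.0.113.5]) - FTP session closed.
Feb 19 16:14:24 server proftpd[2471]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:14:24 server proftpd[2471]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 16:22:46 server proftpd[3062]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:22:46 server proftpd[3062]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
""".splitlines()
```

To use it on a real box, replace SAMPLE with the lines of /var/log/messages and pass the log's year.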
My host tells me that they have security to stop DDoS attacks and stuff; however, today my server load jumped to 17.12 and my site went down, giving me a "Network Timeout" error.
My host tells me it's my fault that I am using too many resources. The MOST my site has been on load is 3.06, and that was around lunch time a few weeks back. It's 11:43 and the server load is 17.12? I think my host is pulling my leg. I have not added ANYTHING new to my site and have not changed anything in 3 days. The load has been fine till today.
With my server I ran into a big issue with phishing sites. I have secured my server with a firewall and many other security things, but still I can sometimes see someone place a phishing site. ServerBeach suspended my server a few times. I know this is not being done by the users themselves, but however it's coming into the server. On the security side, now I only have to go through sites and check all writable directories.
Is there any way to monitor the phishing activities? Maybe it's some kind of script someone is running inside the server?
I currently run a dedicated server and for the past 2 months or so have been attacked by some hackers or so. Meaning that on my sites every other day there is a folder of a phishing site. It is either a PayPal, eBay, etc. phishing site and I know that I did not upload it there. I have tried almost anything to stop that, but it just keeps happening; my server company suggested doing an OS reload, but I am not sure, as that will cost me $100. Has anyone faced a problem like this who can give a few suggestions? I use a cPanel server.
I'm not that techy. I'd like to ask why this person downloaded the file below before uploading some phishing web pages on my account? I've changed my password numerous times from different computers and even from a mobile phone just to check if the person can still get in. But again it is no use; the person was able to upload phishing pages.
Right now I deleted all other scripts on the account and kept some HTMLs. Folders were also set to 644, not 777, while waiting to see if the person can still upload his phishing pages. Please help me understand why he downloaded the file above. I've checked the file on my account and I cannot see Login.php. By the way, I have a root login and only two accounts were constant phishing victims.
I spotted a user on my site with the hostname gator832.hostgator.com. This particular visitor identified themselves as a "visitor", with the user agent: Mozilla/4.8 [en] (Windows NT 6.0; U)
Upon typing the user's IP into google, a boatload of "phishing" / "bad bots" logs come up.
My question: Can I identify visitors like this via automation? I.e. fake users: people who masquerade as humans while they're really bots. (I only noticed this potentially 'bad' user because I was viewing my visitor log in real time; I was on at the very moment they were.)
In previous experience, not every user with the "host" phrase in their hostname is a bad user, so sniffing those bits wouldn't do anything useful.
Gmail has a feature to detect email phishing and it marks them with a red header alert saying "Warning: This message may not be from whom...". I believe this red alert has nothing to do with the SPF record of that email, so how does it detect it as a phishing email?
We have an SPF record and I sent an email from another server; when I received that email the SPF record was "softfail" but it did not have that red alert.
We have received a complaint from PayPal that one of the domains was phishing. How do I track it down? How do I find out the method they used to upload it? I checked /tmp and couldn't find anything. I checked the access_log file for wget and couldn't find anything.
I am running a hosting service. Recently a user put a phishing site on the server, pretending to be an eBay signup page and soliciting passwords. I had all kinds of trouble with this, because eBay complained to my server company.
I would like to ask if you know any solution that would block such sites automatically?
It could search for some predefined texts on the page (such as "sign in to eBay") and block the page if they are found. I wasn't able to find anything in Apache documentation.
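The text-matching idea in the post above, together with the writable-directory check an earlier poster mentions, as an added example that is not part of any post here: a sweep of an account's document root that flags pages containing sign-in wording and lists world-writable directories. The phrase list is a constructed placeholder to tune to the brands that send complaints, and the fixture is built in a temporary directory so the script runs stand-alone.

```python
"""Sweep a hosting account's files for planted phishing pages. Added example,
not from the thread: it greps pages for sign-in wording and lists world-
writable directories, the two checks the posters above describe."""
import os
import stat
import tempfile

# Constructed starting list; tune it to the brands that send you complaints.
PHRASES = ["sign in to ebay", "paypal login", "verify your account"]
PAGE_EXT = {".html", ".htm", ".php", ".phtml"}

def page_hits(path, phrases=PHRASES):
    """Return the phrases found in one page (case-insensitive)."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read().lower()
    except OSError:
        return []
    return [p for p in phrases if p in text]

def scan_tree(root, phrases=PHRASES):
    """Walk root and return (kind, path, detail) findings: 'phish' for pages
    containing suspicious phrases, 'writable' for world-writable directories,
    which is where drop-ins usually land."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        mode = os.stat(dirpath).st_mode
        if mode & stat.S_IWOTH:
            findings.append(("writable", dirpath, oct(stat.S_IMODE(mode))))
        for name in filenames:
            if os.path.splitext(name)[1].lower() in PAGE_EXT:
                full = os.path.join(dirpath, name)
                hits = page_hits(full, phrases)
                if hits:
                    findings.append(("phish", full, ", ".join(hits)))
    return findings

def make_sample_tree(root):
    """Constructed fixture: a legitimate site plus a fake sign-in page planted
    in a world-writable uploads directory."""
    site = os.path.join(root, "home", "alice", "public_html")
    upload = os.path.join(site, "uploads")
    drop = os.path.join(upload, ".ebay")
    os.makedirs(drop)
    with open(os.path.join(site, "index.html"), "w") as fh:
        fh.write("<h1>Alice's bakery</h1><p>Open daily.</p>")
    with open(os.path.join(drop, "login.php"), "w") as fh:
        fh.write("<title>Sign In to eBay</title><p>Verify your account</p>")
    for d in (site, drop):          # explicit modes so the umask does not matter
        os.chmod(d, 0o755)
    os.chmod(upload, 0o777)
    return site

def demo():
    """Scan the fixture in a temp dir; findings sorted, paths relative to the
    site root."""
    with tempfile.TemporaryDirectory() as tmp:
        site = make_sample_tree(tmp)
        out = [(k, os.path.relpath(p, site), d) for k, p, d in scan_tree(site)]
    return sorted(out)

if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"{kind:8} {path}  ({detail})")
```

On a real host, call scan_tree on each account's public_html (or on /home) and review the findings by hand before removing anything.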
I want to post here about RapidVPS hosting; they host all scam and phishy sites like HYIP. What is HYIP? Here -> [url]
My proof:
ablehyip. com/hyip/ (IP:208.84.144.131) globalmarketsol. org (IP:66.35.79.68) forexco. us/index.php?a=home (IP:66.35.79.37) xlinvestment. us (IP:66.35.79.29) topprofitworld. net (IP:66.35.79.94) real-onlineforex. com (IP:66.35.79.118) fx-88. com (IP:208.84.150.149) marvelpartners. us (IP:66.35.79.68) and so on too many hyip scams, very big list.
All provided IP addresses are registered with OrgName: Infinitum Technologies Inc. (RapidVPS) OrgID: INFIN-27 Address: 873 Grand Regency Pte. Address: Suite 201 City: Altamonte Springs StateProv: FL PostalCode: 32714 Country: US
All IP addresses are provided for network: Organization-Org-Name:NVHSERVER Inc network: Organization-Name:Ha Nguyen network: Description-Usage:Internet Service Provider
I have contacted the RapidVPS admin and this guy (name is Rick) never answers my reports, just ignores me, bans me. I'm sure he is the owner of all this scam.
I have created an account on the RapidVPS forum, and Rick banned me for my first post about the HYIP scam on their servers; here is proof: [url]
If you want to ask about this issue, contact Rick directly: rickb@rapidvps.c0m
Guys, what do you think about this issue, or maybe it's normal for all US hosters?
Please share your comments.
Thanks for reading this post and for your time.
Here is more info about the HYIP scam: fbi.gov/majcases/fraud/fraudschemes.htm#ponzi sec.gov/answers/ponzi.htm
I know Brent from HostGator reads here, so I thought I'd share this. If you are an Australian you are more than likely getting phishing emails supposedly from Commonwealth Bank (Australia's largest bank). I get about 20 a day to all my email addresses; here's one I got today:
We recorded a payment request from "HostGator -www.hostgator.com- Reseller Web Hosting" to enable the charge of $74.95 on your account.
Because the order was made from an African internet address, we put an Exception Payment on transaction id #POS PAYM7284 motivated by our Geographical Tracking System.
THE PAYMENT IS PENDING FOR THE MOMENT.
If you made this transaction or if you just authorize this payment, please ignore or remove this email message. The transaction will be shown on your monthly statement as "HostGator - Reseller Web Hosting".
If you didn't make this payment and would like to decline the $74.95 billing to your card, please follow the link below to cancel the payment :
Cancel this payment (transaction id #POS PAYM7284)
NOTE: Because email is not a secure form of communication, please do not reply to this email.
One day, you notice that someone remotely connected to your computer and an application sends spam/phishing emails by using your IP. What do you do?
Of course, I stopped the program and blocked remote connections for a while and changed my password... In any way, I have to connect to my computer remotely... What do you advise?
By the way, I have more than 1000 email accounts on my computer. The hacker left me a gift, but I don't need them))
I run a free web hosting service on my server with the XPanel script installed. It has around 47K accounts in all. Recently I started getting mails from eBay, banks and many other institutions regarding the phishing sites operating from my server for cheating their customers/members. Though I removed them, I have to do it manually and only after getting mails from them.
Now that I don't want any more such sites to run from my hosting site, what are the options available for me in order to check all accounts automatically and remove any such site on its own? As there are 47K accounts and 100+ new signups each day, it is not possible to check all accounts manually.
I want any script/addon which can check all possible phishing/spamming/spurious/fraud sites and notify me/delete them upon request. Is anyone using such services? I need your guidance and support.
Looking for some fast and effective answers from experts here.
I am running Plesk 11.5 on an Ubuntu 12.04 machine. For days I have had problems where I see scripts of phishing sites and mailer scripts installed in the httpdocs directory of various domains.
How can I prevent outsiders from installing these scripts on the server? Where is the bug that allows this?
One of my potential clients is getting DDoSed occasionally. According to the DCs (PCCW and Singtel), the attacks come mainly from China and the DDoS uses up all the available bandwidth.
I have asked many DCs in Hong Kong. Most of them said they will only null route the IPs and wait until the DDoS is gone. It seems that none of the DCs in HK offer any sort of anti-DDoS solution.
My client doesn't want their site completely offline every time they get attacked. So, could any professional suggest what we can do?
What I am thinking of is:
1. Getting 2 connections from different bandwidth providers
2. Using Geo DNS: [url]
Then, I can separate all China users by forcing them to use 1 connection. Will this work? Is there any potential problem here?
I am also thinking of using BGP. Will that make us partially visible as well?
We have 2 servers, one running Windows 2003 Enterprise that hosts a ColdFusion app, and one running Windows 2003 Standard that hosts our SQL database that is used by the CF app. Nothing else runs on them.
Does anyone have any suggestions for anti-virus products that we could use on these? I don't want one of those elaborate and expensive "suite" programs. I just need to protect the boxes.
I use Kaspersky on our individual machines, and I really don't care much for Norton anymore.
It seems people say DoS Deflate is the best basic anti-DDoS script and tons of web hosts use it.
I think it's rather old and it doesn't work for anything these days. Why do hosts still run it? And why isn't there a better alternative?
I used Deflate some years ago and I got problems. Then, after some years, I tried again and nothing had changed: the same basic old script which counts connections and bans IPs.
The thing with Deflate is that if you have a high limit, let's say ban at 150 connections per IP, it's absolutely worthless for attacks, since you are already letting 150 connections per IP through.
And if you lower it, at least I got tons of problems banning real visitors. Even over 150 I had complaints from real visitors on a server telling me the server blocked them. Don't ask me how someone has 150 connections to a server, but I got complaints from multiple people over the world in the 1 month I had it running over 2 years ago.
I also see a really big problem with it. A lot of ISPs share IPs between users. So it's really possible you get 200 connections from the same IP and they are different users. Banning an IP based on the connections, you can probably shut down a full ISP and their visitors. I wish there was a better solution, but using a high value like 300 or 500 doesn't make sense in a DoS attack. And if you use a low value you start to get into problems.
We agree it will not work with distributed attacks, but I don't think it can even work with single attacks, since besides connection count there doesn't seem to be any more behaviour analysis.
The way I would make a script like that is to check all traffic and IPs all the time, and mark IPs that always access a server as good ones. The newer the IP, the more suspicious. In an attack, this way real visitors would still pass but attackers will not, as they are new IPs. You can also then match the number of times it's connecting, how long, etc.
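The approach sketched in the last paragraph above, as an added example that is not code from the thread or from DoS Deflate: a small reputation model that records when each IP was first seen and how many connections it made in a sliding window, then decides allow / throttle / drop, letting long-known sources (which may be a whole ISP behind one address, as the post notes) through during an attack while new ones are throttled. The thresholds, addresses and the "attack on" flag are constructed placeholders.

```python
"""Illustration of the approach proposed above: rate a connecting IP by how
long the server has known it, so that under attack established visitors keep
getting through while brand-new sources are throttled. Added example, not code
from the thread or from DoS Deflate; thresholds are constructed placeholders."""
from collections import defaultdict, deque

class SourceReputation:
    def __init__(self, known_after_s=7 * 86400, window_s=10, burst_limit=100):
        self.known_after_s = known_after_s  # age before an IP counts as known
        self.window_s = window_s            # sliding window for the rate
        self.burst_limit = burst_limit      # per-window count too high for anyone
        self.first_seen = {}                # ip -> first timestamp observed
        self.recent = defaultdict(deque)    # ip -> timestamps inside the window

    def observe(self, ip, ts):
        """Record one connection from ip at time ts (seconds)."""
        self.first_seen.setdefault(ip, ts)
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()

    def age(self, ip, now):
        return now - self.first_seen[ip] if ip in self.first_seen else 0

    def rate(self, ip):
        return len(self.recent[ip])

    def decide(self, ip, now, under_attack):
        """Return 'allow', 'throttle' or 'drop' for the next connection.
        A known IP (which may be a whole ISP behind one NAT, as the post
        notes) is only dropped for an outright burst; an unknown IP is
        throttled whenever an attack is on, and dropped if it also bursts."""
        known = self.age(ip, now) >= self.known_after_s
        r = self.rate(ip)
        if r >= self.burst_limit:
            return "drop"
        if not under_attack or known:
            return "allow"
        return "drop" if r >= self.burst_limit // 4 else "throttle"

def replay(rep, events, attack_from):
    """Feed (ts, ip) events in order and return {ip: last decision}. Attack
    mode is on for ts >= attack_from; on a real box that flag would come
    from a load or bandwidth trigger."""
    last = {}
    for ts, ip in events:
        last[ip] = rep.decide(ip, ts, ts >= attack_from)
        rep.observe(ip, ts)
    return last

# Constructed sample (documentation addresses): a visitor seen daily for
# weeks, then from T onward an attack during which that visitor, a new quiet
# visitor and a new flooding source all connect.
T = 30 * 86400
EVENTS = [(d * 86400, "198.51.100.7") for d in range(29)]
EVENTS += [(T + i, "198.51.100.7") for i in range(3)]
EVENTS += [(T + i, "203.0.113.9") for i in range(3)]
EVENTS += [(T + i * 0.1, "203.0.113.40") for i in range(60)]

def demo():
    """Decisions for the sample: allow / throttle / drop respectively."""
    return replay(SourceReputation(), EVENTS, T)
```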
Over the past number of years there has been an obvious increase in credit card fraud and identity theft.
Our policies have always tried to stay a step ahead, but it seems no matter what is done the occasional fraudster manages to squeeze through, costing us a lot of money. At some point in early 2009, it got as bad as 60% of the orders we received. It ended up eating a LOT of our time just to go through each order and verify them as best we could.
What methods do you use to fight fraud?
I'll start with some of the things we do.
- Require the CVV code on the credit card
- We call the customer's telephone number and verify with them
- Verify the telephone number matches the region of the address they provide
- Require the CC issuing bank's name and number
- We often require the customer to fax a signed credit card authorization form
- GeoIP matches the location of the address in the order
Obviously the big challenge is proving that the person placing the order is the actual owner of the card. I've received the correct CVV, spoken with the customer on the phone number, had the phone number match the region... non-US, so I wasn't able to verify their telephone details with the issuing bank. Had the GeoIP match and still found out it was fraud.
On a side note: Am I the only one that feels banks and those issuing credit cards need to take more responsibility for a system that's clearly broken? Even after going through the process above, it can still be fraud with a chargeback issued. In those cases, the company loses the money they made, pays a fee to the payment provider, loses time for Sales Reps and Tech Reps, and of course loses money on hardware, electricity and bandwidth.
I am running a Win2003 server with Plesk 8.3. The antivirus running is F-Prot. My clients and I have been getting a lot of spam emails and I am looking for suggestions on how to stop them. Plesk seems to provide some options for checking blacklisted spam servers, but I was not too satisfied with the result. Maybe I was not looking up the right URLs?
So, any suggestions on blocking the spam would be welcome. I am ready to pay for it too... but I am on a very tight budget. A free solution would be the best for me at the moment.
I also used SpamAssassin for a time, but it did not work out to any of my clients' satisfaction even after a month's "training" of SpamAssassin.