AV, Anti-RootKit, And Firewall For Dedi
Nov 15, 2008
trying to secure my new server that will be opening for shared hosting.
So far I've found:
CHKRootKit, RKHunter, and ClamAV
As for Firewall, I've setup CSF but my question is, what is a good setting for blocking SYN Floods without blocking clients who might be browsing their site and, using DA, and FTP.
In the past I've used:
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j DROP
iptables -A INPUT -p tcp --syn -m limit --limit 3/s --limit-burst 5 -j DROP
and took down some pretty big attacks, but it was very touchy.
View 0 Replies
ADVERTISEMENT
Jun 19, 2008
I was following this guide: url]
It's very nice but, 4 years old. So now I am wondering what is best rookit detector, and what is best firewall for centOS 5.
View 9 Replies
View Related
Apr 10, 2009
I am trying to purchase either a anti-ddos or firewall machine. My main objective is to prevent from ddos attack.
Do i purchase a anti-ddos hardware (please recommend), or firewall hardware (please recommend)?
anti-ddos and firewall is the same right? is about ip analyse and filter right?
After using the ddoss/firewall , i may also want to subscribe to those third party doss prevention which has big bandwidth, if i have a good hardware anti-ddos/firewall already, do i still need to have subscribe to these services?
View 12 Replies
View Related
Apr 11, 2008
I will be getting my first dedicated Windows 2003 Server next week. I was just wondering what antivirus, anti spyware and firewall to use.
I will be using this server to start of a small webhost business here so I need the server to be reliable.
View 6 Replies
View Related
May 27, 2013
It is possible to have anti-virus and anti-spam enabled by default when we go to "CREATE E-MAIL ADRESS" -> "SPAM FILTER" / "ANTI-VIRUS" is always disabled.
View 13 Replies
View Related
Feb 7, 2007
Seems like I'm having considerable problems with APF's antidos feature. I keep getting legit users banned from my site, and don't know how to stop it (other than disabling antidos altogether, but I guess there should be another way).
I've already set:
TRIG="100"
SF_TRIG="100"
...in the antidos configuration file but I'm still seeing more and more legit IPs getting added to ad.rules. I've read that raising or lowering LN="100" is the other tweak I should try, but there simply is no such value defined in my conf.antidos file.
Another thing I noticed that, although I only got two notification mails telling me about "attackers" blocked by antidos, there are roughly 40 entries in ad.rules. As a matter of fact, I don't understand what antidos is doing there in the first place. Seems like iptables doesn't log to var/log/messages anyway, at least not on my machine - so where is antidos getting those ips from?
View 2 Replies
View Related
May 19, 2009
2009/05/19 03:15:01 ossec-rootcheck: No rootcheck_files file: './db/rootkit_files.txt'
2009/05/19 03:15:01 ossec-rootcheck: No rootcheck_trojans file: './db/rootkit_trojans.txt'
How can i 'fix' this?
View 3 Replies
View Related
Aug 2, 2009
other options over chkrootkit and rkhunter since they are pretty outdated, and so far have found:
Curuncula:
[url]
Unhide:
[url]
View 2 Replies
View Related
Nov 14, 2008
how i can install rootkit hunter on centOs?
and is it different with CHKROOTKIT?
View 5 Replies
View Related
Jan 21, 2004
What is a rootkit? The following link is a very good read to answer that question.
http://linux.oreillynet.com/pub/a/li...4/rootkit.html
In Summary, a rootkit is a trojan installed on your Linux server after someone has broken into it. These files are used to cover the hackers tracks, and to give the hacker tools to do more dirty work from your server.
Usage:
1. su - (change to root user)
2. mkdir /usr/local/chkrootkit
3. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
4. tar -xvzf chkrootkit.tar.gz
5. cd chkrootkit*
6. cp * /usr/local/chkrootkit
7. cd /usr/local/chkrootkit
8. make sense
Now scan your system:
1. cd /usr/local/chkrootkit
2. ./chkrootkit
chkrootkit may from time to time give false positives. If you ever get a positive or "infected hit" scan a second time. If you do get a positive hit, google the hit to research the issue and steps to correct.
Part 2 - automated chkrootkit, and emailed results.
I'm lazy, and like my server to do the work for me so I have it scan every day, and email me the results.
Usage:
1. vi /etc/cron.daily/chkrootkit
2. add the following code.
Code:
#!/bin/bash
(cd /usr/local/chkrootkit; ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkt scan" you@yourdomain.com)
3. chmod 0755 /etc/cron.daily/chkrootkit
This will email you@yourdomain.com every morning with your chkrootkit results. the -q option will only show you exploits.
Removal:
If you don't like getting the emails or just want to remove this from your server:
1. rm /etc/cron.daily/chkrootkit
2. rm -rf /usr/local/chkrootkit
All files will now be deleted from your server.
View 14 Replies
View Related
Jun 26, 2009
how to correct it?
Code:
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Checking for prerequisites [ Warning ]
The file of stored file properties (rkhunter.dat) does not exist, and so must be created. To do this type in 'rkhunter --propupd'.
Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
is used, all the files on their system are known to be genuine, and installed from a
reliable source. The rkhunter '--check' option will compare the current file properties
against previously stored values, and report if any values differ. However, rkhunter
cannot determine what has caused the change, that is for the user to do.
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)
View 2 Replies
View Related
May 4, 2007
My Windows VPS has come under heavy attack by hackers trying to get through MSFTPSVC for the past month and they finally managed to somehow get in 2 days ago. Somehow, the "Allow anonymous login" setting was selected in my FTP settings and they got in.
They even managed to turn off my firewall. I guessing they used a buffer overflow or some other Windows Server 2003 weakness that was fixed in SP2 (too bad SP2 is'nt supported by SWSoft yet).
The attacks began less than 1 week after I had signed up with Virpus. I did'nt even have my domain name pointing to the server or a site up when the first set of dictionary attacks began. How common is that 0_0 ?
Anyway, since I now know they've gotten in I've run a virus check and everything looks clean but I really want to run some kind of root kit detection software. I've tried everything suggested on the antirootkit website but none of them seem to work on a VPS.
View 10 Replies
View Related
Dec 22, 2007
I was thinking of getting one of our server admins to install the Rootkit Hunter.
Would this have any effect on our server resources and stability.
Im trying to be more security minded after afew weeks ago when our server was hijacked, and I dont want to go through this again.
View 1 Replies
View Related
Apr 4, 2008
How can I get rootkit hunter to email me the results?
I tried
MAILTO=me@mydomain
0 0 * * * /root/rkhunter-1.3.2/files/rkhunter --cronjob
and
MAILTO=me@mydomain 0 0 * * * /root/rkhunter-1.3.2/files/rkhunter --cronjob
But it is not sending the email, nothing even show up in my exim_mainlog.
View 2 Replies
View Related
Aug 24, 2007
For securities purposes whats best to install?
Feel free to suggest any others.
Server is running cpanel
View 4 Replies
View Related
Apr 22, 2008
How can I stop the rootkit hunter false positives?
It is alerting on these, on a fresh OS install:
Checking for prerequisites [ Warning ]
/usr/bin/groups [ Warning ]
/usr/bin/ldd [ Warning ]
/usr/bin/whatis [ Warning ]
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]
View 2 Replies
View Related
Jun 30, 2007
Possible root kit, what can I do?
Sorry for the long post, but I need some feedback.
One of the main reasons that I went from a windows dedicated server to a VPS was because I had several attacks on my server that cost lots of time and money. The only reason to these attacks was that it has to be a root kit in one of the programs I used on my server.
I have used SolarVPS for over 6 months now, and have used most of the same software I used on my dedicated server. I have not had any attacks or somebody gaining access to my VPS.
Last week I got a new Windows VPS from JaguarPC. I installed the same software as always (I will list the software later) and day two of my new VPS somebody had full access, had created a new admin user, installed Utorrent, downloaded and uploaded over 10 GB of movies and music before I discovered the security issue.
Beside my normal software I had downloaded a free downloadmanager, so I could download my plesk backup files faster than on a single download connection. That was the only other software beside my normal software.
But I never used that download manager on my dedicated server, but the same thing happened there also. A user got full access, created a new admin user for remote desktop, etc. I also use different password for the different VPS/DS/hosting plans, but some parts of the main level password is the same.
Last time the user was names support, this time the user was named Dave
I change password often, this year I have changed my password 4-5 times. I have different password for different levels on my VPS/servers. On password for Admin, one for Plesk, one for FTP access to my sites, one for e-mail, one for MySQL etc etc.
I have changed OS at home from XP to Vista, and have only installed 100% secure programs at my home computer. I have not installed one free program or any cracks, warez etc. I also use different antivirus and anti spyware software at home. So the problem can most likely not be at my home computers.
My current software I use on my VPS’s are: (I have some more, but that was the software I used on new VPS)
WinRar 3.61 from [url]
Bandwidth monitor Pro from [url]
Weblog Expert 4.1 from [url]
And the only software I don’t use on my VPS at SolarVPS:
Free Download Manager from [url]
The strange thing is that last time, over 6-7 months ago when I had all the problems with my dedicated server, I traced the IP the hackers had used to login to my DS to Germany.
This time on my new VPS the person has to be from Germany or on country they speak German. The mp3s and the movies where almost all in German.
My plan for the future:
I think I will buy a new VPS plan to test my software. Install one and one software, and see when somebody get access to my VPS. I have to use a provider that offer free OS reloads, so I can reload the OS after I have tested one and one of my programs.
Do anybody know about any companies that allow me to get free OS reloads and provide a Windows 2003 server?
Or will the backup function in VZPP work as OS reload if I take a backup of my new clean VPS and then install software. If it is a rootkit, and I restore, will the rootkit go away? If yes, I can use all providers with VZPP.
And do I have to tell the company what I have planned to do? A rootkit on my VPS will not affect other VPS, so they can get the same rootkit, or the main server?
View 3 Replies
View Related
Dec 17, 2008
Do you recommend a software firewall when behind a hardware firewall?
All of our servers are behind Cisco ASA 5505 firewalls which we rent from Liquidweb. All are being managed correctly and setup to there optimal levels. With hardware firewalls firmly in place, do you still recommend a software firewall such as APF or IPTables (we're talking linux); in our opinion we see it as an extra administration overhead. If this is however untrue, we will change out thinking.
View 3 Replies
View Related
Jun 12, 2007
One of my potential client is getting DDOS occassionally. According to the DCs-PCCW and Singtel, the attacks come from China mainly and the DDOS used up all the available bandwidth.
I have asked many DC in Hong Kong. Most of them said they will only null route their IPs and wait the DDOS gone. It seems that none of the DC in HK offer any sort of Anti-DDOS solution.
My client don't want their site completely offline every time they got attacked. So, could any professional suggest what we can do?
What I am thinking of is:
1. Getting 2 connection from different bandwidth providers
2. Using Geo DNS: [url]
Then, I can separate all China users by forcing them to use 1 connection. Will this work? Is there any potential problem here?
Also, I am also thinking of using BGP. Will that make us partially visible as well?
View 0 Replies
View Related
Feb 24, 2008
login as: root
root@20*.17*.3**.1**'s password:
Last login: Fri Feb 22 15:21:26 2008 from 20*.5*.4*.2*
[root@vian ~]# yum install php-gd
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
extras 100% |=========================| 1.1 kB 00:00
updates 100% |=========================| 951 B 00:00
base 100% |=========================| 1.1 kB 00:00
addons 100% |=========================| 951 B 00:00
Reading repository metadata in from local files
Excluding Packages in global exclude list
Finished
Parsing package install arguments
Nothing to do
[root@vian ~]#
Does that mean I have installed GD? I am new to this dedi thingy.
View 8 Replies
View Related
Mar 11, 2008
I asked my host to reload/rebuild my dedicated server as I wanted to clear my entire server so that I can used it for a brand new project but I was told that it would cost me $75 per server.
Am I able to engage a freelancer to do it rather than getting my hosting provider? I would also need to change the server hostname from www1.xxx.com to www1.yyy.com and the name server to be changed to ns1.yyy.com and ns2.yyy.com instead of ns1/2.xxx.com. In short, I do not want yyy.com to be traced back to xxx.com at all. I do not want a traceroute, cpanel or other means to link the two site together.
View 9 Replies
View Related
May 12, 2007
About 4 days back i ordered and got a Xeon dedicated box from Softlayer
BUT i am stuck adding one domain. First i tried making a new account for this domain through WHM but problem was not solved, so today i parked this domain to a domain's cPanel account but after that also problem was not solved
So, let me first explain you whole problem. Suppose my domain is my-domain.com
This domain my-domain.com was added to shared hosting account at ace-host.net. But after purchasing dedicated server, i shifted whole site data to new server and changed the nameservers of my-domain.com with new ones and atlast i removed this domain from my Ace-host.net account.
Then i waited for about 2days to domain to propagate with new server's namesevers. But when nothing happened (i checked the domain whois record, they were showing my new server's nameservers), atlast i contacted Softlayer regarding this and after sometime they replied We have given the correct server alias for your domain my-domain.com in apache configuration and it was working fine that monent.
But after sometime i checked that my-domain.com is loading fine but it is taking whole data (including database and templates) from my OLD HOST ... Ace-host.net!
As i have already mentioned that i have already deleted my-domain.com from Acehost account and also updated the my-domain.com's nameservers with new dedicated server's.
And i checked many times WHOIS records from different websites at that moment. All were showing nameserver records of my new server.
I now contacted PSM and they after sometime replied that its working now as they just had to restart dns server.
BUT NOW , today again samething is happening! (on the 4th day)
so, i terminated my-domain.com's account from my server's WHM. and then parked in other domain cPanel account on same (Softlayer) server but still problem is still there!!
Domain is registered at Namecheap.com
NOTE: I am not saying anything against PSM or Softlayer and their support staff. They are both THE BEST in the market! and they have helped me a lot manytimes.
I also have two more domains on this new server and both are working fine from very first day. They are registered with local registrar not with namecheap.
View 3 Replies
View Related
Dec 6, 2007
i've purchased a dedicated box with Plesk webhosting, but i can't get the email forwarding services to work
The domain is registered with Domainsite, set in plesk to forward admin@domain.com to my gmail... and it doesn't work no matter what i try...
First settings i tried( I use domainsite's nameservers and set the dns in there, if you know a better/other way, please reply) blanked out the last 2 chars of the ip just in case
Code:
Record Type Record Host Record Answer TTL Priority (MX only) Create Date
A *.domain.com 84.244.-.- (delete) 300 2007-11-10 07:43:03
A domain.com 84.244.-.- (delete) 300 2007-11-10
well that didn't work, so i figured i needed a MX record
I added:
Code:
MX domain.com 84.244.-.- (delete) 300 10
but it still didn't work( i did wait a few days after each change)
Then i tried the domainforwarder from Domainsite itself
which added 2 records:
Code:
MX domain.com mx0.domainsite.com (delete) 300 10 2007-12-01 12:17:37
TXT domain.com v=spf1 a mx ~all (delete) 300 2007-12-01 12:17:37
but it still doesn't work
i'm also getting mails bounced back with the line: "Reverse DNS lookup for your IP address is failing."
what changes need to make?
View 0 Replies
View Related
Mar 8, 2008
Can you recommend any anti DDOS provider that can help My servers are being attacked by low bandwidth, botnet attack.
View 14 Replies
View Related
Apr 13, 2009
We have 2 servers, one running Windows 2003 Enterprise that hosts a ColdFusion app, and one running Windows 2003 Standard that hosts our SQL database that is used by the CF app. Nothing else runs on them.
Does anyone have any suggestions for anti-virus products that we could use on these? I don't want one of those elaborate and expensive "suite" programs. I just need to protect the boxes.
I use Kaspersky on our individual machines, and I really don't care much for Norton anymore.
View 5 Replies
View Related
Jul 9, 2009
it seems people tell Dos Deflate is the best basic antiddos script and tons of webhosts use it.
I think its ratter old and it doesnt work for anything these days. Why do hosts still run it? And why isnt there a better alternative?
I used Deflate some years ago and I got problems. And tried then after some years again and nothing changed, the same basic old script which counts connections and ban IPs.
The think with Deflate is that if you have a high limit, lets say ban with 150 connections per IPs, its absolutely worthless for attacks, since you are letting already 150 connections per IP.
And if you lower it at least me got with tons of problems banning real visitors. Even over 150 I had complaints about real visitors on a server telling the server blocks him. Dont ask me how someone has 150 connections to a servers but I got complaints from multiples people over the world the 1 month i had it running over a 2 years ago.
I also see a really big problem with it. Allot of ISP share IPs between users. So its really possible you get 200 connections from the same IP and they are different users. Banning an IP based on the connections you can probably shutdown a full IPS and their visitors. I wish there was a better solution but using a high value like 300 or 500 doesnt make sense in a Dos attack. And if you use a low value you start to get into problems.
We agree it will not work with distributed attacks but I dont think it can even work with single attacks since besides connection count it doesnt seem to be any more analisys behaviour.
The way I would make a script like that. Is to check all traffic and IPS all the time. And mark IPs that always access a server ass good ones. The newer the IP the more suspicious. On a attack this way real visitors would still pass but attackers will not as they are new ips. You can also match then the number of times its connecting, how long, etc.
View 2 Replies
View Related
Sep 30, 2009
Over the past number of years there has been an obvious increase in credit card fraud and identity theft.
Our policies have always tried to stay a step ahead but it seems no matter what is done the occasional fraudster manages to squeeze through, costing us a lot of money. At one some point in early 2009, it got as bad as 60% of the orders we received. It ended up eating a LOT of our time just to go through each order and verify them as best we could.
What methods do you use to fight fraud?
I'll start with some of the things we do.
- Require CVV code on the credit card
- We call the customer's telephone number and verify with them. - Verify the telephone number matches the region of the address they provide
- Require the CC issuing Bank's name and number
- We often require the customer to fax a signed credit card authorization form
- GeoIP matches location of the address in the order
Obviously the big challenge is proving that the person placing the order is the actual owner of the card. I've received the correct CVV, spoken with the customer on the phone number, had the phone number match the region... non-US so I wasn't able to verify their telephone details with the issuing bank. Had the GeoIP match and still found out it was fraud.
On a side note: Am I the only one that feels banks and those issuing credit cards need to take more responsibility for a system that's clearly broken? Even after going through the process above, it can still be fraud with a chargeback issued. In those cases, the company loses the money they made, pay a fee to the payment provider, lost time for Sales Reps and Tech Reps, and of course they lose money on hardware, electricity and bandwidth.
View 14 Replies
View Related
Feb 15, 2008
Is there any anti proxy script which can detect any proxy sites on my server and kill it?
View 4 Replies
View Related
Jun 21, 2008
I am running Win2003 server with Plesk 8.3. Antivirus running is F-Prot. Me and my clients have been getting a lot of spam emails and I am looking for suggestions on how to stop them. Plesk seems to provide some options for checking blacklisted spam servers but I was not too satisfied with the result. Maybe I was not looking up the right urls?
So, any suggestions on blocking the spam would be welcome. I am ready to pay for it too...but I am on a very tight budget. A free solution would be the best for me at the moment.
I also used SpamAssasin for a time being but it did not work out to any of my client's satisfaction even after a month's "training" of SpamAssasin.
View 8 Replies
View Related
Jun 14, 2008
I am interested in ASSP as a anti-spam tool and have heard good things, but I have 1 question I can't seem to find an answer too.
With ASSP is there a way to screen image spam like you can with FuzzyOCR? With ASSP do you even need to scan images at all? Because it waits for the sending server to respond for authentication?
I was running MailScanner / SpamAssasin / FuzzyOCR combo with a couple of chron jobs (to sweep fake bounce email out of the mail que for example) with very effective results, but it took forever to tweak all three to reduce server load. MailScanner was breaking webmail randomly so I have it disabled currently so I get a lot more spam.
View 0 Replies
View Related
Oct 4, 2007
We recently had a problem with a mail spammer. He sent over 90,000 emails and had 20,000 in the queue. Is there anyway to possibly stop this as it was really lagging the server bad. So bad the softlayer took it offline for a while...
View 4 Replies
View Related
