Box keeps getting hijacked for ddos attacks

tellus

Guest

Hey Guys, I was wondering if maybe some of you could give me some useful information on what to do with my freebsd box since it keeps getting used in dos attacks - they put their perl stuff in /tmp (apache owner) and fire it up and drain all bandwidth.

Now since I'm just a webdesigner that runs this box for my own clients I'm pretty clueless on what to do to prevent it from happening again.

Any ideas on what to do or if I can hire someone who can help me?
 
Hi,

I know this doesn't help you, but if you were running a redhat/fedora type OS then you could pretty much solve the problem by subscribing to ART's ASL channel, which includes a kernel and system hardening patch.

What you can still do is install mod_security. This is highly likely to stop any opportunistic use of weaknesses in your client's scripts.

www.gotroot.com/mod_security+rules

It is also possible to make /tmp readonly but I'm told that while this is nice, it doesn't really stop all hacks. In your case it may solve the problem though. Have a search for "tmp read only" or "securing my server" or something like that here on the forum. There are several good threads on the subject that should be the same or similar for freebsd.

Faris.
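Two of the suggestions in this thread can be checked with a small script: whether /tmp is actually mounted with the options that stop dropped scripts from executing, and whether the web server user already owns interpreter scripts in /tmp. The following is an added example, not code from any poster; it assumes FreeBSD-style `mount` output (a Linux-style line is handled too), a placeholder device name `/dev/ada0p4` in the fstab comment, and that the Apache user on the box is `www` (the FreeBSD ports default; substitute whatever user your httpd runs as).

```shell
#!/bin/sh
# Added example: check /tmp hardening and look for web-server-owned scripts in /tmp.
# FreeBSD `mount` prints lines like:
#   /dev/ada0p4 on /tmp (ufs, local, noexec, nosuid, soft-updates)
# Linux `mount` prints lines like:
#   tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec)
# The parenthesised option list is extracted and scanned in both cases.
# A matching FreeBSD /etc/fstab line (device name is a placeholder) would be:
#   /dev/ada0p4  /tmp  ufs  rw,noexec,nosuid  2  2

# mount_opts LINE -> prints the option list of one mount line, one option per word
mount_opts() {
    printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p' | tr ',' ' '
}

# has_opt LINE OPT -> exit status 0 if OPT appears in the mount line's options
has_opt() {
    for o in $(mount_opts "$1"); do
        [ "$o" = "$2" ] && return 0
    done
    return 1
}

# tmp_hardened LINE -> exit status 0 only when both noexec and nosuid are set
tmp_hardened() {
    has_opt "$1" noexec && has_opt "$1" nosuid
}

# check_live_tmp -> inspects the running system's /tmp mount (not exercised offline)
check_live_tmp() {
    line=$(mount | grep ' on /tmp ' | head -n 1)
    if [ -z "$line" ]; then
        echo "/tmp is not a separate mount; the options of / apply"
        return 1
    fi
    if tmp_hardened "$line"; then
        echo "OK: /tmp is mounted noexec,nosuid"
    else
        echo "WARN: /tmp lacks noexec/nosuid: $line"
        return 1
    fi
}

# find_script_files DIR OWNER -> lists regular files under DIR owned by OWNER (name or
# numeric uid) whose first two bytes are an interpreter shebang, i.e. what a dropped
# perl bot looks like. Usage on the thread's box: find_script_files /tmp www
find_script_files() {
    find "$1" -type f -user "$2" 2>/dev/null | while IFS= read -r f; do
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample mount lines for offline use
SAMPLE_WEAK='/dev/ada0p4 on /tmp (ufs, local, soft-updates)'
SAMPLE_HARD='/dev/ada0p4 on /tmp (ufs, local, noexec, nosuid, soft-updates)'
SAMPLE_LINUX='tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec)'
```

Run `check_live_tmp` and `find_script_files /tmp www` from cron and mail yourself the output; a non-empty file list or a WARN line is the signal to look at that vhost's scripts. Note that noexec only blocks direct execution: a script invoked as `perl /tmp/x.pl` still runs, which is why the other posters pair this with mod_security and patching.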
 
Unfortunately the root of your problems is caused by poor application design, insecure usage of variables, etc. I would definitely recommend using modsecurity as faris has mentioned, but be warned that it does require a bit of tweaking and tuning if you're using the gotroot.com rules. GotRoot's rules are a bit too aggressive and break some legit applications.

I would also recommend taking inventory of the web facing applications, such as PHP scripts, perl scripts, and server services. Once you have an inventory of the scripts and their versions then I would bounce that against securityfocus.com and see if there are any vulnerabilities reported against the application. More than likely you will find one or two applications that are constantly being hacked.

You could, of course, always hire a professional to clean up a bit of the issues. Managing a server requires maintenance, constant patching, staying on top of the security mailing lists, etc. I am in the boat now where I am using Fedora Core 2 and it has been totally unsupported by everyone in the universe and I am now back porting patches from Red Hat Enterprise Linux 4 into Fedora Core 2 for myself.
 
Hi Tellus,

I run a FreeBSD box with Plesk and have luckily not experienced the misfortune you are currently having. As the others have said, check there are no insecure scripts in your website folders. Also make sure that you know and trust all your hosted clients. I'd advise installing rkHunter (it's an easy install, although I think you can install from Ports) and doing a thorough scan of your box.

I would say that a well configured firewall (and up-to-date Plesk) may also help prevent these sorts of problems. Are you using the Plesk firewall and if so could you post your config? Also is your Plesk patched up-to-date? In my opinion I would say that Mod Security is probably not necessary if you are only hosting your own design clients as it will drain your server resources and providing you make sure you install up-to-date web apps you should be fine.

Tom
 