Webservers... Security and OS

  Gaz 25 17:35 08 May 2004

I have been running for some time a self-built rackmount server on an Enta Net business broadband package, simply for hosting my own website.

It has PHP, phpMyAdmin, ASP, FrontPage extensions, CGI, etc.

Running the latest versions of all, including all patches for Red Hat 9, Apache and the FTP server.

Running a Kerio corporate firewall and a Symantec VPN hardware firewall + Panda GateDefender HTTP virus control.

However, it still has managed to be hacked, even though everything is bang secure and I am a paranoid person. Server monitoring software managed to track the IP and back up everything before there was a problem, but how did they get in?

Now my question is, how can I prevent this in future? Should I upgrade to UNIX?

Which is the best firewall (software version, since I already have hardware) for servers? I don't mind paying lots for it, as long as it keeps it safe.

I chmod all the sites correctly, and disabled tokens and folder browsing, so how the hell did they get in? I used HTTP auth on pages that I thought could decrease security, such as phpMyAdmin. MySQL is set up all password protected, even on localhost and root names.

I don't understand how they could have got in; they deleted all the MySQL data folders, and the PHP folders and Apache htdocs.

Please suggest new versions of software, such as UNIX or whatever, for best security.


  Taran 18:23 08 May 2004

To begin with, most large commercial web hosts, on Linux platforms anyway, run their own version of Linux which is often a very far cry from an off the peg distro you or I could download and/or purchase. Most large hosts invest a lot of time and expertise in tweaking their platforms for reliability, security, speed, low comparative resource requirements and all kinds of other things.

I can think of a few dozen ways off the top of my head that someone could have bypassed a home-grown web server, and the fact that your MySQL, data and Apache docs folders were deleted points in certain directions and indicates specific lines of attack. I'm not going to openly discuss these methods in this or any other forum though, for obvious reasons.

Think about this for a moment: in the last couple of years, Google, Yahoo and Microsoft, to name but a few, have "enjoyed" being targeted by some spectacular hacks, many of which were specifically aimed at web servers and many of which were very, very successful. And you're asking how to secure a web server?

This is probably going to be little more than irritating to you, but my one gem of advice is this: move all of your web hosting requirements to a dedicated web server run by a third party company as soon as possible. If you need an entire server then either rent a managed server or choose to manage your own. The basic nuts and bolts of security will still be dealt with in-house and all hardware responsibility is out of your hands.

This is from someone with a great deal of server management experience and despite this background, or perhaps because of it, I wouldn't dream of running my own web host.

Upgrading to UNIX will do one thing: it will require an entire new learning curve and you'll still be wide open to the same or similar attacks until you get your head well and truly around it.

I'm not sure if you understand this concept, but if you have dynamic languages enabled on your server, unless you lock things down in some very specific ways, it is pretty easy to write or modify a script which interacts with your server and pretty much opens it up like a book.

People hack servers for a number of reasons, but even large web hosts fall foul now and then. I'd bail out ASAP and move to a dedicated web host yesterday, or sooner if you can arrange it.

The short answer to your "how can I prevent this in future?" question is this: you can't.

  Gaz 25 18:36 08 May 2004

Heck, another long and well written post.

I have hosting with One and One, but I have always kept the server of my own running.

I tracked the IP, but will not place it here of course, and have reported it to ChinaNet.

I still like to run my own webserver, coz I don't like being beaten. So sod them, it's staying there, but all my important files will be gone. I'll just put some random forum on that I couldn't care less about. ;-)

I have disabled many features in Red Hat that are not required. And simply why I moved to Linux was because of its security. I would NEVER dream of starting web hosting from a Windows machine, no way.

I understand that webhosts put a lot of time and effort into this, and security is a prime factor.

I can think of many ways myself they could get in, starting with a simple upload script: they could replace any file in the forum area if I slipped up on chmod. But still, I think I covered many angles of defence, and the firewall did not allow connection to just any port, only the ones that the webserver really required to work, like port 80. And this was blocked for any application other than the required components.

I didn't even install Samba or this, that and all the other, since I have no use for it. So the security should be tight; Red Hat is stripped down to bare, but I do know that webhosts have Linux boffins modding the files to create a secure atmosphere.

I don't know, I think I will just think twice about keeping a main site on there. I'll place something simple that I'm not bothered about, such as a discussion forum, just to beat the idiots. I have recently asked my ISP to refresh my IP and I just changed the DNS name servers, to stop the hacker locating my server again via IP. :-(
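The post above puts its finger on the likely vector: an upload script plus a slip on file permissions lets the web server process overwrite files it should never touch, and the fact that htdocs and the MySQL data folders were deleted says the account the attacker ended up as could write to both. The script below is an added example, not anything posted in this thread, that audits exactly that: it lists everything under the web tree and the MySQL data directory that is world-writable or owned by the web server account, and checks that the data directory belongs to the mysql user. The user name "apache", the paths /var/www/html and /var/lib/mysql, and the owner "mysql" are assumptions for a Red Hat 9 style install; pass your own values.

```shell
#!/bin/sh
# Added example (not from the thread): audit what the web-server account can
# alter under the web tree and the MySQL data directory.
# Assumed names, not given in the thread: httpd runs as "apache", the tree is
# /var/www/html, the data directory is /var/lib/mysql and is owned by "mysql".
set -u

# world_writable DIR...  -> prints every entry that any local account can write to
world_writable() {
    find "$@" -perm -002 -print 2>/dev/null
}

# owned_by USER DIR...  -> prints every entry USER owns (and so can chmod, replace or delete)
owned_by() {
    user=$1; shift
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 2; }
    find "$@" -user "$user" -print 2>/dev/null
}

# owner_of PATH  -> owning user name, read from ls so it works on GNU and BSD alike
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# audit USER WEBROOT DATADIR  -> exit 0 only if USER owns nothing under either tree,
# nothing there is world-writable, and DATADIR belongs to mysql; prints each finding
audit() {
    user=$1 webroot=$2 datadir=$3 bad=0
    n=$(world_writable "$webroot" "$datadir" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || { echo "$n world-writable entries"; bad=1; }
    n=$(owned_by "$user" "$webroot" "$datadir" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || { echo "$n entries owned by $user"; bad=1; }
    [ "$(owner_of "$datadir")" = mysql ] || { echo "$datadir is not owned by mysql"; bad=1; }
    return $bad
}

# Run with "run" as the first argument to audit the assumed default locations.
if [ "${1:-}" = run ]; then
    audit apache /var/www/html /var/lib/mysql
fi
```

The point of the owner check is that a directory the httpd account owns is as good as world-writable to an attacker who gets code running as that account, whatever its mode bits say; the fix is for the tree to belong to root (or a deploy user) with only the specific upload directory writable by the server, and that directory served with script execution disabled.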

  Gaz 25 18:42 08 May 2004

Could you e-mail me (not the method really, since I'd rather not know) the possible exploit they may have used?

  Gaz 25 18:53 08 May 2004
  Gaz 25 19:48 08 May 2004

And not to mention that iptables is set up correctly.
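For comparison, here is what "set up correctly" usually means for a box that only serves web: a default-deny INPUT chain with stateful accept, port 80 open, SSH only from one management address, and dropped packets logged. This is an added example, not the ruleset from the thread; the management address is a parameter because the thread gives no addresses, and FTP is deliberately left closed (if it has to stay, open 21 and load ip_conntrack_ftp so the data connections match RELATED). The `-m state` match is the 2004-era syntax; current kernels accept it as an alias for `-m conntrack --ctstate`. The caveat the thread skirts around is in the rules themselves: port 80 is open to everyone, so anything that comes in through the PHP code on port 80 goes straight past this firewall, which is why the file-permission side matters as much as the packet filter.

```shell
#!/bin/sh
# Added example, not the thread's own configuration: default-deny INPUT policy
# for a single-purpose web host. DRY_RUN=1 prints the commands instead of
# applying them, which is also how the ruleset can be checked without root.
set -u

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# web_host_rules MGMT_IP  -> install (or print) the ruleset; MGMT_IP is the one
# address allowed to reach SSH (assumed, the thread names no addresses)
web_host_rules() {
    mgmt=${1:?usage: web_host_rules MGMT_IP}
    ipt -F INPUT
    ipt -P INPUT DROP                # anything not accepted below is dropped
    ipt -P FORWARD DROP              # this is a host, not a router
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT          # stateful: replies to our own connections
    ipt -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT        # the web service, open to the world
    ipt -A INPUT -p tcp --dport 22 -s "$mgmt" -m state --state NEW -j ACCEPT   # SSH from the admin host only
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    ipt -A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-DROP: "   # "port logging": what got dropped, rate-limited
}

# rule_count MGMT_IP  -> number of iptables commands the ruleset issues (dry run)
rule_count() {
    ( DRY_RUN=1; web_host_rules "$1" ) | wc -l | tr -d ' '
}

# Run with "apply MGMT_IP" as root to install; anything else just defines the functions.
if [ "${1:-}" = apply ]; then
    web_host_rules "${2:?management IP required}"
fi
```

Because policy is DROP and the accept rules are listed explicitly, adding a service later means adding a line here rather than hoping nothing else is listening; `DRY_RUN=1 ./rules.sh apply 192.0.2.10` shows the exact commands before they touch the live chain.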

  AcidBurn7uk 13:11 09 May 2004

I run my own web server on a Windows machine for testing purposes. I use Apache 2, and the latest versions of MySQL and PHP. Occasionally I open port 80 so friends and family can test sites to see how they run performance-wise. Since I started doing this there have been two attempted attacks on my machine, both successfully blocked by Norton Internet Security. This has managed to happen despite, like you guys, being paranoid security-wise. The only way to ever stop your puter getting hacked/attacked is not to have one! It will happen as long as computers are around. Remember, the software we use is designed by humans, so can easily be hacked by a slightly more intelligent human. When computers start the work, the software will simply be hacked by a slightly better computer! The joys of IT, eh!?

  Gaz 25 13:21 09 May 2004

Yup. I had ASP on it too. But I've sort of just removed it from my MIME lockdown, so it prevents that being run, as I have suspicions about ASP; PHP could be the same really.

I'm using a modified version of Apache, with extra MIME protection and system script protection. Though why it hasn't stood up is amazing.

My home network is rock solid, since all ports are stealthed and run stateful inspection.

But because it's a server it's a bigger target.

Anyway, as a result of this I checked for more Red Hat updates, and downloaded a few suggested updates rather than just keeping to the critical ones.

I checked the installed programs in Red Hat and deleted unneeded ones. I also created a webserver account with an extra-strong password, and now leave the server locked.

Updated the hardware firewall to the latest firmware.

Now if they get in this time, I will be astonished. I have just put port logging on too, so I can see.

Oh, and changed some security settings to block anyone trying to access areas of the website or server which could decrease security, such as HTTP headers where SERVER - anyone requesting these individually rather than visiting the site and letting the browser do it will be blocked.

  Forum Editor 13:46 09 May 2004

as your attacker Gaz 25. Every word that Taran says is true - I run many sites for clients, and I wouldn't think of running my own server for a moment.

Modern web hosting facilities are incredibly secure, and even they are successfully attacked on occasion. Nevertheless, they are as safe as you can get, and because they have many servers with inbuilt protection facilities the chances of your particular server being brought down are very slim.

A couple of years back I set up a web server in a corporate headquarters in Singapore for a Hong Kong financial institution. I was very much against running an in-house web server with online account-checking facilities, but the HK monetary authority insisted upon it, so I spent weeks flying back and forth to both Singapore and HK, faffing over this huge Compaq server, and worrying myself sick about security. We did just about everything possible to protect the server (and the back-end stuff) from external attack, and when we launched I spent two nights sitting up in an empty office tower, listening to the fans howling away, ready for the inevitable. Nothing happened; the server sailed on happily, and a week after launch I went home. Two weeks later the server was subjected to a massive attack in the middle of the night, and bless its heart, it came through unscathed, but it was a scary moment. Since then it has been OK, but the day will surely come, and I'm waiting for the call.

Maybe you should consider moving your site into a more secure hosting location - now that this has happened you'll be like me, you'll find yourself wondering when it's going to come again.

  Gaz 25 13:52 09 May 2004

Yep, you're correct. These people attacking sites must have nothing better to do. It's a shame, since it's a good learning curve setting up a webserver, and my attack was little compared to if they don't like you.

I've heard many stories about even protected servers having viruses dropped and remotely executed, and whole HDDs being deleted. Amazing stuff.

  AcidBurn7uk 14:14 09 May 2004

It's a real shame, these people have real talent and could be recruited by companies to make software more secure!!
