Solved

How to protect a vps server against virus and hacking?

Posted on 2014-12-01
8
304 Views
Last Modified: 2014-12-03
Hi

We have a Linux server (VPS) configured with WHM and cPanel in order to offer hosting services. There are more than 60 sites and everything used to be working very well, but since a few months ago we have had a lot of virus and hacking issues. I know these situations should be fixed by the datacenter, but we need to develop a strategy in order to prevent and/or correct those problems faster, and even before the datacenter does.

We would like your suggestions about a list of points to be performed during continuous monitoring in order to avoid these problems.

Thanks in advance.
Question by:dimensionav
8 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 40474317
Which virus? How did you find it?
0
 

Author Comment

by:dimensionav
ID: 40474434
Well, basically it has been malicious code (maybe I should call it malware) and defacement (like the attached image).

In other cases the hacker could get into WHM and create new hostings.
defaced.jpg
0
 
LVL 25

Accepted Solution

by:
madunix earned 334 total points
ID: 40474576
I use rkhunter and chkrootkit. I run them regularly.
Make sure you have a good recent backup, firewall protection, patches, updates, auditing and logging.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40474737
First rule of incident handling is not to lie to people trying to help you.
0
 

Author Comment

by:dimensionav
ID: 40474862
gheist:
I am sorry if I didn't explain myself correctly, but I believe "lie" does not fit in this conversation.
0
 

Author Comment

by:dimensionav
ID: 40475842
Madunix, how would you recommend doing the auditing and logging?
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 334 total points
ID: 40475876
I think it is essential to collect the logs of the various services on the server and analyse them carefully at periodic intervals. To log all commands run by a specific user, I would suggest you use audit logs via the "audit" utility; it works by allowing users to write rules that can log a wide variety of events. You can also configure more restrictive access on the server itself by deploying tools like psad and fwsnort with a firewall policy generated by APF.

Please refer to the following documents carefully before implementing them on the server.
Advanced Policy Firewall: http://www.rfxn.com/projects/advanced-policy-firewall/
PSAD: http://cipherdyne.org/psad/
fwsnort: http://cipherdyne.org/fwsnort/
Securing VPS: https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps
0
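A worked illustration of the audit-log analysis madunix describes, added here as an example and not code from the thread or from the audit project: it reconstructs the commands a given login user ran from raw auditd SYSCALL/EXECVE records, including the hex-encoded arguments auditd emits when an argument contains spaces. The audit rule, the uid 1001 and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict
# Audit rule assumed to be loaded (logs every execve under key "user-cmds"; the parser
# then filters on the login uid):  -a always,exit -F arch=b64 -S execve -k user-cmds
# Constructed sample in auditd's raw log format, not a real capture.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1417420800.101:2001): arch=c000003e syscall=59 success=yes exit=0 pid=3120 auid=1001 uid=1001 comm="wget" exe="/usr/bin/wget" key="user-cmds"
type=EXECVE msg=audit(1417420800.101:2001): argc=2 a0="wget" a1="http://example.invalid/x.txt"
type=SYSCALL msg=audit(1417420801.250:2002): arch=c000003e syscall=59 success=yes exit=0 pid=3121 auid=1001 uid=0 comm="chmod" exe="/bin/chmod" key="user-cmds"
type=EXECVE msg=audit(1417420801.250:2002): argc=3 a0="chmod" a1="777" a2="public_html"
type=SYSCALL msg=audit(1417420802.000:2003): arch=c000003e syscall=59 success=yes exit=0 pid=3122 auid=1000 uid=1000 comm="ls" exe="/bin/ls" key="user-cmds"
type=EXECVE msg=audit(1417420802.000:2003): argc=1 a0="ls"
type=SYSCALL msg=audit(1417420803.500:2004): arch=c000003e syscall=59 success=yes exit=0 pid=3123 auid=1001 uid=1001 comm="sh" exe="/bin/dash" key="user-cmds"
type=EXECVE msg=audit(1417420803.500:2004): argc=2 a0="sh" a1=2F746D702F782079
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')

def parse_record(line):
    """Split one raw auditd record into a dict; decode hex-encoded argv entries."""
    fields = {}
    for key, val in FIELD_RE.findall(line):
        if val.startswith('"'):
            val = val[1:-1]
        elif key[:1] == "a" and key[1:].isdigit() and re.fullmatch(r"(?:[0-9A-F]{2})+", val):
            val = bytes.fromhex(val).decode("utf-8", "replace")  # auditd hex-encodes args with spaces
        fields[key] = val
    return fields

def commands_by_auid(raw_log, auid):
    """Join SYSCALL and EXECVE records by event serial; return the commands run under auid."""
    events = defaultdict(dict)
    for line in raw_log.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL":
            events[m.group(1)]["syscall"] = rec
        elif rec.get("type") == "EXECVE":
            events[m.group(1)]["argv"] = [rec["a%d" % i] for i in range(int(rec["argc"])) if "a%d" % i in rec]
    out = []
    for serial in sorted(events, key=int):
        sc, argv = events[serial].get("syscall"), events[serial].get("argv")
        if not sc or not argv or sc.get("auid") != str(auid):
            continue
        out.append({"serial": int(serial), "as_root": sc["uid"] == "0",  # uid 0 but charged to login user
                    "command": " ".join(argv)})
    return out
```

The auid (audit uid) survives su/sudo, so a command that ran as root is still attributed to the login session that started it; that is why the filter uses auid rather than uid.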
 
LVL 10

Assisted Solution

by:Schuyler Dorsey
Schuyler Dorsey earned 166 total points
ID: 40476109
You should look to do defense in depth.

An example program you can look into installing is Artillery from TrustedSec. Artillery can proactively block several different styles of attack.

https://www.trustedsec.com/artillery/

Also follow the above guides posted by madunix.

Then the two most important pieces:
1. Consider firing up another VPS which acts just as a firewall/web application firewall. Here is an example of an open source WAF: https://www.modsecurity.org/. Configure the traffic so that all traffic destined for the web server has to go through the WAF first. The WAF will be able to protect against many web application attack vectors, and also give you ACL capabilities.

Qualys also has a cloud WAF option: https://www.qualys.com/enterprises/qualysguard/web-application-firewall/

2. The key piece to remember here is web application security. You can secure the OS as much as you want, but if the web sites running on it are poorly coded, you are still open to attack. And with 60 sites running on the same VPS, the entire server is only as secure as the most insecure web site running on it. So 59 websites could be coded with best practices, but if that last website has security flaws, it causes everything to be compromised. So ensuring secure websites is going to be crucial to your success.
0
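Since the problem in this thread is defacement spread across 60 accounts, and the point above is that one weak site exposes the whole box, here is an added example (not from the thread or from any of the tools named in it) of a per-account file-integrity check that tells you which site changed and whether a new server-side script appeared. It assumes the cPanel layout /home/<account>/public_html and builds its own constructed sample tree.

```python
import hashlib
import os
import tempfile
# Assumed cPanel-style layout (this example is added here, not from the thread):
# /home/<account>/public_html is each account's document root.
WEB_EXEC_EXT = (".php", ".phtml", ".cgi", ".pl")

def snapshot(docroot):
    """Map every file under docroot (path relative to it) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, docroot)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_snapshots(baseline, current):
    """Return added / modified / removed paths, plus added files the web server would execute."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    new_exec = [p for p in added if p.lower().endswith(WEB_EXEC_EXT)]
    return {"added": added, "modified": modified, "removed": removed, "new_executable": new_exec}

def check_all_sites(home_root, baselines):
    """Compare every account's public_html with its stored baseline; list only changed accounts."""
    report = {}
    for account in sorted(os.listdir(home_root)):
        docroot = os.path.join(home_root, account, "public_html")
        if os.path.isdir(docroot):
            delta = diff_snapshots(baselines.get(account, {}), snapshot(docroot))
            if any(delta.values()):
                report[account] = delta
    return report

def run_demo():
    """Constructed sample: two accounts; siteB is then defaced and a script lands in its uploads dir."""
    home = tempfile.mkdtemp(prefix="home-")
    for acct in ("siteA", "siteB"):
        os.makedirs(os.path.join(home, acct, "public_html", "uploads"))
        with open(os.path.join(home, acct, "public_html", "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>")
    baselines = {a: snapshot(os.path.join(home, a, "public_html")) for a in ("siteA", "siteB")}
    clean = check_all_sites(home, baselines)          # nothing changed yet -> {}
    site_b = os.path.join(home, "siteB", "public_html")
    with open(os.path.join(site_b, "index.php"), "w") as fh: fh.write("defaced")
    with open(os.path.join(site_b, "uploads", "img.php"), "w") as fh: fh.write("<?php ?>")
    return clean, check_all_sites(home, baselines)
```

In production the baselines would be stored off the server (an attacker with write access to the docroot could otherwise rewrite them too) and refreshed only after a legitimate deploy.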