I have been trying to get some advice on securing my Linux server. It seems like dozens of hackers are trying to get in, and I guess some of them did get in, judging by the "secure log".

Does anyone have any suggestions on what I should do to prevent this?

I have my firewall set up and SELinux on. I installed fail2ban, so I guess they can't use the hacking dictionary thing to try to log on a million times to guess my password. Well, is there anything I should do?

All 3 Replies

First, I would identify what service (or services) was breached. SSH? FTP? If you do not need that specific service, shut it down and disable it for good.

Second, I would review your firewall rules and see how they got past them. Maybe SNORT would be a worthwhile addition?

Third, I would look up tutorials, how-tos and anything else I could find on "securing a linux server". Read as much as you possibly can. This should help take you in the right direction.

Of course, once steps 1 & 2 are done, I would format/reinstall and implement those changes from the beginning. Once hacked, it is very hard to tell whether your machine is clean and safe.
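To make the first step concrete (work out from the log which service was breached, from where, and who was guessing passwords), here is an added example that is not part of the reply above: a small POSIX shell script that triages a constructed /var/log/secure excerpt. The log lines, host name and addresses are made up for the example; the sshd "Failed password" / "Accepted password|publickey" message shape is what OpenSSH writes, and the vsftpd line is the usual pam_unix authentication-failure message.

```shell
#!/bin/sh
# Added example: triage a constructed /var/log/secure excerpt to answer "which
# service was breached, from where, and who was guessing passwords?".
# The log lines below are made up for the example, not taken from a real server.

SECURE_LOG=$(mktemp)
trap 'rm -f "$SECURE_LOG"' EXIT
cat > "$SECURE_LOG" <<'EOF'
Mar 14 02:11:03 host sshd[2141]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar 14 02:11:05 host sshd[2141]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Mar 14 02:11:09 host sshd[2143]: Failed password for root from 203.0.113.7 port 40130 ssh2
Mar 14 02:12:40 host sshd[2150]: Accepted password for root from 203.0.113.7 port 40188 ssh2
Mar 14 02:13:01 host sshd[2150]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 14 03:02:17 host vsftpd[2310]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser= rhost=198.51.100.23 user=ftp
Mar 14 08:30:12 host sshd[2401]: Accepted publickey for user1 from 192.0.2.10 port 51022 ssh2
EOF

# Which services logged authentication failures at all (sshd, vsftpd, ...).
# Field 5 is "program[pid]:", so everything before "[" is the service name.
services_with_failures() {
    awk '/Failed password for|authentication failure/ { split($5, svc, "["); print svc[1] }' "$1" | sort -u
}

# Failed SSH password attempts per source address, busiest first.
failed_by_ip() {
    awk '/Failed password for/ && match($0, /from [0-9.]+/) {
            n[substr($0, RSTART + 5, RLENGTH - 5)]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Every successful SSH login: service, user, source address.
# For "Accepted <method> for <user> from <ip> ..." the user is field 9, the IP field 11.
accepted_logins() {
    awk '/Accepted (password|publickey) for/ { split($5, svc, "["); print svc[1], $9, $11 }' "$1"
}

# Successful logins from an address that was also guessing passwords: the
# classic brute-force-then-success pattern that means "this account is owned".
# The file is read twice (NR == FNR on the first pass) so line order does not matter.
suspect_logins() {
    awk 'NR == FNR {
             if (/Failed password for/ && match($0, /from [0-9.]+/))
                 bad[substr($0, RSTART + 5, RLENGTH - 5)] = 1
             next }
         /Accepted (password|publickey) for/ && ($11 in bad) { print $9, $11 }' "$1" "$1"
}

echo "services with auth failures:"; services_with_failures "$SECURE_LOG"
echo "failed password attempts by IP:"; failed_by_ip "$SECURE_LOG"
echo "accepted logins:"; accepted_logins "$SECURE_LOG"
echo "SUSPECT (brute-forced, then accepted):"; suspect_logins "$SECURE_LOG"
```

On the sample data the last function reports that root was logged in by password from the same address that had just been guessing passwords, which is exactly the session the first step wants you to find; the second successful login (user1 by public key from a different address) is the kind you can usually explain. Point the functions at the real /var/log/secure to run the same triage on a live box.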

I found Belarc Advisor to be brilliant. It was on a Windows system, though; I don't know if they have a Linux version. But somewhere near the top it rates your security, and if you go in there a whole world of scary attacks can be shut down.

If you have tcp/22 (SSH) open to the Internet, edit /etc/ssh/sshd_config and add the following line, replacing user1 with your username:

AllowUsers user1

Save your changes, and restart sshd to apply them. This will only allow 'user1' to log in via SSH and SFTP; all others will be blocked, but keep in mind that this WILL NOT block any ATTEMPTS to brute force the service.

bruteforceblocker can also be used for this purpose - I use it on all of my production servers.

Of course, since I don't know much about your server or what service was compromised, I can't offer any specific suggestions or recommendations to follow. If you want to post more information, I'd be glad to offer some more suggestions.

Oh, and if the server was actually compromised, the standard best practices in this case would be to rebuild the box from scratch, as it can no longer be trusted. Even if you think it's safe, it's probably not...
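To show what the AllowUsers change above looks like next to a stock config, and to check it together with the two other settings a brute-forcer relies on, here is an added example that is not part of the reply above: a POSIX shell script that audits an sshd_config file. Both config files are constructed for the example; the parser is deliberately simple (first occurrence of a keyword wins, comments are skipped, parsing stops at the first Match block) and does not handle the "Keyword=value" spelling that sshd also accepts.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the AllowUsers restriction discussed
# above, plus the two settings most often left at their permissive value.
# Both config files below are constructed for the example.

WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

cat > "$WEAK_CFG" <<'EOF'
# stock-looking config: nothing restricts who may log in, passwords accepted
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

cat > "$HARD_CFG" <<'EOF'
# hardened: one named user, no root, keys only
Port 22
AllowUsers user1
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

# Print the value of a global keyword: first occurrence wins (as in sshd),
# keywords are case-insensitive, comments and blank lines are skipped, and
# parsing stops at the first "Match" block because everything after it is
# conditional. Simplification: "Keyword=value" syntax is not handled.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }' "$1"
}

# One line per finding; exit status 0 only when there are none.
audit_sshd_config() {
    cfg=$1; findings=0
    if [ -z "$(sshd_opt "$cfg" AllowUsers)" ] && [ -z "$(sshd_opt "$cfg" AllowGroups)" ]; then
        echo "no AllowUsers/AllowGroups: every local account is a valid SSH login target"
        findings=$((findings + 1))
    fi
    if [ "$(sshd_opt "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')" != "no" ]; then
        echo "PermitRootLogin not explicitly 'no': root is the first name every dictionary tries"
        findings=$((findings + 1))
    fi
    if [ "$(sshd_opt "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')" != "no" ]; then
        echo "PasswordAuthentication not 'no': a guessed password still gets a shell"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $cfg"
    audit_sshd_config "$cfg" && echo "ok: no findings"
done
```

On a real host, run `sshd -t` before restarting so a typo in the AllowUsers line cannot lock you out, and use `sshd -T` to dump the effective configuration (sshd itself then resolves defaults and Match blocks, which this script does not). As the reply says, none of these settings stop the attempts from arriving; they only make the attempts fail, and it is fail2ban or bruteforceblocker that quiets the log.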
