[Cialug] CentOS Security
Josh More
MoreJ at alliancetechnologies.net
Wed Mar 2 10:23:17 CST 2011
1) Yes it is. However, if they got in once, they can get in again. Harden as much as you can. Good tools: mod_security2, php-suhosin, greenSQL
2) Block all outbound stuff that you can. However, be aware that blocking port 80 will likely prevent you from pulling down updates.
Josh More | Senior Security Consultant - CISSP, GIAC-GSLC Gold, GIAC-GCIH
Alliance Technologies | www.AllianceTechnologies.net
400 Locust St., Suite 840 | Des Moines, IA 50309
515.245.7701 | 888.387.5670 x7701
Blog: Don't just blame the bad guys, it's your fault too
http://www.alliancetechnologies.net/blogs/morej
How are we doing? Let us know here:
http://www.alliancetechnologies.net/forms/alliance-technologies-feedback-survey
________________________________________
From: cialug-bounces at cialug.org [cialug-bounces at cialug.org] on behalf of L. V. Lammert [lvl at omnitec.net]
Sent: Wednesday, March 02, 2011 10:20
To: Central Iowa Linux Users Group
Subject: [Cialug] CentOS Security
We had a web server (the only services exposed are a few web server &
php, .. not even any ssl or sensitive data) go bonkers a few days
ago, .. it appeared to be running some sort of attack code generating
a humongous amount of outbound traffic on port 80 to a server in
Romania. After finally getting a login I could find nothing unusual,
and, upon rebooting, I could not locate any trace of a login on
the box nor any unusual changed files.
Two questions:
* Is it possible that the vector was a php attack that was memory
resident (and cleared on reboot)?
* Does it make sense to block *outbound* port 80?
Any suggestions would be appreciated, ..
Lee
_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug
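Worked example, added to this archived thread and not written by either poster: Josh's second point is to block what outbound traffic you can while keeping the update path open, and Lee's symptom was a flood of outbound port-80 traffic to one unknown host. The script below assumes the web server logs new outbound TCP connections with an iptables OUTPUT rule such as `iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j LOG --log-prefix "OUT80: "`, that the update mirror's address is known (198.51.100.7 here is an assumed placeholder in a documentation range), and all log lines are constructed for the example. It parses the kernel's iptables LOG format, totals connections and bytes per destination on port 80, and flags any destination that is not on the allow list and exceeds a connection threshold.

```python
"""Flag unusual outbound HTTP traffic from iptables OUTPUT log lines.

Added example, not from either poster in this thread. It assumes the web
server logs new outbound TCP connections with a rule such as
  iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j LOG --log-prefix "OUT80: "
and that the address of the yum update mirror is known, so it can be kept
on an allow list while every other outbound-80 destination is watched.
All log lines below are constructed for the example.
"""
import re
from collections import defaultdict

# Fields of the standard iptables LOG target, in the order the kernel writes them.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<len>\d+).*?"
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_iptables_log(text):
    """Return one dict per line that carries the LOG fields; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue  # ICMP entries and unrelated kernel messages have no SPT/DPT
        records.append({
            "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "spt": int(m["spt"]), "dpt": int(m["dpt"]), "len": int(m["len"]),
        })
    return records


def summarize_outbound(records, dport=80):
    """Count new TCP connections and logged bytes per destination on one port."""
    summary = defaultdict(lambda: {"connections": 0, "bytes": 0})
    for r in records:
        if r["proto"] == "TCP" and r["dpt"] == dport:
            summary[r["dst"]]["connections"] += 1
            summary[r["dst"]]["bytes"] += r["len"]
    return dict(summary)


def flag_anomalies(summary, allowed, max_connections):
    """Destinations not on the allow list whose connection count exceeds the threshold."""
    return sorted(
        dst for dst, stats in summary.items()
        if dst not in allowed and stats["connections"] > max_connections
    )


def _log_line(src, dst, proto, spt, dpt, length):
    """Build one constructed line in the iptables LOG format (sample data only)."""
    tcp_tail = " WINDOW=14600 RES=0x00 SYN URGP=0" if proto == "TCP" else ""
    return (
        f"Mar  2 09:58:01 web1 kernel: OUT80: IN= OUT=eth0 SRC={src} DST={dst} "
        f"LEN={length} TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO={proto} "
        f"SPT={spt} DPT={dpt}{tcp_tail}"
    )


UPDATE_MIRROR = "198.51.100.7"  # assumed address of the update mirror (documentation range)
SUSPECT = "203.0.113.9"         # constructed stand-in for an unknown remote host

# Constructed sample: two update checks, a burst of 25 connections to one
# unlisted host, and one DNS lookup that the port filter ignores.
SAMPLE_LOG = "\n".join(
    [_log_line("10.0.0.5", UPDATE_MIRROR, "TCP", 41000 + i, 80, 60) for i in range(2)]
    + [_log_line("10.0.0.5", SUSPECT, "TCP", 42000 + i, 80, 1500) for i in range(25)]
    + [_log_line("10.0.0.5", "192.0.2.53", "UDP", 43000, 53, 70)]
)


def report(text, allowed, max_connections=10):
    """Parse, summarize, and return (summary, flagged destinations)."""
    summary = summarize_outbound(parse_iptables_log(text))
    return summary, flag_anomalies(summary, allowed, max_connections)


if __name__ == "__main__":
    summary, flagged = report(SAMPLE_LOG, {UPDATE_MIRROR})
    for dst, stats in sorted(summary.items()):
        print(f"{dst:>15}  {stats['connections']:4d} conns  {stats['bytes']:7d} bytes")
    print("flagged:", flagged)
```

Run against real kernel log output (for example `grep OUT80: /var/log/messages`) the same functions work unchanged; the allow list is the place to record the mirror or proxy that updates come through, which is the exception Josh's reply warns about when tightening outbound rules.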