Originally Posted by starz677
I think I was acceptably careful and vigilant EXCEPT for ONE thing....UPDATES.
I have to admit I was very bad with doing updates and I'm thinking there's a high probability they got me that way. Sometimes I would go months between updates. Going forward, I'll turn on automatic updates.
Or... I installed a package that left the door open. I run a Watchguard Firebox in front of the server and it's tightened down pretty tight also.
My security consisted of ipblock (with a custom list of thousands of sites including all major proxies and hundreds of lesser known proxies. I also have a paid subscription that sends me about 150 newly discovered proxies daily and I add those daily.)
I also block all countries except for Canada and Australia because there is nothing on my server relevant to other countries.
fail2ban with all the usual filters plus a few.
A Watchguard Firebox hardware firewall that perma-blocks any attempt to connect to ANY port other than 80 or 443 instantly, plus provides the normal hardware firewall security such as packet filtering, spoofing detection, ICMP attacks, MIM attacks and a host of other tricks.
Firestarter set to block ALL outgoing packets.
So, however they did it, they did it via port 443 or 80.
For a long time here I had posted that my server was acting suspiciously but no one here believed it. Finally I got proof in the form of an obviously edited fail2ban jail.conf file where the haxor added an IP address to all the filters to exempt attacks from that IP address.
I can help you with that.
Do this: (open up a terminal and run sudo nano, paste in the code below)
Code:
#!/bin/bash
# A script to run Aptitude and install any upgrades automatically.
# Add this to /etc/cron.daily to run the script every 24 hours.
# cron runs with a minimal PATH, so set one that includes the sbin
# directories where aptitude lives.
PATH="$PATH:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin"
# Tell debconf not to attempt an interactive frontend; this prevents the
# "TERM is not set, so the dialog frontend is not usable." error.
export DEBIAN_FRONTEND=noninteractive
aptitude update
aptitude safe-upgrade -y
aptitude autoclean
Once completed, hit Ctrl+X to exit and save changes. Save the file as: autoupdate.sh
Do a ls -al to see your newly created file and permissions:
-rw-r--r-- 1 root root 361 2011-09-22 09:08 autoupdate.sh
You'll notice that this is not executable by default. In order for CRON to use this, we must make it executable for the Root user.
*NOTE* - If the bash script does not list (root | root) as it does in the ls -al command below run the following command:
sudo chown root:root autoupdate.sh
This changes group and user ownership to the Root group and Root user. By default, Root (Group and User) should own this bash script.
Type: sudo chmod +x autoupdate.sh
Run another command of: ls -al
-rwxr-xr-x 1 root root 361 2011-09-22 09:08 autoupdate.sh
Notice: Permissions have been updated.
Lastly, we move the bash script to the CRON folder(s).
sudo mv autoupdate.sh /etc/cron.daily
Want to check the logs to make sure that this is running? Run this command:
sudo tail -n 30 /var/log/aptitude (Adjust the #30 by the number of lines you'd like to see listed on the tail)
Example of this:
===============================================================================
[UPGRADE] apt 0.7.25.3ubuntu9.5 -> 0.7.25.3ubuntu9.6
[UPGRADE] apt-transport-https 0.7.25.3ubuntu9.5 -> 0.7.25.3ubuntu9.6
[UPGRADE] apt-utils 0.7.25.3ubuntu9.5 -> 0.7.25.3ubuntu9.6
[UPGRADE] landscape-common 11.02-0ubuntu0.10.04.1 -> 11.07.1.1-0ubuntu0.10.04.0
[UPGRADE] linux-headers-2.6.32-33 2.6.32-33.70 -> 2.6.32-33.72
[UPGRADE] linux-headers-2.6.32-33-server 2.6.32-33.70 -> 2.6.32-33.72
[UPGRADE] linux-image-2.6.32-33-server 2.6.32-33.70 -> 2.6.32-33.72
[UPGRADE] python-apt 0.7.94.2ubuntu6.2 -> 0.7.94.2ubuntu6.4
[UPGRADE] tzdata 2011g-0ubuntu0.10.04 -> 2011j-0ubuntu0.10.04
===============================================================================
To check for a specific package update for aptitude:
sudo cat /var/log/aptitude | grep -A 20 -B 20 php5 (this looks for the php5 package update).
All of my web servers run the unattended package update and I check the logs regularly. Hope that gives you some confidence in them getting patched automatically if you use a GUI based server.
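Two checks worth running after following the steps above (an added example, not code from the original post; the sample log lines are constructed): run-parts, which Debian and Ubuntu use to execute /etc/cron.daily, only runs files whose names consist of letters, digits, underscore and hyphen, so a name containing a dot is silently skipped, and the second helper pulls the [UPGRADE] lines out of an aptitude log in the format shown above so a package can be looked up without paging through the file.

```shell
#!/bin/sh
# Added example. Helpers for checking an /etc/cron.daily update job:
#  1. cron_daily_name_ok: run-parts executes only files whose basename
#     matches ^[A-Za-z0-9_-]+$, so "autoupdate.sh" would never run.
#  2. list_upgrades: print "package old new" for [UPGRADE] lines from an
#     aptitude log read on stdin (optionally for one package only).
#  3. count_kernel_upgrades: kernel image upgrades need a reboot to apply.

# Return 0 if run-parts would execute a file with this basename, 1 otherwise.
cron_daily_name_ok() {
    case "$1" in
        *[!A-Za-z0-9_-]*|'') return 1 ;;
        *) return 0 ;;
    esac
}

# Fields of an [UPGRADE] line: $1=[UPGRADE] $2=pkg $3=old $4=-> $5=new
list_upgrades() {
    pkg="${1:-}"
    awk -v want="$pkg" '
        $1 == "[UPGRADE]" && (want == "" || $2 == want) { print $2, $3, $5 }
    '
}

# Count upgraded linux-image-* packages in the log read on stdin.
count_kernel_upgrades() {
    list_upgrades | awk '$1 ~ /^linux-image-/ { n++ } END { print n+0 }'
}

# Constructed sample log lines in the format shown in the thread.
SAMPLE_LOG='[UPGRADE] apt 0.7.25.3ubuntu9.5 -> 0.7.25.3ubuntu9.6
[UPGRADE] linux-image-2.6.32-33-server 2.6.32-33.70 -> 2.6.32-33.72
[UPGRADE] tzdata 2011g-0ubuntu0.10.04 -> 2011j-0ubuntu0.10.04
[INSTALL] some-package 1.0'

if cron_daily_name_ok autoupdate.sh; then
    echo "autoupdate.sh: run-parts would execute it"
else
    echo "autoupdate.sh: skipped by run-parts (rename it to autoupdate)"
fi
printf '%s\n' "$SAMPLE_LOG" | list_upgrades tzdata
printf 'kernel image upgrades: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_kernel_upgrades)"
```

On a live system replace the constructed SAMPLE_LOG with `sudo cat /var/log/aptitude | list_upgrades php5`.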