
Dedicated Server Status : Hacked


alvaroag
31-05-2015, 18:02
To prevent this from happening again:

- Put a firewall on your server. On Linux, I recommend Shorewall. Anyway, configure it in the most restrictive way you can for incoming connections (outgoing may not be a real risk), opening only ports you really need, and dropping any other traffic.
- Use a strong password. That is, at least 12 characters, mixing three of the following groups: uppercase, lowercase, numbers, symbols.
- Depending on how many places you manage your server from, you can consider disabling password authentication, replacing it by public key authentication. I read somewhere it is also possible to use dual factor authentication with password & public key.
- Google Authenticator can also be a good idea to use double factor authentication. But I've had issues with it in the past, it would no longer authenticate until I rebooted my server.
- Constantly monitor failed logins on your server, so you can build a blacklist. I do it this way, and reduced login attempts from 10000+ to 500 in a day. I recommend blacklisting entire subnets, you can check it via WHOIS information.
- Some consider changing the SSH port a good idea. It certainly helps.
- Be careful with the apps you install. Ensure they don't have any considerable security risk. Some apps may not be run as root.
- An IPS/IDS can also be a good idea.

On your server, just reinstall it. If you reboot it into normal mode, you will be forced to reinstall it, because the hacker/bot may have installed some rootkit there. So just reinstall it after backing up your data.
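The "monitor failed logins and build a blacklist" step above is the one that is easiest to get wrong by hand, so here is a worked example of it. This is an added illustration, not code from the poster or from OVH: it parses the standard OpenSSH "Failed password" lines from a syslog-style auth.log, counts attempts per source address and per network, and emits drop rules for networks that pass a threshold. The log excerpt is constructed sample data (documentation-only address ranges), the /24 grouping is an assumption standing in for the WHOIS lookup the post recommends (real allocations can be larger or smaller), and the `iptables` rule shape is just one of several ways to feed a firewall.

```python
"""Aggregate failed SSH logins into a subnet blacklist (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample auth.log excerpt, in the syslog format OpenSSH uses on
# Debian/Ubuntu. Addresses are from RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
May 31 11:58:01 host sshd[2101]: Failed password for root from 198.51.100.7 port 51234 ssh2
May 31 11:58:03 host sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
May 31 11:58:05 host sshd[2105]: Failed password for root from 198.51.100.9 port 41002 ssh2
May 31 11:58:09 host sshd[2107]: Failed password for invalid user test from 198.51.100.44 port 41010 ssh2
May 31 11:58:12 host sshd[2109]: Accepted publickey for deploy from 203.0.113.5 port 50000 ssh2
May 31 11:58:15 host sshd[2111]: Failed password for invalid user oracle from 203.0.113.5 port 50010 ssh2
May 31 11:58:20 host sshd[2113]: Failed password for root from 192.0.2.200 port 60000 ssh2
May 31 11:58:21 host sshd[2115]: Failed password for root from 192.0.2.200 port 60001 ssh2
May 31 11:58:22 host sshd[2117]: Failed password for root from 192.0.2.200 port 60002 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_logins(log_text):
    """Return a list of (user, source_ip) tuples, one per failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("ip")))
    return events


def count_by_ip(events):
    """Failed attempts per source address."""
    return Counter(ip for _, ip in events)


def count_by_subnet(events, prefix=24):
    """Failed attempts per network; /24 is an assumed stand-in for WHOIS data."""
    counts = Counter()
    for _, ip in events:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        counts[str(net)] += 1
    return counts


def build_blacklist(events, threshold=3, prefix=24, allow=()):
    """Networks with at least `threshold` failures, minus allow-listed ones.

    Put the networks you administer from in `allow` so a typo in your own
    password never locks you out of the server.
    """
    allowed = [ipaddress.ip_network(a) for a in allow]
    blacklist = []
    for net_str, n in sorted(count_by_subnet(events, prefix).items()):
        net = ipaddress.ip_network(net_str)
        if n < threshold or any(net.overlaps(a) for a in allowed):
            continue
        blacklist.append(net_str)
    return blacklist


def iptables_rules(networks, chain="INPUT"):
    """One DROP rule per network; insert at the top so it wins over ACCEPTs."""
    return [f"iptables -I {chain} -s {net} -j DROP" for net in networks]


if __name__ == "__main__":
    evts = parse_failed_logins(SAMPLE_AUTH_LOG)
    print("per IP:    ", dict(count_by_ip(evts)))
    print("per /24:   ", dict(count_by_subnet(evts)))
    # 203.0.113.0/24 is treated as the admin's own network here.
    for rule in iptables_rules(build_blacklist(evts, threshold=3, allow=("203.0.113.0/24",))):
        print(rule)
```

On a real server you would feed `/var/log/auth.log` (or `journalctl -u ssh`) into `parse_failed_logins`, run it from cron, and persist the resulting set with `ipset` or your firewall's blacklist file rather than re-adding rules each pass; tools such as fail2ban automate exactly this loop if you would rather not maintain the script.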

GreGg
31-05-2015, 12:14
just received this in my email and my dedicated server is now in OVH anti-hack rescue mode...

Your server has been started in rescue mode so you
can recover your data.

You only have FTP access read-only with the following
login details:
- Username: *******
- Password: *******

my real question is how to prevent this kind of activity from happening in the future?

(ns305334.ip-94-23-217.eu)