#1
OK, I guess I am a newbie, but whatever. I am on the VPS and have been for a year with no problems; however, I guess someone decided to report their site to search engine people, and now my server is under constant attack.
The price of a successful site is that the lions, tigers and bears (Nigeria, China, Russia hackers) will come and try to tear it apart, or at the very least exploit it to their own advantage. I am no hacker and definitely not a webmaster for that matter, but the repercussions of the lions, tigers and bears in only the last 4 days have been multiple down times where the server needs a restart, blacklist reference and five spam authorities, and 2 phishing pages that resulted in my account getting suspended. I take full responsibility for being ignorant of the dangers in the forest. Now that I am starting to develop some sites that are worthwhile, I am scared, because I could really lose thousands of dollars over these mistakes. Where can I find the references to take my understanding of Apache and web server security to the next level, as I want to be confident that not only the application web sites are well designed and secure but that the server itself is secure? Thanks in advance.
#2
If you are on a VPS plan that includes fully managed support, then WHB Support should take care of security updates for you. That would include Apache, if I understand correctly how the managed support works.
It sounds, though, as if you had some scripts or boards installed that were not entirely secure, which allowed spammers and phishers access. You would have to learn how to secure those, or to choose better, more secure ones.
__________________
I am not WHB staff and I am not paid. I provide help in these forums on my own time.
#3
There are no software level issues with Apache/PHP etc.; we take care of that for you. It sounds like script/application level security issues, which is something you have to be careful with, and careful what your clients can install.
You can force Fantastico script updates etc from your WHM.
__________________
Matt R. WHB Chief Ninja
#4
Well, thanks for the info, but how then do I go about getting rid of the problem once you get it? Both of you have other people developing on your machines, and I am sure they are always doing silly things, thus you get attacked. How do you go about removing it? Delete the accounts and start again? I am seriously asking here, because I still have the problem.
I have gone through this email issue round and round with tech support and am so confused how it is happening. Tech support already said they have stopped emailing from those who don't have accounts on the server, but then today I open the mail queue and there they are again: 1000 messages sent to 20 addresses apiece, clogging the mail system. It's the damn secure@commonwealth.netbank.com.au. The craziest thing is that the server is sending them back when they aren't deliverable. I am going to delete every single account today and start over to see if that helps. I have manually blocked the IP senders' messages; it seems to stop, but then they just seem to route somewhere else and start their attacks all over again. Anyway, if it is an insecure script, then I should delete all the accounts and start over, or will those lions, tigers and bears just come growling back and exploit the same thing? I really don't even know how to diagnose which account is the vulnerable one. Any ideas would be greatly appreciated.
#5
If any of your accounts use form-to-mail scripts, delete them until you learn how to choose more secure ones and how to install them for maximum security.
__________________
I am not WHB staff and I am not paid. I provide help in these forums on my own time.
#6
Wow, what are you doing up, or where in the world are you, Alen B.? OK, I am going through all the sites now and will start changing all passwords and things.
What do you think of PuTTY? Is there anything special I should know in terms of securing it?
#7
Deleting all of your accounts is a little extreme, but maybe not if you don't know where to start looking for these issues. The problem is, if there is an insecure script, it will just get exploited again and now you've wasted time removing & re-adding accounts.
The mail log can tell you where these emails are being sent from (/var/log/exim_mainlog), and you can then take appropriate action - whether the offender is an actual user sending spam, or if it is an exploited script. Either way, you want to stop it ASAP or your sending IP will quickly be blacklisted. You can watch the mail log in real time, or search it for specific message IDs to get additional information on a particular email that went out. The option is always there to purchase Premium support, where one of our techs can help you do a thorough audit and let you know exactly what is going on and why. Not really trying to sell you on it, just letting you know the option is available and may be a time/money saver for you.
__________________
Wayne R WebHostingBuzz.com Be sure to check out our wiki for common support queries, tips, and tutorials.
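What the mail-log search described in post #7 can look like in practice, as an added example that is not from any poster or from WebHostingBuzz: it tallies which directories invoke sendmail, which local accounts submit mail, and how many remote recipients each message ID reaches. It assumes Exim's default main-log layout with the `arguments` log selector enabled (which produces the `cwd=` lines); the sample lines, account names and the `summarize` function are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the Exim main-log layout (not taken from the thread).
SAMPLE_LOG = """\
2009-03-02 04:11:07 cwd=/home/acct1/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2009-03-02 04:11:07 1LdA2x-0003Qk-7f <= acct1@vps.example.com U=acct1 P=local S=2211
2009-03-02 04:11:09 1LdA2x-0003Qk-7f => a@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2009-03-02 04:11:09 1LdA2x-0003Qk-7f -> b@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2009-03-02 04:11:10 1LdA2x-0003Qk-7f ** c@example.org R=lookuphost T=remote_smtp: SMTP error from remote mail server
2009-03-02 04:11:12 cwd=/home/acct1/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2009-03-02 04:11:12 1LdA3b-0003Qq-9a <= acct1@vps.example.com U=acct1 P=local S=2198
2009-03-02 04:11:13 1LdA3b-0003Qq-9a => d@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2009-03-02 04:12:40 cwd=/home/acct2/public_html 3 args: /usr/sbin/sendmail -t -i
2009-03-02 04:12:40 1LdA5c-0003R1-1b <= acct2@vps.example.com U=acct2 P=local S=901
2009-03-02 04:12:41 1LdA5c-0003R1-1b => e@example.com R=lookuphost T=remote_smtp H=mx.example.com [192.0.2.20]
2009-03-02 04:13:02 1LdA6d-0003R9-4c <= someone@example.org H=mail.example.org [198.51.100.7] P=esmtp S=1500
2009-03-02 04:13:02 1LdA6d-0003R9-4c => acct2 <info@acct2.example> R=localuser T=local_delivery
"""

CWD = re.compile(r"^\S+ \S+ cwd=(\S+) \d+ args: ")
MSG = re.compile(r"^\S+ \S+ (\w{6}-\w{6}-\w{2}) (<=|=>|->|\*\*) (\S+)(.*)$")
LOCAL = re.compile(r"\bU=(\S+) P=local\b")

def summarize(log_text):
    """Tally script directories, local senders, remote recipients and failures."""
    scripts, users, rcpts, failed = Counter(), Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = CWD.match(line)
        if m:  # directory a sendmail call was made from: points at the script
            scripts[m.group(1)] += 1
            continue
        m = MSG.match(line)
        if not m:
            continue
        msg_id, flag, _addr, rest = m.groups()
        local = LOCAL.search(rest)
        if flag == "<=" and local:  # message submitted by a local account
            users[local.group(1)] += 1
        elif flag in ("=>", "->") and "T=remote_smtp" in rest:
            rcpts[msg_id] += 1  # one outbound recipient delivered
        elif flag == "**":
            failed[msg_id] += 1  # permanent delivery failure
    return scripts, users, rcpts, failed

if __name__ == "__main__":
    for name, tally in zip(("cwd", "user", "rcpts", "failed"), summarize(SAMPLE_LOG)):
        print(name, tally.most_common(3))
```

On the server, pass the contents of /var/log/exim_mainlog instead of `SAMPLE_LOG`; a directory under one account's public_html that dominates the cwd tally is the script to inspect first.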
#8
Hey NoLimit
Let's take a step back, and see what we can figure out.

First, from a domain level, disable generic MX accounts. In other words, make sure that only mail sent to REAL eMail addresses gets through. If you must have a "catch all" mail account, make it something that you don't link to your main inbox.

Now, make sure SpamAssassin is turned on. You should have 10 levels; if it's on, increase the level. If it's not on, start with level 3, and increase to 5, 7, and 10 until you can see what gets rid of most of the spam without creating false positives.

Make sure that any of your scripts use some kind of session naming techniques to prevent basic attacks of that sort. In other words, instead of having a login script set $_SESSION['login'] = true; try hashing the person's IP address, and use that instead of "true". It's an easy way to make sure that the person loading the page is most likely who logged in.

Use a captcha on form eMail pages, or at least something that will keep robots from really obviously sending mails. You can make a very simple captcha by creating just 5 or 10 images with a few letters on them, warped a bit, and numbering them, and having the script randomly select one, and check the user's input against what you have recorded for it. There are also several good captcha libraries and APIs, such as ReCaptcha, which is a pretty cool project.

Turn off directory indexing, set a logical 404 page, and verify eMail addresses of people who register.

If you have any more questions, let us (or me) know. Hope that helps a bit!
-OmniUni
__________________
http://d-site.net/