Linux - hack proofing?

John Adams
Retired
Posts: 9684
Joined: Thu Jul 26, 2007 6:27 am
EQ2Emu Server: EQ2Emulator Test Center
Characters: John
Location: Arizona

Linux - hack proofing?

Post by John Adams » Sun Dec 14, 2008 4:01 pm

My web host (a friend of mine) just discovered his ROOT account password somehow got changed; he did not change it, nor did I. So there is suspicion that "something" did... but we cannot figure out what. The net result after looking through logs was him hitting the ceiling at the hundreds of thousands of "hack attempts" (much like mine noted in the other rant thread) to gain access to his SFTP services. Now, he has disabled any and all FTP/SFTP, which basically renders me unable to update squat anymore remotely...
So the question to the Linux experts out there - first off, is there something on Linux that can be run to prevent these assholes from continually trying IDs/passwords, like after 'x' attempts, block the IP completely? And just keep adding to this block list until every f**king IP in Russia, Korea and China is blocked? :D
Secondly, how hack-proof IS Linux? (Fedora Core 6 at least) I understood Linux was hard as hell to hack into, but somehow our root pwd got changed - and unless his cats learned how to type, it wasn't from within his walls.
Of course he has the standard hardware firewalls in place, but if you poke a hole for ports 21/22, people will try to break in (because after all, it's their right to use your shit, RIGHT?... calming...) so firewalls aside... any way to stop this from happening?
Thanks for any info.

LethalEncounter
Team: Zombie
Posts: 2717
Joined: Wed Jul 25, 2007 10:10 pm

Re: Linux - hack proofing?

Post by LethalEncounter » Sun Dec 14, 2008 4:09 pm

John Adams wrote:My web host (a friend of mine) just discovered his ROOT account password somehow got changed; he did not change it, nor did I. So there is suspicion that "something" did... but we cannot figure out what. The net result after looking through logs was him hitting the ceiling at the hundreds of thousands of "hack attempts" (much like mine noted in the other rant thread) to gain access to his SFTP services. Now, he has disabled any and all FTP/SFTP, which basically renders me unable to update squat anymore remotely...
Enabling a root account for FTP is a no-no. Not sure if that is what got him, but that's what it sounds like.
John Adams wrote: So the question to the linux experts out there - first off, is there something on Linux that can be run to prevent these assholes from continually trying IDs/Passwords, like after 'x' attempts, block the IP completely? and just keep adding to this block list until every f**king IP in Russia, Korea and China is blocked? :D
Yup, ipchains/iptables 4tw :) You can do all kinds of cool stuff with it like not allow people who failed login attempts to connect to the server for xx time, or who make xx connections per minute/hour/etc.
John Adams wrote: Secondly, how hack-proof IS linux? (Fedora Core 6 at least) I understood linux was hard as hell to hack into, but somehow our Root pwd got changed - and unless his cats learned how to type, it wasn't from within his walls.
It is only as good as the security features you enable. Just like Windows, if you don't do common sense stuff like enable the firewall and get the latest security updates you will get owned sooner or later. You also have to keep hard to crack passwords on everything.
John Adams wrote: Of course he has the standard hardware firewalls in place, but if you poke a hole for ports 21/22, people will try to break in (because after all, it's their right to use your shit, RIGHT?... calming...) so firewalls aside... any way to stop this from happening?
Thanks for any info.
Definitely enable the linux software firewall (iptables).
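The "block the IP after x failed attempts" idea from this reply, worked through as an added example (not code from the thread): a POSIX shell script that counts sshd "Failed password" lines per source address and emits the iptables DROP rules for offenders, so they can be reviewed before being applied as root. The log lines are constructed samples in the format of Fedora's /var/log/secure (Ubuntu's /var/log/auth.log is the same), and the addresses are documentation-range placeholders.

```shell
#!/bin/sh
# Constructed sample log; real input would be: cat /var/log/secure
SAMPLE_AUTH_LOG='Dec 14 15:01:02 host sshd[2201]: Failed password for root from 203.0.113.5 port 4411 ssh2
Dec 14 15:01:04 host sshd[2201]: Failed password for root from 203.0.113.5 port 4411 ssh2
Dec 14 15:01:06 host sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 4419 ssh2
Dec 14 15:01:09 host sshd[2205]: Failed password for invalid user test from 203.0.113.5 port 4420 ssh2
Dec 14 15:02:10 host sshd[2210]: Failed password for john from 192.168.1.20 port 50112 ssh2
Dec 14 15:02:15 host sshd[2210]: Accepted password for john from 192.168.1.20 port 50112 ssh2
Dec 14 15:03:30 host sshd[2230]: Failed password for invalid user oracle from 198.51.100.77 port 3301 ssh2
Dec 14 15:03:31 host sshd[2230]: Failed password for invalid user oracle from 198.51.100.77 port 3301 ssh2
Dec 14 15:03:33 host sshd[2231]: Failed password for root from 198.51.100.77 port 3302 ssh2'

# failed_login_ips LOGTEXT THRESHOLD
# Prints "count ip" (most failures first) for every source address with at
# least THRESHOLD failed sshd logins. A single typo from the LAN stays below
# the threshold and is not listed.
failed_login_ips() {
  printf '%s\n' "$1" | awk -v limit="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      # the address is always the field after "from"
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      fails[ip]++
    }
    END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
  ' | sort -rn
}

# block_rules LOGTEXT THRESHOLD
# Emits, without executing, one iptables rule per offender. Inserting at the
# top of INPUT (-I) makes the DROP take effect before any ACCEPT rule.
block_rules() {
  failed_login_ips "$1" "$2" | while read -r count ip; do
    printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP   # %s failures\n' "$ip" "$count"
  done
}

# Stand-alone run: three or more failures gets an address blocked.
block_rules "$SAMPLE_AUTH_LOG" 3
```

For the connection-rate variant LethalEncounter mentions, the iptables `recent` module (`-m recent --update --seconds 60 --hitcount 4 -j DROP` after a matching `--set` rule) drops a source after four new SSH connections in a minute with no log parsing at all.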

John Adams
Retired
Posts: 9684
Joined: Thu Jul 26, 2007 6:27 am
EQ2Emu Server: EQ2Emulator Test Center
Characters: John
Location: Arizona

Post by John Adams » Sun Dec 14, 2008 4:21 pm

Lethalencounter wrote:Definitely enable the linux software firewall (iptables).
Is that the SELinux stuff I always disable when setting up a new OS? :D
As for my host buddy, it wasn't root for FTP, it was root for SSH (PuTTY logins for me to fiddle with stuff). For my sFTP stuff it was a user account for whatever domain I happened to be editing. Passwords are strong, like "1YouKn0w!". We're trying to figure out if any phpBB or WordPress modules somehow allow a backdoor to change a Linux server's root password - cuz honestly, we cannot understand how it could have happened.
I probably should have been applying OS updates regularly. Not sure he does that since he actually has a job and all. hah. But thanks for the info, ipchains & me go back a lonnnng way to when I first tried Linux (RedHat) back in god-knows, 1999 or so? I was so baffled then, I didn't touch Linux again for 7 years. :)

LethalEncounter
Team: Zombie
Posts: 2717
Joined: Wed Jul 25, 2007 10:10 pm

Post by LethalEncounter » Sun Dec 14, 2008 4:26 pm

lol, well it could have been a bad configuration that caused it. For instance, you should run all services as a non-privileged user. That way if something does have a backdoor in it, there is very little chance that they can cause much damage. Sometimes you have to live with a pain-in-the-ass security system to avoid people breaking your stuff :/

link2009
Retired
Posts: 390
Joined: Fri Aug 10, 2007 5:59 pm
Location: POrTal

Re:

Post by link2009 » Fri Dec 26, 2008 11:23 am

John Adams wrote:
Lethalencounter wrote:Definitely enable the linux software firewall (iptables).
Is that the SELinux stuff I always disable when setting up a new OS? :D
As for my host buddy, it wasn't root for FTP, it was root for SSH (PuTTY logins for me to fiddle with stuff). For my sFTP stuff it was a user account for whatever domain I happened to be editing. Passwords are strong, like "1YouKn0w!". We're trying to figure out if any phpBB or WordPress modules somehow allow a backdoor to change a Linux server's root password - cuz honestly, we cannot understand how it could have happened.
I probably should have been applying OS updates regularly. Not sure he does that since he actually has a job and all. hah. But thanks for the info, ipchains & me go back a lonnnng way to when I first tried Linux (RedHat) back in god-knows, 1999 or so? I was so baffled then, I didn't touch Linux again for 7 years. :)
It's not so much Linux or Windows or any other operating system out there but, like LE stated, it's your configuration. SELinux is the equivalent to User Control Access in Windows Vista; all it does is allow certain users to use certain applications based on access privileges. Now the SuSE firewall is equivalent to the Windows Vista Firewall (Security Center) in the sense that it restricts access to certain ports and applications on your computer.

Updates are not always necessary, like you said a long time ago...If it ain't broke, don't fix it. (Unless it's a security issue).

Don't allow root access through SSH or FTP or any other web-based service because remote attacks and exploits are prone to happen. Use root through "su" (Super-User mode) or allow specific access through sudo (Super-User Do). I suspect that your root password got leaked or your friend is playing a joke on you. :lol:
-Vecinu de la Patru
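The "no root over SSH, escalate with su or sudo" advice above as an sshd_config fragment, added here as an example and not taken from the thread: the weak setting that matches the setup John Adams describes (root logging in directly with a password through the open port 22) beside the corrected one. The account name john and the 192.168.1.0/24 LAN are placeholders.

```text
# /etc/ssh/sshd_config

# Weak: the root account itself accepts password logins from anywhere that can
# reach port 22, so every guess in the log is a guess at root.
PermitRootLogin yes

# Corrected: root never logs in directly. A named admin account logs in and
# escalates with su or sudo, so the root password is never exposed to sshd.
PermitRootLogin no
# Only the listed accounts may log in at all; the second pattern restricts
# john to the LAN (user@host patterns are supported by AllowUsers).
AllowUsers john@192.168.1.*
# Cut the guesses per connection; the default is 6.
MaxAuthTries 3
```

Restart sshd after editing (on Fedora Core 6: service sshd restart), and keep an existing session open until a new login with the named account succeeds.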

John Adams
Retired
Posts: 9684
Joined: Thu Jul 26, 2007 6:27 am
EQ2Emu Server: EQ2Emulator Test Center
Characters: John
Location: Arizona

Re: Linux - hack proofing?

Post by John Adams » Sat Jun 13, 2009 3:29 pm

Ok, time for another "I can't figure this shit out" post from JA.

Calling all Linux experts ;) I was trying to (simply) set an .htaccess file up on one of my folders on my website, and for some reason, not getting the results I think I should get. Here's the current file content:


AuthName "My Test"
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
</Limit>
I thought this would deny even me trying to browse to the folder. I first started with an allow from 192.168.1. which is my internal network, and I got in ok. So I wanted to see what happened if I was blocked, and I still get into the site.

I have restarted httpd a few times, thinking it might need it - but I am pretty sure I understand .htaccess to be read on-the-fly and no need to restart services.

Do I need to set something in httpd.conf to make it use .htaccess?

LethalEncounter
Team: Zombie
Posts: 2717
Joined: Wed Jul 25, 2007 10:10 pm

Re: Linux - hack proofing?

Post by LethalEncounter » Sat Jun 13, 2009 4:45 pm

If you have AllowOverride None in your httpd.conf file, you cannot use .htaccess files. If it is set to None, change it to All.

http://httpd.apache.org/docs/1.3/howto/htaccess.html is a great place to start when configuring .htaccess files.
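The httpd.conf setting this reply points at, shown as an added example (not configuration from the thread or from the Apache project docs): the AllowOverride value that silently ignores the .htaccess file beside the one that honours it, followed by the .htaccess from John Adams's post with the LAN allow rule he started from. The DocumentRoot path and the "private" folder are placeholders; the syntax is the Apache 1.3/2.2 Order/Deny form used in the thread (Apache 2.4 replaces it with Require).

```apache
# httpd.conf

# Weak for this purpose: .htaccess files anywhere under the tree are ignored,
# so "deny from all" never takes effect and the folder stays reachable.
<Directory "/var/www/html">
    AllowOverride None
</Directory>

# Corrected: AllowOverride All (as suggested above) works; AuthConfig Limit is
# the narrower set that the directives in the .htaccess below actually need.
# httpd.conf changes need a restart; .htaccess is re-read on every request.
<Directory "/var/www/html">
    AllowOverride AuthConfig Limit
</Directory>

# /var/www/html/private/.htaccess
AuthName "My Test"
AuthType Basic
# Deny everyone, then allow only the 192.168.1.0/24 LAN. Note that <Limit>
# only covers the listed methods (HEAD counts as GET); other methods such as
# PUT or OPTIONS stay unrestricted, so for plain access control drop the
# <Limit> wrapper and let the rules apply to every method.
<Limit GET POST>
    Order deny,allow
    Deny from all
    Allow from 192.168.1.
</Limit>
```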

Image
Retired
Posts: 251
Joined: Sun Oct 26, 2008 10:07 am

Re: Linux - hack proofing?

Post by Image » Sat Jun 13, 2009 6:01 pm

I run Ubuntu - you should create regular accounts to run other applications. It is better for security and you can monitor them individually, e.g. top -u username

You can set up iptables as well. Always keep up to date with the latest patches as well, apt-get is your friend :D

John Adams
Retired
Posts: 9684
Joined: Thu Jul 26, 2007 6:27 am
EQ2Emu Server: EQ2Emulator Test Center
Characters: John
Location: Arizona

Re: Linux - hack proofing?

Post by John Adams » Sat Jun 13, 2009 6:11 pm

My dev server is Fedora 10, or 9. I built the VM just before giving Ubuntu a try. Love the latter for my firewall stuff. If I ever have to rebuild, I'll probably use Ubuntu again.

LethalEncounter
Team: Zombie
Posts: 2717
Joined: Wed Jul 25, 2007 10:10 pm

Re: Linux - hack proofing?

Post by LethalEncounter » Sat Jun 13, 2009 6:23 pm

Stay away from the 64-bit version unless you know what you are doing :P I had all kinds of issues with 64-bit Ubuntu before deciding to switch back to 32-bit.

John Adams
Retired
Posts: 9684
Joined: Thu Jul 26, 2007 6:27 am
EQ2Emu Server: EQ2Emulator Test Center
Characters: John
Location: Arizona

Re: Linux - hack proofing?

Post by John Adams » Sat Jun 13, 2009 6:27 pm

Yah I built an x64 MySQL server and after a few days went back to Fedora x64 physical machine. I blamed trying to run MySQL on a VM, but maybe it was the OS/platform.
