View Single Post
  #5   (View Single Post)  
Old 20th November 2012
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,505
Default

Instead of clamscan or a rootkit detector you could use aide to check the integrity of your server. This would rather be easy to use because you have physical access to the server.

I administer a FreeBSD server in a data center. One of the first things I did was creating a suitable pf.conf to protect the server itself for malicious incoming traffic and to prevent unauthorized outgoing traffic.

Other measures that I took
  • moved ssh to another port than 22
  • disabled ssh root logins
  • disabled ftpd
  • disabled inetd

I check the pflog logs on a regular basis. I see a lot of attempts to connect to MS SQL server, MS Remote Desktop Protocol, MS NetBios and whatever the current exploit of the week is
Also bots that try the telnet , mysql , DNS, imap, smtp, and 8080 ports.

The Apache error logs show a lot of probes for phpMyAdmin and Wordpress admin

Code:
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/_admin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/_myadmin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/_admin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/_admin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/admin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/admin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/admin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/dbadmin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/myadmin
[Sun Sep 02 14:47:41 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/mysqladmin
[Sun Sep 02 14:47:42 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpadmin
[Sun Sep 02 14:47:42 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmyadmin.old
[Sun Sep 02 14:47:42 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpMyAdmin
[Sun Sep 02 14:47:42 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmyadmin
[Sun Sep 02 14:47:42 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmyadmin1
[Sun Sep 02 14:47:42 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmyadmin2
[Sun Sep 02 14:47:43 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/php-my-admin
[Sun Sep 02 14:47:43 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmyadmin
[Sun Sep 02 14:47:43 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpMyAdmin
[Sun Sep 02 14:47:43 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/php-myadmin
[Sun Sep 02 14:47:43 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmy-admin
[Sun Sep 02 14:47:43 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/webadmin
[Sun Sep 02 14:47:44 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/mysqladmin
[Sun Sep 02 14:47:44 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/mysql-admin
[Sun Sep 02 14:47:44 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/wbsadmin
[Sun Sep 02 14:47:44 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpadmin
[Sun Sep 02 14:47:44 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpMyAdmin-2.11.4
[Sun Sep 02 14:47:45 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmyadmino-ld
By only running a static web server you already eliminate most of these attack possibilities.

I never bothered with securelevel.

At this moment I am looking into mod_security, an web application firewall. Rules for mod_security inspect the payload of the HTTP traffic and depending on the contents can block, log or deny such requests.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote