Server was hacked and needs to clean up

[renbenzhuyi]

The server was blocked (by MAC) so 'netstat -ltun' got nothing.

HTTPD and FTPD are open to internet. I was th only person who
uses SSHD at my office computer.

I'd highly recommend performing another new install. This time, before putting the box on the network, perform some basic hardening.

Post the results of netstat -ltun here after the fresh install.



Is the purpose of the box to provide those three services? If so, who (users / networks) should each be available to?

[renbenzhuyi]

Hi, could you please explain the following issues? Specifically how to do all these:
[*] Shell access is restricted/hardened.
[*] Packet filtering rules are appropriately set.
[*] MAC policies are correctly set.
[*] Suid binaries are disabled or somehow contained.
[*] Public services are hardened to great extent.
[*] Physical access is properly controlled.

Ok, you are asking about a hypothetical case (because it sounds to me like OP is running a box with several services wide open to the world). The ease at which it is getting cracked sounds like he has work to do.

Let me put it this way. If:

• All unused services are shut off.
• Shell access is restricted/hardened.
• Packet filtering rules are appropriately set.
• MAC policies are correctly set.
• Suid binaries are disabled or somehow contained.
• Public services are hardened to great extent.
• Physical access is properly controlled.
• (the theme here is that "Everything is denied unless specifically allowed")
• Auditing and logging is in place.

... then I think 99.9% of crackers will move on to a much easier target, unless you've really got something they want. Like anything in life, there is no perfect security solution. But you can increase the odds of protecting yourself so dramatically that you are not a good candidate to be targeted/compromised.

[anomie]

The server was blocked (by MAC) so 'netstat -ltun' got nothing.

I don't follow. You have MAC policies preventing netstat from doing its standard job?

HTTPD and FTPD are open to internet. I was th only person who
uses SSHD at my office computer.

...could you please explain the following issues? Specifically how to do all these...

Since you are the only person who requires ssh access, there should be firewall packet filtering rules in place that allow connections to tcp port 22 only from your client IP. And/or you should allow only pubkey authentication. And you should disable ssh protocol 1 and disallow root logins.

Since httpd and ftpd need to serve up the world, they will need to be hardened properly. A book could be written (and several have been) on this topic.

A couple basic ideas for httpd. You'll want to:

• Completely understand the (apache?) configuration directives you're using.
• Stay current with security updates.
• Blacklist abusers (with iptables or tcp_wrappers rules).

A couple basic points for ftpd. You'll want to:

• Allow only anonymous authentication.
• Serve up only non-sensitive files.
• Keep transfer directory on its own filesystem/partition.
• If your requirements include regular user authentication, then you should be looking at sftp (ssh subsystem) or require ftps (ftp over ssl) rather than plain-text logins.
• Stay current with security updates.
• Blacklist abusers.

I'm not going to get into MAC policies (not even sure what Mandriva admins prefer in that arena). That's another book.

My suggestion on suid binaries is that you search for them and remove the suid/sgid bit, unless you really need them for some reason.

Regarding packet filtering rules, if you want to post your finished ruleset here I am sure we'd be happy to review and offer suggestions.

As for physical access, the box needs to be in a trusted, secured location.

[renbenzhuyi]

I don't follow. You have MAC policies preventing netstat from doing its standard job? .

The super network administrator blocked the MAC address of this server.