If you run a web server you are under attack every day from automated probes against your ssh, ftp and web ports. These are a few of the things I do to curb their enthusiasm:
- Turn off plain ftp and telnet: both send passwords in clear text and have no business in the modern world.
- Change your ssh port from the standard 22. This only hides sshd from scanners that try port 22 alone, so treat it as a way to cut log noise rather than as hardening.
- Use long (16 characters or more) and different passwords. It is easy to think you have a great password and use it everywhere, but if it is ever discovered you will regret reusing it. Maintaining a list of different passwords is a pain, but it is a practice I follow these days.
- Make sure you are using the standard Linux firewall, iptables, and augment it with apf (Advanced Policy Firewall, a front end that manages the iptables rules for you).
- Optionally, use a brute force detection system like bfd (Brute Force Detection, which watches the auth logs and hands offending IPs to apf). I say optionally because I find that once you remove ftp and change your ssh port, bfd is less useful.
If you follow these basic steps you'll cut out 90+% of the attacks. However, I have found that once you move your ssh port, most of the action is on your http port 80, and this is where you need to focus. I have a simple script that looks for known patterns in the web access logs. What are known patterns? That depends on your system and applications, but requests for things like phpMyAdmin are a great place to start. phpMyAdmin is a useful program, but I restrict its use to just my IP address; it is too powerful to let other people even see it.
If you see a client trying to run a program they should not, such as phpMyAdmin, just block their IP address via apf or iptables. When it comes to server security I find it is best to act first and ask questions later. If there really is a reason why someone in China needs to access phpMyAdmin, you can add an exception to your script. Another common pattern is /etc/passwd, which turns up in path traversal attempts such as ?page=../../etc/passwd, frequently with the slashes percent-encoded, so match against the decoded request. If you study your web logs for a few minutes each day you quickly see things that don't fit with your applications. My script runs every five minutes and removes 5-20 IP addresses per day.
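The following is an added illustration of the kind of log-scanning script described above; it is not the author's script. It parses combined-format access log lines, URL-decodes each request target so percent-encoded traversal attempts are caught, skips an allowlisted admin address (the one IP permitted to use phpMyAdmin), and returns the offending client IPs together with the iptables commands that would block them. The log lines, the allowlist, the pattern list and the `min_hits` threshold are all constructed for the example; apf users would substitute apf's deny command for the plain iptables form.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample of combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:03:12:01 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:03:12:02 +0000] "GET /pma/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:03:15:44 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 5120 "-" "curl/7.68.0"
198.51.100.23 - - [10/Mar/2024:03:15:45 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 5120 "-" "curl/7.68.0"
192.0.2.10 - - [10/Mar/2024:03:20:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2024:03:21:13 +0000] "GET /about.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Hypothetical allowlist: the admin's own address, the only client allowed to touch phpMyAdmin.
ALLOWLIST = [ipaddress.ip_network("192.0.2.10/32")]

# Request-path patterns that have no legitimate use on this hypothetical site.
BAD_PATTERNS = [
    re.compile(r"phpmyadmin|/pma/", re.IGNORECASE),
    re.compile(r"/etc/passwd", re.IGNORECASE),
]

# Minimal parser for the combined log format: client address plus the request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def parse_line(line):
    """Return (client, target) for a well-formed log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("target")


def is_allowlisted(client):
    """True if the client address falls inside any allowlisted network."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        # Hostnames or garbage in the client field are never treated as trusted.
        return False
    return any(addr in net for net in ALLOWLIST)


def is_hostile(target):
    """Match known bad patterns against the percent-decoded request target."""
    decoded = unquote(target)
    return any(p.search(decoded) for p in BAD_PATTERNS)


def offenders(log_text, min_hits=1):
    """Return {client: hit_count} for non-allowlisted clients with at least min_hits hostile requests."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, target = parsed
        if is_allowlisted(client):
            continue
        if is_hostile(target):
            hits[client] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}


def block_commands(clients):
    """Plain iptables DROP rules, one per offending client, in a stable order."""
    return [f"iptables -I INPUT -s {client} -j DROP" for client in sorted(clients)]


if __name__ == "__main__":
    # Dry run: print the commands instead of executing them.
    for cmd in block_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

Run from cron every few minutes against the current log and pipe the output to a shell (or call apf) once you trust the pattern list; keep the allowlist under version control so an exception added for a legitimate user is not lost on the next run.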
It continues to amaze me how many times a day hackers try to break into servers on the web. The majority come from China and Russia, but there are still plenty of others in the USA and Europe. If you put a brand new server on the internet, I guarantee that within 24 hours you'll start to be flooded with break-in attempts, no matter where in the world it is. Nothing seems to stop the flood of ssh, email and web attacks.
What does surprise me is how poorly protected most default Linux installs are. One company I was chatting with recently decided to block all traffic from IP ranges allocated to China and Russia from day one. It may not be in the spirit of the Internet, but frankly I can understand why they did it. They certainly get fewer break-in attempts (blocking by address range is easy to route around, so it cuts the automated noise rather than stopping a determined attacker), and for their primarily US-based clients it does not seem to hamper their business.
Just imagine how much more we could do if these same people used their time more productively.