Securing Linux Mandrake 2

Status
Not open for further replies.

BiJae

Programmer
Oct 1, 2002
154
US
I installed a copy of Mandrake 9.1 on a web server recently. I took what steps I thought I knew how to secure it, changing all the default passwords to more secure passwords. Today when I came in there were two additional user accounts and my root password no longer worked. Ten minutes later the command line would not initiate from the KDE GUI. I'll be the first to admit I'm a novice, so any tips and tricks to lock down the server would be appreciated (or other distro for a quick web server).

I'm going to rebuild, after hours this evening.

Thank you,


"If the only prayer you said in
your whole life was, 'thank you,'
that would suffice."
-- Meister Eckhart
 
First off, turn off any service you are not using. Most important is remote login and telnet. Others will have their opinions, but for a web server I would have http, https and ssh but little else.

The answer is "42"
 
9.1 is quite old, I'm not sure that its urpmi updating tool will still even work. It certainly sounds like you were hacked, but before anyone can give more specific advice (beyond a newer version/distro), it would help to know how or why you might have been hacked - Is this machine directly on the internet? What services are running on it besides apache? Is the firewall enabled? When installing, what 'security level' did you set?
 
Other symptoms include two new user accounts, Support and Colasi. The site has not been disfigured in any way. I've been locked out of command line processes so I'm unable to back up my web files directly.

The security setting was set to standard. I had a firewall enabled at one point, but not sure if I modified it when trying to get SAMBA up to post files to the server.

The machine has a connection to the internet through our firewall with a NAT.

The other services I had installed were SAMBA, PHP, MySQL (for web stats) and Apache. That's about all I need. Actually, if I could get a better distro I'd be happy to. I tried to install UBUNTU; however, it's all command line and I'm too green right now. Had to do the upgrade in an afternoon from an old Windows box that was dying. I'd run Mandrake 9.1 before and had great success with it so... here I am... exposed...

Thank you,


"If the only prayer you said in
your whole life was, 'thank you,'
that would suffice."
-- Meister Eckhart
 
Ubuntu is no longer command line, so you may want to try that again. It installs from Live CD so you could use that for recovery as well.

But before you do that, get this machine off of the Internet! I would suggest that you use KNOPPIX or another Live CD to boot your system and copy your web files off to external storage. Then start your rebuild.

If you were using Mandrake 9.1, I have no doubt that a bot was able to compromise your Apache server install without any difficulty whatsoever. Probably within minutes of getting the machine on the net.

I would check what ports are forwarded on your router as well. If you are using NAT, someone had to define port 80 to redirect to your internal web server. And I would be suspicious of any of the other machines on the internal network. Run scans on them as soon as possible to be sure that they do not have any backdoors as well.


pansophic
 
I have been running a LAMP on Mandrake 9.1 since 2003 with no issues. I still run Apache 1.3 also.

Only use SSH. No VNC. No webmin. Don't allow port 22 from anywhere outside of your local network (only allow 80, and 443 depending if you use https over ssl). No FTP!!!

As far as a bot, I'd be surprised, but then again I don't know what all was running.

Ubuntu seems like a good distro. I have it installed on a drive at home, but I rarely use it. The install is very simple now.

Good luck,
Mark
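The two recurring pieces of advice in this thread (the first reply and Mark's: expose nothing but 22, 80 and 443) and the symptom that tipped the original poster off (unexpected accounts named Support and Colasi) can be turned into a small post-rebuild audit. This is an added example, not code from any poster; the netstat and passwd lines it runs over are constructed samples, and the baseline account list is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): flag listening TCP ports outside the
# web-server allowlist the replies recommend, and flag accounts that were not
# part of the install baseline or that carry UID 0 without being root.

ALLOWED_PORTS="22 80 443"

# Reads `netstat -tln`-style lines on stdin and prints each unexpected local port once.
unexpected_ports() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { split(allowed, a, " "); for (i in a) ok[a[i]] = 1 }
        $NF == "LISTEN" {
            n = split($4, f, ":"); port = f[n]      # local address is host:port
            if (!(port in ok) && !seen[port]++) print port
        }'
}

# Reads passwd-format lines on stdin; $1 is the space-separated baseline of
# expected account names. Prints unknown accounts and known non-root UID 0 accounts.
unexpected_accounts() {
    awk -F: -v base="$1" '
        BEGIN { split(base, b, " "); for (i in b) known[b[i]] = 1 }
        {
            if (!($1 in known)) print $1 " (not in baseline)"
            else if ($3 == 0 && $1 != "root") print $1 " (uid 0)"
        }'
}

# Constructed sample data standing in for `netstat -tln` and /etc/passwd.
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bijae:x:500:500::/home/bijae:/bin/bash
Support:x:0:0::/home/Support:/bin/bash
Colasi:x:501:501::/home/Colasi:/bin/bash'
BASELINE="root bijae"   # assumed: the accounts you created at install time

echo "Unexpected listening ports:"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_ports
echo "Unexpected accounts:"
printf '%s\n' "$SAMPLE_PASSWD" | unexpected_accounts "$BASELINE"
```

On the real box (as root) the same functions run as `netstat -tln | unexpected_ports` and `unexpected_accounts "$BASELINE" < /etc/passwd`; the SAMBA (139) and MySQL (3306) listeners in the sample are exactly the extras the replies say a bare web server should not expose.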
 
Thank you all for your responses. I've learned quite a bit through this, using a LIVE boot CD to get the files off the server, and which ports to lock down. I've rebuilt the server and will monitor closely over the next few days.

Thank you for the help!


"If the only prayer you said in
your whole life was, 'thank you,'
that would suffice."
-- Meister Eckhart
 