Server Compromise Issues

Wesker

Well-known member
We have ongoing issues with our server being compromised and need some assistance. While we have our host helping us along with other people in the community, we really need assistance on the security side. This is really crippling us and we're all going through a tough time here. We aren't sure how they got in and are hoping for additional solutions to ensure this doesn't happen again.

Here is what the host said: There are several OS system files that have been modified and we are not sure which files have been modified so that the hacker can get easy access. Using this, the hacker will still log in easily on the server with his own means and delete all the required data accordingly. The only option is to back up all the important data on your local end and reload the OS on the server.

So we are currently working on an OS reload.

1). What recommendations do you have for installations adding maximum security
2). Since they are getting into SSH, what do you recommend we do as a setup?
3). Anything else would be most appreciated.
 

Sheratan

Well-known member
Using an SSH private key is a good start. And also port 22 whitelisting to only your IP is the next option. Don't forget to disable root login via SSH. :)
 

Fred.

Well-known member
1). What recommendations do you have for installations adding maximum security
- Keep everything up to date at all times; install security updates ASAP.
2). Since they are getting into SSH, what do you recommend we do as a setup?
- Use 2FA on your SSH and use SSH keys (I use YubiKeys for 2FA)
3). Anything else would be most appreciated.
- Use 2FA everywhere
- Use strong and unique passwords
 

fly

Active member
They are yes. There are entry logs made in SSH.
Unless I'm missing something, the following can't both be true:
* Your IP is the only one whitelisted in the firewall for SSH
* The attackers are using SSH

So are you sure that you tested the whitelisting? Although the point is probably moot, as there is no way to guarantee the integrity of the server at this point without some serious forensics.
 

Wesker

Well-known member
So are you sure that you tested the whitelisting?
Server was already compromised and as far as I know yes, but it could very well not have been set up correctly.

Although the point is probably moot, as there is no way to guarantee the integrity of the server at this point without some serious forensics.
That will be one of the next steps.

Thank you.
 

Jim Boy

Well-known member
If the server is compromised - ditch it and move to a new one, you'll never recover.

On any new server always make sure your exposure is minimised, e.g. only ports 80 and 443 open to the public, use an SSH key with no password authentication and no root login, and keep your system up to date. Use a port scanning tool such as nscan to check for open ports. You could also consider an audit tool to verify
 

Marcus

Well-known member
Once a server is compromised, grab the data and ditch it. It's also possible that your web application has security holes.

1. You can set up a *server for web access* (80, 443) and forward requests to your XenForo server. Should cost no more than about 10 USD per month. Once you set up that server, either remove port 22 access or restrict port 22 access to the IP of the *XenForo server*.

2. Your *XenForo server* only allows 80+443 to your web access server, and 22 to your IP.
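To check the "only 80 and 443 open to the public" part of the setup Jim Boy and Marcus describe, here is an added example (not code from anyone in this thread) that reads `ss -ltnH` style output and reports listeners bound to a wildcard address that are not on an allow list. The `ss` lines are constructed for a hypothetical host, not taken from the poster's server.

```shell
# Constructed sample of `ss -ltnH` output (hypothetical host, not the poster's).
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*'

# exposed_ports "ALLOWED PORTS": read ss output on stdin and print, one per
# line, every port bound to a wildcard address (so reachable from any interface)
# that is not in the space-separated allow list.
exposed_ports() {
  allowed=" $1 "
  awk '{print $4}' | while IFS= read -r laddr; do
    addr=${laddr%:*}      # everything before the last colon: the bind address
    port=${laddr##*:}     # everything after the last colon: the port
    case "$addr" in
      0.0.0.0|'[::]'|'*') ;;   # wildcard bind: listens on every interface
      *) continue ;;           # loopback or a specific address: not public
    esac
    case "$allowed" in
      *" $port "*) ;;          # expected public service
      *) echo "$port" ;;       # unexpected public listener
    esac
  done
}

# count_exposed "ALLOWED PORTS": number of unexpected public listeners in SAMPLE_SS.
count_exposed() {
  printf '%s\n' "$SAMPLE_SS" | exposed_ports "$1" | wc -l | tr -d ' '
}
```

On a real host, pipe the live `ss -ltnH` output into `exposed_ports "80 443"` instead of the sample; note that this only shows what is listening, and the firewall whitelist for port 22 (the IP restriction in Marcus's step 1) has to be checked separately in the firewall rules.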
 

Tracy Perry

Well-known member
They are yes. There are entry logs made in SSH.
Restrict SSH to specific users only, and use GOOD passwords.

Burn the image for the OS out again. Use CentOS and install CentMin with it. It's a little harder than cPanel, and unless you know what you are doing you will want to use an outside service for mail.
You want to export your DB and place it in a location you can access later (like your PC) and then also make a list of all add-ons you currently use (as you will need to manually re-install the files - NOT using any automated process). Reinstall XenForo and either import the data or just import the old DB after making sure all your add-on files are present.
If the server is compromised - ditch it and move to a new one, you'll never recover.
Actually, no you don't have to "move to a new one"... all you need to do is burn the OS image back out and then make SURE that it is secured and good password/account practices are used.
You also need to make sure that you keep it updated (this is one thing that I find MANY supposed "system admins" fail to do).
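Sheratan, Fred, Jim Boy and Tracy Perry all land on the same sshd settings: key-only login, no root login, and SSH restricted to named users. The following is an added example (not code from anyone in this thread) that audits an `sshd_config` for exactly those points; both config files are constructed samples, and the `deploy` account in the hardened one is a placeholder.

```shell
# Two constructed sshd_config samples (hypothetical, not the poster's server):
# one weak, one hardened the way the thread suggests.
WEAK_FILE=$(mktemp)
HARDENED_FILE=$(mktemp)
cat > "$WEAK_FILE" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
EOF
cat > "$HARDENED_FILE" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy
MaxAuthTries 3
EOF

# sshd_setting FILE KEY: value of KEY from the last uncommented line that sets
# it (lower-cased), or "unset" when the directive never appears.
sshd_setting() {
  val=$(grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | tail -n 1 | awk '{print tolower($2)}')
  if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# audit_sshd_config FILE: print one finding per line; the return value is the
# number of findings. An unset PermitRootLogin is flagged on purpose: state it
# explicitly rather than rely on whatever the installed build defaults to.
audit_sshd_config() {
  n=0
  if [ "$(sshd_setting "$1" PermitRootLogin)" != "no" ]; then
    echo "PermitRootLogin is not 'no' (root must not log in directly)"; n=$((n+1)); fi
  if [ "$(sshd_setting "$1" PasswordAuthentication)" != "no" ]; then
    echo "PasswordAuthentication is not 'no' (keys only)"; n=$((n+1)); fi
  if [ "$(sshd_setting "$1" PubkeyAuthentication)" = "no" ]; then
    echo "PubkeyAuthentication is 'no' (key login must stay enabled)"; n=$((n+1)); fi
  if [ "$(sshd_setting "$1" AllowUsers)" = "unset" ]; then
    echo "AllowUsers is unset (restrict SSH to the accounts that need it)"; n=$((n+1)); fi
  return $n
}

# count_findings FILE: the same checks, printing the count for scripting.
count_findings() {
  count=0
  audit_sshd_config "$1" >/dev/null || count=$?
  echo "$count"
}
```

On a live server, run it against a file holding the output of `sshd -T` rather than the raw config, since that is the effective configuration after any included drop-in files are applied.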
 

Set3sh

Active member
Hello,

I see all of you talking about SSH, private keys, open-closed ports, 2FactorAuth.
Most of you are missing key aspects you don't find by running Google searches: a server is as secure as its weakest chain.

Should you need a security audit done by a system engineer, feel free to contact me.

Kind regards,
George.
 

Tracy Perry

Well-known member
I see all of you talking about SSH, private keys, open-closed ports, 2FactorAuth.
Most of you are missing key aspects you don't find by running Google searches: a server is as secure as its weakest chain.
Considering that he commented
They are yes. There are entry logs made in SSH.
It's a pretty good indicator that the intrusion point involved SSH at some point. The actual vector of attack is not answered (and can easily be a piss-poorly written add-on or script being run on the server) to the admin not keeping up with system updates (servers are NOT an install-and-forget type deal, contrary to what many amateur admins believe).
At this point, a security audit would serve no purpose other than showing where he/she screwed the pooch - the simplest thing for him to do is provision the server again THEN make sure he hardens it, keeps it updated and uses basic good security practices for securing the server.
 