1. Protecting access to the equipment.

Hopefully your servers are not located on a home PC, and this item is of paramount importance. If the server is located at home and there is no remote access to the equipment, you can simply skip this step.

Regardless of whether your server runs Linux or Windows, there will be remote access to the server in any case. On *NIX-type OSes the protection comes down to closing, changing or filtering the port of the authorization server. By default, the SSH server port on Linux platforms is 22. We strongly recommend changing the port to one from the higher ranges, making it harder to find. On Debian-like systems the SSH server configuration is located in the folder /etc/ssh/, file sshd_config.

The line we need to edit is:

 

# What ports, IPs and protocols we listen for
Port 22

As you guessed, you can specify any port you like. For example, you can specify 41552. Ports in the higher ranges complicate the port-probing procedure of malicious programs (mostly the script kiddies limit the search to port 8000, as the junk software they use configures it for them).

After changing the port, restart the SSH server.

Similarly, it would be nice to trick the hacker scanning your ports by slipping him a "fake" port that he will then brute-force.

This is done in exactly 3 clicks and will puzzle a hacker working on your "server".

 

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

After such actions, when connecting to the fake port the hacker will get the message:

 

connect to host 100nt.ru port 22: Connection refused
which gives the script kiddie the false impression that the port he found is not occupied by any application worth hacking.

Regarding Windows-like OSes, I have worked with them only a little and do not have much experience. I would still like to advise installing some proprietary firewall, for example one of the free ones: Comodo Firewall, wipfw and others.

2. Use the minimum necessary.

This point is most relevant for the Windows OS family. Do not use a "hacked" Windows OS downloaded from the Internet under the heading "Mega Windows" and so on. Be aware: if someone distributes a "crack", he does it not out of great feelings for "free software", but solely for his own purposes, since the services of botnets, proxies and other black topics will be relevant forever. Regarding minimum software: believe me, you should not put anything on the server that it does not need to function. There is no need to install on a Windows server a "program for VKontakte", "free online p**n", or even "Firefox". Know that each such program is another opportunity for the hacker to get access to your equipment. Regarding Linux systems, I hope no one uses them for purposes beyond the basic ones. A complete Java platform and MySQL are absolutely sufficient for a server's set of software to exist. Also, for Linux users: do not add third-party repositories to the lists of the package manager (apt-get), because nobody bears responsibility for the software stored in such repositories.

3. Analysis of access logs, or the fact of a hack is present.

If your server has been hacked, there is no need to despair. Your first action is certainly to cut the attacker off from the server, or from any access to it. How to do that is a much more difficult question. "Mothballing" the server to a local "bank" is very simple, but in fact it should keep working in other areas. Therefore we must determine how the attacker gained access to our equipment. We will consider the situation with exactly the proper amount of software installed on the server.

A. Analysis of Apache / nginx logs on hosting / server.
This is a very common method of penetration: perhaps a vulnerability exists on your site or forum that allows uploading their code. On different hostings the logs are located in different directories, but the hosters point this out in the letter with the account details. An important factor in the penetration is finding the malicious code on the hosting. If you have found at least 1 uploaded or modified file, consider the case in the bag; the attacker will be found just as easily. I hope you jotted the file name down in your notebook, and the search will be easy. If the web server is located on your VPS / dedicated server, then for example on a Debian-type OS the logs (by default) are stored in the directory /var/log/, in the folders apache2 and nginx according to the installed software. You just need to take the latest of the logs (access.log) and open it with a text editor. After that, we search the text for the name of the file uploaded or modified by the attacker. For example:

127.0.0.1 - [12/Jul/2010:06:31:00 +0400] "GET /public/min/shell.php" 200 69814 "http://la2.100nt.ru/shell.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.5.24 Version/10.53"

The log indicates that the IP address 127.0.0.1 accessed http://la2.100nt.ru/shell.php (we found this request by searching, for example, for the file named "shell.php").

The case is almost in the bag: we have identified the attacker's IP. Very likely this address was also used on the vulnerable script itself (because we need to find the source, not the result). So we boldly search for all requests from this IP address above that line (both GET and POST). Then, of course, you should know at least the basics of PHP to understand what the user was doing. You identify the vulnerable script (or the request to that script) and as a consequence can close the vulnerability (either by rewriting the vulnerable script or by adding filters).

The search can also be carried out another way: you can look at the last-modified dates of the files or folders in your web directory with a file browser, and then conclude whether you changed them at that time or the intruder did. After that you can search the logs by the modification date for the attacker's IP address and what he did on the server.

b. Analysis of server access logs - SSHD auth & MySQL auth.

There is a high probability that access to the server was gained through remote-access authorization (SSH) or likewise through the MySQL port.

An important point before reading what we have written: close these ports to everyone except you, and likewise to everyone except you and the site (for example the MySQL port).

So where does the SSH server store its authorization logs? The log is located at /var/log/auth.log (for Debian-like systems).

Having opened this log, you may well find out who logged in and when (unless the attacker has wiped the log!).

MySQL logs are stored in /var/log/mysql (if, of course, you have enabled them).

If the attacker is accessing MySQL at the moment you are present, you can identify his IP address using the netstat statistics:

netstat -na | grep 3306

Look in the list for all IPs other than yours and your site's.

C. Analysis of the server contents for a hack.

Most often, intruders are ruined by their greed. If the vulnerability was not established earlier, know that most likely the attacker uses the gameplay to accomplish his manipulations.

Tracking such people is not difficult; quite the opposite, in fact.

Put simply, you can run several SQL queries to analyze this type of individual.

select owner_id from items where item_id = '<most valuable item>' AND count > '<number>';

With such a query you can select a list of IDs of players who have a great deal of some item. For example, suppose you actually use a donate currency on the server (for example Coin of Luck, id 4037) and its equivalent is 1 coin = 1 WMZ. Realistically, it is unlikely that a bona fide donator has more than 100 (though not necessarily). The query takes the form:

select owner_id from items where item_id = '4037' AND count > '100';

With such a query we get a list of all the players who have more than 100 Coins of Luck. After that, you can search the database for the characters' nicknames and their accounts, and consequently their IP addresses (they are saved in the accounts table). So you can simply delete them and block the account and the IP address / network mask from accessing the server. Likewise, a query can select the players who have items with a very high enchant level, or one higher than the maximum.

select owner_id from items where enchant_level > '<max enchant level>';

Subsequent operations with this list are the same as with the coin.

4. Brief safety tips

a. Never use root access (administrator access for Windows) for projects. Learn to separate access rights.

b. After any fact of a break-in, once the vulnerability has been detected and eliminated, replace all server credentials, namely the SSH username and password (for Windows, the login details for remote access).

C. Do not use default logins (for example root, admin) or default ports.

D. Do not use software of dubious origin or obscure kinds of scripts (including cracks and nulled versions).

e. Analyze the logs at least once a week, for "prevention".

F. Do not entrust anyone with the authorization data for your server (SSH data, MySQL data, etc.).

I HAVE TO MENTION THAT I FOUND THIS POST ON THE NET AND THOUGHT IT WOULD HELP SOME GUYS LEARNING ABOUT SERVER PROTECTION!
Edited by Rio
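The access-log procedure in section 3.A (search for the dropped file name, note the source IP, then read every request from that IP that came before it, GET and POST alike, to find the script that was actually exploited) can be scripted rather than done by eye in a text editor. The following is an added example, not code from the post or from any project it mentions. The log lines, hostnames, paths and addresses in it are constructed for the example; the only thing taken from the post is the idea of pivoting from the known malicious file name to the attacker's earlier requests.

```python
import re
from datetime import datetime

# Constructed sample in Apache/nginx "combined" format. The host la2.example,
# the paths and the addresses are assumptions for this example, not real data.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [12/Jul/2010:06:28:12 +0400] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2010:06:29:40 +0400] "POST /forum/upload.php HTTP/1.1" 200 310 "http://la2.example/forum/upload.php" "Mozilla/5.0"
203.0.113.9 - - [12/Jul/2010:06:30:01 +0400] "GET /index.php HTTP/1.1" 200 8800 "-" "Opera/9.80"
198.51.100.7 - - [12/Jul/2010:06:31:00 +0400] "GET /public/min/shell.php HTTP/1.1" 200 69814 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2010:06:31:20 +0400] "POST /public/min/shell.php HTTP/1.1" 200 1200 "http://la2.example/public/min/shell.php" "Mozilla/5.0"
"""

# Client IP, timestamp, method, path and status of a combined-format line.
# The protocol version after the path is optional so that lines written
# without it (like the one quoted in the post) still parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def ips_touching(records, filename):
    """All source IPs that requested a path ending in the known malicious file."""
    return sorted({r["ip"] for r in records if r["path"].endswith("/" + filename)})


def timeline_for(records, ip):
    """Every request from one IP, oldest first (the 'look above that line' step)."""
    return sorted((r for r in records if r["ip"] == ip), key=lambda r: r["ts"])


def suspected_entry_points(records, filename):
    """For each IP that used the dropped file, list the POST targets it hit
    before the first request for that file: these are the candidate vulnerable
    scripts, i.e. the source rather than the result."""
    result = {}
    for ip in ips_touching(records, filename):
        tl = timeline_for(records, ip)
        first_hit = next(r["ts"] for r in tl if r["path"].endswith("/" + filename))
        result[ip] = [r["path"] for r in tl if r["method"] == "POST" and r["ts"] < first_hit]
    return result


if __name__ == "__main__":
    records = parse_log(SAMPLE_ACCESS_LOG)
    for ip, posts in suspected_entry_points(records, "shell.php").items():
        print(f"{ip}: POSTed to {posts} before first touching shell.php")
        for r in timeline_for(records, ip):
            print(f"  {r['ts']:%H:%M:%S} {r['method']} {r['path']} {r['status']}")
```

On a real server you would read `/var/log/apache2/access.log` (or the nginx equivalent) into `parse_log` instead of the constructed sample; the POST that precedes the first hit on the dropped file is the request to inspect first, and the script it targets is the one to fix or filter.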
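Section 3.b says to open /var/log/auth.log and find out who logged in and when. The post does not show how to do this beyond opening the file; the following is an added example of the two checks a defender usually wants from that log: accepted SSH logins from addresses that are not your own, and addresses that were refused several times and then accepted (a brute-force that succeeded). It is not code from the post or from any project; the log lines, hostname, PIDs and addresses are constructed for the example, and the Debian sshd message format is the only thing assumed.

```python
import re
from collections import Counter

# Constructed sample of Debian /var/log/auth.log sshd lines. Hostname, PIDs and
# addresses are assumptions for this example, not data from the post.
SAMPLE_AUTH_LOG = """\
Jul 12 06:20:01 la2srv sshd[2201]: Accepted publickey for deploy from 192.0.2.10 port 50122 ssh2
Jul 12 06:25:11 la2srv sshd[2290]: Failed password for root from 198.51.100.7 port 41001 ssh2
Jul 12 06:25:13 la2srv sshd[2290]: Failed password for root from 198.51.100.7 port 41001 ssh2
Jul 12 06:25:16 la2srv sshd[2290]: Failed password for root from 198.51.100.7 port 41001 ssh2
Jul 12 06:25:20 la2srv sshd[2301]: Failed password for invalid user admin from 203.0.113.9 port 53000 ssh2
Jul 12 06:25:31 la2srv sshd[2310]: Accepted password for root from 198.51.100.7 port 41002 ssh2
"""

# Matches "Accepted <method> for <user> from <ip>" and the matching "Failed"
# lines, including the "invalid user" variant for names that do not exist.
AUTH_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Accepted|Failed) (?P<auth>\S+) for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\S+) port \d+'
)


def parse_auth_log(text):
    """Return the sshd authentication events in the order they were logged."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def logins_from_unknown_ips(events, trusted_ips):
    """Accepted logins from any address that is not in your own allowlist."""
    return [
        (e["user"], e["ip"], e["ts"])
        for e in events
        if e["result"] == "Accepted" and e["ip"] not in trusted_ips
    ]


def brute_force_successes(events, threshold=3):
    """Addresses that failed at least `threshold` times and were later accepted.
    Relies on the events being in log order, which parse_auth_log preserves."""
    failures = Counter()
    flagged = []
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
        elif failures[e["ip"]] >= threshold:
            flagged.append((e["ip"], e["user"], failures[e["ip"]]))
    return flagged


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    for user, ip, ts in logins_from_unknown_ips(events, {"192.0.2.10"}):
        print(f"{ts}: '{user}' logged in from untrusted {ip}")
    for ip, user, n in brute_force_successes(events):
        print(f"{ip} failed {n} times, then logged in as '{user}'")
```

Run it against the real auth.log with your own addresses in the trusted set; the post's tip 4.b (rotate the SSH credentials after a break-in) applies to any account that shows up in either list.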
