Author: Stephanie Royle
Stephanie Royle is a Senior Systems administrator at Lunarpages Web Hosting. She has 2 children, a Labrador a ginger tomcat and frequent headaches.
== – ==
Sadly this little phrase is seen far too often lately and from a server administrators point of view it means another trip down ”Lets educate the customer” lane, including a lengthy dip into the access_logs and a sweep around their files to pull out those tasty little IRC bots that eat up your bandwidth and proudly announce to the script kiddies community channel that they own your server, with stuff like “Greetz to own3r, h@kz0r, M@sher, Mr X” and the other malformed pseudonyms and acronyms, or maybe go replace the customers whole file structure from a backup because their index page is displaying the image of a guy in a fez with some dodgy looking words in a language you don’t understand.
Then a trip to your firewall to block the attackers IP and jump up and down on it with glee, although deep down you just know they used a proxy via a rooted box.
Then go inform the customer (politely) that they should update their scripts. Of course the customer expects you to go through the logs and inform the FBI of the attackers name, address, cellphone number and the last school grade they got. (systems admins are wonderful things huh?) we should work for the forensic squad, or at least help them out at weekends.
70% of these little treasures found their way into your customers account by way of…..you guessed it, your customer’s scripts. But of course “You are to blame” although you already hit up scripts on your servers on a regular basis to find said possible holes after having religiously going through the latest security bulletins to keep in step with the latest exploits, then mailing the customer personally to warn them of said “nasty little hole” which they conscientiously ignore and file the mail amongst the meds spam in their junk folder.
Did you ever sit and wonder just how these “Icons of the hacking world” or “Script Kiddie” for short” found these holes in the script so quickly and exploited them? The answer of course is that they read the bulletins too and within hours it is spread worldwide amongst their community via those ever so handy medias such as IRC and email. I love the getout phrase printed on the vulnerability report: “Full details of exactly how to run this injection are not included for obvious reasons. Although you can find full details at http://www.nicehackerplace.com.”
Come on; admit it, how many of you just checked out that link? And how many of you are rushing out to buy said domain?
Having ascertained they actually have a hack, they then go visit our friend the search engine and see just who is running that particular script, open up ssh on the box they rooted last week and happily spend the day causing as much mayhem as possible. This is not good and if you are unprepared you will be caught with your pants down, your boss screaming in one ear and your customer in the other, which is worse than listening to a bad metal MP3 on max volume while trying to write a thesis on dark matter for your next college exam.
Securing your server is a full time job, but there are quite a few ground rules to get you started and there are many people devoted to writing server software to prevent this kind of thing and ask for nothing but the credit for their hard work and contribution to the community as a whole. The Linux community have open source apps and advice for just about everything but shelf hanging. (offers on the latter anyone?)
How can we help to prevent this stuff?
I don’t want to bore you all with details and installation details as you may find yourself skipping this and looking for alternative reading, which may result in you missing out on the wonderful apps out there that may one day save your hide.
Here’s a few tips to start off the budding systems admin.
Mod security:
Anyone who runs apache should consider this as a “numero uno” priority, like anyone who has a horse should have a stable. It makes logging a dream and can stop web attacks quicker than Mac Donald’s can serve cheeseburgers. (the employees with 5 stars anyway)
With mod_sec you can start small and build up an excellent firewall policy and prevent the majority of the web / injection attacks.
Kernel updates:
Keeping this up to date is imperative, make sure you are aware of your current kernel version and join a mailing list for your particular operating system to make sure you know when it’s time to replace it. (Please do this carefully)
PHP:
It’s vital you keep your php versions up to date, as exploits are reported the nice guys at php.net will patch the hole and release an update.
Have your server mail you for every root login (Linux)
A quick and easy method is this:
vi /etc/.bash_profile
echo ‘WARNING – Root Access:’ `date` `who` | mail -s “Warning: Root Access from `who | awk ‘{print $6}’`” you@email.com
Simple but effective, but nobody should be accessing your server as root in the first place huh? You could of course insert a scary message into /etc/motd but then Halloween is over and nobody is really interested in server messages, they just want to root your box.
You see? I just had to go put some coding in there and bore the pants off you eh?
Firewall:
This is also essential there is a nice easy to configure one at rfxnetworks
I know there will be lots of seasoned server admins reading this muttering “You forgot to mention…” and what about…”
Yep there is a lot more stuff to consider when it comes to security and it’s way beyond the scope of one short article.
I just wanted throw a bone to the guys that don’t normally have to consider this stuff so they know what we poor people have to deal with on a day to day basis, and offer a little advice to those that are maybe just starting out, to be aware of the bad guys out there.
(Can anyone offer me a nice safe job in sales?) ;)
If your server is not secure, these guys will be in your box quicker than a hummer at a ram raiding party.
