How can I secure my Linux VPS?

senkin
A semi-regular
Posts: 26
Joined: Tue Jul 20, 2010 1:42 pm

How can I secure my Linux VPS?

Post by senkin »

I have noticed an SHV5 rootkit (reported by rkhunter) on my Ubuntu server. What would you suggest to do as security precautions?

Here is a small list of things I can think of.

1.) Have a firewall and set it up
2.) Have an antivirus like ClamAV.
3.) Have a very secure password or, even better, a locked-off root user.
4.) Remove the rootkit? How?

So far I just backed up everything and re-installed the OS. Now I am finishing re-installing all the packages I want. I want to be sure I prevent this rootkit again, so what can I do?
Edge100x
Founder
Posts: 13120
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: How can I secure my Linux VPS?

Post by Edge100x »

To get a rootkit onto your server, an attacker would have either had to log in as a root user (i.e., by knowing your password) or to have used an exploit or backdoor in an installed application that gave him access to the machine as some user, which he could then use to gain root access via another exploit.

Do you know the original attack vector?

Were you running all the latest packages and the absolute latest kernel?

If you frequently use packages with known security problems, or which have to make frequent security releases that are difficult to keep up with, have you considered running the server with grsecurity enabled?
senkin
A semi-regular
Posts: 26
Joined: Tue Jul 20, 2010 1:42 pm

Re: How can I secure my Linux VPS?

Post by senkin »

I am not sure 100% where it came from, but the last password was not that strong. It was the one from the user control panel (no offence :D).

apt-get -y install rkhunter clamav zip build-essential libxt-dev libxaw7-dev libgmp3-dev libbz2-dev libmysql++-dev libboost-all-dev subversion apache2 mysql-server mysql-admin php5 libapache2-mod-php5 phpmyadmin

That is most of my packages installed. I am darn sure I keep up to date and more.

apt-get update            # refresh the package lists first; upgrading before this works from stale lists
apt-get -y upgrade
apt-get -y dist-upgrade   # also installs held-back packages such as new kernel images
apt-get -y autoremove
apt-get autoclean
apt-get clean

That up to date enough for you?

P.S
Since the re-install and the new password from here, I have yet to have any attacks. I have been checking with rkhunter for a few hours now.

I think it was a simple scriptkiddie that used a SSH bruteforcer. This password should hold him at bay :D
Edge100x
Founder
Posts: 13120
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: How can I secure my Linux VPS?

Post by Edge100x »

senkin wrote:I am not sure 100% where it came from, but the last password was not that strong. It was the one from the user control panel (no offence :D).
If it was from the control panel, it was actually pretty strong. They wouldn't have been able to brute force that remotely, due to the limits that SSHd puts on login attempts, and even a local brute force would have been extremely difficult.

On your packages, phpmyadmin is a common attack vector, so make sure to run that as a completely unprivileged user, and preferably behind a .htaccess wall. (Also, I'd actually recommend against running an antivirus unless you are using an email service, but doing so should not hurt.)

I'm not too familiar with apt-get, but is this keeping your kernel up to date? If you were hit with a rootkit, it is highly probable that a kernel vulnerability was involved, unless this person logged in directly.

Have you also checked your personal machine to make sure that it was not compromised? We see that very commonly. And, are there any unexpected IPs or unusual usage shown in the "Access log" for your control panel?

Also, what showed in your server logs themselves? Usually attackers slip up and leave behind some evidence of how they got in. Apache logs, /var/log/messages, and .bash_history are places that should be checked.
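The kind of log review suggested above, as an added example that is not part of the thread: a small parser for sshd lines from /var/log/auth.log (Debian/Ubuntu) that counts failed password logins per source and flags accepted logins that deserve a closer look. The log lines are constructed samples, and the threshold of 5 failures is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log on
# Debian/Ubuntu (not taken from the thread). 203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges.
SAMPLE_AUTH_LOG = """\
Jul 21 03:12:01 vps sshd[2201]: Failed password for root from 203.0.113.45 port 51234 ssh2
Jul 21 03:12:03 vps sshd[2203]: Failed password for root from 203.0.113.45 port 51236 ssh2
Jul 21 03:12:05 vps sshd[2205]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Jul 21 03:12:08 vps sshd[2207]: Failed password for root from 203.0.113.45 port 51242 ssh2
Jul 21 03:12:10 vps sshd[2209]: Failed password for root from 203.0.113.45 port 51244 ssh2
Jul 21 03:12:12 vps sshd[2211]: Accepted password for root from 203.0.113.45 port 51246 ssh2
Jul 21 09:40:17 vps sshd[3100]: Accepted publickey for senkin from 198.51.100.7 port 40022 ssh2
Jul 21 10:02:44 vps sshd[3150]: Failed password for senkin from 198.51.100.7 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_auth_log(text):
    """Yield (result, method, user, ip) for every sshd login attempt in the text."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")

def find_bruteforce(text, threshold=5):
    """Return {ip: failure_count} for sources with at least `threshold` failed logins."""
    failures = Counter(ip for result, _, _, ip in parse_auth_log(text) if result == "Failed")
    return {ip: n for ip, n in failures.items() if n >= threshold}

def suspicious_logins(text):
    """Accepted logins worth reading the rest of the logs for: a success from a source that
    had already failed (guessing that eventually worked), or any root login by password."""
    failed_sources, hits = set(), []
    for result, method, user, ip in parse_auth_log(text):
        if result == "Failed":
            failed_sources.add(ip)
        elif ip in failed_sources or (user == "root" and method == "password"):
            hits.append((user, method, ip))
    return hits

if __name__ == "__main__":
    print("brute force sources:", find_bruteforce(SAMPLE_AUTH_LOG))
    print("suspicious accepted logins:", suspicious_logins(SAMPLE_AUTH_LOG))
```

A real review also covers the Apache access log, /var/log/messages and .bash_history named in the post; a successful login after a run of failures is the line to start the timeline from.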
senkin
A semi-regular
Posts: 26
Joined: Tue Jul 20, 2010 1:42 pm

Re: How can I secure my Linux VPS?

Post by senkin »

Well I know the machine has yet to get a rootkit again since the re-install and password change.

I will change it so only my IP can view phpmyadmin *I suck with htaccess, but I gotta learn one day*

apt-get is Debian's version of yum. I am sure I keep the kernel up to date. I do that every re-install and each time I am doing major upgrades.

I know my personal machine is safe. It has Bullguard on it to keep it safe, and it found nothing in the files I backed up. I don't know if it would detect Linux viruses though.

I did not check, I will next time.
Edge100x
Founder
Posts: 13120
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: How can I secure my Linux VPS?

Post by Edge100x »

senkin wrote:I know my personal machine is safe. It has Bullguard on it to keep it safe. Which it found nothing in the files I backed up. I don't know if it would detect Linux viruses though.
Perhaps surprisingly, single products (antivirus/spyware checkers) don't do very much to protect against new vulnerabilities. Keeping as up to date as possible on Windows and software updates is the only real, effective way to go, and even that doesn't always work (there have been quite a few serious 0-day exploits that took multiple days or weeks for vendors to resolve).

You wouldn't be able to get a Linux-specific virus on Windows, but you could get Windows-specific spyware that would enable the attacker to log your keystrokes (and general behavior) and learn your passwords. The password could then be used to log in to your Linux machine. Rootkits are also available for Windows, if a determined attacker wishes to completely cover his tracks. We have seen this scenario play out for renters many times.

If you already wiped the machine, we won't ever know what really happened, though.
senkin
A semi-regular
Posts: 26
Joined: Tue Jul 20, 2010 1:42 pm

Re: How can I secure my Linux VPS?

Post by senkin »

I know what you are talking about. I have read a lot on Viruses and their variants including Rootkits and Keyloggers. I have found only one company to truly be as close to on top of it as possible. They are Windows only currently though, so I only really feel safe there. I know I was not keylogged since the only computers I ever do such sensitive material is on machines with Bullguard on it.

I guess we will have to see how this new longer password plays out.
Edge100x
Founder
Posts: 13120
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: How can I secure my Linux VPS?

Post by Edge100x »

senkin wrote:I have found only one company to truly be as close to on top of it as possible. They are Windows only currently though, so I only really feel safe there.
I'm not sure what this means.
senkin wrote:I know I was not keylogged since the only computers I ever do such sensitive material is on machines with Bullguard on it.
Unfortunately, no AV solution is perfect (even against known, older, testable, malware variants). It is (far) more likely that your personal machine was compromised, or that the server was compromised in a different way, than for the default password to have been guessed on the server.

Wiping and reinstalling the server was a valid course of action, and using a different password than is listed in the control panel is a good plan, as well -- I would not argue with those statements. I am only pointing out that there was not a problem with the strength of the default password. I don't want other customers who read this thread to worry that their issued passwords could be easily brute-forced, because that is not the case at all.

(I should also add that if you are worried about passwords, it'd be best to turn off password-based authentication entirely, and switch to SSH keys.)
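The keys-only setup recommended in the last line, as an added example that is not part of the thread: two constructed sshd_config fragments (the password-based default beside the hardened one) and a small audit that reports which directives still allow password or root logins. The directive names are real OpenSSH keywords; the audit itself, its CHECKS table and the choice of acceptable values are assumptions made for this example.

```python
# Constructed sshd_config fragments (not from the thread) showing the password-only setup
# beside the keys-only one. sshd keeps the FIRST value it sees for a keyword, so a later
# "PasswordAuthentication no" does not override an earlier "yes"; the audit mirrors that.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# also closes the keyboard-interactive path, which can still prompt for a password
ChallengeResponseAuthentication no
MaxAuthTries 3
"""

# keyword (lower-case) -> (acceptable values, value assumed when unset, recommendation).
# PermitRootLogin's unset default varies by OpenSSH version, so an explicit value is required.
CHECKS = {
    "permitrootlogin": ({"no", "prohibit-password", "without-password"}, None, "PermitRootLogin no"),
    "passwordauthentication": ({"no"}, "yes", "PasswordAuthentication no"),
    "challengeresponseauthentication": ({"no"}, "yes", "ChallengeResponseAuthentication no"),
    "pubkeyauthentication": ({"yes"}, "yes", "PubkeyAuthentication yes"),
}

def effective_settings(text):
    """Map keyword -> first value, ignoring comments and blank lines, as sshd does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.replace("=", " ").split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings

def audit_sshd_config(text):
    """Return recommendations for settings that still allow password or root logins.
    An empty list means only key-based logins are accepted."""
    settings = effective_settings(text)
    findings = []
    for key, (ok_values, default, recommendation) in CHECKS.items():
        value = settings.get(key, default)
        if value not in ok_values:
            findings.append(f"{recommendation} (currently {value or 'unset'})")
    return findings
```

Add your public key to ~/.ssh/authorized_keys and confirm a key login works in a second session before restarting sshd with PasswordAuthentication off, or the change locks you out.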
senkin
A semi-regular
Posts: 26
Joined: Tue Jul 20, 2010 1:42 pm

Re: How can I secure my Linux VPS?

Post by senkin »

I meant that Bullguard is the best on protection that I have seen so far. Although they are Windows only.

I agree the default password is strong, but I also know that my computer was never compromised. I know that beyond a doubt because it is only used by me and has a password with @ and 0 and P that is 8 characters long. That and more. I know you won't doubt me on its security.

I guess we can just say we don't know how, and the next time it happens we will read the logs and find the hacker to see how it was done. I am guessing it was an attack through PHP. I will have to read all of my scripts to find the vulnerabilities.
senkin
A semi-regular
Posts: 26
Joined: Tue Jul 20, 2010 1:42 pm

Re: How can I secure my Linux VPS?

Post by senkin »

Darn can't edit posts.

Anyhow I like the SSH keys, my friend and I are moving to that today. Putty is my friend and I don't want to lose it due to some scriptkiddy :D