VDS/VPS questions

Ask questions about dedicated servers here and we and other users will do our best to answer them. Please also refer to the self-help section for tutorials and answers to the most commonly asked questions.
BenderB
New to forums
Posts: 3
https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
Joined: Sat Jul 09, 2016 5:49 pm

VDS/VPS questions

Post by BenderB »

Hello everyone, new to NFO and managing my own server. I'm having to learn fast but I like a challenge. I've been using NFO for a little over a month now and all was going well until I started noticing in my logs what I am assuming was bots trying to brute force their way in. I had read about this so I was not surprised, then something strange happened. The logs started showing successful logins to the "Administrator" account, privileges being changed, etc.

I may be paranoid, maybe I don't understand the logs well enough but it appeared, to me, that "someone" had gained access. So I formatted, installed the OS and basically spent the whole day reinstalling apache, php, mysql, etc.

A little info, I was previously using xampp but after reading about security risks had installed apache and everything else separately. I also have a teamspeak3 server that is not currently being used but it is installed.

Back to my story... after getting all software installed, I loaded my backup files for my website, mysql db and shut the vps down because it was late and I had not finished with my apache config files and I still needed a few firewall rules. I thought shutting it down would keep it safe until I could get back to it the next morning.

When I woke up I was horrified to see my server booted up about an hour after I shut it down and had been receiving more bot attacks. I checked the logs and it showed "Administrator" successfully logged on after I had gone to bed. So I immediately formatted, reinstalled, locked the firewall down, changed admin password, made a new user account and disabled "Administrator". I've also changed the remote desktop port to some random unused port. Before I reinstall apache and all that jazz I would like to know if there is anything I'm forgetting or overlooking as far as security goes. Do the servers reboot after a period on their own?

I've read the security thread here on the forum but is there anything else I can do to keep this from happening again?
kraze
Former staff
Posts: 4362
Joined: Fri Sep 17, 2010 9:06 am
Location: California

Re: VDS/VPS questions

Post by kraze »

When checking your logs, you'll want to be sure that you are not mistakenly seeing your successful administrator login attempts for those. If you aren't, it's very likely to be something within your webserver. It's possible your web server was the entry point, before compromising the website files themselves. If you put the old files back on, it's extremely likely they continued to have access. I'd start with fresh files entirely, or at least comb over the existing ones to ensure nothing has been compromised.

If you haven't yet, I'd also recommend setting up the firewall to whitelist only, and changing your RDP port. I'm also assuming you're using a strong password?
viewtopic.php?f=47&t=9421

We also have a guide on what to do if your VDS becomes compromised.
viewtopic.php?f=46&t=5059
@Kraze^NFo> Juski has a very valid point
@Juski> Got my new signature, thanks!
@Kraze^NFo> Out of context!
@Juski> Doesn't matter!
@Juski> You said I had a valid point! You can't take it back now! It's out there!
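
One way to carry out the log check suggested above, as an added example that is not part of the original posts: it pulls successful and failed remote logons from the Windows Security log and groups them by source address, so your own sessions can be told apart from anyone else's. The `$KnownAddresses` value is a placeholder assumption, and an elevated PowerShell 3.0 or later session is assumed.

```powershell
# Added example. Run in an elevated PowerShell 3.0+ session on the server.
# $KnownAddresses is an assumption: list the addresses you connect from
# (203.0.113.10 is a documentation placeholder, not a real client).
$KnownAddresses = @('203.0.113.10')
$Since = (Get-Date).AddDays(-7)

# Security log: 4624 = successful logon, 4625 = failed logon.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625; StartTime = $Since
} -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    # Read the named EventData fields from the event's XML form.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep network (3) and Remote Desktop (10) logons; skip services, console, etc.
    if ('3', '10' -notcontains $data['LogonType']) { continue }

    $source = $data['IpAddress']
    if (-not $source) { $source = '-' }   # some events carry no address

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Success   = ($e.Id -eq 4624)
        Account   = $data['TargetUserName']
        LogonType = $data['LogonType']
        Source    = $source
    }
}

# 1) Successful remote logons from addresses that are not yours, newest first.
$logons | Where-Object { $_.Success -and $KnownAddresses -notcontains $_.Source } |
    Sort-Object Time -Descending |
    Format-Table Time, Account, LogonType, Source -AutoSize

# 2) Totals per source: many failures plus a success from the same unknown
#    address is the pattern that separates a break-in from your own sessions.
$logons | Group-Object Source | ForEach-Object {
    [pscustomobject]@{
        Source    = $_.Name
        Failed    = @($_.Group | Where-Object { -not $_.Success }).Count
        Succeeded = @($_.Group | Where-Object { $_.Success }).Count
        Known     = $KnownAddresses -contains $_.Name
    }
} | Sort-Object Failed -Descending | Format-Table -AutoSize
```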
BenderB
New to forums
Posts: 3
Joined: Sat Jul 09, 2016 5:49 pm

Re: VDS/VPS questions

Post by BenderB »

Thanks for the reply Kraze, I will give those threads a good read.


For the logs, I'm pretty sure it wasn't me since it happened after I had disconnected from the server and gone to bed. I have changed the password and port for rdc on the fresh install. As for the firewall whitelisting, should I do this in Windows firewall or the firewall on my NFO control panel? I believe I have whitelisted my own ip in Windows firewall using the "scope" tab for rdc but if it would be better to use the NFO firewall, I will change it.

Thanks again for the help!
BenderB
New to forums
Posts: 3
Joined: Sat Jul 09, 2016 5:49 pm

Re: VDS/VPS questions

Post by BenderB »

Just read the thread on whitelisting using the NFO firewall so I will be changing that accordingly. Thanks again!
Edge100x
Founder
Posts: 12962
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: VDS/VPS questions

Post by Edge100x »

Also make sure to follow our general recommended security steps: viewtopic.php?f=46&t=4746