VPS compromised? Configured wrong?
I've been renting a VPS for half a year now (educational purposes) and I've been trying to learn as much as possible about keeping it secure.
Recently, it was compromised and I suspect that it has been used as someone's proxy for ~a week before I realized. I had logs from users 'anonymous' and 'nobody' logging in and out via SSH, and the CPU usage was off the chart - literally.
In any case, I reinstalled it and I re-applied everything I knew to test if it'll happen again, and within the short 24 hours after the reinstall, I think it did.
Here are the respective logs from /var/log/auth.log that make me feel paranoid:
Oct 31 06:30:21 vultr su[24157]: Successful su for nobody by root
Oct 31 06:30:21 vultr su[24157]: + ??? root:nobody
Oct 31 06:30:21 vultr su[24157]: pam_unix(su:session): session opened for user nobody by (uid=0)
Oct 31 06:30:21 vultr systemd: pam_unix(systemd-user:session): session opened for user nobody by (uid=0)
Oct 31 06:30:21 vultr systemd-logind[503]: New session 40 of user nobody.
Oct 31 06:30:24 vultr su[24157]: pam_unix(su:session): session closed for user nobody
Oct 31 06:30:24 vultr systemd-logind[503]: Removed session 40.
I wasn't the one to authenticate at 6:30 in the morning, so naturally I'm worried that I messed up again somewhere ...
(note: .bash_history of root shows nothing suspicious, and as far as I know user nobody doesn't have a .bash_history - correct me if I'm wrong)
Password authentication is disabled for SSH, only SSH key authentication is possible, which is why I'm really confused about what to try next since someone has still managed to get access (I think).
I've read this article about a phpMyAdmin exploit where the attacker acquired access to the 'nobody' user. However I don't think it applies to my case, because according to my Apache logs there haven't been any attempts to access the phpMyAdmin page, not to mention the article is dated 2010 and my phpMyAdmin page is not even accessible at the moment.
The type of requests, however, that Apache receives are worrying me a bit, here's an example (from /var/log/apache2/access.log):
192.99.144.140 - - [31/Oct/2015:03:43:48 +0000] "PROPFIND /webdav/ HTTP/1.1" 405 569 "-" "WEBDAV Client"
185.25.151.159 - - [31/Oct/2015:03:59:35 +0000] "GET http://testp2.czar.bielawa.pl/testproxy.php HTTP/1.1" 404 460 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"
61.228.95.69 - - [31/Oct/2015:09:07:39 +0000] "CONNECT 126mx00.mxmail.netease.com:25 HTTP/1.0" 405 536 "-" "-"
185.25.151.159 - - [31/Oct/2015:09:15:13 +0000] "GET http://testp4.pospr.waw.pl/testproxy.php HTTP/1.1" 404 457 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"
whereas I'd be expecting something more like this:
my ip - - [31/Oct/2015:14:47:58 +0000] "GET / HTTP/1.1" 200 589 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36"
I don't understand what is accomplished by attempting to "GET http://testp4.pospr.waw.pl/testproxy.php" from my server. There is no such file or directory in /var/www/html.
I'll list all the things I did to try and stay secure after the reinstall. Please point out if you think I've done something incorrectly or if I've not done something at all.
What I did:
- Fresh install of Ubuntu 15.04
- Generate public and private key pair
- Add my public key to my authorized_keys file on my server
- Change these settings in /etc/ssh/sshd_config, thus disabling password authentication and allowing only SSH key authentication:
  PermitRootLogin without-password
  RSAAuthentication yes
  PubkeyAuthentication yes
  PasswordAuthentication no
- Reboot
- Install the things I need, in this order:
  zip
  unzip
  apache2
  mysql-server
  php5 libapache2-mod-php5
  openjdk-7-jdk
  gcc
  g++
  screen
  vsftpd
  auditd
- Remove the default /var/www/html/index.html
- Configure vsftpd to work (I have a strong password for FtpUser). I followed this tutorial from DigitalOcean:
  mkdir /home/proj
  groupadd ftp-users
  chown root:ftp-users /home/proj
  chown root:ftp-users /var/www
  useradd -g ftp-users -d /home/proj FtpUser
  chown FtpUser /home/proj
  passwd FtpUser (add strong password)
- I changed these settings in /etc/vsftpd.conf:
  anonymous_enable=NO
  local_enable=YES
  write_enable=YES
  chroot_local_user=NO
  pam_service_name=ftp
- Reboot
Everything else that I didn't mention is at its default; all software installed is up to date.
Please let me know if the logs I showed earlier are something to worry about.
I'd also be very grateful if you could tell me whether my configuration is incorrect and what I can do to improve my security further. Additionally, if you know any good articles on the matter that would be very helpful in the long run.
exploit webserver ssh ubuntu
migrated from security.stackexchange.com Nov 1 '15 at 1:19
This question came from our site for information security professionals.
asked Oct 31 '15 at 20:26
electricity256
More information about the user nobody: askubuntu.com/questions/329714/…
– Austin Hartzheim
Oct 31 '15 at 21:10
@AustinHartzheim Thanks for the link!
– electricity256
Oct 31 '15 at 21:36
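The following Python script is an added example, not code from the question or the answer: it parses the two logs quoted above, labels each Apache request by what it asks the server to do (an absolute URI in the request line is an open-proxy probe, CONNECT to a host:25 is a mail-relay probe, PROPFIND is a WebDAV probe), reports any such request that was actually served with a 2xx instead of the 404/405 seen here, and groups su events by (target, caller, minute of day) so that a su repeating at the same minute on different days stands out as a scheduled job rather than an interactive login (Ubuntu's stock /etc/crontab starts cron.daily at 06:25). The sample lines are constructed from those in the question; the 203.0.113.5 address, the Oct 30 line and the 'alice' line are invented.

```python
import re
from collections import Counter

# Constructed sample modelled on the question's access.log lines; 203.0.113.5
# (a documentation-range address) stands in for the asker's own IP.
ACCESS_LOG = """\
192.99.144.140 - - [31/Oct/2015:03:43:48 +0000] "PROPFIND /webdav/ HTTP/1.1" 405 569 "-" "WEBDAV Client"
185.25.151.159 - - [31/Oct/2015:03:59:35 +0000] "GET http://testp2.czar.bielawa.pl/testproxy.php HTTP/1.1" 404 460 "-" "Mozilla/5.0"
61.228.95.69 - - [31/Oct/2015:09:07:39 +0000] "CONNECT 126mx00.mxmail.netease.com:25 HTTP/1.0" 405 536 "-" "-"
203.0.113.5 - - [31/Oct/2015:14:47:58 +0000] "GET / HTTP/1.1" 200 589 "-" "Mozilla/5.0"
"""

# Constructed sample: the question's su lines plus an invented Oct 30 line at
# the same minute and an invented, unrelated su to root by 'alice'.
AUTH_LOG = """\
Oct 30 06:30:19 vultr su[11022]: Successful su for nobody by root
Oct 31 06:30:21 vultr su[24157]: Successful su for nobody by root
Oct 31 06:30:21 vultr su[24157]: + ??? root:nobody
Oct 31 14:50:02 vultr su[25001]: Successful su for root by alice
"""

# Apache combined log format; malformed lines simply fail to match.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
SU_RE = re.compile(
    r'^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) \S+ su\[\d+\]: '
    r'Successful su for (?P<target>\S+) by (?P<by>\S+)$'
)
# Service accounts that no administrator should be su-ing into by hand.
SYSTEM_ACCOUNTS = {"nobody", "www-data", "daemon", "ftp"}

def parse_access(text):
    """One dict per well-formed access log line."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec

def classify_request(rec):
    """Label a request by what the client asked the server to do for it."""
    if rec["method"] == "CONNECT":
        # A raw TCP tunnel to host:port; port 25 means the sender is looking
        # for a mail relay, which is what an abused open proxy becomes.
        return "tunnel-probe"
    if rec["target"].startswith(("http://", "https://")):
        # Only a forward proxy honours an absolute URI in the request line:
        # the client wants this server to fetch a third-party site for it.
        return "open-proxy-probe"
    if rec["method"] in ("PROPFIND", "MKCOL", "PUT"):
        return "webdav-probe"
    return "normal"

def proxy_requests_served(text):
    """Probes arrive whatever you do; what matters is whether any were honoured.
    A 2xx on a proxy-style request means the server relayed it (the 404/405 in
    the question show Apache refusing). Returns the served records."""
    return [r for r in parse_access(text)
            if classify_request(r) != "normal" and 200 <= r["status"] < 300]

def su_events(text):
    """(time, target, by) for every 'Successful su' line in auth.log."""
    return [m.groupdict() for m in map(SU_RE.match, text.splitlines()) if m]

def suspicious_su(events):
    """su into a service account needs an explanation, whoever the caller was."""
    return [e for e in events if e["target"] in SYSTEM_ACCOUNTS]

def recurring_su(events):
    """Count su events per (target, caller, HH:MM). The same pair at the same
    minute on different days is the fingerprint of a scheduled job rather than
    a person; Ubuntu's stock /etc/crontab launches cron.daily at 06:25."""
    counts = Counter((e["target"], e["by"], e["time"][:5]) for e in events)
    return {key: n for key, n in counts.items() if n >= 2}

if __name__ == "__main__":
    for rec in parse_access(ACCESS_LOG):
        print(rec["ip"], rec["status"], classify_request(rec), rec["target"])
    print("served:", proxy_requests_served(ACCESS_LOG))
    print("recurring:", recurring_su(su_events(AUTH_LOG)))
```

Point the two constants at the real files (or feed `parse_access` / `su_events` their contents) to run the same triage on a live server.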
1 Answer
Run hiawatha webserver as a reverse proxy in front of your webserver. It will block exploits such as this (they will be blocked as "garbage") in the logs:
91.196.50.33|Sat 19 Mar 2016 21:12:15 +0000|GET http://testp3.pospr.waw.pl/testproxy.php HTTP/1.1
Host: testp3.pospr.waw.pl
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
- Run the webserver & proxy inside separate lxc containers to further isolate the processes.
- Use the chroot feature built into php-fpm.
- Do NOT make a shell available inside the chroot.
- Stealth your ssh port.
- Mount your /var/www/public_html as noexec nosuid nodev.
answered Mar 20 '16 at 8:58
Stuart Cardall
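The noexec/nosuid/nodev advice only takes effect if /var/www/public_html is its own mount, since mount options belong to a filesystem and a directory on / inherits the root filesystem's options (and noexec stops direct execution of binaries, not PHP files interpreted by php-fpm, hence the chroot alongside it). The following Python check is an added example, not the answer's own code: it resolves a path to the mount entry that actually backs it (longest matching mountpoint) and lists which of the three options are missing, run over a constructed /proc/mounts excerpt.

```python
import os

REQUIRED = ("noexec", "nosuid", "nodev")

# Constructed /proc/mounts excerpt: root filesystem, /proc, and the document
# root on its own filesystem but mounted with only nodev. The corresponding
# hardened fstab line would be:
#   /dev/vdb1 /var/www/public_html ext4 defaults,noexec,nosuid,nodev 0 2
PROC_MOUNTS = """\
/dev/vda1 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/vdb1 /var/www/public_html ext4 rw,relatime,nodev 0 0
"""


def mount_for(path, proc_mounts):
    """Return (mountpoint, options) of the mount that backs `path`: the entry
    whose mountpoint is the longest prefix of the path. Without this step
    /var/www/public_html would be judged by the options of / whenever it is
    a plain directory rather than a mount of its own."""
    path = os.path.normpath(path)
    best = None
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt, opts = fields[1], fields[3]
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, opts)
    return best


def missing_options(path, proc_mounts, required=REQUIRED):
    """Hardening options absent from the mount backing `path`."""
    found = mount_for(path, proc_mounts)
    if found is None:
        return list(required)
    present = set(found[1].split(","))
    return [opt for opt in required if opt not in present]


if __name__ == "__main__":
    # On a live system read the real table; fall back to the sample otherwise.
    table = open("/proc/mounts").read() if os.path.exists("/proc/mounts") else PROC_MOUNTS
    for p in ("/var/www/public_html", "/var/www/html"):
        print(p, "backed by", mount_for(p, table), "missing:", missing_options(p, table))
```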