VPS compromised? Configured wrong?
I've been renting a VPS for half a year now (educational purposes) and I've been trying to learn as much as possible about keeping it secure.



Recently, it was compromised and I suspect that it has been used as someone's proxy for ~a week before I realized. I had logs from users 'anonymous' and 'nobody' logging in and out via SSH, and the CPU usage was off the chart - literally.



In any case, I reinstalled it and I re-applied everything I knew to test if it'll happen again, and within the short 24 hours after the reinstall, I think it did.



Here are the respective logs from /var/log/auth.log that make me feel paranoid:



Oct 31 06:30:21 vultr su[24157]: Successful su for nobody by root
Oct 31 06:30:21 vultr su[24157]: + ??? root:nobody
Oct 31 06:30:21 vultr su[24157]: pam_unix(su:session): session opened for user nobody by (uid=0)
Oct 31 06:30:21 vultr systemd: pam_unix(systemd-user:session): session opened for user nobody by (uid=0)
Oct 31 06:30:21 vultr systemd-logind[503]: New session 40 of user nobody.
Oct 31 06:30:24 vultr su[24157]: pam_unix(su:session): session closed for user nobody
Oct 31 06:30:24 vultr systemd-logind[503]: Removed session 40.


I wasn't the one to authenticate at 6:30 in the morning, so naturally I'm worried that I messed up again somewhere ...



(note: .bash_history of root shows nothing suspicious, and as far as I know user nobody doesn't have a .bash_history - correct me if I'm wrong)



Password authentication is disabled for SSH, only SSH key authentication is possible, which is why I'm really confused about what to try next since someone has still managed to get access (I think).



I've read this article about a phpMyAdmin exploit where the attacker acquired access to the 'nobody' user. However I don't think it applies to my case, because according to my Apache logs there haven't been any attempts to access the phpMyAdmin page, not to mention the article is dated 2010 and my phpMyAdmin page is not even accessible at the moment.



The type of requests, however, that Apache receives is worrying me a bit; here's an example (from /var/log/apache2/access.log):



192.99.144.140 - - [31/Oct/2015:03:43:48 +0000] "PROPFIND /webdav/ HTTP/1.1" 405 569 "-" "WEBDAV Client"
185.25.151.159 - - [31/Oct/2015:03:59:35 +0000] "GET http://testp2.czar.bielawa.pl/testproxy.php HTTP/1.1" 404 460 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"
61.228.95.69 - - [31/Oct/2015:09:07:39 +0000] "CONNECT 126mx00.mxmail.netease.com:25 HTTP/1.0" 405 536 "-" "-"
185.25.151.159 - - [31/Oct/2015:09:15:13 +0000] "GET http://testp4.pospr.waw.pl/testproxy.php HTTP/1.1" 404 457 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"


whereas I'd be expecting something more like this:



my ip - - [31/Oct/2015:14:47:58 +0000] "GET / HTTP/1.1" 200 589 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36"


I don't understand what is accomplished by attempting to



"GET http://testp4.pospr.waw.pl/testproxy.php"



from my server. There is no such file or directory in /var/www/html



I'll list all the things I did to try and stay secure after the reinstall. Please point out if you think I've done something incorrectly or if I've not done something at all.



What I did:




  1. Fresh install of Ubuntu 15.04

  2. Generate public and private key pair

  3. Add my public key to my authorized_keys file on my server


  4. Change these settings in /etc/ssh/sshd_config, thus disabling password authentication and allowing SSH key authentication only



    PermitRootLogin without-password
    RSAAuthentication yes
    PubkeyAuthentication yes
    PasswordAuthentication no


  5. Reboot



  6. Install the things I need, in this order:



    zip 
    unzip
    apache2
    mysql-server
    php5 libapache2-mod-php5
    openjdk-7-jdk
    gcc
    g++
    screen
    vsftpd
    auditd


  7. Remove the default /var/www/html/index.html



  8. Configure vsftpd to work (I have a strong password for FtpUser). I followed this tutorial from DigitalOcean



    mkdir /home/proj
    groupadd ftp-users
    chown root:ftp-users /home/proj
    chown root:ftp-users /var/www
    useradd -g ftp-users -d /home/proj FtpUser
    chown FtpUser /home/proj
    passwd FtpUser (add strong password)


    I changed these settings in /etc/vsftpd.conf



    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    chroot_local_user=NO
    pam_service_name=ftp


  9. Reboot



Everything else that I didn't mention is at its default; all software installed is up to date.



Please let me know if the logs I showed earlier are something to worry about.
I'd also be very grateful if you could tell me whether my configuration is incorrect and what I can do to improve my security further. Additionally, if you know any good articles on the matter that would be very helpful in the long run.
migrated from security.stackexchange.com Nov 1 '15 at 1:19


This question came from our site for information security professionals.
  • More information about the user nobody: askubuntu.com/questions/329714/…

    – Austin Hartzheim
    Oct 31 '15 at 21:10











  • @AustinHartzheim Thanks for the link!

    – electricity256
    Oct 31 '15 at 21:36
exploit webserver ssh ubuntu
asked Oct 31 '15 at 20:26
electricity256
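Two checks a defender would run over the logs quoted in the question, as an added example (my code, not the poster's). The auth.log part pairs su "session opened" and "session closed" lines by PID and sets aside root-initiated, seconds-long sessions that fall in the daily maintenance window: Debian and Ubuntu's stock /etc/crontab starts /etc/cron.daily at 06:25, so a 06:30 su to nobody by uid 0 that lasts three seconds is worth correlating with the cron scripts on the box (grep /etc/cron.* for su and nobody) before it is read as an intrusion; the 30-minute window is an assumption to adjust. The access.log part classifies requests: a target that is an absolute URI (GET http://host/...) or a CONNECT request is a probe for an open forward proxy, which is what the testproxy.php lines are; the 404 and 405 replies in the question mean Apache refused to relay, and only a 2xx answer to such a probe would indicate the server is relaying for others. The two 14:xx auth lines, the 203.0.113.5 line standing in for "my ip" and the 198.51.100.7 line are constructed; the year 2015 is taken from the access.log timestamps, since syslog lines carry none.

```python
"""Two log checks over the lines quoted in the question (added example, not the poster's code).

Sample input: the auth.log and access.log lines from the question plus a few
CONSTRUCTED lines (marked below) so that every branch is exercised offline.
"""
import re
from datetime import datetime, time

AUTH_LOG = """\
Oct 31 06:30:21 vultr su[24157]: Successful su for nobody by root
Oct 31 06:30:21 vultr su[24157]: + ??? root:nobody
Oct 31 06:30:21 vultr su[24157]: pam_unix(su:session): session opened for user nobody by (uid=0)
Oct 31 06:30:21 vultr systemd: pam_unix(systemd-user:session): session opened for user nobody by (uid=0)
Oct 31 06:30:21 vultr systemd-logind[503]: New session 40 of user nobody.
Oct 31 06:30:24 vultr su[24157]: pam_unix(su:session): session closed for user nobody
Oct 31 06:30:24 vultr systemd-logind[503]: Removed session 40.
Oct 31 14:02:10 vultr su[25001]: pam_unix(su:session): session opened for user nobody by (uid=1000)
Oct 31 14:41:55 vultr su[25001]: pam_unix(su:session): session closed for user nobody
""".splitlines()  # the two 14:xx lines are CONSTRUCTED

ACCESS_LOG = """\
192.99.144.140 - - [31/Oct/2015:03:43:48 +0000] "PROPFIND /webdav/ HTTP/1.1" 405 569 "-" "WEBDAV Client"
185.25.151.159 - - [31/Oct/2015:03:59:35 +0000] "GET http://testp2.czar.bielawa.pl/testproxy.php HTTP/1.1" 404 460 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"
61.228.95.69 - - [31/Oct/2015:09:07:39 +0000] "CONNECT 126mx00.mxmail.netease.com:25 HTTP/1.0" 405 536 "-" "-"
203.0.113.5 - - [31/Oct/2015:14:47:58 +0000] "GET / HTTP/1.1" 200 589 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36"
198.51.100.7 - - [31/Oct/2015:15:10:02 +0000] "GET http://example.com/ HTTP/1.1" 200 1256 "-" "curl/7.47.0"
""".splitlines()  # 203.0.113.5 stands in for "my ip"; the 198.51.100.7 line is CONSTRUCTED

# --- auth.log: pair su sessions by PID ---------------------------------------
AUTH_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
OPENED_RE = re.compile(r"pam_unix\(su:session\): session opened for user (\S+) by \(uid=(\d+)\)")
CLOSED_RE = re.compile(r"pam_unix\(su:session\): session closed for user (\S+)")

def su_sessions(lines, year=2015):
    """Return one dict per completed su session: target user, calling uid, start, length."""
    pending, sessions = {}, []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m or m["proc"] != "su":
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog lines carry no year
        if (o := OPENED_RE.match(m["msg"])):
            pending[m["pid"]] = (o.group(1), int(o.group(2)), ts)
        elif (c := CLOSED_RE.match(m["msg"])) and m["pid"] in pending:
            user, by_uid, opened = pending.pop(m["pid"])
            sessions.append({"user": user, "by_uid": by_uid, "opened": opened,
                             "seconds": (ts - opened).total_seconds()})
    return sessions

# Debian/Ubuntu's stock /etc/crontab starts /etc/cron.daily at 06:25. A root-initiated
# su that opens a few minutes later and lasts seconds is the shape of a packaged daily
# job dropping privileges; whether such a job exists on this box must be verified
# (grep /etc/cron.* for su and nobody). The window length is an ASSUMPTION.
CRON_DAILY_WINDOW = (time(6, 25), 30)  # (start, minutes)

def suspicious_su(sessions, window=CRON_DAILY_WINDOW):
    """Return the su sessions that the maintenance window does not explain."""
    start, minutes = window
    start_min = start.hour * 60 + start.minute
    flagged = []
    for s in sessions:
        opened_min = s["opened"].hour * 60 + s["opened"].minute
        in_window = start_min <= opened_min < start_min + minutes
        if not (s["by_uid"] == 0 and in_window and s["seconds"] < 60):
            flagged.append(s)
    return flagged

# --- access.log: spot open-proxy probes --------------------------------------
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

def classify_request(line):
    """Return (kind, status): 'proxy-probe' for an absolute-URI target or CONNECT
    (a test of whether this host relays requests for third parties), 'dav-probe'
    for a WebDAV method, 'normal' for an ordinary origin request."""
    m = APACHE_RE.match(line)
    if not m:
        return ("unparsed", None)
    method, target, status = m["method"], m["target"], int(m["status"])
    if method == "CONNECT" or re.match(r"^[a-z][a-z0-9+.-]*://", target, re.I):
        return ("proxy-probe", status)
    if method in DAV_METHODS:
        return ("dav-probe", status)
    return ("normal", status)

def open_proxy_hits(lines):
    """Proxy probes answered with 2xx: only these suggest the server relayed. The 404
    and 405 answers in the question mean Apache refused."""
    hits = []
    for line in lines:
        kind, status = classify_request(line)
        if kind == "proxy-probe" and status is not None and 200 <= status < 300:
            hits.append(line)
    return hits
```

On a live box, feed the real files in with `su_sessions(open("/var/log/auth.log").read().splitlines())` and `open_proxy_hits(open("/var/log/apache2/access.log").read().splitlines())`; an empty list from the second is the result you want, and anything the first flags deserves a look at who was logged in at the time (the `sshd` "Accepted publickey" lines in the same file).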
1 Answer
Run hiawatha webserver as a reverse proxy in front of your webserver. It will block exploits such as this (they will be blocked as "garbage") in the logs:



91.196.50.33|Sat 19 Mar 2016 21:12:15 +0000|GET http://testp3.pospr.waw.pl/testproxy.php HTTP/1.1
Host: testp3.pospr.waw.pl
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate


Run the webserver & proxy inside separate lxc containers to further isolate the processes.



Use the chroot feature built into php-fpm.



Do NOT make a shell available inside the chroot



Stealth your ssh port.



Mount your /var/www/public_html as noexec nosuid nodev.
        answered Mar 20 '16 at 8:58
Stuart Cardall
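For the answer's last point, mounting the web root noexec, nosuid and nodev, here is an added example (my code, not the answerer's) that reads a /proc/mounts-style table, finds the mount that actually covers a given path and reports which of the three options are missing. The check it demonstrates is the one people trip over: the options only apply if the web root is its own mount (a separate partition, volume or bind mount); a directory that simply sits inside the root filesystem inherits the root filesystem's options, so /var/www/public_html on a stock install is usually not noexec at all. The mount table is constructed, with the web-root entry deliberately lacking noexec.

```python
"""Report which hardening mount options cover a web root (added example).

Parses a /proc/mounts-style table (CONSTRUCTED sample below), finds the mount
whose mount point is the longest prefix of the path, and lists the options
from REQUIRED that it lacks. A path that is not its own mount point inherits
the options of the parent mount, which is why "noexec on /var/www/public_html"
is often not in effect even though the admin thinks it is.
"""
import os

REQUIRED = {"noexec", "nosuid", "nodev"}

# CONSTRUCTED table; the /var/www/public_html entry is deliberately missing noexec.
# The matching /etc/fstab line for a separate volume would be e.g.:
#   /dev/vdb1  /var/www/public_html  ext4  defaults,noexec,nosuid,nodev  0  2
SAMPLE_MOUNTS = """\
/dev/vda1 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=101292k,mode=755 0 0
/dev/vdb1 /var/www/public_html ext4 rw,relatime,nosuid,nodev 0 0
"""

def parse_mounts(text):
    """Yield (mount_point, fstype, set_of_options) from /proc/mounts text.

    The kernel escapes spaces in mount points as \\040; decode them so a
    path with a space still compares correctly.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mount_point = parts[1].replace("\\040", " ")
        yield mount_point, parts[2], set(parts[3].split(","))

def covering_mount(path, mounts):
    """Return the mount entry that covers path: the longest mount point that is
    either equal to the path or a directory prefix of it."""
    path = os.path.normpath(path)
    best = None
    for mount_point, fstype, opts in mounts:
        prefix = mount_point.rstrip("/") + "/"
        if path == mount_point or path.startswith(prefix):
            if best is None or len(mount_point) > len(best[0]):
                best = (mount_point, fstype, opts)
    return best

def missing_options(path, mounts_text):
    """Return (covering mount point, sorted list of REQUIRED options it lacks),
    or None if no mount covers the path."""
    entry = covering_mount(path, parse_mounts(mounts_text))
    if entry is None:
        return None
    mount_point, _, opts = entry
    return mount_point, sorted(REQUIRED - opts)
```

On a real system call `missing_options("/var/www/public_html", open("/proc/mounts").read())`; a result whose first element is "/" tells you the web root is not a separate mount, so adding options to it requires creating one (a bind mount of the directory onto itself with those options is the usual zero-downtime route), not just editing the options of the root filesystem.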