Getting hacked.... need help!!!

rbhkamal · #1 27th August 2007, 07:30 PM

Hi all,
Few days ago I set up an ocsp server using openssl; that service was running as ROOT all the time...
Today I noticed that the server is not responding to some of my ocsp requests. So I started the sniffer to see what the hell is going on. It turned out that someone from Japan is trying to hack my server using port 80 (OCSP).

What should I do next? Should I create a dedicated user and group for that service? if so can someone help me out?

I really need help on this one. please

Regards,
RK

artiomix · #2 27th August 2007, 09:08 PM

There are some recommendations that are to be done first:

1) get ocsp server running under regular user (if it's possible of course)
2) get ocsp server running in chroot (use google for more information)
3) change ocsp port from 80 port to some other one
4) block suspected IP addresses with iptables:
iptables -A INPUT -s 123.45.67.89 -j DROP

Hope it helps.

rbhkamal · #3 29th August 2007, 03:39 PM

Thanks, I'm still working on it.
That dumass keeps changing his source IP address.... he's probably using a proxy.

Zotter · #4 31st August 2007, 02:58 AM

If it's port 80 attacks - it's likely from all over the place. Common scan port, bot port, mal ware port.

If you've never run a server on 80 before, it can be a bit surprising to see the volume of attack traffic - but, sadly, it's rather normal.

taken a look at mod_security yet? http://www.modsecurity.org/

rbhkamal · #5 8th September 2007, 07:56 PM

Thanks for the link, I didn't know about this.
My OCSP server is done using openssl ocsp and not Apache. Will it still work?

I've already tried chroot jail and I feel a little safer, but there is always room for more security

Crito · #6 9th September 2007, 09:57 AM

Quote:

Originally Posted by rbhkamal

.. but there is always room for more security

In that case you should enclose your computer in concrete and sink it to the bottom of the ocean.

Security is a balancing act with usability; the more of one you have the less of the other.

***Firewing1*** · #7 10th September 2007, 03:54 AM

Code:

yum install mod_ssl mod_security pam_tally

Firewing1

rbhkamal · #8 10th September 2007, 06:30 AM

Thanks, I'll try it out first thing Monday.

btw
Any other cool ideas on securing web servers? Something new?

Regards,
RK

rbhkamal · #9 10th September 2007, 07:05 AM

I'm going to install DenyHosts as well