Security Guidance

Joe Conlin jconlin at axsne.com
Tue Feb 23 15:15:12 CST 2010


From personal experience you will likely not find much help from
Parallels. We provide webhosting here on the Plesk 8.x and 9 platforms
and in similar situations I have found good results using a combination
of OSSEC (http://www.ossec.net/ BIG shout out to these guys, this
project makes my life so much easier), and enabling Apache mod_status.
Netstat, lsof, and ntop (www.ntop.org) are also useful. 

Also, the default PHP configs in a Plesk deployment should be
reviewed; I once had an IRC bot written in PHP being remotely included
into a customer's site because of a server mis-configuration (make sure
php.ini has "allow_url_fopen = Off" and "allow_url_include = Off").

Seeing as how your server is generating UDP traffic, it's possible that
your DNS (Bind) configs are allowing recursion and this is what's being
abused (Plesk is bundled with Bind to handle the vhost DNS hosting).
Either it is allowing public recursion or a local user may be abusing
local recursion abilities. A helpful tool for monitoring DNS queries
on your server is "dnstop"
(http://dns.measurement-factory.com/tools/dnstop/). 

You should also check out #plesk on freenode for a wealth of Plesk
security knowledge. Hope this helps.

Joe Conlin
Access Northeast
jconlin at axsne.com
www.axsne.com

"Your Partner for IP Network Solutions"
-----Original Message-----
From: Paul Stewart [mailto:pstewart at nexicomgroup.net] 
Sent: Tuesday, February 23, 2010 2:47 PM
To: nanog at nanog.org
Subject: Security Guidance

Hi folks...

We have a strange series of events going on in the past while.... Brief
history here, looking for input from the community - especially some of
the security folks on here.

We provide web hosting services - one of our hosting boxes was found a
while back with rootkits installed, unpatched software and lots of
other "goodies". With some staff changes in place (don't think I need
to elaborate on that) we are trying to clean up several issues including
this particular server. A new server was provisioned, patched, and
deployed. User data was moved over and now the same issue is coming
back....

The problem is that a user on this box appears to be launching high
traffic DOS attacks from it towards other sites. These are UDP based
floods that move around from time to time - most of these attacks only
last a few minutes.

I've done tcpdumps within seconds of the attack starting and to date
been unable to find the source of this attack (we know the server, just
not sure which customer it is on the server that's been compromised).
Several hours of scanning for php, cgi, pl type files have been wasted
and come up nowhere...

It's been suggested to dump IDS in front of this box and I know I'll get
some feedback positive and negative in that aspect.

What tools/practices do others use to resolve this issue? It's a
CentOS 5.4 box running latest Plesk control panel.

Typically we have found it easy to track down the offending script or
program - this time hasn't been easy at all...

Thanks,

Paul

----------------------------------------------------------------------------

"The information transmitted is intended only for the person or entity
to which it is addressed and contains confidential and/or privileged
material. If you received this in error, please contact the sender
immediately and then destroy this transmission, including all
attachments, without copying, distributing or disclosing same. Thank
you."
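
The php.ini check recommended in the reply above, as an added example
that is not part of the original thread: it reports the effective value
of the two directives, taking into account that the last assignment in
the file wins and that a missing allow_url_fopen defaults to On. The
function names and the sample file are constructed for illustration.

```python
import re

# PHP's built-in defaults, used when php.ini never sets the directive.
DEFAULTS = {"allow_url_fopen": True, "allow_url_include": False}
TRUE_WORDS = {"on", "yes", "true"}

# Constructed sample, not taken from a real server.
SAMPLE_INI = """\
[PHP]
allow_url_fopen = Off
;allow_url_include = Off
allow_url_fopen = On   ; re-enabled further down the file
"""


def parse_bool(value):
    """Interpret a php.ini boolean: on/yes/true or a non-zero integer."""
    value = value.strip().strip("\"'").lower()
    if value in TRUE_WORDS:
        return True
    return bool(re.fullmatch(r"-?\d+", value)) and int(value) != 0


def effective_flags(ini_text):
    """Return {directive: bool} for the two URL-wrapper directives."""
    flags = dict(DEFAULTS)
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        m = re.match(r"([\w.]+)\s*=\s*(.*)$", line)
        if m and m.group(1) in flags:            # names are case-sensitive
            flags[m.group(1)] = parse_bool(m.group(2))  # last one wins
    return flags


def audit(ini_text):
    """List the directives that still allow remote URLs to be opened."""
    return sorted(k for k, on in effective_flags(ini_text).items() if on)


if __name__ == "__main__":
    for name in audit(SAMPLE_INI):
        print("WARNING: %s is effectively On" % name)
```

Both directives can also be set from the Apache configuration with
php_admin_flag, so the vhost include files need the same review.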



