I had that happen, once. It was fairly odd, because all it would do is input some script tags linking to something on a spammy bank’s site. I never looked at what the script wrought, but I imagined it was an ad of some sort.
I had thought it was some sort of PHP injection or something that let them rewrite the file. As it turned out, they had somehow gotten the FTP password. I changed that, and nothing more happened.

It seemed strange to me that they had full access to all my files and only inserted a bit right at the end. Wouldn’t it have been better to load a completely new site with some advertisements for them?
The only reason I had found out was that Google mailed me and told me that my site was trying to make their spiders execute malicious code. Oops!

Just a few thoughts on the ones you posted:
2. Or better yet, disable root login
3. Disable FTP and only allow SFTP
6. Authorized keys are secure–but only as secure as the physical security to getting to your personal computer that has the keys on it.
—
And how about some more!
11. Install fail2ban on Linux. It will ban connections from IPs that have multiple unauthorized attempts in a row.
12. Change your SSH port
13. Set your IP Tables to only allow the ports and types of connections you need (HTTP, SSH, SMTP, etc)
14. Subscribe to your operating systems security mailing list to find out when security patches are available.
15. Only allow MySQL connections from localhost

In a shared hosting environment where there are other users on the same machine as you, file permissions are of critical importance. It can be trivially easy for somebody else to modify your data/code if your permissions are set to world writable, or if they are group writable and belong to the wrong group.

For PHP in shared hosting environments, make sure your PHP code runs as your own user (using PHP-CGI or such). If your PHP runs as the same user as everybody else, they can likely read and/or write to your files.

If you find that you’ve been hacked you have to seriously consider the possibility that:

1. the code you have written is the vulnerability
2. the hacker has installed a back door to get back into your system

If either of those are the case, then you could do everything listed in this article and in the comments and you wouldn’t have fixed anything. The hacker could still get back in.

These days, almost all hackers get in because you haven’t upgraded the apps you have installed, you have a security hole in your own app, or your password has been compromised. You should definitely secure your server using tips like this, but you also have to write secure web app code. Your code takes into consideration SQL injection attacks and malicious file names right?

After being hacked, if you can, it is best to wipe out your server OS and start over from scratch from a hopefully clean backup of your site/app.

Another useful note: if your entire site/web app is version controlled with git or svn or whatever… you can easily run status/diff against your site and see any new files or files that have been changed. That will instantly let you spot any shenanigans with your code/file data. (It won’t however help you with database data or system files.)

You can also change the port in which SSH is accessible, which blocks nearly all attempts from that direction.

Thx very much for that list! Since I am more User Interface guy there are some really new things there for me :)

cheers,
Thomas

I would suggest not using the root account at all – use sudo to divy up priviledges to various accounts, and lock the password for root. Allowing only certain users to ssh in and forcing login by publickey also does wonders.

For my ftp setup, I have users chrooted into their home directories, and then I’ve mounted (with —bind) directories they need to access into their ~, so they can access only those folders. Pretty nifty.

Wow! Thanks for the info.. Speaking of hacking, my email address, ym and twitter account is hacked by a single hacker..Selling some stuff that can drop your weight. I am only using my personal computer, so i guess nobody had took advantage with my email or other accounts left un-logged out.. I am just wondering if it is safe to engage in online banking?? I am also worried with my online bank accounts..thanks.

Thanks.

This is a nice site!!

A good selection of tips, changing your security of your root from SHA1 to Blowfish is also a good idea.

Hi there,
Obviously, these are some of the most important and prominent tips that provide higher level of security to any web hosting server.
Thanks for sharing these effective tips…………….

you can also shutdown the machine and go get some sleep :-)

I saw a couple of suggestions for changing the ssh port, witch isn’t a bad idea, but a simple scan will find that quite easily.

If you want to talk about security there are a few things you need to point out.

Your server is only as secure as the applications running on it. If you allow sql injections without serverside checking, no amount of ssh protection will help people from doing bad things (if that is their intent).

But let us assume you have that secure, or that you have only static content showing on your server. Now we can go on to the real server security issue.

for your “chmod -R 755 YOUR_WEB_PATH” , it’s usually better to have a script for setting your rights, that has +x rights on your folders, and removes those rights on the files. Servers don’t usually need the file to be an executable, except some servers with cgi.

now on to the more fun topic: ssh security!
1. disabling root login and passwordless login is the basic,
2. next step would be changing the port number, but that’s really not doing much if someone is trying to get on your computer, he may need a few more minutes scanning those couple thousand ports.
3. for even better safety, its good just just have a RSA encryption for authentication, and disabling passwords all together (you should still have your RSA private key under a good password)
4. taking the “change port” tactic a bit further with port knocking. This involves actually closing the port for the ssh connection, until the client makes the correct knock sequence, and then the server unlocks the port, on witch the client can log onto with his RSA key. Figuring there are 65k ports and a knock sequence with 4 knocks is in the order of 10 to the power of 20.

Now how far you want to take it, just depends on how valuable your stuff is. But even all of this can’t guarantee your servers safety.