1) Web file integrity: Run a job that informs you of web system-level file changes every day. It's a simple one-liner:

    find /var/www/htdocs -mtime -1

Or run a diff between another backed-up tree and the current file system that alerts you via email if one of the files has been changed, with an if/then statement that matches only changed content and alerts you when/if something changes, via a diff against a backed-up tree in /root/htdocs or /usr/local/src/htdocs.

2) IDS/Snort: Run Snort on your system to ensure known packet signatures are dropped. This is generally needed for PHP/MySQL.

3) Create an initial dd iso of your build and restore it to three drives during the build. Every six months, restore the original dd iso drive. This requires 5 minutes of downtime to replace the drive. Restore the drive you removed from the dd iso of the original build, so you always have at least two servers ready for DR and one spare drive to swap in.

4) Run a standard layered firewall that includes bottom-up network protection.

5) Expect they will get it, so run different passwords on every system, and be ready to restore databases and web content quickly. It's easy, really.

6) As soon as you see any evidence of exploit, take it offline immediately and rebuild.

7) Take a list of every single version and platform you are using and compare patch levels and versions against the CERT and OWASP exploit databases. If there are no exploits for it, you are safer; some exploits can be mitigated, but at the very least expect to patch your server regularly. Don't just build it and forget it.

--
Office: (602)239-3392
AT&T: (503)754-4452
http://it-clowns.com
“These capitalists generally act harmoniously and in concert, to fleece the people” --Abraham Lincoln

On Tue, Sep 7, 2010 at 2:32 PM, James Mcphee wrote:
> Harden your server intelligently and keep it up to date with patches.
>
> Also, keep yourself informed. I'm sure people can suggest various
> resources that have all the latest exploit info, etc.
>
> On Tue, Sep 7, 2010 at 2:07 PM, keith smith wrote:
>
>> I was just talking with the guy who manages our servers and he was telling
>> me about some exploits and some of the things he sees.
>>
>> He was telling me about one gang that might exploit a server and another
>> gang finds it and takes it over, fixes the exploit and then creates a back
>> door.
>>
>> How does one keep up on exploits and current security issues?
>>
>> Thanks!
>>
>> ------------------------
>> Keith Smith
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>
> --
> James McPhee
> jmcphe@gmail.com
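The "diff to a backed up tree" check from point 1 of the reply above, written out as a daily cron job. This is an added example, not code from the post or the list; it uses the post's own /root/htdocs and /var/www/htdocs as defaults, and the ALERT_TO recipient, the `run` argument, the file name webtree-check.sh and the presence of a configured `mail` command are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): compare the live web tree against
# a backed-up copy and list what differs, as the "diff to a backed up tree" step
# in point 1 describes. The defaults are the post's own paths; ALERT_TO is an
# assumed recipient for the cron job.
BASELINE="${BASELINE:-/root/htdocs}"
LIVE="${LIVE:-/var/www/htdocs}"
ALERT_TO="${ALERT_TO:-root}"

# Print one line per difference, relative to the tree root:
#   changed /path   content differs between baseline and live
#   added /path     present only in the live tree (a file that appeared)
#   missing /path   present only in the baseline (deleted from live)
# Returns 0 when the trees match, 1 when anything differs, 2 on bad arguments.
web_tree_changes() {
    baseline="$1"
    live="$2"
    if [ ! -d "$baseline" ] || [ ! -d "$live" ]; then
        echo "web_tree_changes: $baseline or $live is not a directory" >&2
        return 2
    fi
    # diff -rq emits "Files A and B differ" and "Only in DIR: NAME" lines;
    # rewrite them into the three-word form above. Other diff messages
    # (file/directory type clashes, permission errors) pass through unchanged
    # so they are still reported. Paths containing '#' would need another
    # sed delimiter.
    report=$(diff -rq "$baseline" "$live" 2>&1 | sed \
        -e "s#^Files $baseline\(/.*\) and $live/.* differ\$#changed \1#" \
        -e "s#^Only in $live\(/*[^:]*\): \(.*\)\$#added \1/\2#" \
        -e "s#^Only in $baseline\(/*[^:]*\): \(.*\)\$#missing \1/\2#")
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Cron entry point: stay silent when nothing changed, otherwise mail the report.
alert_on_change() {
    report=$(web_tree_changes "$BASELINE" "$LIVE") && return 0
    printf '%s\n' "$report" | mail -s "htdocs changed on $(hostname)" "$ALERT_TO"
}

# Run daily from cron as: sh webtree-check.sh run
if [ "${1:-}" = "run" ]; then
    alert_on_change
fi
```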