SoylentNews is people
SoylentNews
from the cat-and-mouse-and-dogged-determination dept.
A couple years ago I set up a simple brochure-ware site for the School Board in the district here in Brooklyn, hosted on a VPS instance on Linode, to publicize the dates of public meetings, meeting minutes, etc. The VPS doesn't contain any sensitive information so I locked down the ports to 80, 443, and 22, hardened the SSH with measures like fail2ban, kept the system updated every week or so, and called it a day.
Last week, though, the site was compromised. Blowing the instance away and re-creating it from physical backups is not a problem, but in poring through the system to figure out how it was breached I realized both that my own security chops aren't deep enough and that standard best security practices might not be good enough anymore, anyway, given the many vulnerabilities exposed in the last year and realities like the NSA trove that Shadow Brokers leaked.
So the question for the more experienced security professionals in the Soylent community is, can they recommend a good guide and/or site to hone linux security chops and forensic skills that's current?
(Score: 2) by kaszz on Sunday June 04 2017, @01:30AM
Some ideas:
* Prevent Apache and SSH exploits by using a stream filter ahead of them that deny any features not used.
* Firewall the ssh port to only work from sites you will login from.
* Setup one server to produce the pages which then uploads it to a disposable server that only serves them via http(s).
* Implement port knocking.
As for investigating. First step is to verify if the computer has one of those Intel backdoors.. then do boot sectors have the right checksum? system kernel? binaries? look for recent bugs, review logs, file system links. If core has been dumped maybe a fileless malware can be detected?