I'm new to the server management realm and I'm sure my server is very insecure. I've gone through the WHM CPanel security check but I'm sure to the real gurus, that check is stupid and nowhere near what it needs to be. What are a few things I should look out for?

  • 23,440
  • 2
  • 57
  • 69
  • 3,630
  • 17
  • 62
  • 93

4 Answers4


I answered a similar question the other day here:

Secure LAMP server for production use

To check for compromise..

Suspicious files in /tmp. Files in the Web tree unexpected.

Kernel modules loaded that look suspicious. (lsmod)

Processes running that shouldn't be. (ps aufx)

Active network connections. (netstat)

Currently open file descriptors. (lsof)

Ultimately, if the server is compromised, the proper thing to do is to isolate, image, and rebuild.

Edit 1

Bart brought up very good points; especially that you can't trust the local system at all if believed to be compromised.

Once imaged, you can manipulate the image (and filesystems) using known trusted utilities for further forensics.

Dumping traffic on a switch or running a tcpdump on the local system could be useful as well.

Edit 2

I've actually copied utilities from a known good system and used on a remote server before. Not ideal, but better than nothing.

  • 23,440
  • 2
  • 57
  • 69
  • 2
    This is assuming that if it was compromised, the binaries weren't replaced with binaries that hide the rootkit or processes doing bad things, right? ;-) – Bart Silverstrim Mar 09 '10 at 18:09
  • 2
    The only other ways to check: unusual network traffic from the odd machine, use a read-only filesystem (devil linux I think is the one that's CD based) so it can't be altered, or boot from a bootable disk to check with hashed file lists kept on read-only media, kind of like what Tripwire does...those are the ones I know of. – Bart Silverstrim Mar 09 '10 at 18:10
  • I'd also add that best practices say you shouldn't run as root or with privileges unless you have to for particular tasks, and you shouldn't allow other users to have your root access; limit what they can do through sudo (where at least it's logged, unless they wipe the logs). – Bart Silverstrim Mar 09 '10 at 18:16
  • 1
    Hmm...what else...install chkrootkit and rkhunter to check for common rootkits, maybe clamav but it's not really suited for catching non-emailed and spam type malware on Linux systems (it's ideal for plugging into mail servers...) – Bart Silverstrim Mar 09 '10 at 18:21

I already made some points in comments, but to consolidate some thoughts...

You're asking about what, potential attack vectors?

Out of box, there's not a lot on today's Linux installs that you normally need to worry about right away. Most people introduce holes in their Linux systems by installing new programs and altering configs.

In order to give you better advice, you need to clarify what you're doing. A home server? A database server? Web server? Workstation?

A system with all patches and updates will still expose information if you're running a database server that doesn't clean up input and manages to have an SQL injection attack against a backend database.

Generally, you do what you need to do on any other system. Update regularly. Use the least privileges necessary to do something (don't run as root all the time). Don't login with cleartext passwords (use SSH to remotely administer the system). Don't run unnecessary services (turn off remote desktop/VNC if you're not using it, don't run a web server if you're not using it, etc.) Use strong passwords. Check logs regularly for unusual behavior. Get to know how your system acts so you know what's "weird". Monitor logs for unusual access attempts. Install denyhosts and configure it to lock out IP's that try knocking on SSH for login access, or move it a few ports so it's not open to bot attack. Use NMAP to check what ports you have open (from another machine). Audit your machine with something like SAINT (google for vulnerability auditing tools). Don't leave your workstation logged in when you walk away.

Things like chkrootkit and rkhunter help give some guidance and peace of mind, as do hashing utilities like tripwire, but they add to your maintenance. You need to sit down and balance usability with security needs, and apply them as needed (is it worth the extra hash generation and storage each time you alter a set of files or run system updates, vs. what you have to potentially lose in time and money if the server is lost?)

Make sure you have a good backup routine. A copy of live data is no good if someone compromises the server and your oldest backups contain the compromise.

Never trust a system if you think it has been compromised. I like using devil linux for appliance purposes because it is impossible to crack outside of data scratch areas (things like proxy servers); it boots and runs from CD, so no one can replace the binaries. I suppose they can patch them in memory, but a reboot clears it.

If you are dealing with heavier security needs, echo your logs to another server. Don't use the same password for everything. If your server is compromised, they get access to all passwords (I read once about someone setting up a porn site, then watching logins and email addresses and such coming into the logs...they figured they could then turn around and use those same passwords to crack into other sites, since most people use the same password scheme in the workplace and home as they do for commercial sites).

Those are the big ones. Again it's all a matter of balancing usability with security and how much you have to lose if you lose the server, but also things on your network. If someone takes over a humble little file server or hardly used in-house web server, Linux can easily be used to redirect ARP requests and act as a router to sniff traffic so it can see other things on your network, so even an insignificant server can become a significant threat. Since you didn't say what the server and role was or what the location is, it's hard to tell you specifics (like, "Whoa! you don't want to touch credit card information storage if you have to ask about it! That stuff is heavily regulated!" or, "Never store passwords unhashed. Never store as plain text, ever.")

Bart Silverstrim
  • 31,092
  • 9
  • 65
  • 87

chkrootkit and rkhunter

  • 27,124
  • 2
  • 26
  • 45

While this is wildly complicated (Dont say i didn't warn you). NeXpose has a Community Edition[rapid7.com] you can use to scan for vulnerabilities. You can also integrate it with Metasploit[www.metaploit.com]. Be prepared to do some heavy reading. But if you wade through it, you will be wiser. These are even tools used by some security professionals.

Engage the community and study! Being compromised (and to compromise) can be very intricate.

Best bet if you are or suspect that you are compromised, reinstall from backups or make a clean install. Use sources that provides checksums[en.wikipedia.com] for downloads

If they know what they are doing, they could even modify compilers on your system to compile in "malware" on new compiles.

EDIT: These are tools to check if you can be exploited. They will not check if you are compromised.

  • 1,634
  • 1
  • 17
  • 22