-1

I got hacked yesterday, and for some reason I think this thing I've been doing on my servers over and over might have some disadvantages. This question might be deprecated, but I need a simple answer, as this is a practice I used to do, and in case it's bad, why are there answers that got a lot of upvotes for this practice?

```
sudo chown www-data:www-data /var/www -R
cd /var/www
sudo find . -type f -exec chmod 664 {} \;
sudo find . -type d -exec chmod 755 {} \;
```

So I just need something as simple as these commands to protect my server. Thanks

The question is marked as a duplicate, but it's not; my compromised server is over, I'm talking about another server and a specific subject.

john
  • Possible duplicate of [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – Dennis Nolte Apr 03 '19 at 11:55
  • The question is marked as a duplicate, but it's not; my compromised server is over, I'm talking about another server and a specific subject. – john Apr 03 '19 at 11:58
  • The linked question's first line: "This is a Canonical Question about Server Security - Responding to Breach Events (Hacking)", which is directly the question you are asking, in my opinion. – Dennis Nolte Apr 03 '19 at 12:20

3 Answers

5

> i just need something as simple as these commands to protect my server.

The only minimal effort command that will protect your server is "poweroff" or similar.

Good security takes a serious amount of effort and simply copying commands from the internet without understanding them won't help you.

HBruijn
  • You didn't understand me well. I'm not looking to do things without effort, but I want something true; I don't want that to happen again. I've found an answer at https://serverfault.com/questions/357108/what-permissions-should-my-website-files-folders-have-on-a-linux-webserver?rq=1; tell me your opinion on Malono's answer. – john Apr 03 '19 at 12:19
  • That answer gives a good background and starts immediately with the crux of the matter *"you need to know exactly who your users are and what they need."* – HBruijn Apr 03 '19 at 12:26
4

```
sudo chown www-data:www-data /var/www -R
cd /var/www
sudo find . -type f -exec chmod 664 {} \;
sudo find . -type d -exec chmod 755 {} \;
```

is bad because the user the webserver is running under should not have write access to anything under the doc root. If there is a flaw in the software then one can usually write/change arbitrary files (e.g. index.php), which makes compromising the web servers incredibly easy.

> [Why have] answers got a lot of upvotes for this practice?

The solution solves the problem but the security implications are ignored.

Even (some) web host providers recommend this terrible practice. Why? They make more money this way even given the number of sites that get compromised (and noticed by the customer that they are compromised).

Mark Wagner
  • Thanks, that was really useful information to hear. I've followed Malono's answer here https://serverfault.com/questions/357108/what-permissions-should-my-website-files-folders-have-on-a-linux-webserver?rq=1 and I think it's good after long research, but thanks again for the clarification of this bad practice and why it's common between top answers. – john Apr 03 '19 at 19:45
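
The point made in the answer above, as an added example that is not part of the original thread: a mode-bit audit that lists every path under a document root that a given account can write. The function names, the temporary sample tree and the "uid + 1" stand-in for a separate web server account are assumptions for illustration; ACLs and supplementary groups are not considered.

```shell
#!/usr/bin/env bash
# Added example, not from the original answers. Function names and the
# sample tree are constructed for illustration.

# writable_by USER GROUP DOCROOT
# Print every non-symlink path under DOCROOT whose mode bits grant write
# access to USER: as owner, through GROUP, or through the "other" bits.
# USER and GROUP may be names or numeric IDs. Directories are listed too,
# because a writable directory lets its files be replaced.
writable_by() {
    local user=$1 group=$2 root=$3
    find "$root" ! -type l \( \
            \( -user "$user" -perm -0200 \) \
         -o \( -group "$group" -perm -0020 \) \
         -o -perm -0002 \
        \) -print | sort
}

# make_sample_docroot: build a constructed tree with the modes from the
# question (files 664, directories 755), owned by whoever runs the script.
make_sample_docroot() {
    local root
    root=$(mktemp -d) || return 1
    mkdir "$root/uploads"
    printf '<?php echo "hi";\n' > "$root/index.php"
    chmod 755 "$root" "$root/uploads"
    chmod 664 "$root/index.php"
    printf '%s\n' "$root"
}

# demo: audit the same tree twice. First with the web server account as the
# owner (the question's layout), then with the web server as a different
# account (simulated with uid+1/gid+1, since chown needs root).
demo() {
    local root me grp
    root=$(make_sample_docroot) || return 1
    me=$(id -u); grp=$(id -g)
    echo "Web server account owns the tree (everything is writable):"
    writable_by "$me" "$grp" "$root"
    echo "Web server is a separate account (nothing should be listed):"
    writable_by "$((me + 1))" "$((grp + 1))" "$root"
    rm -rf "$root"
}
demo
```

Against a real server, call `writable_by www-data www-data /var/www`; an empty result means the mode bits give the web server account no write access under the doc root.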
3

Server security is a multifaceted issue. Since many processes on your server CAN be compromised in some way, it is important to run your updates, eliminate unused services and then do security on what is left.

You can have a rock solid apache, mysql, ssh configuration, but if you are running a WordPress server that has security holes, you are going to get hacked - repetitively. You can grep through looking for exec commands, base64_decode, but if you don't understand coding, then you may not see where you are vulnerable.

fail2ban may be a good starting point since it will teach you what to look for in log files to know if you are getting hacked.

If you must run insecure apps because you are a startup and simply can't afford the alternative, make sure you sandbox your environment by utilizing separate VPS servers and make frequent backups. Then practice your restore process till you know you can get everything back up and running.

Alan
  • Running insecure apps is a great way to ensure that a startup will fail. It doesn't take many security incidents to start driving customers away. Security is much harder to implement after the product is done so it should be budgeted into the development cycle from the beginning. – doneal24 Apr 03 '19 at 16:27
  • I started what ended up being a multi million dollar business for under $200. I used vBulletin and VBTube. Neither was ideal for an online e-learning platform, but it let me first find out that people actually liked my business, which then funded development. Sometimes a good idea stays only a good idea because people are too afraid to launch anything till it is perfect. – Alan Apr 03 '19 at 21:52
  • Your apps do not need to be perfect from the beginning, but where would your business be now if it had exposed the names and SSNs of the users shortly after you launched? Alternatively, how would it have affected the business if you found out after the launch that you would have to re-write the entire database backend to secure the system adequately? Security is not an all-or-nothing metric but there has to be a certain level of initial security and planning for future features. – doneal24 Apr 05 '19 at 16:11
  • Very true Doug. I am not at all discounting the value of security, but as stated in other posts, you have to know your audience, and the value of the data you possess. I think the only truly absolutely secure server is an HTML only server with no open ports - and even then, someone will somehow figure out a way to hack it if the information in it is valuable enough :) – Alan Apr 07 '19 at 05:28