VPS container proactive security - recommendations

Discussion in 'Hosting Talk & Reviews' started by drmike, Jan 14, 2015.

  1. drmike

    drmike 100% Tier-1 Gogent

    May 13, 2013
    I have a VPS out there which over time has become a repetitive problem with a hack / something getting into the container / misuse thereafter.

    Big picture, unsure why.  Previously isolated post-event to a PHP compromise.  Scrapped PHP and went a different direction, and months later, a second compromise.

    Container is literally empty and no fun for anyone.  Contemplating turning it into a honeypot to draw out the activity on said network and see if I can learn more (may go that route).

    Big question though, because this must happen quite a bit to VPS providers here -

    What do you recommend to VPS customers to monitor activity of their VPS instances?  What tools should customers be running in containers to try to get ahead of problems like this before your network level monitors or other external reporting label the IP for abuse?  The nature of this, now twice, was an exploit in a common software stack with all current updates, after which the perps used it to send email spam.
     
  2. RTGHM

    RTGHM New Member

    Nov 29, 2014
    Rootkits.... backdoors....

    Reinstall the VPS.

    As for monitoring, I log all events incoming/outgoing, and for any "unusual" events, as defined in a pattern, it notifies me with an urgent email and a text message.
     
    Last edited by a moderator: Jan 14, 2015
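To make the "log everything, alert on a defined pattern" idea concrete, here is a small added example (my own illustration, not RTGHM's homebrewed tool). It scans syslog-style auth.log lines for three patterns a container owner would want to hear about right away: repeated SSH password failures from one address, a new account being created, and a sudo invocation by an account that should never need it. The sample log lines, the failure threshold and the `ALLOWED_SUDO_USERS` set are constructed assumptions; wire `scan()` to your real log file and replace the `print` with whatever sends your email or text.

```python
"""Minimal log-pattern alerter for syslog/auth.log style lines.
Added example, not the poster's tool; sample lines below are constructed."""
import re
from collections import Counter

# Constructed sample lines in the classic syslog format written by sshd, useradd and sudo.
SAMPLE_LOG = """\
Jan 14 03:00:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jan 14 03:00:02 vps sshd[1202]: Failed password for root from 203.0.113.7 port 50123 ssh2
Jan 14 03:00:03 vps sshd[1203]: Failed password for admin from 203.0.113.7 port 50124 ssh2
Jan 14 03:00:04 vps sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 50125 ssh2
Jan 14 03:00:05 vps sshd[1205]: Failed password for root from 203.0.113.7 port 50126 ssh2
Jan 14 03:00:09 vps sshd[1206]: Accepted publickey for deploy from 198.51.100.5 port 41000 ssh2
Jan 14 03:05:10 vps useradd[1300]: new user: name=backup2, UID=1003, GID=1003, home=/home/backup2
Jan 14 03:05:12 vps sudo:  www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash
Jan 14 03:06:00 vps sshd[1207]: Failed password for root from 192.0.2.9 port 22222 ssh2
"""

# "Mon DD HH:MM:SS host process[pid]: message" (pid is optional, sudo omits it)
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:\[]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
NEWUSER_RE = re.compile(r"new user: name=(?P<user>[^,]+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")

FAILED_THRESHOLD = 4              # assumption: failures from one IP before alerting
ALLOWED_SUDO_USERS = {"deploy"}   # assumption: the only account expected to use sudo


def parse(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def scan(text, failed_threshold=FAILED_THRESHOLD, allowed_sudo=ALLOWED_SUDO_USERS):
    """Return (alerts, failures): alerts is a list of (kind, detail) tuples in log
    order, failures counts failed SSH logins per source address."""
    failures = Counter()
    alerts = []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        proc, msg = rec["proc"].strip(), rec["msg"]
        if proc == "sshd":
            f = FAILED_RE.search(msg)
            if f:
                failures[f["ip"]] += 1
                # alert exactly once, when the threshold is first reached
                if failures[f["ip"]] == failed_threshold:
                    alerts.append(("bruteforce", f["ip"]))
        elif proc == "useradd":
            n = NEWUSER_RE.search(msg)
            if n:
                alerts.append(("new_user", n["user"]))
        elif proc == "sudo":
            s = SUDO_RE.match(msg)
            if s and s["user"] not in allowed_sudo:
                alerts.append(("unexpected_sudo", f"{s['user']}: {s['cmd']}"))
    return alerts, failures


if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG)
    for kind, detail in found:
        print(f"ALERT {kind}: {detail}")   # replace with your email/SMS hook
    print("failed logins per IP:", dict(counts))
```

Running it on the constructed sample raises three alerts: the brute-force attempt from 203.0.113.7 (the fourth failure trips it, later failures do not re-alert), the `backup2` account creation, and the web server user running a shell through sudo, which is the kind of post-exploitation step the thread's "PHP compromise, then spam" story implies.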
  3. drmike

    drmike 100% Tier-1 Gogent

    May 13, 2013
    No doubt it's reinstall time. :)

    The logging solution you are using, is it something homebrewed, or something available out there that you can recommend?
     
  4. RTGHM

    RTGHM New Member

    Nov 29, 2014
    I'm doing a homebrewed solution right now.
     
  5. DomainBop

    DomainBop Dormant VPSB Pathogen

    Oct 11, 2013
    There's always the basics like logwatch, rkhunter, chkrootkit, etc. and then your favorite monitoring tools to monitor load, traffic, etc.

    Set up a cron with sleddog's script for starters to monitor email volume:
     
  6. ModyDev

    ModyDev New Member

    Dec 4, 2014
    #1 set a daily or weekly cron to keep the system updated

    crontab -e


    # update first, then upgrade; cron has no terminal, so -y is required or apt-get will abort at the confirmation prompt
    0 0 * * * apt-get update && apt-get -y upgrade


    #2 use something like monit

    #3 use SSH keys

    Regards.
     
    Last edited by a moderator: Jan 14, 2015
  7. howardsl2

    howardsl2 New Member

    Jan 28, 2014
    Use the AIDE intrusion detection system (aide.sourceforge.net) to make sure no one has made unauthorized changes to your files.

    Two important considerations:

    1. Be sure to start with a "clean" VPS at the time of installing AIDE.

    2. Keep a copy of the AIDE database (/var/lib/aide/*) elsewhere, in case it is modified by malware.

    For Ubuntu, run "apt-get install aide" and then "aide.wrapper --init" to initialize.
     
    Last edited by a moderator: Jan 14, 2015
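For readers who want to see what AIDE's baseline-then-compare cycle actually does, here is an added toy version written for this thread (it is not AIDE and does not read AIDE's database format). It fingerprints every file under a directory with a SHA-256 hash plus mode, owner and size, writes that baseline to a JSON file you can copy off the box, and later reports files that were added, removed or changed. The `demo()` function builds a throwaway tree in a temp directory and tampers with it; the file names in it are constructed.

```python
"""Tiny AIDE-style file integrity checker: hash a tree into a baseline,
keep the baseline elsewhere, and diff the live tree against it later.
Added example, not AIDE itself; the demo tree and its file names are constructed."""
import hashlib
import json
import os
import stat
import tempfile


def _fingerprint(path):
    """Hash regular files by content and symlinks by target; record mode, uid, size."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    elif stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode())
    return {"sha256": h.hexdigest(), "mode": oct(st.st_mode), "uid": st.st_uid, "size": st.st_size}


def build_baseline(root):
    """Map every file path (relative to root) to its fingerprint."""
    base = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            base[os.path.relpath(p, root)] = _fingerprint(p)
    return base


def save_baseline(base, dest):
    """Write the baseline as JSON; copy this file off the VPS as howardsl2 advises."""
    with open(dest, "w") as f:
        json.dump(base, f, indent=1, sort_keys=True)


def load_baseline(src):
    with open(src) as f:
        return json.load(f)


def compare(baseline, root):
    """Diff the live tree against a stored baseline."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Build a constructed tree, baseline it, tamper with it, and return the report."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ls"), "w") as f:
        f.write("original binary")
    with open(os.path.join(root, "passwd"), "w") as f:
        f.write("root:x:0:0")
    db = os.path.join(tempfile.mkdtemp(), "baseline.json")   # stands in for off-box storage
    save_baseline(build_baseline(root), db)
    # simulate what a compromise leaves behind: a replaced binary, a new tool, a deleted file
    with open(os.path.join(root, "bin", "ls"), "w") as f:
        f.write("replaced binary")
    with open(os.path.join(root, "bin", "nc"), "w") as f:
        f.write("new file")
    os.remove(os.path.join(root, "passwd"))
    return compare(load_baseline(db), root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report from `demo()` lists `bin/ls` as changed, `bin/nc` as added and `passwd` as removed. The two considerations in the post map directly onto the code: `build_baseline()` is only meaningful if run on a known-clean tree, and `compare()` is only trustworthy if the baseline it loads came from a copy the attacker could not edit, hence the JSON file being kept somewhere other than the container.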