VPS container proactive security - recommendations

[drmike]

I have a VPS out there which over time has become a repetitive problem with hack / something getting into container / misuse thereafter.  

Big picture unsure why.  Previously isolated post-event to PHP compromise.  Scrapped PHP and went different direction and months later, a second compromise.

Container is literally empty and no fun for anyone.  Contemplating turning it into a honeypot to draw out the activity on said network and see if I can learn more (may go that route).

Big question though, because this must happen quite a bit to VPS providers here -

What do you recommend to VPS customers to monitor activity of their VPS instances?  What tools should customers be running in containers to try to get ahead of problems like this before your network level monitors or other reporting externally label the IP for external abuse?  Nature of this now twice was exploit used in common software stack with all current updates and then perps used such to send email spam.

 

[RTGHM]

Rootkits.... backdoors....

Reinstall the VPS.

As for monitoring, I log all events incoming/outgoing, and any "unusual" events as per defined in a pattern it notifies me with a urgent email and a text message.

 

[drmike]

Rootkits.... backdoors....

Reinstall the VPS.

As for monitoring, I log all events incoming/outgoing, and any "unusual" events as per defined in a pattern it notifies me with a urgent email and a text message.

No doubt it's reinstall time.

The logging solution you are using, something homebrewed or something you available out there that you can recommend?

 

[RTGHM]

No doubt it's reinstall time.

The logging solution you are using, something homebrewed or something you available out there that you can recommend?

I'm doing a homebrewed solution right now.

 

[DomainBop]

What do you recommend to VPS customers to monitor activity of their VPS instances?

There's always the basics like logwatch, rkhunter, chkrootkit, etc. and then your favorite monitoring tools to monitor load, traffic, etc

twice was exploit used in common software stack with all current updates and then perps used such to send email spam.

setup a cron with sleddog's script for starters to monitor email volume:

 

[ModyDev]

#1 set a daily or weakly cron to keep the system updated

crontab -e


0 0 * * * apt-get update
0 0 * * * apt-get upgrade


#2 use something like monit

#3 using ssh keys

Regards.

 

[howardsl2]

Use AIDE intrusion detection system (aide.sourceforge.net) to make sure no one has made unauthorized changes to your files.

Two important considerations:

1. Be sure to start with a "clean" VPS at the time of installing AIDE.

2. Keep a copy of the AIDE database (/var/lib/aide/*) elsewhere, in case it is modified by malware.

For Ubuntu, run "apt-get install aide" and then "aide.wrapper --init" to initialize.