Hi there, we've had a few debian/ubuntu servers hacked over the past year or so, ultimately each instance was traced to shoddy client code. Most of our servers are kept well away from third party code but some have to have it. We do what we can to secure the servers but sometimes a client says "oh we have to have this gaping php security hole otherwise my code won't work" so we put barbed wired around it and wait for those friendly indonesian chaps to hack it to pieces (seems most of our hackers are indonesian for some strange reason) anyways, I was thinking that maybe we can be more pro-active with detecting hacks, in many cases there seems to have been several days between the inital server compromise and the clients sites turning to mush. I was thinking maybe a cron job to run rkhunter and email the output, but this would mean a bunch of emails that need manually checked every day. Anyone got any suggestions for a better method?
rkhunter and chkrootkit are a good options (rkhunter is much better). A fs integrity check like tripwire can be very useful. apache mod_security together with owasp CRS is wonderful. Security is very important and you can do so much but how the hell you are hacked so frequently man?
thanks for your reccomendations, tripwire looks particularly handy. As for the hacks, the servers with our code are fine, the problems come when a client uses a dodgy cms to manage their site and have a password like "hackme" (that actually happened)
