Restore server after devastating attack?


Hi everyone, I'm sorry if I'm posting in the wrong place or if this has already been covered...

Could someone please explain what I would need to do in the event of a security breach or DOS attack? Due to budget restrictions I am the only person left "in house" to manage our website :eek:. We will be migrating to a KnownHost VPS in the future, and I need to be prepared to get the site back up and running within a couple hours of an attack.

I am learning more and more, but I could use some help with this one... I also plan on going to Barnes and Noble tomorrow. Anyone have any tips on good server admin books?

Thanks in advance!
I don't know about restoring a server, but having dealt with websites that were hacked, I do have a few bits of advice.

If you use PHP on the server, do not allow certain functions to be available to be called. My top priority has been to lock out the eval() and dl() functions. I am sure there are others, and a good list can probably be found in KH's support knowledgebase.

As for DOS attacks, I am assuming those fall into the category of Brute Force Attacks. Look at the full article on Preventing Brute Force Attacks in KH's support knowledgebase. It is right on the front page under Popular Articles. I haven't had problems with those yet, as I am still on shared hosting elsewhere, but it is a good reference.

The most important thing on a server is a firewall and anti-virus. Lock down any port you don't absolutely need to be open. I haven't had a single problem with a virus or attack on my home Linux system since I locked down the firewall to only allow email, ftp, and web browsing.

I hope that helps.
@zamirathe - Thanks for the advice about PHP, I will definitely be googling that one!

I have read the article on preventing brute force attacks, it was very helpful... Additionally, there is a great post (won't let me post links yet) about securing your server, if you search for the title "HOW TO: Secure and Optimize your VPS". However, I did an nmap of my server and I don't feel its security posture is up to par.

I have these ports open:
21/tcp open tcpwrapped (ftp) - I plan on making this TLS
25/tcp open smtp?
53/tcp open domain?
80/tcp open http?
110/tcp open pop3?
143/tcp open imap?
443/tcp open https?
993/tcp open imaps?
995/tcp open pop3s?

I don't plan on using any email for this server, any advice on how to shut these ports down? I tried disabling them on Power Panel...but there must be some way through ssh.

Can anyone explain the difference between csf firewall and the power panel firewall? Do I need to use both or just configure one? How do I change my settings so I can deny everything and open only the services I need?

Also, if I do have a security breach what should be my first course of action? Contact KnownHost? Check log files? Try to restore to a backup?

Thanks for the help on this!

If you use PHP on the server, do not allow certain functions to be available to be called. My top priority has been to lock out the eval() and dl() functions. I am sure there are others, and a good list can probably be found in KH's support knowledgebase.

UPDATE: I found out how to disable PHP functions like the ones discussed above (I'm pretty sure). Under your php.ini file in home/local/lib/php.ini, you can edit this line to be:
disable_functions = dl,system,exec,passthru,shell_exec

However, if you happen to use some of these functions for ImageMagick commands, I'm not sure what to do... I guess just allow exec()

Also, if you are running in safe mode, enable_dl is disabled.
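
An added example, not part of the original posts: a shell check that reads a php.ini and reports which functions from the list above are still callable, with an optional exception such as exec for ImageMagick. The function names, BASELINE and the sample file are constructed for illustration; note that eval() is a language construct rather than a function, so disable_functions does not cover it.

```shell
#!/bin/sh
# Added example, not from the thread: audit disable_functions in a php.ini.
# BASELINE is the list from the post above; treat it as a starting policy.
BASELINE="dl system exec passthru shell_exec"

# Print the effective disable_functions value, one name per line.
# The last uncommented assignment wins; ";" starts a comment in php.ini.
disabled_functions() {
    awk -F= '
        /^[ \t]*disable_functions[ \t]*=/ {
            val = $2
            sub(/;.*/, "", val)        # drop a trailing comment
            gsub(/[" \t\r]/, "", val)  # drop quotes and whitespace
            last = val
        }
        END {
            n = split(last, f, ",")
            for (i = 1; i <= n; i++) if (f[i] != "") print f[i]
        }
    ' "$1"
}

# Print BASELINE functions that are still callable. $2 is an optional
# space-separated list of accepted exceptions, e.g. "exec" for ImageMagick.
missing_disabled() {
    allowed=" ${2:-} "
    current=" $(disabled_functions "$1" | tr '\n' ' ')"
    out=""
    for fn in $BASELINE; do
        case "$allowed" in *" $fn "*) continue ;; esac
        case "$current" in *" $fn "*) ;; *) out="$out $fn" ;; esac
    done
    echo "${out# }"
}

# Constructed sample file, not a real server's php.ini.
sample=$(mktemp)
cat > "$sample" <<'EOF'
; disable_functions = exec, shell_exec
disable_functions = dl, system, passthru   ; exec kept for ImageMagick
EOF
echo "still callable: $(missing_disabled "$sample")"
echo "with exec accepted: $(missing_disabled "$sample" exec)"
```
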
I don't know how you would do it on the server, but I use iptables. I set all ports to not allow incoming or outgoing traffic. Then I research which ports I'll actually use and allow incoming and outgoing traffic. Otherwise, all other connections are denied. Each host has their own setup, so you would need to find out what your host is using. I know the email here, from what I have read, is in the 2k like 2600. I'm not sure though. I don't know where, but somewhere in these forums I found a post with a list of all of the ports KH uses and why.

Yes, that is the list of functions you need to block PHP from using. However, if you need one for ImageMagick, you don't have to list it. You will take a risk that you may get attacked that way. In fact, the last time I helped repair a site that had been hacked, it was a JavaScript insertion but started in PHP by using eval() to insert the script into all index.php files within 2 subdirectories of public_html. Took about 3 hours to clean the entire site and check all 5k pages. I would say if you need ImageMagick and not just GD, then you can take the risk if you feel you need it.

As for the firewall, I found a good post in the General Linux forum. As I can't post the link yet, I will quote.

KH Paul said:

I would suggest not to use firewall management in the Power Panel - this is one of the ugliest things done by Parallels - firewall management in the Power Panel delivers extremely basic functionality and is very limited in what can be done there. I would suggest to use iptables directly if you have knowledge of iptables rules/config syntax or install CSF to build iptables rules based on a few easy-to-define options. Also, if you use cPanel or DirectAdmin, CSF can be managed right through the web based control panel.

Iptables rules defined on the backend won't show up in the Power Panel. And any kind of firewall changes made in the Power Panel will completely wipe out any iptables rules defined on the backend.

If I find the post with all the ports KH uses, assuming it is still true, I will quote it also.

Edit: Ok, I found it. It doesn't have everything, like pop3/imap/smtp ports but it gives a good deal of info.

As I can't quote or post a link to it, go to CPanel HOWTOs and Tutorials and then the thread KnownHost Cpanel logins and ports.

I would suggest doing a search for security in the forums. I found a number of good posts while researching in the forum. Some are years old, but give a good idea of what needs to be done.
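
An added example, not part of the original posts: the deny-by-default approach described above, applied to the port scan posted earlier in the thread. The allowlist (FTP, HTTP, HTTPS, SSH), the SSH_PORT placeholder and the choice to leave outbound traffic open are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. SCAN is the port list from the nmap
# output posted earlier. KEEP_TCP is an assumed allowlist; it assumes this
# VPS serves no mail and no DNS. SSH_PORT is a placeholder: the scan did not
# show the SSH port, so set the real one before loading a default-deny policy.
SSH_PORT=22
KEEP_TCP="21 80 443 $SSH_PORT"
SCAN="21/tcp 25/tcp 53/tcp 80/tcp 110/tcp 143/tcp 443/tcp 993/tcp 995/tcp"

# Ports from the scan that the allowlist stops exposing.
ports_to_close() {
    for p in $SCAN; do
        n=${p%/tcp}
        case " $KEEP_TCP " in *" $n "*) ;; *) printf '%s ' "$n" ;; esac
    done | sed 's/ $//'
}

# Emit an iptables-restore ruleset: drop inbound by default, then allow
# loopback, replies to established connections, and the allowlisted ports.
# Passive-mode FTP needs an extra port range that is not modelled here.
ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for n in $KEEP_TCP; do
        echo "-A INPUT -p tcp --dport $n -j ACCEPT"
    done
    echo 'COMMIT'
}

echo "closed by this policy: $(ports_to_close)"
ruleset
```

`iptables-restore --test` parses a saved ruleset without committing it. KH Paul's warning above still applies: a later change in the Power Panel firewall wipes rules loaded this way.
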
Power Panel Firewall

@Zamirathe - any idea how to stop using the power panel firewall once selected? Yesterday, I selected normal mode, and I have not been able to deselect all the settings since. Is there a way to "not use" the powerpanel firewall once you have set it up?

EDIT: Thanks for the post on "ports," even though it's not comprehensive it contains some very useful information.
Most serious DoS attacks will probably get someone's attention at the data center and they'll stop it one way or another.

ModSecurity and ModEvasive will handle just about everything else. There's an excellent book on the former:
To be honest, I haven't used PowerPanel, so I don't know how to deselect from using its firewall settings. I am sure one of the KnownHost support team could tell you how to keep from using it. On my Linux system at home, using Ubuntu, I have a simple GUI to manipulate the iptables. I am assuming, but not positive, that is what the CPanel controls would do. I assume from the quote I posted that if you edit the iptables via SSH, it will stay but not show up on PowerPanel. Again, I would make sure with them.

As for what I would do if I suspected, or did get shut down, due to a DOS attack:

1) Check the access logs. Are there a bunch of attempted logins into the server? Are there a bunch of attempted logins for users on the site that are suspicious?
2) Check the IP trying to access. Is it the same IP trying to access several different users or accounts on the site/server? Does it look like they are fishing for usernames and passwords?
3) Block the IP from any access to your server, especially if they have gotten in. Notify the hosting immediately of the IP so they are aware of the attack from this IP. In shared hosting, this is especially essential as a breach in one account could mean a breach in all accounts.
4) Keep an eye on ftp account access, especially fishing for usernames and passwords on them. All the hacks I have had to deal with have dealt with unused ftp accounts that had full access to the account.

On another note, do not let someone have an ftp account named admin. That is how the last attack on my site happened. It was supposed to be an ftp account with full access for all of our site admin, but was never used. Actually, add root to that as well. Admin and root will be the main accounts that will be attempted to be hacked.

The best thing to keep away a hacker is to make sure that all passwords are hard to guess. Most probably already know this, but passwords with no full words, capital and lowercase letters, numbers, and symbols are the best. I am sure there is some way to set this up in CPanel so they cannot set a password that doesn't have at least 1 capital letter and 1 symbol.

If you do get attacked, my priorities would be:

1) Take the site or server down if possible for clean up.
2) For a server, get rid of any unused server access accounts. You shouldn't need more access than one root and one user. For a site, get rid of any ftp/email/cpanel users that are not being used by anyone and could've been compromised.
3) Change all passwords to any users that are being used but have been compromised.
4) Block any IPs that made the attack, if you can figure out specifics from the access logs.
5) For a server, block any open port that shouldn't be open that they might have gotten through.
6) For a site, clean up any code insertions. For a server admin reselling shared hosting, notify any client of the security changes and especially if their site has been compromised.
7) Block any php functions that are being used to set up the attack, if it is a hack.
8) Once everything is cleaned, firewall checked, bring the server/site back up.

In most cases, taking the server down is not an option. For a site though, it is the best thing that can be done. Especially since most of the "kiddie hacks" are script inserts that will only continue as long as one page with the hack is being viewed. Many forums, CMS, have the ability for the admin to go in and take the site offline, preventing any page from being available.

Sorry for the late reply on your question about first course of action.

Edit: Oh! Looks like I have another book I need to pick up. Thank you khiltd!
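
An added example, not part of the original posts: the log checks from steps 1 and 2 above (many attempted logins, one IP trying several accounts, attempts on root and admin) as a shell and awk filter. It assumes sshd-style "Failed password" lines; the thresholds, function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: summarise failed logins per source IP.
# Both thresholds are assumptions; tune them to your own traffic.
MAX_USERS=3   # distinct usernames tried from one IP
MAX_FAILS=3   # total failures from one IP

# Reads sshd-style auth log lines on stdin. Prints one line per flagged IP:
# "ip failures distinct_users reason", sorted by IP.
suspicious_ips() {
    awk -v mu="$MAX_USERS" -v mf="$MAX_FAILS" '
        /Failed password for/ {
            # the user is the word before "from", the IP is the word after it
            for (i = 2; i < NF; i++)
                if ($i == "from") { user = $(i - 1); ip = $(i + 1) }
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
            if (user == "root" || user == "admin") priv[ip] = 1
        }
        END {
            for (ip in fails) {
                reason = ""
                if (users[ip] >= mu) reason = "many-usernames"
                else if (fails[ip] >= mf) reason = "many-failures"
                if (reason == "") continue
                if (ip in priv) reason = reason "+root/admin"
                print ip, fails[ip], users[ip], reason
            }
        }
    ' | sort
}

# Constructed sample lines (documentation IP ranges), not real log data.
sample_log() {
    cat <<'EOF'
Mar  3 04:11:02 vps sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 04:11:05 vps sshd[811]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar  3 04:11:09 vps sshd[811]: Failed password for invalid user test from 203.0.113.7 port 50130 ssh2
Mar  3 04:12:40 vps sshd[902]: Failed password for webdev from 198.51.100.20 port 40001 ssh2
Mar  3 04:12:55 vps sshd[902]: Accepted password for webdev from 198.51.100.20 port 40003 ssh2
Mar  3 04:20:01 vps sshd[950]: Failed password for backup from 192.0.2.44 port 39001 ssh2
Mar  3 04:20:03 vps sshd[950]: Failed password for backup from 192.0.2.44 port 39002 ssh2
Mar  3 04:20:06 vps sshd[950]: Failed password for backup from 192.0.2.44 port 39004 ssh2
EOF
}
sample_log | suspicious_ips
```

On a server running CSF, a flagged address can then be denied with `csf -d <ip>`.
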
Hello newe1344,

There is a post in the cPanel tutorials section about installing APF and it covers ports used by cPanel. I would currently recommend using CSF rather than APF since it is still being updated/maintained. I am pretty certain that the ports list in that post is still current. It will not include the email ports you are asking about though so if you want to block them you will need to add them to the list.

You can use the gui in WHM for editing the CSF configuration or you can edit the csf.conf file in SSH and add them that way, whichever you prefer.

Hope that helps!
CSF for a firewall

@Dan - Thanks, I read the post about APF, it was very informative.

I will use csf, and post when I get a reply from support on disabling or at least ignoring the power panel firewall. Thanks for the information on /etc/csf/csf.conf, I will add some ports to the list of blocked ones.

@zamirathe - Thanks for the description on what to do if an attack occurs. I will keep daily backups, and rotate the logs... I'm thinking of using Dan's Amazon S3 storage advice for log files.