Site hacked, looking for security advice [duplicate]

Possible Duplicate:
My server's been hacked EMERGENCY

Last weekend my company's site was hacked.

They did the nicest thing of doing that on a Friday evening, so we only noticed the attack on Monday morning. The funny thing is that we switched from Windows to Linux recently because it was supposed to be more stable and secure. Go figure. And yes, we got ourselves blacklisted on Firefox and Chrome.

Since I am not a Linux expert, I am looking for advice on how to avoid problems like this in the future. What steps do you take to protect your systems? It seems we had weak passwords, but shouldn't Linux block the account after a few failed logins? They tried more than 20 combinations...

In addition to that, I am looking for a tool (or service) similar to pingdom but applied to security. If my site is ever hacked, alert me. Is there such a thing? A hacking monitor? :)

Another thing, how do you notify your clients about such issues? Do you just ignore and hope no one noticed? Email explaining what happened?

*posting as anonymous to avoid more bad exposure to my company, which is bad already...
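As an added example (not from the question or any of the answers), here is the kind of check a "hacking monitor" for the failed-login pattern described above could run over sshd auth-log lines: it counts failures per source address and flags a successful login from a source that had already failed repeatedly. The log lines, host name and addresses are constructed samples, and the line format assumed is the standard sshd syslog format.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (auth.log style); not from the original post.
SAMPLE_LOG = """\
Jan 13 22:14:05 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 13 22:14:07 web1 sshd[1235]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 13 22:14:09 web1 sshd[1236]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jan 13 22:14:11 web1 sshd[1237]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 13 22:14:13 web1 sshd[1238]: Failed password for root from 203.0.113.7 port 51242 ssh2
Jan 13 22:14:30 web1 sshd[1240]: Accepted password for root from 203.0.113.7 port 51250 ssh2
Jan 13 22:20:00 web1 sshd[1301]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Jan 13 22:21:00 web1 sshd[1302]: Failed password for invalid user test from 198.51.100.9 port 40100 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

def parse(log_text):
    """Extract outcome, auth method, user and source address from each sshd line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def detect(events, threshold=5):
    """Return (brute_force_sources, suspicious_logins).

    brute_force_sources: {src: failure_count} for sources with >= threshold failures.
    suspicious_logins: (user, src) pairs accepted after that source had already
    failed >= threshold times, i.e. a guessed password that eventually worked."""
    failures = defaultdict(int)
    suspicious = []
    for e in events:  # events are processed in log order
        if e["outcome"] == "Failed":
            failures[e["src"]] += 1
        elif failures.get(e["src"], 0) >= threshold:
            suspicious.append((e["user"], e["src"]))
    brute = {src: n for src, n in failures.items() if n >= threshold}
    return brute, suspicious
```

Running `detect(parse(SAMPLE_LOG))` reports 203.0.113.7 as a brute-force source and the later root login from it as suspicious, while the key-based deploy login is left alone.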


Solution 1:

As far as a service similar to pingdom, but applied to security, I will suggest Sucuri's free Network integrity monitor.

What does it do? It monitors your web site (and domains) in real time and alerts you if they are ever defaced, blacklisted, hacked, etc. Link: http://sucuri.net

As the name implies, it monitors the integrity of your 'internet' presence.

*disclaimer: I developed it.

Solution 2:

An operating system is not "stable and secure". A properly configured and well-administered infrastructure can be made more secure than one that isn't, but security isn't a boolean. You can't "buy security" or "install security" by using a particular product / technology.

You're not a "Linux expert", so it makes sense that you need to hire / contract with someone who can configure your servers well, from a security perspective. It's not something you can do once and "be done". Patches are being released all the time for newly found vulnerabilities and bugs. If you don't have an employee who has the job of keeping up, you really need to consider subscribing to some type of "managed" service to maintain your server computers. This is an ongoing concern, and needs to be factored into the budget / TCO of the system as a whole.

There are "hacking monitors", to some extent. Intrusion detection systems (IDS), intrusion prevention systems (IPS), etc, fill that niche. It's an arms race, though. You can't just purchase an off-the-shelf IDS/IPS product, pay somebody to put it in, then sit back and feel smugly secure. Just like keeping operating system software and application software patched, the "hacking monitor" infrastructure must be kept up to date, too.

You need to talk to a lawyer. You may have clients located in places where you are bound to disclose such occurrences by law. Even if you're not, it sure seems slimy to me not to let your clients know if their data was placed at risk. There's the damage to "your good name" now in disclosing the hack, but there's a multiplicity of that damage if it comes out later that you tried to cover it up-- especially if you're breaking the law by doing it.

Practical Stuff:

Your hacked machine(s) are trash. They need to be reloaded from a known-good backup or, better yet, reloaded from clean OS binaries and re-populated with data. This is like "malware cleanup" except worse, because your adversary is much more likely a thinking being instead of a dumb piece of software (though you may have been hacked by a 'bot). The chance that there are "back doors" in your servers is real.

The data on the server computers should be considered to have been disclosed to the public. Even if it's not now, it could be.

Any credentials to other computers stored on the hacked computers are public. Start getting those passwords to other computers changed NOW and make sure that the other computers are intact. (Does anybody use Tripwire anymore? That'd sure be nice in this occasion...)

You've got a mess. Handle it well and you will come out better. Handle it poorly and, next time, you may not have a company.

In the future, you should be using strong authentication and encrypted management protocols (SSH, public-key based authentication). I've already suggested that you get a "Linux expert", even if it's just on contract, to get you started down the right track. I can't encourage that enough. You'll get to see, with this breach, how that would have "paid for itself".

All the common stuff applies:

  • Don't run services you don't need to.
  • Disable default credentials.
  • Follow the principle of least privilege.
  • Have tested, offline, and off-site backups.
  • Know your legal requirements re: breach disclosure.
  • Keep your systems / applications updated.

Solution 3:

It seems we had weak passwords...

...we switched from Windows to Linux recently because it was supposed to be more stable and secure. Go figure.

Weak passwords are platform independent.

Linux is more flexible than Windows in many scenarios, and thus can be made more secure when those certain situations arise. Switching from Windows to Linux for no real reason, especially when you're unfamiliar with the environment, is a bad call. If you run an internet-facing server and don't understand how the services on that server work, whether it be Windows, Solaris, RHEL, or BSD, you're asking for trouble.

As for how to tell your clients, if any of their data was exposed or even POTENTIALLY exposed, AT ALL, call them ASAP. No email, no hope it goes away. Use your phone that's sitting on your desk.

Besides legal repercussions, you were providing a service to them that they were undoubtedly using to provide services for others in some way. You owe it to them to disclose any potential breach of data so they can adjust their workflow accordingly and notify anyone else downstream from them that it may affect.

Solution 4:

Linux, like any platform, is only as secure as the people who administer the systems. If you were more experienced with Windows, then moving to Linux probably wasn't the best idea. You can set up Windows to be just as secure as Linux provided that you take the correct steps to secure the environment, which includes firewalls between the public internet and your internal network, and secure VPNs for connecting from your home to the internal network.

The level of the breach will determine what you tell your customers. If no customer data was taken, then you can give your customers just some basic information about what happened. However, if customer data was accessed, you now have some state notification laws to deal with, depending on the state that your company is in and the states your customers are in.