Best way to perform pentest


proggR


My server was hacked a while ago and I'm still in the interim of setting up/configuring a new server (they're VPS so I just deleted and recreated it). I'm wondering where would be a good place to start with securing it when I set it back up. I'm going to start by disabling all ports except 80 and 22 (I stupidly didn't even think to block ports before) but aside from that I don't really know what else would be a good idea. How do I test my own code for vulnerabilities? How do I test my system? Security has always been one of my weaker points of knowledge so I'm not sure the best route to take.

 

Any help/direction would be much appreciated. Thanks in advance.


There are at least a dozen different ways someone could break into a web-based site/server. Without specific information about how someone accomplished it in your case, or without specific code that you want someone to look at, it is kind of hard to answer in a few hundred words in a forum reply.

 

Short answer, if the hacking was accomplished through external data: all external data that your script receives - POST, GET, cookie, files, and some server variables - can contain anything and cannot be trusted. The solution is to validate/filter the data so that your code only uses the data if it has an expected value.


I know the possibilities are staggering and unfortunately I don't know how they got in. I know they had open connections to an IRC server but I don't know how they got code running on my server in the first place. I'm going to redo all my validation and read anything I can in the meantime on secure server configurations.

 

I'm working on a new project that I really don't want to have any downtime on and will probably pay someone to test my server to try to remove most vulnerabilities. I'm sure a server is never 100% safe but I want that one to be as close as I can get it.


Given that you have a fresh VPS to start with, here are a few things you can do.

 

Restrict network access with a firewall: block all services that don't need to be public and only allow access to services from where you want. For example, only allow access from your IP/subnet to the services only you use (ssh/sftp).

 

Backup!

 

Shut down all the services you don't need or use; better yet, uninstall everything you don't need. Deny local access to services except for the users that need them. Does Bob need access to MySQL locally? No? Then deny him.

 

OS hardening: use chroot jails for everything you can; restricting what your web server process or your SMTP server has access to can make a difference. One of the simpler things you can do is to force complex passwords on the server. Try hardening the OS with something like grsecurity and/or the Bastille hardening tool; it'll be a headache until you get used to a more restrictive environment, but it's well worth it.

 

Don't trust anyone with access to anything, give them access to their own little places if you have to.  Become a permissions ninja, know who and what has access to what and who.

 

Install a host intrusion detection system, which is mostly a fancy file integrity monitor: if file.ext changes, alert the admin. Samhain is nice for this and has some other good features as well.

 

Backup regularly!

 

Your web server is probably the most public service you have, so harden it: trim down its loaded extensions and be a bit stricter with file/directory access. mod_security is a pretty standard extension you can add to Apache; its configuration can be a bit crazy and overzealous at times, so you'll need to test your web app against its configuration to make sure everything works okay. Next up, harden PHP; Suhosin is a good patch for this. Configure PHP to not display errors to users, and log everything privately.

 

Give yourself the tools to monitor who's accessing your webserver, enable verbose access logging on Apache for instance.  You might give thought to using a network intrusion detection/prevention system (like snort); it'll give you a bunch of cpu overhead but it'll give you a clear idea of who/what is trying to access your server.

 

Keep current with patches and security announcements, get on announcement and security mailing lists for the applications your server uses so you can get info quickly and can patch your server quicker.

 

As for PHP security, here's a pretty good intro to PHP security. You might look at the security-related classes such as session management, validation, filtering, etc. from existing sources (PEAR, ZF, etc.) to give you a jump ahead in your coding.

 

Have you made a backup today yet?

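Two of the steps in the post above (the firewall and the file integrity monitor) in runnable form. This is an added example, not code from the thread or from any of the tools it mentions; the admin subnet 203.0.113.0/24 (an RFC 5737 documentation range), the rule set and the file names are assumptions picked for illustration, and the integrity checker is a deliberately small stand-in for what Samhain or similar does.

```shell
#!/usr/bin/env bash
# Added example for the hardening steps above. Everything here is an
# assumption chosen for illustration (admin subnet, ports, file names).

# 1. Firewall: emit an iptables-restore ruleset. Default policy is DROP,
#    only 80/443 are public, and 22 is reachable from the admin subnet only.
#    Load it with:  gen_firewall_rules 203.0.113.0/24 | iptables-restore
gen_firewall_rules() {
    local admin_cidr=$1
    case "$admin_cidr" in
        # digits, dots and an optional /prefix; anything else is refused
        ''|*[!0-9./]*) echo "gen_firewall_rules: bad CIDR '$admin_cidr'" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -s $admin_cidr --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "fw-drop: " --log-level 4
COMMIT
EOF
}

# 2. Host integrity monitoring, reduced to its core: a sorted list of file
#    hashes. Run fim_baseline once on the clean system and keep the baseline
#    off the box; run fim_check from cron and alert on a non-zero exit.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

fim_baseline() {
    local dir=$1 out=$2
    ( cd "$dir" && find . -type f | LC_ALL=C sort |
      while IFS= read -r f; do hash_file "$f"; done ) > "$out"
}

fim_check() {
    local dir=$1 base=$2 cur
    cur=$(mktemp)
    fim_baseline "$dir" "$cur"
    if cmp -s "$base" "$cur"; then
        rm -f "$cur"
        return 0
    fi
    # "<" lines exist only in the baseline (deleted or modified files),
    # ">" lines only in the current scan (new or modified files)
    diff "$base" "$cur" | sed -n 's/^< /baseline-only: /p; s/^> /current-only: /p'
    rm -f "$cur"
    return 1
}
```

Two practical notes: apply a DROP-by-default ruleset from a console session or with a timed revert (for example an `at` job that flushes the rules) so a typo in the admin subnet doesn't lock you out of ssh, and keep the integrity baseline somewhere the web server's user cannot write, otherwise an attacker who gets code execution can simply re-baseline after dropping a backdoor.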

A site being secure is nothing more than how secure the software on the server is. Blocking ports, etc. isn't going to stop someone from ravaging your stuff if your stuff is insecure. Anything from a simple variable in your domain, i.e. mydomain.com/index.php?myvar=something, if not secured properly can mess up your whole day.

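The point made in the two replies above about external data (the "validate/filter so your code only uses the data if it has an expected value" advice, and the `index.php?myvar=something` example) comes down to allow-list validation: decide what shape each parameter may have and reject everything else, rather than trying to strip "bad" characters. The following is an added example, not code from the thread; the parameter names (`id`, `sort`, `page`) and their rules are assumptions invented for illustration, and it is written as a shell function so it runs anywhere, but the same logic is what you'd put in a PHP handler before the value ever reaches a query or a file path.

```shell
#!/usr/bin/env bash
# Added example: allow-list validation of a raw query string.
# The parameter names and rules below are assumptions for illustration.

# Accept a single key/value pair only if it matches the shape the code
# expects. Unknown keys and anything outside the expected alphabet
# (quotes, percent-encoding, semicolons, ...) are rejected, not "cleaned".
validate_param() {
    local key=$1 value=$2
    case "$key" in
        id|page)
            # decimal digits only, 1 to 9 of them
            case "$value" in
                ''|*[!0-9]*) return 1 ;;
            esac
            [ "${#value}" -le 9 ] ;;
        sort)
            # fixed vocabulary: compare against the allowed values,
            # never against a list of known-bad ones
            case "$value" in
                name|date|price) return 0 ;;
                *) return 1 ;;
            esac ;;
        *)
            # parameter the code does not know about: reject it
            return 1 ;;
    esac
}

# Validate a whole query string such as "id=42&sort=name&page=3".
# Returns 0 if every pair is acceptable; otherwise names the first
# offending key on stderr and returns 1.
validate_query() {
    local query=$1 pair key value
    local IFS='&'
    for pair in $query; do
        key=${pair%%=*}
        value=${pair#*=}
        [ "$pair" = "$key" ] && value=''    # bare key with no "="
        if ! validate_param "$key" "$value"; then
            printf 'rejected parameter: %s\n' "$key" >&2
            return 1
        fi
    done
    return 0
}
```

In a real handler you would run this after URL-decoding (so `%27` has already become `'` and gets caught by the digit check), and on failure return an error rather than falling back to a default, since a silently substituted default hides the fact that someone is probing the parameter.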
