Life After Being Hacked

This website has been hacked by =cipher= by Salim Virji on flickr
Being hacked sucks. Not only do you have to deal with the shame of being hacked but, it's a lot of work to recover from it well. This month my web server was hacked and someone used about 2 TB (2,000 GB) of outgoing bandwidth to do something shady. My best guess is that some site had a DDOS attack courtesy of my shamed server.

Here is an opportunity for my loss to be your gain. As part of my effort to make it hard for something like this to happen again I’ve been implementing security solutions to my server and habits. The kinds of things you would hope would be implemented by default by a hosting company but rarely are.

Turn Off FTP And Use SFTP Instead

FTP is old and ugly. It should have gone away a long time ago. FTP sends usernames and passwords as clear text. That means someone can sniff your web connection and get your connection info. No decryption or special techniques needed to read them. They are just plain text.

SFTP is entirely different. It uses SSH (with encryption) to transfer the files. Not only do you get encryption but with SFTP you can compress what’s being transferred for faster transfers. A double win.

Crazy Passwords and Keys

We were hacked by a brute force attack that guessed a simple and common password. I've seen this type of attack happen numerous times. The simplest way around this is to have a password with no dictionary words, upper and lowercase letters, numbers, and symbols in them. It's a pain to remember these so I recommending using something like 1password to save them.

If you need help creating the terribly long and hard to crack passwords there’s the GRC Password generator.

Because I can’t remember these terribly long passwords I’ve setup SSH keys to access the server. That means when I connect, via ssh, I don’t have to enter a password. My computer uses a key instead.

Firewall Rules

Back when I used to manage my own servers I had a firewall rule that seemed like a no brainer. If someone failed to enter the password correctly 3 times in a row they were blocked from connecting to the server for 5 minutes. This wouldn't stop someone whose legitimate or anyone really interested in trying to crack the system. But, it would deter (or at least make it difficult) for your standard hacker or bot.

There’s a simple explanation and tutorial over at http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/ if you’d like to learn more.

These aren’t an all inclusive measure or a guarantee to stop a hacker. But, these things will sure make it harder for them.