As you were breached through a script vulnerability, there is not a lot you can fix with it except making sure that the latest version is used, etc.
BUT
I would suggest you do the following;
That's all I can think of right now, but PM me and I'll be more than willing to give you any help you need.
I think you're right on here.
There's a distinction that's important - people talk about changing your "attack surface" - this isn't really about changing your attack surface, it's about adjusting your threat model.
If you leave SSH on port 22, your threat model needs to include script kiddies and bots pounding on SSH, and then password policies and use of key-based authentication are front-line for these threats. Admittedly, these aren't much of a threat; mostly they are an annoyance, but sheer probability means that, if password-based auth is enabled, someone somewhere is going to get lucky at some point. Odds are in your favor, but there's still a possibility.
If you move SSH to an alternate port, your attack surface is the same, but your threat model can bypass the junk traffic that always pounds 22, and it's easier to see real threats.
After moving SSH, if someone hits your new SSH port, you know someone's probably playing with nmap against you, and you should probably be paying attention to them.
FWIW - generally I'm a fan of [CSF](http://configserver.com/cp/csf.html) instead of Fail2ban. It has a lot more from a features perspective, though it can be a bit noisy if you haven't tuned it right.
I've used CSF (http://configserver.com/cp/csf.html) on all my Linux instances in DigitalOcean.
It automatically whitelists the IP you're initially connecting from, but all config is handled in the /etc/csf config files.
It uses iptables under the hood, but it's very simple to use and very much like running AV on your Linux server, just with a simple script + daemon.
My output for iptables -L is enormous, and it has blocked a lot of traffic that may have built up over time if I otherwise did not have it for my little 1 GHz, 512 MB server.
It all depends on what was done. Most of the time they won't know unless the hacker breaks the site. SQL injections can be tricky to track down, but they're also easy to avoid. For other types of attacks you could use a program like Snort, which analyzes packets, or a tool like csf, which tracks a plethora of things. I personally run csf and it seems to cover my needs at the moment.
Load balancing has been supported under iptables since time immemorial, so it'd be pretty easy just to install Linux and some baby script to get iptables going. Maybe CSF would do the trick: http://configserver.com/cp/csf.html Though if there are BSD drivers, that could be easy as well. That'd be my first step if I wasn't familiar with Linux. Although I wouldn't do that now, because BSD annoys me with its shit in different locations and numerous slight differences. Then OP gets the HUGE bonus of having a Linux server that actually does something and can add a big feather in his cap. Then it's down the rabbit hole on everything else Linux can do too.
Quite possibly also an xmlrpc.php attack?
Also, a brute-force plugin for protecting the admin area may be useful if you admin the site while on the road or from multiple IP addresses.
Annnnd csf is great: http://configserver.com/cp/csf.html Get your admin buddy to ensure something like this is in place.
I am fairly certain, seeing that we were making a comparison with fail2ban. I use CSF myself for my email server: http://configserver.com/cp/csf.html It can be set to watch for failed logins on SSH as well as Postfix/Dovecot and, I believe, a few others.
Take a look at http://configserver.com/cp/csf.html; it should simplify the process of managing iptables for you. TL;DR: install it, edit /etc/csf/csf.conf and add your TeamSpeak ports to TCP_IN etc., save the file and then do "csf -r".
I strongly suggest against ufw. I tried using it for 3 months and had nothing but problems. I found a much simpler solution that is much easier to configure: csf, http://configserver.com/cp/csf.html
Block an IP? csf -d x.x.x.x
Unblock an IP? csf -dr x.x.x.x
Whitelist an IP? csf -a x.x.x.x
Throw a t in there and you get temporary versions:
csf -ta x.x.x.x
(temporary whitelist)
Now the beautiful part: you can block with a simple list of IPs in /etc/csf/csf.deny, you can configure specific alerts and block by country in /etc/csf/csf.conf, and so much more! I'm on mobile right now, so I'd rather not go on my csf rant. Main point is you can do so much more with csf; I highly recommend the tool.
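The "edit /etc/csf/csf.conf, add your ports to TCP_IN, then csf -r" advice above, as an added example that is not from any post in this thread and not CSF's own tooling: a small POSIX sh helper that adds a port to a csf.conf list only if it is not already there, exercised on a constructed copy of the file. The TeamSpeak port numbers and the file path are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: idempotently add a port to a csf.conf
# list such as TCP_IN. The path is a parameter so it can be exercised on a
# constructed copy; on a real host it would be /etc/csf/csf.conf.

# csf_get_ports FILE DIRECTIVE  -> prints the quoted list for DIRECTIVE
csf_get_ports() {
    sed -n "s/^$2 = \"\(.*\)\"/\1/p" "$1"
}

# csf_add_port FILE DIRECTIVE PORT -> appends PORT unless already listed,
# rewrites FILE in place (through a temp file, so no GNU sed -i needed)
# and prints the resulting list.
csf_add_port() {
    file=$1; directive=$2; port=$3
    current=$(csf_get_ports "$file" "$directive")
    case ",${current}," in
        *",${port},"*) printf '%s\n' "$current"; return 0 ;;  # already present
    esac
    if [ -z "$current" ]; then new=$port; else new="${current},${port}"; fi
    tmp=$(mktemp)
    sed "s/^${directive} = \".*\"/${directive} = \"${new}\"/" "$file" > "$tmp" \
        && cat "$tmp" > "$file"
    rm -f "$tmp"
    printf '%s\n' "$new"
}

# Demo on a constructed fragment so nothing on the real system is touched.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed fragment resembling /etc/csf/csf.conf
TCP_IN = "20,21,22,25,53,80,110,143,443"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
EOF
# 10011 and 30033 are assumed TeamSpeak ServerQuery / file-transfer ports
# (example values; use whatever your own server actually listens on).
csf_add_port "$demo_conf" TCP_IN 10011
csf_add_port "$demo_conf" TCP_IN 30033
csf_add_port "$demo_conf" TCP_IN 30033   # second call is a no-op
# On a real server the edited rules are then loaded with: csf -r
```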
Nothing in the logs to say the server created the duplicate message, but I do see you are using BoxTrapper for spam, and by itself there is nothing wrong with that, but consider csf/lfd as a firewall instead of cPHulk, which is well intentioned but a big pile of steaming *
http://configserver.com/cp/csf.html
Here is a small script to install all ConfigServer plugins; just create a file and sh filename as root: http://pastebin.com/zYyjWB8B
Then, if you install csf/lfd, in the plugin check Server Security and decide if you want what is recommended.
For learning, it's great. If you are going to run sites on it and leave it powered on all the time, you may want to figure out a good firewall. I like ConfigServer; stupid easy to use.
I'm a big CSF fan, especially with the Webmin module. It packs intrusion detection, firewall and other rules.
http://configserver.com/cp/csf.html
edit: Also remember that a server is not a Ronco Rotisserie cooker; you cannot "set it and forget it" :) Always go through logs, look for odd behavior, look at running services. There are many ways to automate this, but it helps to know what to look for.
I will need help with so much stuff…
My host gave me a dump file from my account, generated by cPanel. So, unless I get something with cPanel — and on VPS it seems to cost extra — I'll need help scavenging things from that file.
I got a suggestion about using CSF to fend off DoS attacks. I wonder if I can run that.