Centminmod Security

I was wondering, how secure is CMM out of the box ? What are the first few steps/things one should do after installing CMM to properly secure the server and prevent any hacking attempts ?
Any shortcut way of setting the CSF to log and ban unsuccessful SSH login attempts/port scans ? Any other security tips ?

Thanks a lot in advance.

 

Thanks, already did Step 4 (I did read the GSG). Was just getting paranoid because I saw some weird entries in access logs. Should I post them here for further discussion ?

 

Ok, here we go.

var/log/messages

Code:

Jan  9 20:53:20 Impact kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=118.69.191.106 DST=myserverip LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=60748 DF PROTO=TCP SPT=42199 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Jan  9 20:53:21 Impact kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=118.69.191.106 DST=myserverip LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=60749 DF PROTO=TCP SPT=42199 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Jan  9 20:53:23 Impact kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=118.69.191.106 DST=myserverip LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=60750 DF PROTO=TCP SPT=42199 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Jan  9 20:58:28 Impact kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=5.39.222.196 DST=myserverip LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=1260 PROTO=TCP SPT=49234 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  9 21:02:47 Impact kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=162.222.185.165 DST=myserverip LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=15187 PROTO=TCP SPT=40050 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  9 21:07:17 Impact kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=183.60.48.25 DST=myserverip LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=12215 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  9 21:11:01 Impact kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=190.252.96.234 DST=myserverip LEN=56 TOS=0x00 PREC=0x20 TTL=52 ID=53502 DF PROTO=TCP SPT=34015 DPT=23 WINDOW=5440 RES=0x00 SYN URGP=0
Jan  9 21:11:04 Impact kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=190.252.96.234 DST=myserverip LEN=56 TOS=0x00 PREC=0x20 TTL=52 ID=53503 DF PROTO=TCP SPT=34015 DPT=23 WINDOW=5440 RES=0x00 SYN URGP=0
Jan  9 21:12:55 Impact kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=121.171.85.200 DST=myserverip LEN=29 TOS=0x00 PREC=0x00 TTL=51 ID=43921 DF PROTO=UDP SPT=52501 DPT=53413 LEN=9
Jan  9 21:13:02 Impact kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=121.171.85.200 DST=myserverip LEN=29 TOS=0x00 PREC=0x00 TTL=51 ID=43922 DF PROTO=UDP SPT=52501 DPT=53413 LEN=9
Jan  9 21:13:10 Impact kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=42.112.238.37 DST=myserverip LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=32244 DF PROTO=TCP SPT=48090 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0

Code:

2016/01/09 09:16:36 [error] 32481#32481: *11127 open() "/usr/local/nginx/html/cgi-bin/php-cgi" failed (2: No such file or directory), client: xxx.xxx.xxx.xx, server: serverhostname, request: "POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1", host: "172.110.22.46"
2016/01/09 09:16:36 [error] 32481#32481: *11128 open() "/usr/local/nginx/html/cgi-bin/php.cgi" failed (2: No such file or directory), client: xxx.xxx.xxx.xx, server: serverhostname, request: "POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1", host: "172.110.22.46"
2016/01/09 09:16:37 [error] 32481#32481: *11129 open() "/usr/local/nginx/html/cgi-bin/php4" failed (2: No such file or directory),client: xxx.xxx.xxx.xx, server: serverhostname, request: "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1", host: "172.110.22.46"
2016/01/09 12:43:16 [error] 32481#32481: *13660 open() "/usr/local/nginx/html/MIB/index.aspx" failed (2: No such file or directory),client: xxx.xxx.xxx.xx, server: serverhostname, request: "GET http://www.mingjingnews.com/MIB/index.aspx HTTP/1.1", host: "www.mingjingnews.com"

var/log/nginx/localhost.access.log

Code:

xx.xx.xx.xx - - [29/Dec/2015:14:44:14 +0000] \x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01 "400" 166 "-" "-" "-" "-" "3" "1" "5.000"
xx.xx.xx.xx - - [29/Dec/2015:23:52:55 +0000] c\xE3\x91%\xBB\xFDY\xF1\xE0\xF0g<\x9C\x1Cn\xDA\x8D\x08\xEC\x1A\x02\xE6\xFC\x94\xEF'\xE5]~\xFE\xB2I\xC6#K\xC6U\x04\x16'!\xC8\x91{\xF5F\xE7\xBA\x89\x80\xD0\xDA,sx\x00\x102\xC6\xAEo\x05\xCC\xE6 "400" 166 "-" "-" "-" "-" "1" "1" "0.000"
151.217.177.200 - - [30/Dec/2015:03:53:40 +0000] DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us. <3 HTTP/1.0 "400" 166 "-" "-" "-" "-" "2" "1" "0.200"
xx.xx.xx.xx - - [30/Dec/2015:06:49:24 +0000] \x18);\xD4\xE7\xD6\xC4+Rv\xA81\xC9\xE0\x02\x87\x8B{\x13\xA7\x9Ae\x06\xCFzi\xAA\xDF\xAE\x875~\x10!i\x80\x84\xF4b\x1A$\xF9 "400" 166 "-" "-" "-" "-" "3" "1" "0.000"
xx.xx.xx.xx - - [31/Dec/2015:23:12:37 +0000] \x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01 "400" 166 "-" "-" "-" "-" "17591" "1" "0.200"
xx.xx.xx.xx - - [01/Jan/2016:05:35:13 +0000] GET 
/server-status?HTTP_POST=%\x22%6346#%#/&#736%\x22#423|;&HTTP_CGI_GET=GRESYYK\x22K&J\x22#L523D2G23H23 HTTP/1.0 "404" 162 "-" "apache 0day by @hxmonsegur" "-" "-" "19567" "1" "0.300" 

 

Great. So nothing to worry about, right ?

 

great. as long as it is safe, all good.

Thanks a lot people I will be visiting more often now, as I will be using centminmod to host sites I make for my clients

Thumbs up.