I am hosting several sites (on another host) and moving to a dedicated server on Lunarpages.  Some of these sites are being attacked in a variety of ways.

First it was DDoS attacks, but moving to a dedicated server and vigorously tuning the performance of the sites seems to have mitigated that problem.

Now they are doing some form of attack that eats up all the CPU and memory on the system.  I'm not sure what it is, but there are no SSH logins to the root (other than me), I have the tmp directory stuff done (see other thread), I believe I have all the directories protected correctly, but clearly the machine is compromised.  It just grinds to a halt, and the memory is just slammed.

So, my question is, can anyone give me a pointer to some security best practices?  What could someone be doing that's slamming the machine like that?  Is there some way to audit a machine to see if I have anything open that would allow this kind of thing?

I want to protect this new Lunarpages machine the best I can before I move the sites there.  I appreciate any help you can offer.

Here are some links to security resources:

For MS Windows:  Microsoft Baseline Security Analyzer
http://technet.microsoft.com/en-us/security/cc184924.aspx

From SANS.org here is a pdf on general system administration security best practices:
http://www.sans.org/reading_room/whitepapers/bestprac/system_administrator_security_best_practices_657?show=657.php&cat=bestprac

In a nutshell:

1. keep software patched and up to date
2. disable unused services
3. enable and audit system logs for suspicious activity and errors aon a regular basis
4. configure a firewall, block IPs that attack for a finite period of time (like a month)
5. use complex passwords and change them every 90 days
6. run scheduled anti-virus (on windows) and rkhunter (on linux) checks
7. make backups of your data (user directory, database, system config files, website document root, application data) and do not store backup archives on server
8. only install applications that are well known and trusted, ** this applies to PHP and other CGI scrips in particular **
9. monitor Technical Cyber Security Alerts ( http://www.us-cert.gov/cas/techalerts/index.html ) for new security issues that might affect software you are running
10. apply these best practices to workstations used to log into server and/or develop applications for server

Free online scan for Windows systems:
http://housecall.trendmicro.com/

Free standalone virus scanner, stinger:
http://vil.nai.com/vil/stinger/

Remember, security is an ongoing process -- not something you achieve and can forget about!

Microsoft's MBSA can also be run from the command line.  Here is a great article from Techrepublic.com:
http://articles.techrepublic.com.com/5100-10878_11-5230268.html

FAQ for MBSA 2
http://technet.microsoft.com/en-us/security/cc184922.aspx

FAQ for MBSA 1
http://technet.microsoft.com/en-us/library/dd277352.aspx

List of recent Microsoft security updates
http://www.microsoft.com/protect/computer/updates/bulletins/default.mspx

I found a good link from Microsoft about detecting SQL injection vulnerabilities:

http://blogs.technet.com/srd/archive/2008/06/24/new-tools-to-block-and-eradicate-sql-injection.aspx

the page links to a great windows scanner by HP:  scrawlr

https://download.spidynamics.com/Products/scrawlr/