|
|||||||
|
Try this command as one of the method to check if your server is under doss attack
netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n
You can block ips using apf -d ipnumber
MySQL is one of the most important programs on a server, unfortunatly it is also pretty resource intensive. One a server it is not uncommon for a single user or even a query to take up the bulk of the servers cpu cycles. Mytop is a very useful program to see what queries a server is currently processing as well as which user is executing them. Think of mytop as top for mysql. If you see a lot from a user that means they are probably the hog. Mytop can also be useful for figuring out exactly which queries are causing the problem in the case of a self-designed website. The following is how to install mytop on the server and run it. Thanks to carlos for the actual commands
We are going to install 2 perl modules in addition to mytop to ensure that it will work.
Install TermReadKey:
cd /usr/local/src
wget http://search.cpan.org/CPAN/authors/id/J/JS/JSTOWE/TermReadKey-2.30.tar.gz
tar -zxf TermReadKey-2.30.tar.gz
cd TermRead*
perl Makefile.PL
make test
make
make install
cd ..
Now install DBI:
wget http://search.cpan.org/CPAN/authors/id/T/TI/TIMB/DBI-1.48.tar.gz
tar -zxf DBI-1.48.tar.gz
cd DBI*
perl Makefile.PL
make test
make
make install
cd ..
Finally install mytop:
wget http://jeremy.zawodny.com/mysql/mytop/mytop-1.4.tar.gz
tar -zxf mytop-1.4.tar.gz
cd mytop*
perl Makefile.PL
make test
make
make install
Now simply run “mytop” and your done!
Thanks to eth0 
Rkhunter is a very useful tool that is used to check for trojans, rootkits, and other security problems.
Installing:
wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
tar -zxvf rkhunter-1.2.7.tar.gz
cd rkhunter-1.2.7
./installer.sh
Now you can run a test scan with the following command:
/usr/local/bin/rkhunter -c
How to setup a daily scan report?
pico /etc/cron.daily/rkhunter.sh
add the following replacing your email address:
#!/bin/bash
(/usr/local/bin/rkhunter -c –cronjob 2>&1 | mail -s “Daily Rkhunter Scan Report” email@domain.com)
chmod +x /etc/cron.daily/rkhunter.sh
Updating rkhunter
gets the latest database updates from their central server and matches your OS better to prevent false positives.
rkhunter –update
I just got a false positive!! What do i do?
False positives are warnings which indicates there is a problem, but aren’t really a problem. Example: some Linux distro updated a few common used binaries like `ls` and `ps`. You (as a good sysadmin) update the new packages and run (ofcourse) daily Rootkit Hunter. Rootkit Hunter isn’t yet aware of these new files and while scanning it resports some “bad” files. In this case we have a false positive. You could always have your datacenter or a system administrator check out the server to verify that it is not compromised.
More information on rkhunter can be found here: http://www.rootkit.nl
1. SSH into your server as ‘admin’ and gain root access by su
2. Copy and paste this line to edit the file for SSH logins
pico -w /etc/ssh/sshd_config
3. Find the line
Protocol 2, 1
4. Uncomment it and change it to look like
Protocol 2
5. Next, find the line
PermitRootLogin yes
6. Uncomment it and make it look like PermitRootLogin no
7. Save the file Ctrl+X then Y then enter
8. Now you can restart SSH
/etc/rc.d/init.d/sshd restart
Now, no one will be able to login to root with out first loggin in as admin and ‘su -’ to root, and you will be forcing the use of a more secure protocol. Just make sure you remember both passwords!
1. Login to your server and su to root.
2. cd /root
3. pico .bashrc
4. Scroll to the end of the file then add the following:
echo ‘ALERT – Root Shell Access (YourserverName) on:’ `date` `who` | mail -s “Alert: Root Access from `who | cut -d”(” -f2 | cut -d”)” -f1`” you@yourdomain.com
Replace YourServerName with the handle for your actual server
Replace you@yourdomain.com with your actual email address
5. Crtl + X then Y
Now logout of SSH, close the connection and log back in! You should receive an email address of the root login alert a few minutes afterwards.
Telnet sends clear text passwords and usernames through logins and should be disabled on all web servers and replaced with SSH.
Some hosting providers are not disabling telnet by default but you should ensure that it has been turned off as it’s a great security risk to your servers. TELNET server listens for incoming messages on port 23, and sends outgoing messages to port 23.
1. Login to your server through SSH and su to root.
2. Type pico /etc/xinetd.d/telnet
3. Look for the line: disable = no and replace with disable = yes
4. Now restart the inetd service: /etc/rc.d/init.d/xinetd restart
5. Turn off it through chkconfig as well because it can still start through that.
/sbin/chkconfig telnet off
6. Scan your server to ensure port 23 is closed.
nmap -sT -O localhost
Also run ps -aux | grep telnet and if you find anything other than “grep telnet” as result kill the process.
What is shoutcast?SHOUTcast is Nullsoft’s Free Winamp-based distributed streaming audio system. Thousands of broadcasters around the world are waiting for you to tune in and listen. You can start your own radio station and stream music and live shows. See an example of hundreds of world-wide stations at shoutcast.com
How do we install shoutcast?
Generally you dont want to run shoutcast as root as that can be really bad and a security issue, instead we’ll create a shoutcast user:
1.) Login to root through SSH on the server.
2.) adduser shoutcast
3.) passwd shoutcast
Now it will ask for a new password set this and remember it.
Now login as the new shoutcast user, or you can su to the user. (Or you can logout completely and log in under the shoutcast user).
su shoutcast
Installing shoutcast
Lets grab shoutcast from nullsoft:
1) wget http://www.shoutcast.com/downloads/sc1-9-2/shoutcast-1-9-2-linux-glibc6.tar.gz
Lets extract shoutcast:
2) tar -zxvf shoutcast-1-9-2-linux-glibc6.tar.gz
Lets tidy up the directory:
3) rm -rf shoutcast-1-9-2-linux-glibc6.tar.gz
mv shoutcast-1-9-2-linux-glibc6 shoutcast
cd shoutcast
Shoutcast has now been installed!
How to configure shoutcast?
Now we need to edit the configuration file.
pico sc_serv.conf
or you can use vi which I prefer, a bit more advanced to use.
vi sc_serv.conf
Ok lets set some important configureation options. Change these settings in the file:
MaxUser
Password
PortBase
uncomment AdminPassword and set an admin password.
Now at this point you can go threw the settings and change them to what you want or you can save and start shoutcast and it will work perfectly.
to save crtl+x (if using pico) or :wq if using vi
How do i start shoutcast?
./sc_serv sc_serv.conf
What is BFD (Brute Force Detection)?
BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet and likewise it is very straight-forward in its installation, configuration and usage. The reason behind BFD is very simple; the fact there is little to no authentication and brute force auditing programs in the linux community that work in conjunction with a firewall or real-time facility to place bans. BFD is available at: http://www.rfxnetworks.com/bfd.php
This guide will show you how to install and configure BFD to protect your system from brute force hack attempts.
Requirements:
- You MUST have APF Firewall Installed before installing BFD – it works with APF and requires some APF files to operate.
- Root SSH access to your server
Login to your server through SSH and su to the root user.
1. cd /root/downloads or another temporary folder where you store your files.
2. wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
3. tar -xvzf bfd-current.tar.gz
4. cd bfd-0.7
5. Run the install file: ./install.sh
You will receive a message saying it has been installed
.: BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd
6. Lets edit the configuration file: pico /usr/local/bfd/conf.bfd
7. Enable brute force hack attempt alerts:
Find: ALERT_USR=”0″ CHANGE TO: ALERT_USR=”1″
Find: EMAIL_USR=”root” CHANGE TO: EMAIL_USR=”your@yourdomain.com”
Save the changes: Ctrl+X then Y
8. Prevent locking yourself out!
pico -w /usr/local/bfd/ignore.hosts and add your own trusted IPs
Eg: 192.168.1.1
Save the changes: Ctrl+X then Y
BFD uses APF’ cli insert feature
and as such will override any allow_hosts.rules entries users have in-place.
So be sure to add your trusted ip addresses to the ignore file to prevent
locking yourself out.
9. Run the program!
/usr/local/sbin/bfd -s
APF firewall can deny ALL connections for ssh and allow only a single or select few of IPs to connect to your server. We’ll guide you through DENY ALL with APF firewall.
PROBLEM:
You want to deny all IPs to connect to shell/ssh on you server but only allow a select one or few to connect with APF firewall.
APF SOLUTION:
1) Login to your server as the root user.
2) cd /etc/apf
3) Use vi or nano to edit the /etc/apf/allow_hosts.rules file
EG: vi /etc/apf/allow_hosts.rules
4) Scroll down until after their last comment with the ##
Add the following in:
tcp:in:d=22:s=YOURHOMEIPHERE
out:d=22:d=YOURHOMEIPHERE
The d=22 part is the port, so you can repeat for other services as well to limit connections if you like.
Save the changes.
5) Edit the /etc/apf/deny_hosts.rules file
EG: vi /etc/apf/deny_hosts.rules
Scroll down until the last default comment ## then below it add the following:
tcp:in:d=22:s=0/0
out:d=22:d=0/0
Save the changes.
6) Restart APF firewall
apf -r
Your server is now only allowing connections to the SSH service from one IP using APF. To add more than one IP repeat the steps in 4) adding a new tcp and out line for each IP.
Happy Bloging
