Archive for the ‘Sec webserver’ Category

Some commands for checking a server that is under a DDoS attack

– Check the number of connections on port 80:

Code:
netstat -n | grep :80 |wc -l

– Check the number of connections in the SYN_RECV state:

Code:
netstat -n | grep :80 | grep SYN_RECV|wc -l

– Show every connected IP and the number of connections from each IP:

Code:
netstat -an|grep :80 |awk '{print $5}'|cut -d":" -f1|sort|uniq -c|sort -rn

If you want to see which IP is opening many SYNs, add a SYN filter:

Code:
netstat -an|grep :80|grep SYN |awk '{print $5}'|cut -d":" -f1|sort|uniq -c|sort -rn

– On a server with several IPs, to check which IP is being attacked:

Code:
netstat -plan  | grep  :80 | awk '{print $4}'| cut -d: -f1 |sort |uniq -c

Some of the commands above give wrong results on newer kernels, where addresses appear in the form '::ffff:192.168.1.1:80'. For a command that works in every case, use the following. Note also that 'grep :80' matches any port string containing ':80', such as :8080 or :8000, so if such ports are open on the server filter on the exact local port instead:

– Show every connected IP and the number of connections from each IP:

Code:
[root@localhost~]# netstat -an | grep ':80' | awk '{print $5}' | sed s/'::ffff:'// | cut -d":" -f1 | sort | uniq -c

I am also adding the following:
– Show the number of connections per state (to check whether you are facing a SYN flood or a DDoS):

Code:
root@localhost [~]# netstat -an | grep :80 | awk '{print $6}' | sort | uniq -c
61 ESTABLISHED
13 FIN_WAIT1
17 FIN_WAIT2
1 LISTEN
25 SYN_RECV
298 TIME_WAIT

While under attack you need to watch these figures in real time, so wrap the commands in 'watch':

– Show every connected IP and the number of connections from each IP:

Code:
[root@localhost~]# watch "netstat -an | grep ':80' | awk '{print \$5}' | sed s/'::ffff:'// | cut -d\":\" -f1 | sort | uniq -c"

– Show the number of connections per state:

Code:
root@localhost [~]# watch "netstat -an | grep :80 | awk '{print \$6}' | sort | uniq -c"
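The pipelines above are easy to get subtly wrong (the '::ffff:' prefix, 'cut -d:' on IPv6 addresses, 'grep :80' matching :8080). The script below is an added example, not part of the original post: it puts the per-state and per-peer counts into functions and runs them over a constructed 'netstat -an' snapshot embedded in the SAMPLE variable, so it works offline. The addresses in the sample are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example: per-state and per-peer summary of port-80 connections.
# SAMPLE is a constructed `netstat -an` snapshot; on a live host replace it
# with SAMPLE=$(netstat -an) and run the script under `watch`.

SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:40001       TIME_WAIT
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.9:40002 SYN_RECV
tcp        0      0 192.0.2.10:8080         203.0.113.9:40003       ESTABLISHED'

# Keep rows whose LOCAL address ends in :80. A plain `grep :80` would also
# keep the :8080 row above and any foreign port that starts with 80.
port80() { awk '$4 ~ /:80$/'; }

# Reduce IPv4, IPv6 and IPv4-mapped (::ffff:a.b.c.d) addresses to a bare
# address: drop the mapped prefix, then the trailing :port. `cut -d: -f1`
# would cut a real IPv6 address at its first colon; this does not.
bare_ip() { sed -e 's/^::ffff://' -e 's/:[0-9*]*$//'; }

# Connections per TCP state on port 80; SYN_RECV is the SYN-flood indicator.
by_state() {
  printf '%s\n' "$SAMPLE" | port80 | awk '{print $6}' | sort | uniq -c | sort -rn
}

# Connections per peer on port 80, busiest first (LISTEN has no peer).
by_peer() {
  printf '%s\n' "$SAMPLE" | port80 | awk '$6 != "LISTEN" {print $5}' \
    | bare_ip | sort | uniq -c | sort -rn
}

# Number of port-80 connections in one state, e.g. count_state SYN_RECV
count_state() {
  printf '%s\n' "$SAMPLE" | port80 | awk -v s="$1" '$6 == s' | wc -l | tr -d ' '
}

# Peer holding the most port-80 connections, and how many it holds
top_peer()       { by_peer | head -n 1 | awk '{print $2}'; }
top_peer_count() { by_peer | head -n 1 | awk '{print $1}'; }

echo "== by state =="; by_state
echo "== by peer =="; by_peer
echo "SYN_RECV: $(count_state SYN_RECV), top peer: $(top_peer) ($(top_peer_count))"
```

On a live host, 'watch -n 2 sh summary.sh' (with SAMPLE replaced by the real netstat output) gives the same rolling view as the watch commands above. Where netstat has been removed, 'ss -tan' prints the same rows but with the State column first, so the awk field numbers shift ($1 state, $4 local address, $5 peer).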

mod_spamhaus is an Apache module for DNS block listing that protects web services by denying access to listed IP addresses. It can stop spam relaying via web-form URL injection and block HTTP DDoS attacks from botnets.

It queries sbl-xbl.spamhaus.org, taking advantage of the Spamhaus Block List (SBL) and the Exploits Block List (XBL).

1. Download the latest mod_spamhaus deb package from the sid package repository (mod_spamhaus is not packaged for lenny, but the sid package works)

wget http://ftp.us.debian.org/debian/pool/main/m/mod-spamhaus/libapache2-mod-spamhaus_0.7-1_i386.deb

This package is for i386. If you are using another architecture, you can find a suitable package at the bottom of this page: http://packages.debian.org/sid/libapache2-mod-spamhaus

2. Install the package

dpkg -i libapache2-mod-spamhaus_0.7-1_i386.deb

Apache is restarted automatically and the module is enabled. To test the module you can add a line to your hosts file so that the module believes your IP address is listed (pico /etc/hosts)

127.0.0.4 1.0.168.192.sbl-xbl.spamhaus.org

Replace 1.0.168.192 with your own IP address written with its octets in reverse order, which is how DNS block lists are queried: 192.168.0.1 becomes 1.0.168.192.

By default, only POST, PUT, OPTIONS, CONNECT methods are blocked. You can add GET to the list of methods blocked in /etc/apache2/mods-enabled/mod-spamhaus.conf to block the spammers from seeing your website.
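To see what the module actually asks the DNS, and to verify the hosts-file trick from the shell rather than through Apache, here is an added example (not part of the original post or of mod_spamhaus): it builds the reversed-octet query name, emits the /etc/hosts test line, and, on a glibc (Linux) host, resolves the name with getent, which consults /etc/hosts first exactly as the module's resolver does. The zone name is the one the post gives; 127.0.0.4 is the code the post uses in its test line.

```shell
#!/bin/sh
# Added example: manual DNSBL query as performed by mod_spamhaus.
# Assumes a dotted IPv4 address and, for dnsbl_check, a Linux host with getent.

ZONE=sbl-xbl.spamhaus.org

# dnsbl_name A.B.C.D -> D.C.B.A.ZONE (octets reversed, as for reverse DNS)
dnsbl_name() {
  case "$1" in
    *.*.*.*) ;;
    *) echo "dnsbl_name: not a dotted IPv4 address: $1" >&2; return 1 ;;
  esac
  printf '%s\n' "$1" | awk -F. -v z="$ZONE" '{ print $4 "." $3 "." $2 "." $1 "." z }'
}

# hosts_test_line A.B.C.D -> /etc/hosts line that makes the module treat the
# address as listed. Spamhaus answers live in 127.0.0.0/8; 127.0.0.4 is the
# value the post's test line uses.
hosts_test_line() { printf '127.0.0.4 %s\n' "$(dnsbl_name "$1")"; }

# dnsbl_check A.B.C.D -> prints "listed <answer>" (return 0) or "clean" (1).
# getent reads /etc/hosts before DNS, so the test line above shows up here.
dnsbl_check() {
  name=$(dnsbl_name "$1") || return 2
  answer=$(getent hosts "$name" | awk 'NR == 1 { print $1 }')
  case "$answer" in
    127.0.0.*) echo "listed $answer"; return 0 ;;
    *)         echo "clean";          return 1 ;;
  esac
}

dnsbl_name 192.168.0.1        # 1.0.168.192.sbl-xbl.spamhaus.org
hosts_test_line 192.168.0.1   # 127.0.0.4 1.0.168.192.sbl-xbl.spamhaus.org
# dnsbl_check 192.168.0.1     # "listed 127.0.0.4" once the line is in /etc/hosts
```

Remember to remove the test line from /etc/hosts afterwards, or every request from that address stays blocked for as long as the line is there.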

HAVP (HTTP Antivirus Proxy) is an HTTP proxy that scans traffic with the ClamAV anti-virus engine. Its main aims are continuous, non-blocking downloads and smooth scanning of dynamic and password-protected HTTP traffic. HAVP supports a parent-proxy and a transparent-proxy mode, and it can be used together with Squid or standalone.

1. Install HAVP

apt-get install havp

2. Start HAVP if it didn’t start after the installation

/etc/init.d/havp start

It’s ready, by default HAVP listens on port 8080. You can configure your web browser to use the server as a proxy.

You can customize the error pages by editing the html files in this directory: /etc/havp/templates/en/

apache2-mpm-itk is an MPM (Multi-Processing Module) for the Apache web server. mpm-itk lets you run each vhost under its own uid and gid, so the scripts and configuration files of one vhost no longer have to be readable by all the other vhosts.

1. Install the apache2-mpm-itk package

apt-get install apache2-mpm-itk

2. Configure user and group for each virtual host by adding the following line somewhere between <VirtualHost *:80>…</VirtualHost>

AssignUserId [user] [group]

Replace [user] and [group] with a username and a group name that already exist on the system.

3. Change the owner of the web root

chown [user]:[group] [location]

Replace [user] and [group] with the username and group name configured on the virtual host. Replace [location] with the location specified as DocumentRoot for the virtual host, eg. /var/www

4. Make sure the location isn’t accessible by other users (optional)

chmod o= [location]

Replace [location] with the location specified as DocumentRoot for the virtual host, eg. /var/www

5. Restart apache

/etc/init.d/apache2 restart
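Steps 2 to 4 are easy to get half right (AssignUserId set but the DocumentRoot still world-readable, or owned by the wrong account). The script below is an added example, not part of the original post or of mpm-itk: it prints the vhost stanza for one site and audits a DocumentRoot for the owner, group and "other" bits the steps above require. The names site1, www-site1 and the paths are placeholders; the audit parses 'ls -ld', which has the same leading columns on GNU and BSD systems.

```shell
#!/bin/sh
# Added example: emit an mpm-itk vhost stanza and audit its DocumentRoot.
# NAME/USER/GROUP/DOCROOT are placeholders supplied by the caller.

# vhost_stanza NAME USER GROUP DOCROOT -> VirtualHost block with AssignUserId
vhost_stanza() {
  cat <<EOF
<VirtualHost *:80>
    ServerName $1
    DocumentRoot $4
    AssignUserId $2 $3
</VirtualHost>
EOF
}

# check_vhost_root DOCROOT USER GROUP -> 0 if the directory is owned by
# USER:GROUP and "other" has no permission bits (chmod o=), else 1 with reasons.
check_vhost_root() {
  dir=$1 want_user=$2 want_group=$3
  [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
  set -- $(ls -ld "$dir")            # mode links owner group size ...
  mode=$1 owner=$3 group=$4
  other=$(printf '%s' "$mode" | cut -c8-10)   # rwx bits for "other"
  rc=0
  [ "$owner" = "$want_user" ]  || { echo "$dir: owner is $owner, expected $want_user";  rc=1; }
  [ "$group" = "$want_group" ] || { echo "$dir: group is $group, expected $want_group"; rc=1; }
  [ "$other" = "---" ]         || { echo "$dir: other has '$other', run: chmod o= $dir"; rc=1; }
  return $rc
}

vhost_stanza site1.example.com site1 www-site1 /var/www/site1
# On the live system, after `chown site1:www-site1 /var/www/site1` and
# `chmod o= /var/www/site1`:
#   check_vhost_root /var/www/site1 site1 www-site1
```

Run the check for every vhost after step 4; a non-zero exit means another vhost's uid can still read that site's files, which is exactly what mpm-itk is meant to prevent.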

fail2ban monitors log files such as /var/log/auth.log and /var/log/apache/access.log and temporarily or persistently bans addresses with repeated failures by adding firewall rules. By default fail2ban ships jails for ssh, apache and vsftpd, but the configuration is easily extended to monitor any other text log file.

1. Install fail2ban

apt-get install fail2ban

2. Test by connecting via ssh and making three incorrect password attempts. By default fail2ban blocks the IP address for 10 minutes.

You can tail the fail2ban log file to monitor actions:

tail -f /var/log/fail2ban.log

Sample results

2010-06-21 22:27:58,953 fail2ban.jail : INFO Jail 'ssh' started
2010-06-21 22:29:36,430 fail2ban.actions: WARNING [ssh] Ban 192.168.1.18

3. (optional) Specify a list of IP addresses ignored by fail2ban. This can be useful to avoid getting locked out (pico /etc/fail2ban/jail.conf)

ignoreip = 127.0.0.1 192.168.1.0/24

Modify the ignoreip property and list the IP addresses or networks, separated by spaces. It is better to put such overrides in /etc/fail2ban/jail.local, which fail2ban reads after jail.conf, so that a package upgrade does not overwrite them.

4. Restart fail2ban (only required if you modified the ignoreip property)

/etc/init.d/fail2ban restart
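What the ssh jail does with those settings is simple enough to reproduce in a few lines, which also makes a useful offline check before changing maxretry or ignoreip. The script below is an added example, not part of the original post or of fail2ban: it runs the ssh jail's decision (count "Failed password" lines per source, skip anything in ignoreip, report sources at or above maxretry) over a constructed auth.log extract embedded in the script. It assumes all lines fall within one findtime window, so the time-window logic is left out; the addresses are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example: fail2ban ssh-jail decision over a constructed auth.log extract.
# AUTH_LOG is made up for the example; IGNOREIP uses jail.conf syntax.

AUTH_LOG='Jun 21 22:29:30 web sshd[2211]: Failed password for invalid user admin from 192.168.1.18 port 51122 ssh2
Jun 21 22:29:32 web sshd[2213]: Failed password for root from 192.168.1.18 port 51123 ssh2
Jun 21 22:29:35 web sshd[2215]: Failed password for root from 192.168.1.18 port 51124 ssh2
Jun 21 22:29:40 web sshd[2217]: Failed password for root from 203.0.113.5 port 40000 ssh2
Jun 21 22:30:01 web sshd[2219]: Accepted publickey for deploy from 192.168.1.20 port 51200 ssh2
Jun 21 22:30:05 web sshd[2221]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jun 21 22:30:09 web sshd[2223]: Failed password for invalid user test from 203.0.113.5 port 40002 ssh2
Jun 21 22:30:20 web sshd[2225]: Failed password for root from 198.51.100.7 port 33000 ssh2'

IGNOREIP='127.0.0.1 192.168.1.0/24'   # as in jail.conf: addresses or a.b.c.d/bits
MAXRETRY=3

# failures_by_ip -> "<count> <ip>" per source, matching the ssh filter's
# "Failed password for ... from <ip>" lines and nothing else
failures_by_ip() {
  printf '%s\n' "$AUTH_LOG" \
    | awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c
}

# ban_candidates [IGNOREIP] -> sources with >= MAXRETRY failures that are not
# covered by ignoreip. Prefix matching uses integer division by 2^(32-bits),
# because POSIX awk has no bitwise operators.
ban_candidates() {
  failures_by_ip | awk -v max="$MAXRETRY" -v ignore="${1-$IGNOREIP}" '
    function ip2n(ip,  o) { split(ip, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    function ignored(ip,  n, i, e, p, bits, blk) {
      n = split(ignore, e, " ")
      for (i = 1; i <= n; i++) {
        if (e[i] == "") continue
        bits = 32
        if (index(e[i], "/")) { split(e[i], p, "/"); e[i] = p[1]; bits = p[2] }
        blk = 2 ^ (32 - bits)
        if (int(ip2n(ip) / blk) == int(ip2n(e[i]) / blk)) return 1
      }
      return 0
    }
    $1 >= max && !ignored($2) { print $2 }'
}

echo "failures per source:"; failures_by_ip
echo "would ban:"; ban_candidates
```

With the sample above, 192.168.1.18 reaches maxretry but is inside 192.168.1.0/24 and is skipped, 198.51.100.7 has a single failure, and only 203.0.113.5 would be banned; calling ban_candidates with an empty ignore list shows the lockout the ignoreip step is there to prevent.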

Top 20 OpenSSH Server Best Security Practices

Posted: March 4, 2011 by Hacking & Relax in Linux, Sec webserver

OpenSSH is an implementation of the SSH protocol. OpenSSH is recommended for remote login, backups, remote file transfer via scp or sftp, and much more. SSH keeps data exchanged between two networks or systems confidential and intact; its main advantage, however, is server authentication through public key cryptography. From time to time there are rumours of an OpenSSH zero-day exploit. Here are a few things you need to tweak in order to improve OpenSSH server security. (more…)

Your website stores and uses many images in its articles, and other websites copy those articles and link directly (hotlink) to the images. This costs you a lot of bandwidth every month and slows your website down. So how do you stop this "link leeching"? There are many ways to block hotlinking in this situation: you can use a .htaccess file or reconfigure httpd.conf by adding the lines below.

Note: Apache's mod_rewrite must be enabled.
Open httpd.conf or .htaccess on your server/hosting.

# vi httpd.conf

(more…)

Connecting Securely

Often, using a remote MySQL database is as simple as opening an SSH session to the remote machine and typing 'mysql -u username -p' to use the MySQL command-line client. Sometimes, however, this is cumbersome and you may want a GUI management tool. That becomes a problem if the remote database is behind a firewall that does not allow remote connections to the MySQL port (3306 by default), or if you are worried about your session crossing the network in clear text: the MySQL protocol is unencrypted by default, so queries and results can be read by anyone who intercepts them. This short article describes how to connect to a remote MySQL server securely by forwarding a local port over SSH. The same method gets you past firewalls that allow SSH (port 22 open) but block MySQL (port 3306 closed). Bind the forwarded port to 127.0.0.1 and point the client at 127.0.0.1 rather than localhost, since on Unix the MySQL client treats localhost as the local socket and ignores the forwarded port. (more…)

Creating a Robots.txt Honeypot

Posted: February 23, 2011 by Hacking & Relax in Sec webserver

One standard form of information discovery and reconnaissance used by malicious attackers is to scan a target website and search for robots.txt files. The robots.txt file is designed to provide instructions to spiders or web crawlers about a site’s structure and more importantly to specify which pages and directories the spider should not crawl. Often these files are used to keep a spider from crawling sensitive areas of a website, such as administrative interfaces, so that search engines don’t cache the existence of such pages and functionality. It is precisely for this reason that a malicious attacker will look in a robots.txt file – they often provide roadmaps to sensitive data and administrative interfaces. (more…)
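Turning that observation into a trap is the honeypot of the title: list a path in robots.txt that exists nowhere else and watch for whoever requests it. The script below is an added example, not part of the original post: it prints such a robots.txt and runs two checks over a constructed Apache access.log extract, one for any request under the decoy path and one for sources that fetched robots.txt and only then hit the decoy, which is the reconnaissance pattern the post describes. The decoy path and the addresses are placeholders.

```shell
#!/bin/sh
# Added example: robots.txt honeypot plus the access.log check for it.
# DECOY is a placeholder path that is never linked from the site.

DECOY='/secret-admin-console/'

# robots_txt -> honeypot robots.txt; real sensitive paths are kept out of it
robots_txt() {
  printf 'User-agent: *\nDisallow: %s\n' "$DECOY"
}

# Constructed access.log lines in Apache combined format ($1 source, $7 path)
ACCESS_LOG='198.51.100.7 - - [23/Feb/2011:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Feb/2011:10:00:03 +0000] "GET /secret-admin-console/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
66.249.66.1 - - [23/Feb/2011:10:05:00 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Googlebot/2.1"
66.249.66.1 - - [23/Feb/2011:10:05:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Googlebot/2.1"
203.0.113.9 - - [23/Feb/2011:11:00:00 +0000] "GET /secret-admin-console/login HTTP/1.1" 404 209 "-" "curl/7.19"
203.0.113.9 - - [23/Feb/2011:11:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "curl/7.19"'

# decoy_hits -> every source that requested anything under the decoy path
decoy_hits() {
  printf '%s\n' "$ACCESS_LOG" | awk -v d="$DECOY" 'index($7, d) == 1 { print $1 }' | sort -u
}

# recon_ips -> sources that fetched robots.txt and afterwards hit the decoy.
# A well-behaved crawler (66.249.66.1) reads robots.txt and stays away;
# 203.0.113.9 hit the decoy before reading robots.txt, so it was guessing
# paths rather than following the file, and is reported by decoy_hits only.
recon_ips() {
  printf '%s\n' "$ACCESS_LOG" | awk -v d="$DECOY" '
    $7 == "/robots.txt"           { seen[$1] = 1 }
    index($7, d) == 1 && seen[$1] { hit[$1] = 1 }
    END { for (ip in hit) print ip }' | sort
}

robots_txt
echo "decoy hits:"; decoy_hits
echo "recon via robots.txt:"; recon_ips
```

Either list can be fed to fail2ban (see the fail2ban post above) as a custom filter on access.log, so a source that acts on the decoy is banned before it reaches anything real; keep the decoy path out of every other page so that ordinary visitors never trip it.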

Hardening PHP from php.ini

Posted: February 23, 2011 by Hacking & Relax in Sec webserver

PHP’s default configuration file, php.ini (usually found at /etc/php.ini on most Linux systems), contains a host of options that can be used to help secure your web applications. Unfortunately many PHP users and administrators are unfamiliar with the options php.ini offers and leave the file in its stock configuration. By using a few of the security-related options in the configuration file you can greatly strengthen the security posture of the web applications running on your server.

Safe Mode

(more…)