Archive for the ‘Linux Security’ Category

h1

Automated Process monitoring during high server load

August 26, 2010

root@myServer [/root]# cat load-process-monitor.sh
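#!/bin/bash
#
# load-process-monitor.sh
#
# Run every minute from root's crontab. When the integer part of the
# 1-minute load average exceeds LIMIT, it appends a process list, a top
# snapshot and per-peer connection counts to files under OUT_DIR and mails
# the process list to MAILTO. Otherwise it exits silently.
#
# Tunables (the environment overrides the defaults below):
#   LIMIT    integer load threshold. The original listing shipped with -1,
#            which alerts on every single run - keep that only for testing.
#   OUT_DIR  directory the snapshots are appended to.
#   MAILTO   alert recipient.
set -euo pipefail
# cron hands us a minimal PATH; set it once instead of hard-coding binaries.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

LIMIT=${LIMIT:-4}
OUT_DIR=${OUT_DIR:-/opt/loadcheck}
MAILTO=${MAILTO:-support@somedomain.com}
readonly SEP='#########################################################################################################################'

die() { printf 'load-process-monitor: %s\n' "$*" >&2; exit 1; }

# Print the 1-minute load average. /proc/loadavg has a fixed layout;
# `uptime | awk '{print $10}'` (the original) shifts with locale, the user
# count and how long the box has been up, and then picks the wrong field.
load_1m() {
  local l1 _rest
  read -r l1 _rest < /proc/loadavg
  printf '%s\n' "$l1"
}

# stdin: one "address:port" per line (IPv4 or IPv6). Strips the trailing
# ":port" only, so IPv6 addresses survive, and prints "count address"
# lines with the busiest peer last.
count_addrs() {
  sed 's/:[^:]*$//' | sort | uniq -c | sort -n
}

# Append the diagnostics to OUT_DIR. $1 is the already-captured ps listing.
snapshot() {
  local pslist=$1
  { cat -- "$pslist"; printf '%s\n' "$SEP"; } >> "$OUT_DIR/loadps.txt"
  # -b (batch mode) is required: without a tty, as under cron, top aborts.
  { top -b -c -n1; printf '%s\n' "$SEP"; } >> "$OUT_DIR/loadtop.txt"
  # NR > 2 skips netstat's two header lines; $5 is the foreign address.
  { netstat -ntu | awk 'NR > 2 {print $5}' | count_addrs
    printf '%s\n' "$SEP"; } >> "$OUT_DIR/netstat_all.txt"
  # Sockets whose *local* port is 80. The original grepped ":80" anywhere
  # in the line, which also matched foreign ports and e.g. :8080.
  { netstat -alntp | awk 'NR > 2 && $4 ~ /:80$/ {print $5}' | count_addrs
    printf '%s\n' "$SEP"; } >> "$OUT_DIR/netstat_port80.txt"
}

main() {
  [[ $LIMIT =~ ^-?[0-9]+$ ]] || die "LIMIT must be an integer, got '$LIMIT'"

  local load1 lavg
  load1=$(load_1m)
  lavg=${load1%%.*}   # integer part, which is what the original compared
  (( lavg > LIMIT )) || exit 0

  # Private scratch files. A root cron job must never write to fixed names
  # like /tmp/loadmon.txt or /opt/ps_output: any local user can pre-create
  # a symlink at such a name and have root overwrite an arbitrary file.
  local tmpdir
  tmpdir=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "$tmpdir"' EXIT
  local body="$tmpdir/loadmon.txt" pslist="$tmpdir/ps_output"

  # The listings expose command lines and peer addresses; keep them root-only.
  install -d -m 0700 -- "$OUT_DIR" || die "cannot create $OUT_DIR"

  local dt host lcurrent
  dt=$(date '+%A %b %e %r')
  host=$(hostname)
  lcurrent=$(cut -d' ' -f1-3 /proc/loadavg)

  ps auxf > "$pslist"
  {
    printf 'Current Time :: %s\n' "$dt"
    printf 'Current Load Average :: %s\n' "$lcurrent"
    printf 'current processes list attached with the email 1 instance\n'
    printf 'Also check loadps.txt :: loadtop.txt :: netstat_all.txt :: netstat_port80.txt inside %s/ on the server\n' "$OUT_DIR"
  } > "$body"

  # Body on stdin, listing as attachment. The original never fed the body
  # file to mutt and redirected mutt's stdout *onto* the attachment file,
  # which truncated it before mutt read it - the mail went out empty.
  # A mail failure must not prevent the on-disk snapshot.
  mutt -s "Server Load ALERT ::: High 1 minute load average on '$host'" \
       -a "$pslist" -- "$MAILTO" < "$body" \
    || printf 'load-process-monitor: mutt failed, snapshot still written\n' >&2

  snapshot "$pslist"
}

main "$@"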

root@myServer [/root]#

Add a cron entry to run load-process-monitor.sh every minute ( `* * * * * /bin/bash /path-to/load-process-monitor.sh` — it is a bash script, so run it with bash or make it executable rather than invoking it through `/bin/sh`). When the 1-minute load average goes beyond LIMIT (4 in this text; the listing above ships with LIMIT=-1, which alerts on every run, so set it before deploying) it sends you an email and logs the process and netstat listings, which can help to some extent to find pointers to the cause of the load.

h1

NMAP

September 23, 2008

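#!/bin/bash
#
# Install the nmap port scanner with yum and run a quick self-test against
# localhost. Must run as root (yum needs it).
#
# Set NMAP_REINSTALL=1 to remove an existing package first. The original
# script always did that, which leaves a window with no nmap at all and
# silently downgrades a newer build; a plain `yum install` is idempotent.
set -euo pipefail

die() { printf 'nmap-install: %s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "must run as root"

dots=$(printf '.%.0s' {1..120})
echo " ========== Installing NMAP network Scanner ================= "
echo "$dots"
echo "$dots"

if [[ ${NMAP_REINSTALL:-0} == 1 ]]; then
  echo "Cleaning old nmap installation, if any "
  yum -y remove nmap
  echo "$dots"
fi
echo "Install begins "
# Check yum's own status; the presence test below cannot tell a failed
# upgrade from a previously installed copy.
yum -y install nmap || die "yum install nmap failed"

# command -v follows PATH; the original tested only /usr/bin/nmap.
if command -v nmap >/dev/null 2>&1; then
  echo " Nmap successfully installed"
  echo " Testing Nmap "
  echo " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
  nmap -v localhost
else
  die " Nmap failed to install"
fi

echo " =========== Install NMAP network Scanner process completed  ==============="
echo "$dots"
echo "$dots"
echo "$dots"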

h1

iptables string match to drop malicious urls

August 5, 2008

iptables string match to drop malicious urls

==================================

Usually mod_security rules, combined with Apache, can filter many malicious URL attack patterns on the Apache ports (HTTP/HTTPS). But what if a malicious request using a vulnerable URL pattern — one that exposes or tries to break into your system — arrives on another port?

This is where iptables string match comes in handy.

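# Drop any inbound TCP segment whose payload contains the literal string
# "download?file=%2e%2e", on every port. The module is `-m string` and the
# pattern option is `--string`; the original listing ran the two together
# ("-m stringstring"), and its `–algo` used a typographic dash. `-s 0.0.0.0/0`
# is the default and is omitted. --icase also catches %2E%2E (needs an
# xt_string that supports it). This is a narrow signature, not a parser: it
# does not see TLS traffic, an unencoded "../", a double-encoded %252e, or a
# pattern split across two segments — keep mod_security or the application
# fix as the primary control.
/usr/local/sbin/iptables -I INPUT -p tcp -m string --string "download?file=%2e%2e" --algo bm --icase -j DROP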

[root@server ~]# iptables -L -v | grep STR
73 49908 DROP       tcp  —  any    any     anywhere             anywhere            STRING match “download?file=%2e%2e” ALGO name bm TO 65535

[root@server ~]#

The above iptables rule drops any TCP packet that contains the string "download?file=%2e%2e", on any port of your server. It is a byte signature, not a URL parser: a request sent as %2E%2E (unless --icase is used), as a literal ../, double-encoded, split across two TCP segments, or inside TLS will not match — so treat it as a stop-gap next to the real fix, not as the fix.

Note: your iptables binary path may be /sbin/iptables

Say http://yourserverIP:9132/blah/download?file=%2e%2e

h1

Prevent non-root users from logging

May 9, 2007

Prevent non-root users from logging

Imagine that for some reason (e.g. maintenance tasks) you want to prevent non-root users from logging into the system. The next tip is a very simple way to achieve this goal.

If a file called /etc/nologin exists, login(1) — and, where PAM's pam_nologin is configured, sshd and the other PAM-aware services — refuses to start a session for any user except root. If you put some text into the file, that text is shown to the user and the login attempt is refused. Note that it does not touch sessions that are already open, and remember to delete the file when maintenance is over, or nobody but root will get back in.

vi /etc/nologin

Server under maintenance. No access allowed at this moment.

h1

Tips and tricks

August 11, 2006

———————————————————————–

Q:- Find out top 10 directories eating up your disk space:
A:- du -sh -- * | sort -rh | head -10
(The form `du -csh * --max-depth=0 | sort -rn` often quoted for this sorts the human-readable sizes as plain numbers, so 900K outranks 2G; use `sort -h`, or drop -h and sort the byte counts.)
———————————————————————–

Q:- Find Harddisk Capacity on the box.
A:- fdisk -l | grep -iE 'mb|gb|tb'    (or, on any recent system: lsblk -d -o NAME,SIZE)
———————————————————————–

Q:- Find out performance of your hard disk with following command:
A:- hdparm -t -T /dev/hda
———————————————————————–

Q:- You can block all login access with following command:
A:- touch /etc/nologin
———————————————————————–

Q:- It is a good idea to encrypt a backup made with the tar command:
A:- tar -zcvf - * | openssl enc -aes-256-cbc -salt -pbkdf2 -pass file:/root/.backup-pass -out mybackup.tgz.enc
tar zcvf - /home | openssl enc -aes-256-cbc -salt -pbkdf2 -pass file:/root/.backup-pass | dd of=/dev/st0
To extract an encrypted archive:
openssl enc -d -aes-256-cbc -pbkdf2 -pass file:/root/.backup-pass -in mybackup.tgz.enc | tar zxvf -
dd if=/dev/st0 | openssl enc -d -aes-256-cbc -pbkdf2 -pass file:/root/.backup-pass | tar xzf -
Notes: the original `openssl des3 -k PASSWORD` is weak on two counts — 3DES is deprecated, and a password given on the command line is visible to every local user in `ps` and lands in the shell history; keep it in a root-only (mode 0600) file, or use `-pass env:VAR`. `-pbkdf2` needs OpenSSL 1.1.1 or later; older builds run the same commands without it, with a much weaker key derivation. There is no integrity check either: a tampered archive decrypts to garbage without an error, so keep a checksum of the ciphertext (or use gpg/age, which authenticate). The extension `.tbz` in the original was misleading — the archive is gzip-compressed.
————————————————————————

Q:- Delete a file securely, first overwriting it to hide its contents.
A:- $ shred -n 3 -z -u personalinfo.tar.gz
A:- srm filename
A:- wipe filename
Caveat: overwriting in place only works when the filesystem writes new data over the old blocks. On journaling filesystems in data=journal mode, copy-on-write filesystems (btrfs, ZFS), snapshots, and on SSDs with wear levelling, old copies can survive, so treat these tools as best-effort; full-disk encryption from the start is the reliable answer. A handful of passes is enough on modern drives — 200 buys nothing but wear.
—————————————
Q:- Delete file by inode:
A:- $ find . -inum 782263 -exec rm -i {} \;
————————————————————————

Q:- Forcefully unmount a CD/DVD-ROM or any other mounted partition with the
fuser command:
Ans:- fuser -km /dev/cdrom
fuser -km /mnt/cdrom
fuser -km /data2
Caveat: -k sends SIGKILL to every process using the mount — including your own shell if its working directory is inside it. Run `fuser -vm /mount` first to see who would be killed; for a stuck network mount `umount -l` (lazy) is usually the gentler option.
————————————————————————

Q: List open files under user nobody

A:- lsof -u nobody
————————————————————————-

h1

How do I Drop or block attackers IP with null routes?

July 4, 2006

Someone might attack your system. You can drop the attacker's IP using iptables. However, one of our senior sysadmins showed me something new: you can null-route the address (as ISPs sometimes do, so that your host never sends anything back to it), stopping many attacks that come from a single IP (read: spammers or scanners):

Suppose that bad IP is 65.21.34.4, type following command at shell:

# route add -host 65.21.34.4 reject
(or, with iproute2: `ip route add blackhole 65.21.34.4/32`). The form `route add 65.21.34.4 127.0.0.1` printed in older copies of this tip is not valid net-tools syntax; what it was trying to express is `route add -host 65.21.34.4 gw 127.0.0.1 lo`.

You can verify it with following command:

# netstat -nr

This is cool, as you do not have to play with iptables rules. Keep in mind what it does and does not do, though: a null route only stops your replies. The attacker's packets still arrive and are processed up to the point where an answer is needed, so TCP connections cannot complete but a volume flood or UDP abuse is not mitigated at all, and the route is gone after a reboot unless you persist it. For actually filtering inbound traffic, `iptables -I INPUT -s 65.21.34.4 -j DROP` is still the right tool.

h1

Dynamic DNS Setup

July 2, 2006

Notes on setting up a dynamic dns for home with bind-9.x

  1. Generating Secure DNS Keys
  2. On the home/client machine:

    # mkdir /etc/bind/tsig
    
    # cd /etc/bind/tsig
    
    # dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST host.domain.tld.

    Note the "." after the tld. This generates the public and the private key files, which for a TSIG key both contain the same shared secret — keep the directory root-only (chmod 0700). Prefer HMAC-SHA256 over the HMAC-MD5 used when this was first written; whichever you choose, the `algorithm` in the named.conf key stanza below must match it. BIND 9.9 and later also ship `tsig-keygen host.domain.tld.`, which prints the finished key stanza directly.

  3. named.conf
  4. On the remote server:

    Edit “/etc/named.conf” and add the generated key to the conf. (Note the trailing dot):

    key host.domain.tld. {
    
    algorithm hmac-sha256;   // must match the -a given to dnssec-keygen above (hmac-md5 if you kept the old one)
    
    secret "qUSfVtkYf7WLxiZaOTN3Ua==";   // the shared secret from the generated K*.private file; named.conf must not be world-readable once it is in here
    
    };

  5. Grant Authority
  6. Still on the remote server:

    Edit the “/etc/bind/zone.domain.tld” file, and modify the current allow-update line to include the key.

    allow-update   { key "default_key."; key "host.domain.tld."; };

    This grants the key full authority to modify any record within the domain (be warned): whoever holds the key file on the client can rewrite MX, NS or the apex. For a dynamic host, use `update-policy { grant host.domain.tld. name host.domain.tld. A; };` instead of allow-update, which limits the key to its own A record (the two statements are mutually exclusive in one zone).

    Restart named and make sure nothing is broken.

  7. nsupdate
  8. Back to the client machine:

    Run nsupdate to test that the client can now make updates.

    # nsupdate -k /etc/bind/tsig/Khost.domain.tld.*.key
    
    > update delete host.domain.tld A
    
    > update add host.domain.tld. 600 A 1.2.3.4
    
    > send
    
    > quit

    It first deletes host.domain.tld if it already exists, then recreates it with the given TTL, type, and IP address. The TTL is the time-to-live, which is a value used by other DNS servers to determine how often they refresh the entry for this host. A smaller values means they’ll refresh more often, which is what you want for a dynamic entry. “send” tells nsupdate to send the updates to the server.

  9. Automate
  10. Create a script and put it in a 10 minute cron to check for changes in the wan ip address and run nsupdate automagically.

    # cat /etc/cron.d/ddns
    
    SHELL=/bin/sh
    
    */10 * * * * root /etc/bind/ddns

    Below is an example script that gets the info from a Belkin wireless router within the home lan.

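    #!/bin/bash
    #
    # ddns - keep host.domain.tld pointing at this LAN's current WAN address.
    #
    # Run every 10 minutes as root from /etc/cron.d/ddns. The WAN address is
    # scraped from the Belkin router's status page; when it differs from the
    # last address that was successfully pushed, an nsupdate signed with the
    # TSIG key replaces the A record. Nothing is sent unless the scraped value
    # looks like an IPv4 address, so a changed router page can never wipe
    # the record.
    set -euo pipefail

    # Record to maintain. The original listing lost this assignment to a
    # comment ("# ddnsHOSTNAME=..."), so $HOSTNAME silently resolved to
    # bash's builtin - the machine's own hostname - and the wrong name was
    # deleted. The bash variable is also why this one is not called HOSTNAME.
    DDNS_HOST="host.domain.tld"
    TTL=600
    ROUTER="192.168.2.1"
    # Set to e.g. /var/log/ddns.log to see what the script decided.
    LOG="/dev/null"
    # Last pushed address. Not in /tmp: that directory is world-writable and
    # a root cron job must not trust a file any local user can pre-create.
    STATE_DIR="/var/lib/ddns"
    IP_FILE="$STATE_DIR/last_ip"

    log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >> "$LOG"; }
    die() { log "ERROR: $*"; printf 'ddns: %s\n' "$*" >&2; exit 1; }

    # Print the WAN address from the router's status page, or nothing.
    # Field 12 of the line matching "Up.*dw", split on single quotes, is
    # what this router model emitted when the post was written - confirm
    # the pattern against your own router's HTML before relying on it.
    current_wan_ip() {
      wget -q -T 10 -t 1 -O - "http://$ROUTER/" \
        | grep "Up.*dw" | tr '\n' ' ' | awk -F "'" '{print $12}'
    }

    # True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
    is_ipv4() {
      local ip=$1 octet
      [[ $ip =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
      for octet in "${BASH_REMATCH[@]:1}"; do
        # 10# forces decimal; a leading zero would otherwise mean octal.
        (( 10#$octet <= 255 )) || return 1
      done
    }

    # Replace the A record for $DDNS_HOST with $1, signed with the TSIG key.
    # Exactly one key file must match; an unquoted glob (the original) would
    # hand nsupdate a second file as the first "command" argument.
    do_nsupdate() {
      local new_ip=$1
      local -a keyfiles=( /etc/bind/tsig/Khost.domain.tld.*.key )
      (( ${#keyfiles[@]} == 1 )) && [[ -r ${keyfiles[0]} ]] \
        || die "expected exactly one readable key matching /etc/bind/tsig/Khost.domain.tld.*.key"
      log "New IP address ($new_ip) found. Updating..."
      # Commands are piped rather than given as a heredoc so the listing
      # stays valid regardless of indentation.
      printf 'update delete %s A\nupdate add %s %d A %s\nsend\nquit\n' \
        "$DDNS_HOST" "$DDNS_HOST" "$TTL" "$new_ip" \
        | nsupdate -k "${keyfiles[0]}" >> "$LOG"
    }

    main() {
      local new_ip old_ip=""
      # A failed fetch or a non-matching page yields an empty string, which
      # the validation below rejects before anything is sent.
      new_ip=$(current_wan_ip) || true
      is_ipv4 "$new_ip" || die "router did not yield a usable IPv4 address: '${new_ip}'"

      install -d -m 0700 -- "$STATE_DIR"
      if [[ -f $IP_FILE ]]; then
        old_ip=$(<"$IP_FILE")
      else
        log "Creating $IP_FILE..."
      fi

      if [[ $new_ip == "$old_ip" ]]; then
        log "new and old IPs (${old_ip}) are same. Exiting..."
        exit 0
      fi

      do_nsupdate "$new_ip"
      # Record the address only after the server accepted it, so a failed
      # update is retried on the next run instead of being forgotten (the
      # original wrote the file before calling nsupdate).
      printf '%s\n' "$new_ip" > "$IP_FILE"
    }

    main "$@"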