Chkrootkit is a tool that locally checks a system for signs of a rootkit. Its core is the chkrootkit shell script, which checks system binaries for rootkit modification.
Installation:
- Log in to your server as root over SSH.
- cd /usr/local/src
- Download chkrootkit:
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
(Plain FTP gives you no integrity guarantee for what you just fetched, and this is code you are about to run as root: compare the tarball against the checksum published on the chkrootkit site before building it.)
- Unpack the tarball:
# tar -xvzf chkrootkit.tar.gz
- Change into the new directory:
# cd chkrootkit*
- Compile chkrootkit:
# make sense
- Run chkrootkit:
# ./chkrootkit
How to set up a daily scan report
- Open the crontab:
# crontab -e
- Add this line:
0 1 * * * (cd /path/to/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output" email@domain.com)
This runs chkrootkit at 1am every day and e-mails the output to the address given. Change the time and the address to suit, and replace /path/to/chkrootkit with the directory you built in (here /usr/local/src/chkrootkit). Keep in mind that a rootkit which hooks the kernel can hide from a scanner running on the same host, so a clean daily report is a useful signal, not proof.
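A daily mail containing the full chkrootkit report is quickly ignored. The wrapper below is an added example, not part of chkrootkit or of this page's original cron line: it runs the scan from cron and mails only when the output contains a finding. The install directory and the recipient are assumptions, and the SAMPLE_OUTPUT lines are constructed to resemble chkrootkit's report format so the filter can be tried without a scan.

```shell
#!/bin/sh
# Added example (not part of chkrootkit): a wrapper for the daily cron run that
# mails only when the scan reports something, instead of a full report every
# night that nobody reads. Install directory and recipient are assumptions.

CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/usr/local/src/chkrootkit}"   # assumed build dir
MAILTO="${MAILTO:-root}"                                          # assumed recipient

# chkrootkit_findings: read chkrootkit output on stdin and print only the lines
# that indicate a finding. Clean results read "not infected", "not found" or
# "nothing detected" (lowercase), so matching the uppercase INFECTED plus the
# Warning/Vulnerable/PACKET SNIFFER markers keeps findings and drops the noise.
# Always exits 0 so callers test the output rather than the exit status.
chkrootkit_findings() {
    grep -E 'INFECTED|Warning|Vulnerable|PACKET SNIFFER' || :
}

# run_and_report: run the scan and mail the findings if there are any.
# Returns 2 when something was flagged, 0 when the scan was clean, 1 when the
# chkrootkit binary is missing, so a cron wrapper can tell the cases apart.
run_and_report() {
    [ -x "$CHKROOTKIT_DIR/chkrootkit" ] || return 1
    findings=$( (cd "$CHKROOTKIT_DIR" && ./chkrootkit 2>&1) | chkrootkit_findings )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings" | mail -s "chkrootkit findings on $(hostname)" "$MAILTO"
    return 2
}

# Constructed sample output in chkrootkit's report style, for trying the filter:
SAMPLE_OUTPUT='Checking ls... not infected
Checking bindshell... INFECTED PORTS: ( 465)
Checking lkm... chkproc: nothing detected
Checking sniffer... eth0: PACKET SNIFFER(/sbin/dhclient[1234])
Warning: Possible LKM Trojan installed'

case "${1:-}" in
    scan) run_and_report ;;
    demo) printf '%s\n' "$SAMPLE_OUTPUT" | chkrootkit_findings ;;
esac
```

Save it as, for example, /usr/local/sbin/chkrootkit-report and point the cron line at "/usr/local/sbin/chkrootkit-report scan" instead of piping the whole report into mail.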
Advanced Policy Firewall (APF) is an iptables (netfilter) based firewall system designed around the essential needs of today's Linux servers. The configuration is designed to be very informative and easy to follow. Day-to-day management is done from the command line with the 'apf' command, which includes detailed usage information on all the features.
Requirements:
- Root SSH access to your server
Install
Log in to your server through SSH and su to the root user.
cd /root/downloads (or another temporary folder where you keep downloaded files).
Configure the firewall (the examples below use the nano editor):
nano /etc/apf/conf.apf
What follows is the general configuration needed to get the firewall running, not a complete guide to every feature. Look through the README and the configuration file for an explanation of each option.
You may want to use DShield.org's "block" list of top networks that have exhibited suspicious activity:
FIND: USE_DS="0"
CHANGE TO: USE_DS="1"
Configuring Firewall Ports:
Cpanel Servers
Recommended settings for cPanel servers. Port lists are comma-separated with no spaces, and a range is written LOW_HIGH.
Common ingress (inbound) ports
# Common ingress (inbound) TCP ports - 3000_3500 = passive port range for Pure-FTPd
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"
Common egress (outbound) ports (only enforced when EGF="1"; with EGF="0" these lists are ignored)
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
Ensim Servers
Recommended settings for Ensim servers (the egress lists below only take effect with EGF="1"):
Common ingress (inbound) ports
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"
Common egress (outbound) ports
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
Plesk Servers
Recommended settings for Plesk servers:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,3306,4643,5224,8443,8447,10000,35000_35999"
(3306 opens MySQL to the whole Internet; leave it out unless remote database clients genuinely need it, and prefer allowing just their IPs via allow_hosts.rules.)
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="20,21,53,1040"
# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="0"
(With EGF="0" the EG_* lists below are ignored. Set EGF="1" to enforce them, which limits what a compromised account can connect out to; before you do, add every outbound port the server itself needs, for example 53/tcp for DNS answers too large for UDP, and the ports of your backup and update servers.)
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,3306,5224,8443,10000,35000_35999"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,37,53,123,1040"
# Common ICMP egress (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"
Save your changes! Ctrl + X then y (nano editor)
Starting the firewall
apf -s
Other commands:
usage /usr/local/sbin/apf [OPTION]
-s|--start ............. load firewall policies
-r|--restart ........... flush & load firewall
-f|--flush|--stop ...... flush firewall
-l|--list .............. list chain rules
-st|--status ........... firewall status
-a HOST|--allow HOST ... add host (IP/FQDN) to allow_hosts.rules and
immediately load new rule into firewall
-d HOST|--deny HOST .... add host (IP/FQDN) to deny_hosts.rules and
immediately load new rule into firewall
Once everything works, turn off development mode:
nano /etc/apf/conf.apf
# Set firewall cronjob (devel mode)
# 1 = enabled / 0 = disabled
DEVEL_MODE="0"
DEVEL_MODE="1" installs a cron job that flushes the firewall every five minutes, so a rule that locks you out of SSH undoes itself. Leave it at "1" while you test, and change it back to "0" once you have confirmed you can still reach the server; if you forget, the firewall silently drops all of its rules every five minutes.
Save your changes! Ctrl + X then y
Restart the firewall: apf -r
Make APF Start automatically at boot time
To autostart apf on reboot, run this:
chkconfig --level 2345 apf on
To remove it from autostart, run this:
chkconfig --del apf
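Editing conf.apf by hand is where the stray spaces in port lists creep in (the original cPanel IG_TCP_CPORTS line on this page had them). The script below is an added example, not part of APF: it writes the settings from the cPanel profile above into conf.apf and refuses any port list that is not in APF's LOW_HIGH, comma-separated form. The file path defaults to APF's real configuration but can be pointed at a copy, which is how you would test it before touching a production server; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of APF): script the conf.apf edits above instead of
# making them by hand, and validate each port list before it is written, since
# a stray space in IG_TCP_CPORTS is an easy way to load a broken policy.
# The cPanel lists below are the ones from this page; the file path defaults
# to APF's real config but can be pointed at a copy for testing.

APF_CONF="${APF_CONF:-/etc/apf/conf.apf}"

# port_ok N: true if N is an integer in 1..65535
port_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# apf_port_list_ok LIST: true if LIST is comma-separated ports and LOW_HIGH
# ranges (APF's range syntax) with no spaces, no empty items and valid numbers.
apf_port_list_ok() {
    list=$1
    case "$list" in
        ''|*[!0-9,_]*|','*|*','|*',,'*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=,
    set -- $list            # safe: the character check above excludes globs
    IFS=$oldifs
    for item in "$@"; do
        case "$item" in
            *_*)
                lo=${item%%_*}
                hi=${item#*_}
                port_ok "$lo" && port_ok "$hi" && [ "$lo" -lt "$hi" ] || return 1 ;;
            *)
                port_ok "$item" || return 1 ;;
        esac
    done
    return 0
}

# apf_set VAR VALUE [FILE]: rewrite the VAR="..." line in conf.apf in place.
# Fails rather than appending if VAR is not already in the file, which catches
# typos in the variable name. Uses GNU sed -i; VALUE must not contain | or &.
apf_set() {
    var=$1; val=$2; file=${3:-$APF_CONF}
    grep -q "^${var}=" "$file" || return 1
    sed -i "s|^${var}=.*|${var}=\"${val}\"|" "$file"
}

# apf_set_ports VAR LIST [FILE]: validate LIST, then write it.
apf_set_ports() {
    apf_port_list_ok "$2" || { echo "invalid port list for $1: $2" >&2; return 1; }
    apf_set "$1" "$2" "$3"
}

# apply_cpanel_profile [FILE]: the cPanel settings from this page, written
# without the stray spaces that appeared in the original IG_TCP_CPORTS line.
apply_cpanel_profile() {
    f=${1:-$APF_CONF}
    apf_set USE_DS 1 "$f" &&
    apf_set_ports IG_TCP_CPORTS "21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500" "$f" &&
    apf_set_ports IG_UDP_CPORTS "53" "$f" &&
    apf_set_ports EG_TCP_CPORTS "21,25,80,443,43,2089" "$f" &&
    apf_set_ports EG_UDP_CPORTS "20,21,53" "$f"
}

case "${1:-}" in
    apply) apply_cpanel_profile && apf -r ;;
esac
```

Run it first as "APF_CONF=/tmp/conf.apf.test ./apf-profile.sh apply" on a copy of the file and diff the result against the original; only then run it against /etc/apf/conf.apf, with DEVEL_MODE still at "1" so a mistake cannot lock you out.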
If the server load is high, work through the following checks:
1) top or top -n1
Check the load average and watch which processes sit at the top of the list.
2) free -m
Displays memory usage.
# vmstat : virtual memory statistics
# mymem : which services are consuming memory (not a standard tool; if it is not present, ps sorted on the %MEM column does the same job)
3) If a particular user is causing the high load, list that user's processes with "ps -u username -f", then take action against that user.
4) netstat -an | grep :80 | wc -l
Shows how many connections there are to Apache (httpd listens on port 80). Note that this counts sockets in every state, SYN_RECV and TIME_WAIT included, not only established ones.
5) netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Displays the number of connections from each IP. cut -d: -f1 truncates IPv6 addresses at their first colon, so on a dual-stack server strip the port with a regular expression instead.
6) If MySQL is using the CPU, check its status:
# watch mysqladmin proc
# mysqladmin -u root processlist
See which databases the long-running queries belong to and suspend that user if a database is using excessive resources.
7) Check /tmp. If a process is running from a file there and taking resources, chown the file to root:root and chmod 000 so it cannot be run again, and do the same for any .sh script found running from /tmp. World-writable /tmp is where uploaded scripts usually land; mounting it noexec stops binaries dropped there from executing directly (scripts started through their interpreter still run).
8) If exim is using a lot of resources, check the exim logs and queue. Useful commands:
replace :blackhole: :fail: -- /etc/valiases/*
(Rewrites every cPanel default address from :blackhole: to :fail:, so mail to non-existent addresses is rejected at RCPT time instead of being accepted and discarded after delivery processing, which removes a large source of queue load from dictionary spam. The replace utility ships with MySQL.)
w : currently logged-in users
exim -bp | exiqsumm : summary of the queue per domain
If Exim is the cause
exim -bpc
Shows the total number of messages in the queue.
eximstats -nr -ne /var/log/exim_mainlog
Total mail server report.
pidof exim
Shows the PIDs of the running exim processes.
exim -bpr | grep frozen | wc -l
Shows the number of frozen messages.
exiqgrep -z -i | xargs exim -Mrm
Deletes the frozen messages from the queue. exiqgrep queries the queue itself and ignores stdin, and without -z its -i option selects every message, so "exim -bp | exiqgrep -i | xargs exim -Mrm" would empty the whole queue, legitimate mail included; use the -z form.
tail -f /var/log/exim_mainlog | grep public_html
Checks for spamming from a PHP script in a user's public_html.
tail -f /var/log/exim_mainlog | grep /tmp
Checks who is spamming through a script in /tmp.
tail -3000 /var/log/exim_mainlog | grep 'rejected RCPT' | awk '{print $4}' | awk -F'[' '{print $2}' | awk -F']' '{print $1}' | sort | uniq -c | sort -k1 -nr | head -n 5
Displays the five IPs with the most attempts to send mail that the server rejected.
netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk1
Shows the number of connections to the SMTP server from each IP.
exim -bp | exiqsumm | more
Shows each domain and the number of queued messages for that domain.
If the spam comes from an outside domain, you can block that domain or address on the server:
pico /etc/antivirus.exim
Add the following lines (this is cPanel's system filter file, in Exim filter syntax):
if $header_from: contains "name@domain.com"
then
  seen finish
endif
Catching the spammer
exim -bp | exiqsumm | more
exim -bpr | grep "<*@*>" | awk '{print $4}' | grep -v "<>" | sort | uniq -c | sort -n
Shows, for each sender address, how many messages from it are currently in the queue, smallest count last.
exim -bpr | grep "<*@*>" | awk '{print $4}' | grep -v "<>" | awk -F "@" '{print $2}' | sort | uniq -c | sort -n
The same count aggregated per sender domain.
Check whether a PHP script is causing the mass mailing:
cd /var/spool/exim/input
grep -R "X-PHP-Script" .
Each hit is a spool header file named after a message ID; cat that file and its X-PHP-Script header tells you which script, and from which client IP, generated the mail.
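The exim_mainlog checks above (top rejected senders, and mail submitted from public_html or /tmp) are easier to reuse as functions than as one-liners retyped under pressure. The script below is an added example, not part of Exim or cPanel: it reads log lines on stdin, so it works on a tail of the live log or on a saved copy, and takes the client IP from the bracketed [addr] field rather than by column number, which survives unusual spacing in the H= host name. It assumes cPanel's exim logs the submitting process's working directory as cwd= on local submissions; the SAMPLE_LOG lines are constructed in mainlog format with made-up hosts and message IDs.

```shell
#!/bin/sh
# Added example (not part of Exim or cPanel): the exim_mainlog checks from this
# page as functions reading log lines on stdin. Client IPs come from the
# bracketed [addr] field, not a column number. SAMPLE_LOG is constructed.

# exim_rejected_rcpt_top [N]: "COUNT IP" for the N (default 5) client IPs
# with the most "rejected RCPT" entries, most frequent first.
exim_rejected_rcpt_top() {
    sed -n 's/.*\[\([0-9A-Fa-f.:]*\)\] .*rejected RCPT.*/\1/p' \
        | sort | uniq -c | sort -k1,1nr -k2 | head -n "${1:-5}" \
        | awk '{print $1, $2}'
}

# exim_script_senders: messages handed to exim by a process whose working
# directory (the cwd= field cPanel's exim logs for local submissions) was /tmp
# or a user's public_html, i.e. the PHP-script and /tmp spam the page greps
# for. Prints "COUNT DIRECTORY", busiest first.
exim_script_senders() {
    grep -E 'cwd=(/tmp|/home/[^ ]*/public_html)' \
        | sed -n 's/.*cwd=\([^ ]*\).*/\1/p' \
        | sort | uniq -c | sort -k1,1nr -k2 | awk '{print $1, $2}'
}

# Constructed sample in exim mainlog format (hosts, IDs and addresses are made up):
SAMPLE_LOG='2007-10-04 13:22:01 H=(bad.example) [192.0.2.10] F=<a@bad.example> rejected RCPT <u@victim.example>: relay not permitted
2007-10-04 13:22:02 H=(bad.example) [192.0.2.10] F=<b@bad.example> rejected RCPT <v@victim.example>: relay not permitted
2007-10-04 13:22:03 H=(other.example) [198.51.100.7] F=<c@other.example> rejected RCPT <w@victim.example>: Unknown user
2007-10-04 13:22:04 1Ie3Jk-0001Ab-Cd <= www-data@host.example U=www-data P=local S=812 cwd=/home/victim/public_html/blog
2007-10-04 13:22:05 1Ie3Jk-0001Ab-Ce <= nobody@host.example U=nobody P=local S=700 cwd=/tmp
2007-10-04 13:22:06 1Ie3Jk-0001Ab-Cf <= www-data@host.example U=www-data P=local S=812 cwd=/home/victim/public_html/blog
2007-10-04 13:22:07 1Ie3Jk-0001Ab-Cg <= user@host.example U=user P=local S=500 cwd=/home/user'

case "${1:-}" in
    demo)
        printf '%s\n' "$SAMPLE_LOG" | exim_rejected_rcpt_top
        printf '%s\n' "$SAMPLE_LOG" | exim_script_senders ;;
    live)
        tail -n 3000 /var/log/exim_mainlog | exim_rejected_rcpt_top
        tail -n 3000 /var/log/exim_mainlog | exim_script_senders ;;
esac
```

On the sample the first function reports 192.0.2.10 with two rejections and the second reports the blog directory under public_html twice and /tmp once, while the ordinary cwd=/home/user submission is ignored. The directories it prints are the ones to look in for the script, and the IPs are candidates for the apf -d / csf -d commands later on this page.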
Use the command below to get the top memory-consuming processes (sorted on the %MEM column; the old "sort +3" key syntax is written -k4 today):
ps aux | head -1; ps aux --no-headers | sort -k4 -rn | head
Use the command below to get the top CPU-consuming processes (sorted on the %CPU column):
ps aux | head -1; ps aux --no-headers | sort -k3 -rn | head
To check whether a backup is running:
# ps aux | grep "[p]kg"
# ps aux | grep "[g]zip"
# ps aux | grep "[b]ackup"
(The bracket trick stops grep from matching its own command line.) If a backup is running during the load spike, kill it or renice it, and move its schedule to an off-peak time so the problem does not recur.
To trace the user responsible for high web server resource usage, look for large downloads in the access log:
grep mp3 /etc/httpd/logs/access_log
grep rar /etc/httpd/logs/access_log
grep wav /etc/httpd/logs/access_log
(and so on for other large file types)
grep " 408 " /etc/httpd/logs/access_log
Lists requests that ended with HTTP 408 (request timeout) and can be used to check for DoS attacks: a stream of 408s from a few IPs is the signature of a slow-connection attack that holds Apache workers open without ever completing a request.
Port scanning :
root@ [/tmp]# nmap localhost
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-10-04 13:22 MYT
Interesting ports on localhost (127.0.0.1):
Not shown: 1664 closed ports
PORT STATE SERVICE
1/tcp open tcpmux
21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
465/tcp open smtps
631/tcp open ipp
783/tcp open spamassassin
953/tcp open rndc
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
Nmap finished: 1 IP address (1 host up) scanned in 0.125 seconds
root@ [/tmp]#
netstat -anp | grep :3306
Shows which local processes and remote addresses are attached to MySQL (port 3306). Note that nmap localhost scans the loopback interface, so the list above also includes services bound only to 127.0.0.1; to see what is actually reachable through APF, scan the server's public IP from another host.
DDOS ATTACK:
ps aux | grep -c httpd : shows the number of httpd processes on the server (ps counts processes, not connections; use netstat for connections)
netstat -ntu | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n : shows the number of connections to port 80 from each IP (netstat -l would list only listening sockets, so it cannot show client connections)
Check the IPs and block them with the firewall, whether apf, csf or plain iptables:
For iptables : iptables -I INPUT -s ip_address -j DROP (-I puts the rule ahead of any existing ACCEPT rules; -A would append it after them, where it may never be reached)
For apf : apf -d ip_address
For CSF : csf -d ip_address
If the load is due to spamd:
Issue
Load problems on a cPanel 11 box (and later versions) caused by spamd are quite common; sometimes it takes more than 90% of the CPU. Here are some ways to reduce it.
Solution
1. Edit the /etc/mail/spamassassin/local.cf file
vi /etc/mail/spamassassin/local.cf
and add the following lines (uncomment them if they are already present but commented out):
a) use_bayes 0 (disables Bayesian classification, the most CPU- and I/O-hungry part of SpamAssassin; some spam will score lower as a result)
b) lock_method flock
2) Run scripts2/autofixer/spamd_dbm_fix
a) Log into WHM, open "http://<server IP>:2086/scripts2/autofixer", enter the script name "spamd_dbm_fix" and run it.
b) Or run the same fix from the server's command line.
NOTE: If the load issue is tied to a particular user, there is no need to run the autofixer; simply go into that user's '.spamassassin/' directory and delete the files '__db.bayes_toks.new' and *.lock.
Shows every process, their pid, % of cpu, memory size, name, and what syscall they are currently executing. Nifty.
whereis locates the source, binary and manual page sections for the specified files. The supplied names are first stripped of leading path components and any single trailing extension of the form .ext (for example .c); prefixes of s. resulting from source code control are also handled. whereis then attempts to locate the program in a list of standard Linux places. For example, to find out where the ls command lives:
$ whereis ls
To see the total number of Apache connections and then the number sitting in SYN_RECV:
netstat -an | grep :80 | wc -l
netstat -an | grep SYN_RECV | wc -l
A large SYN_RECV count relative to established connections points to a SYN flood; make sure SYN cookies are on (net.ipv4.tcp_syncookies = 1) so the half-open queue cannot be exhausted.
Use lsof to see which connections are real, established sessions rather than defunct ones, and compare their IPs with the ones stuck in SYN_RECV:
lsof -i :80
How to get all the connections to your web server:
netstat -an | grep :80 | wc -l
The port specified above is 80, the port the web server uses, whether it is Apache, lighttpd, LiteSpeed or anything else; add 443 if the server also serves HTTPS.
How to get all the IPs and the number of their connections to the server: use the netstat | awk | sort | uniq -c command given in the high-load section above.
To defend against DDoS attacks you will want some help from a third-party tool. One such tool is DDoS Deflate, which counts the connections from each IP address and blocks any address that exceeds a limit for a set period of time.
DDoS Deflate can help protect your server from DDoS attacks
DDoS Deflate is a shell script that bans the IPs which reach the number of connections you specify, and keeps them banned for the time set in its configuration.
DDoS Deflate installation guide:
To install it, first SSH to your server and download it there.
You can configure DDoS Deflate to e-mail you whenever an IP is banned for exceeding the connection limit; put the address after the equals sign, in quotes:
EMAIL_TO="your_email@domain.com"
Check frequency
FREQ is the interval, in minutes, between runs of the check. The script is run from cron, so 1 is the smallest value and means once per minute; it cannot run more often than that. After changing it, re-run the script with its --cron option so the new schedule takes effect.
FREQ=1
Maximum number of connections per IP
Specify how many simultaneous connections from one address mark it as bad. The original script counts connections on every port (it works from netstat -ntu), so allow for FTP and mail sessions as well as Apache when you pick the limit; the script's default is 150, and a value between 100 and 200 suits most servers. Put proxies, NAT gateways, your monitoring host and your own addresses in the ignore list so they are never banned.
NO_OF_CONNECTIONS=150
APF ban variable in DDoS Deflate
If you have APF installed, set this to 1; set it to 0 to have the script drop IPs with iptables instead.
APF_BAN=0
Kill or not: test mode or active mode
Set this to 1 to actually ban suspicious IPs, or to 0 for test mode, in which the script only reports what it would have banned, which is useful for tuning the threshold without locking anyone out.
KILL=1
Ban period
This option sets how long an address identified as bad stays banned. The value is in seconds, not minutes (the script's default is 600); anything between 300 and 1200 seconds is reasonable.
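The "connections per IP" one-liners in the high-load and DDoS sections above, and the threshold-and-ban loop that DDoS Deflate automates, are the same idea. The script below is an added example, not DDoS Deflate's own code: it counts remote addresses in netstat -ntu output, skips an ignore list, and prints the ban command for every address at or above the limit. Two things differ from the one-liners on this page: the port is stripped with a regular expression instead of cut -d: -f1, so IPv6 peers are not truncated, and nothing is executed unless you pipe the output to sh (the equivalent of KILL=0). The thresholds, the ignore list and the ban period are assumptions, and the SAMPLE_NETSTAT lines are constructed.

```shell
#!/bin/sh
# Added example (not DDoS Deflate's own code): the core of what DDoS Deflate
# does, as functions you can run by hand against netstat output. Thresholds,
# the ignore list and the ban period are assumptions; SAMPLE_NETSTAT is
# constructed to look like `netstat -ntu` output.

NO_OF_CONNECTIONS="${NO_OF_CONNECTIONS:-150}"   # DDoS Deflate's default limit
BAN_PERIOD="${BAN_PERIOD:-600}"                 # seconds, DDoS Deflate's default
IGNORE_IPS="${IGNORE_IPS:-127.0.0.1 ::1}"       # never ban these; add your own IPs

# conn_counts: read `netstat -ntu` output on stdin, print "COUNT IP" for each
# remote address, busiest first. Header lines and unconnected UDP sockets
# (foreign address *, 0.0.0.0:* or :::*) are skipped. The port is removed with
# a regex so an IPv6 peer such as 2001:db8::7 keeps all of its hextets.
conn_counts() {
    awk '$1 ~ /^(tcp|tcp6|udp|udp6)$/ && $5 !~ /^(\*|0\.0\.0\.0:|:::)/ {
             ip = $5; sub(/:[0-9]+$/, "", ip); count[ip]++
         }
         END { for (ip in count) print count[ip], ip }' \
    | sort -k1,1nr -k2
}

# ban_candidates: from "COUNT IP" lines on stdin, print the IPs at or above
# NO_OF_CONNECTIONS that are not in IGNORE_IPS.
ban_candidates() {
    while read -r count ip; do
        [ "$count" -ge "$NO_OF_CONNECTIONS" ] || continue
        case " $IGNORE_IPS " in *" $ip "*) continue ;; esac
        echo "$ip"
    done
}

# ban_cmd IP: the command DDoS Deflate would issue for IP (APF_BAN=1 style if
# apf is installed, otherwise an iptables DROP inserted ahead of existing rules).
ban_cmd() {
    if [ -x /etc/apf/apf ]; then
        echo "/etc/apf/apf -d $1"
    else
        echo "/sbin/iptables -I INPUT -s $1 -j DROP"
    fi
}

# unban_cmd IP: what to run BAN_PERIOD seconds later to lift the ban again.
unban_cmd() {
    if [ -x /etc/apf/apf ]; then
        echo "/etc/apf/apf -u $1"
    else
        echo "/sbin/iptables -D INPUT -s $1 -j DROP"
    fi
}

SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.1:80            198.51.100.5:40001      ESTABLISHED
tcp        0      0 192.0.2.1:80            198.51.100.5:40002      SYN_RECV
tcp        0      0 192.0.2.1:80            198.51.100.5:40003      ESTABLISHED
tcp        0      0 192.0.2.1:22            203.0.113.9:51000       ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8::7:33000       ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
tcp        0      0 127.0.0.1:3306          127.0.0.1:55000         ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:55001         ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:55002         ESTABLISHED'

# Dry run: print the ban commands rather than executing them (KILL=0 behaviour).
# Pipe the output to sh to apply them, and schedule unban_cmd after BAN_PERIOD.
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_NETSTAT" | conn_counts | ban_candidates | while read -r ip; do ban_cmd "$ip"; done ;;
    live) netstat -ntu | conn_counts | ban_candidates | while read -r ip; do ban_cmd "$ip"; done ;;
esac
```

With NO_OF_CONNECTIONS=3 the sample yields one candidate, 198.51.100.5 (its SYN_RECV socket counts, as it does in DDoS Deflate); 127.0.0.1 also has three connections but sits in the ignore list, which is exactly the case that bites servers where a local proxy or MySQL client would otherwise be banned. Run "./ddos-check.sh live" by hand first, with a realistic limit, and only pipe it to sh once the candidates it prints are ones you are happy to block.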