First verify whether the box is really compromised.
Check /etc/passwd and verify the uid of the user news:
# grep -i news /etc/passwd
Result: news:x:0:0:news:/etc/news:/bin/bash
This shows that the user news has uid and gid 0, so it has full root privileges, and it also has a full login shell.
Check the /tmp directory for any suspicious files:
# ls -al /tmp
Check the process tree for any suspicious processes:
# ps aux --forest
Check for any established connections:
# netstat -plan
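The uid-0 check above looks at one account by name. As an added example (not part of the original post), the following shell function generalises it to every account in a passwd-format file, reporting any account other than root that carries uid 0 or gid 0 and whether its shell is interactive. The passwd content is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit every account in a
# passwd-format file instead of grepping for one name.

# Constructed sample passwd content for the demonstration (not a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
news:x:0:0:news:/etc/news:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
vivek:x:500:500:Vivek:/home/vivek:/bin/bash
backup:x:0:34:backup:/var/backups:/usr/sbin/nologin
EOF
}

# Read passwd lines on stdin and print every account other than root that
# carries uid 0 or gid 0.  Output: name uid gid shell interactive|no-login-shell
# A shell ending in "sh" (bash, sh, zsh, ...) is treated as interactive;
# /sbin/nologin, /bin/false and /bin/sync are not.
audit_root_accounts() {
    awk -F: '
        ($3 == 0 || $4 == 0) && $1 != "root" {
            kind = ($7 ~ /sh$/) ? "interactive" : "no-login-shell"
            print $1, $3, $4, $7, kind
        }'
}

# Number of non-root accounts that combine uid 0 with an interactive shell:
# the condition that turns the "news" account above into a full root shell.
count_root_shells() {
    audit_root_accounts | awk '$2 == 0 && $5 == "interactive"' | wc -l | tr -d ' '
}

# Stand-alone run over the sample; on a live box use: audit_root_accounts < /etc/passwd
sample_passwd | audit_root_accounts
```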
You will find the description of FIN_WAIT2 and TIME_WAIT in the netstat man page; type 'man netstat' in the shell. You can reduce the number of connections sitting in FIN_WAIT2 and TIME_WAIT by doing the following:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Put the following in /etc/sysctl.conf:
# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1
# Decrease the default value for the tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 30
# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
Then execute the command:
# /sbin/sysctl -p
Using IPtables
==============
You can also execute the following commands to minimize SYN attacks in the future:
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
service iptables save
service iptables restart
# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
# Limiting the incoming ICMP ping requests:
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "PING-DROP: "
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
Let us assume that you need to limit incoming connections to the ssh server (port 22) to no more than 10 connections in 10 minutes:
iptables -I INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
=================================
The following command should aid you in isolating which site was responsible for this injection:
find /usr/local/apache/domlogs/ -exec egrep -H '(wget|curl|lynx)%20' {} \;
========================================================
A quick and useful command for checking whether a server is under DDoS is:
# netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
# netstat -anp | grep SYN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
# netstat -anp | grep FIN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
These will list the IPs holding the most connections to the server.
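The one-liners above split the peer address on the first colon, which turns a tcp6 peer such as 2001:db8:1::7 into "2001". As an added example (not from the original post), this function strips only the trailing :port so IPv6 peers are counted correctly, skips wildcard peers, and can filter on a single state such as SYN_RECV. The netstat lines are constructed sample output with fictional addresses.

```shell
#!/bin/sh
# Added example, not from the original post: count connections per remote
# peer from netstat -anp output without breaking on IPv6 addresses.

# Constructed sample in the layout of netstat -anp (fictional addresses).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      SYN_RECV    -
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      SYN_RECV    -
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:22             203.0.113.9:40000       ESTABLISHED 987/sshd
tcp6       0      0 2001:db8::5:80          2001:db8:1::7:55000     SYN_RECV    -
tcp6       0      0 2001:db8::5:80          2001:db8:1::7:55001     SYN_RECV    -
udp        0      0 0.0.0.0:123             0.0.0.0:*                           -
EOF
}

# top_peers [STATE]: read netstat lines on stdin, optionally keep only one
# TCP state (e.g. SYN_RECV), and print "count peer" sorted ascending, like
# the one-liners above.  cut -d: -f1 would turn 2001:db8:1::7 into "2001";
# here only the trailing ":port" is removed, so IPv6 peers stay intact.
top_peers() {
    want="${1:-}"
    awk -v want="$want" '
        $1 ~ /^(tcp|udp)6?$/ {
            if (want != "" && $6 != want) next
            peer = $5
            sub(/:[^:]*$/, "", peer)
            # wildcard peers (listening / unconnected sockets) are not remote hosts
            if (peer == "0.0.0.0" || peer == "::" || peer == "") next
            count[peer]++
        }
        END { for (p in count) print count[p], p }' | sort -n
}

# Stand-alone run over the sample; on a live box: netstat -anp | top_peers SYN_RECV
sample_netstat | top_peers
```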
=========================================================
To kill perl processes:
ps auxww | grep '[p]erl' | awk '{print $2}' | xargs kill -9
It is working for me [sometimes]. Also, you can modify the command with the most used attacking words like wget, etc.
find /usr/local/apache/domlogs/ -exec egrep -H '(wget|curl|lynx)%20' {} \;
The --bwlimit option limits I/O bandwidth. You need to set the bandwidth in KBytes per second. For example, to limit I/O bandwidth to 10000KB/s (9.7MB/s), enter:
# rsync --delete --numeric-ids --relative --delete-excluded --bwlimit=10000 /path/to/source /path/to/dest/
For more details see http://www.cyberciti.biz/faq/throttle-disk-io-rate-limit-disk-io
To disable ping
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
To enable ping
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Type the mount command to display the filesystem type, such as ext2, ext3 and so on:
mount
Sample output:
/dev/sdb1 on / type ext3 (rw,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
/sys on /sys type sysfs (rw,noexec,nosuid,nodev)
/dev/sdb5 on /media/docs type ext3 (rw)
/dev/sdb3 on /media/isomp3s type ext3 (rw)
/dev/sdc1 on /media/backup type ext3 (rw)
/dev/sdb1 is mounted on / and its type is ext3.
You can also use the command:
less /proc/mounts
Is it OK to clean up all directories and files in /tmp?
Clean all? I think not, because some are used by the system and your user.
You may need to use a command called tmpwatch, which removes files that haven't been accessed for a period of time. Normally it's used to clean up directories used for temporary holding space, such as /tmp.
The following command will remove all files/dirs from /tmp if they have not been accessed in the last 2 weeks (24 hours * 14 days = 336 hours):
tmpwatch --mtime --all 336 /tmp
Also:
tmpwatch -auv 1 /tmp
Make sure that you have installed "tmpwatch" on the server using yum or rpm.
After installing a new Linux system, or after configuring a new network service/server, you may need to verify which ports are listening on the system's network interfaces, including their bindings.
Use any one of the following commands to find this information:
lsof -i
nmap localhost
netstat -an
netstat -tulpn
nmap -sT -O localhost
If you find an unwanted open port, it can be confirmation of an intrusion or cracker on your system.
For more advanced usage of these commands, read the man pages of the corresponding commands.
New users often get confused by Linux security permissions. Simply mounting a USB flash drive as a normal (non-root) user can be a hard task.
Truth:
The mount command can be issued only by the root user.
Solution:
Give a normal user permission to mount a USB pen or flash drive.
#1: Create a directory
# mkdir /mnt/usbpen
#2: Find out USB pen drive name
# fdisk -l
Output of fdisk -l command:
Disk /dev/hdb: 80.0 GB, 80060424192 bytes
255 heads, 63 sectors/track, 9733 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/hdb1 * 1 2432 19535008+ 83 Linux
/dev/hdb2 2433 2554 979965 82 Linux swap / Solaris
/dev/hdb3 2555 6202 29302560 83 Linux
/dev/hdb4 6203 9733 28362757+ 5 Extended
/dev/hdb5 6203 9733 28362726 83 Linux
Disk /dev/sda: 256 MB, 256901120 bytes
8 heads, 62 sectors/track, 1011 cylinders
Units = cylinders of 496 * 512 = 253952 bytes
Device Boot Start End Blocks Id System
/dev/sda1 1 1011 250697 b W95 FAT32
In the above output, /dev/sda1 is my flash drive.
#3: Open the /etc/fstab file
Append the following line:
/dev/sda1 /mnt/usbpen auto noauto,user,rw,exec 0 0
#4: Save the file and log in as the normal user:
$ mount /mnt/usbpen
Recently I decided to use my old TV card with Linux, so here are quick commands to get started with it.
First make sure your card is supported: it should be listed in the kernel's /usr/src/linux/Documentation/video4linux/CARDLIST.tuner or /usr/src/linux/Documentation/video4linux/CARDLIST.bttv file, and support must be compiled into the kernel.
Turn off the computer and add the TV tuner card.
Turn on the computer and boot into Linux.
Make sure your card is listed and recognised by Linux:
lspci | less
dmesg | less
If you can see your card listed then you can move to the next step, i.e. load the drivers for the TV tuner card with the following commands:
modprobe bttv
modprobe tuner
Start watching TV:
xawtv &
Note: if xawtv is not installed then use apt-get or yum to install it:
apt-get install xawtv
If you have Fedora or Red Hat then use yum:
yum install xawtv
history
history | less
# history
This is the command to see all the commands entered at the terminal. They are stored in the /root/.bash_history file for the user root, and similarly for other users in the .bash_history file in their home directory.
Keep in mind that a smart user can delete the history file or just link it to /dev/null; a better way is to configure process and command auditing.
How to keep a detailed audit trail of what’s being done on your Linux systems?
Intrusions can take place from both authorized (insider) and unauthorized (outsider) users. My personal experience shows that an unhappy user can damage the system, especially when they have shell access. Some users are a little smart and remove the history file (such as ~/.bash_history), but you can still monitor all commands executed by users.
It is recommended that you log user activity using process accounting. Process accounting allows you to view every command executed by a user, including CPU and memory time. With process accounting, a sysadmin can always find out which command was executed at what time.
The psacct package contains several utilities for monitoring process activities, including ac, lastcomm, accton and sa.
* The ac command displays statistics about how long users have been logged on.
* The lastcomm command displays information about previous executed commands.
* The accton command turns process accounting on or off.
* The sa command summarizes information about previously executed commands.
Task: Install psacct or acct package
Use the up2date command if you are using RHEL 4.0 or earlier:
# up2date psacct
Use the yum command if you are using CentOS / Fedora Linux / RHEL 5:
# yum install psacct
Use the apt-get command if you are using Ubuntu / Debian Linux:
$ sudo apt-get install acct
(or as root: # apt-get install acct)
Task: Start psacct/acct service
By default the service is started on Ubuntu / Debian Linux by creating the /var/account/pacct file. But under Red Hat / Fedora Core / CentOS you need to start the psacct service manually. Type the following two commands to create the /var/account/pacct file and start the service:
# chkconfig psacct on
# /etc/init.d/psacct start
If you are using SUSE Linux, the name of the service is acct. Type the following commands:
# chkconfig acct on
# /etc/init.d/acct start
Now let us see how to use these utilities to monitor user commands and time.
Task: Display statistics about users’ connect time
The ac command prints out a report of connect time in hours based on logins/logouts. A total is also printed. If you type ac without any argument it displays the total connect time:
$ ac
Output:
total 95.08
Display totals for each day rather than just one big total at the end:
$ ac -d
Output:
Nov 1 total 8.65
Nov 2 total 5.70
Nov 3 total 13.43
Nov 4 total 6.24
Nov 5 total 10.70
Nov 6 total 6.70
Nov 7 total 10.30
...
Nov 12 total 3.42
Nov 13 total 4.55
Today total 0.52
Display time totals for each user in addition to the usual everything-lumped-into-one value:
$ ac -p
Output:
vivek 87.49
root 7.63
total 95.11
Task: find out information about previously executed user commands
Use the lastcomm command, which prints out information about previously executed commands. You can search by username, tty name, or command name.
Display commands executed by the user vivek:
$ lastcomm vivek
Output:
userhelper S X vivek pts/0 0.00 secs Mon Nov 13 23:58
userhelper S vivek pts/0 0.00 secs Mon Nov 13 23:45
rpmq vivek pts/0 0.01 secs Mon Nov 13 23:45
rpmq vivek pts/0 0.00 secs Mon Nov 13 23:45
rpmq vivek pts/0 0.01 secs Mon Nov 13 23:45
gcc vivek pts/0 0.00 secs Mon Nov 13 23:45
which vivek pts/0 0.00 secs Mon Nov 13 23:44
bash F vivek pts/0 0.00 secs Mon Nov 13 23:44
ls vivek pts/0 0.00 secs Mon Nov 13 23:43
rm vivek pts/0 0.00 secs Mon Nov 13 23:43
vi vivek pts/0 0.00 secs Mon Nov 13 23:43
ping S vivek pts/0 0.00 secs Mon Nov 13 23:42
ping S vivek pts/0 0.00 secs Mon Nov 13 23:42
ping S vivek pts/0 0.00 secs Mon Nov 13 23:42
cat vivek pts/0 0.00 secs Mon Nov 13 23:42
netstat vivek pts/0 0.07 secs Mon Nov 13 23:42
su S vivek pts/0 0.00 secs Mon Nov 13 23:38
For each entry the following information is printed. Take the first output line as an example:
userhelper S X vivek pts/0 0.00 secs Mon Nov 13 23:58
Where,
* userhelper is the command name of the process
* S and X are flags, as recorded by the system accounting routines. The meaning of each flag is:
o S — command executed by super-user
o F — command executed after a fork but without a following exec
o D — command terminated with the generation of a core file
o X — command was terminated with the signal SIGTERM
* vivek is the name of the user who ran the process
* pts/0 is the terminal name
* 0.00 secs - time the process exited
Search the accounting logs by command name:
$ lastcomm rm
$ lastcomm passwd
Output:
rm S root pts/0 0.00 secs Tue Nov 14 00:39
rm S root pts/0 0.00 secs Tue Nov 14 00:39
rm S root pts/0 0.00 secs Tue Nov 14 00:38
rm S root pts/0 0.00 secs Tue Nov 14 00:38
rm S root pts/0 0.00 secs Tue Nov 14 00:36
rm S root pts/0 0.00 secs Tue Nov 14 00:36
rm S root pts/0 0.00 secs Tue Nov 14 00:35
rm S root pts/0 0.00 secs Tue Nov 14 00:35
rm vivek pts/0 0.00 secs Tue Nov 14 00:30
rm vivek pts/1 0.00 secs Tue Nov 14 00:30
rm vivek pts/1 0.00 secs Tue Nov 14 00:29
rm vivek pts/1 0.00 secs Tue Nov 14 00:29
Search the accounting logs by terminal name pts/1:
$ lastcomm pts/1
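lastcomm's flag column is optional, so the user column shifts from record to record and a naive awk '{print $3}' picks the wrong field. As an added example (not from the original article), the functions below anchor on the "secs" token to parse each record, then list commands that ran with the super-user flag from non-root accounts and count commands per user. The sample records are taken from the lastcomm output shown above.

```shell
#!/bin/sh
# Added example, not from the original article: parse lastcomm records and
# pull out the entries an auditor looks at first.

# Sample records in the format lastcomm prints (taken from the output above).
sample_lastcomm() {
    cat <<'EOF'
userhelper S X vivek pts/0 0.00 secs Mon Nov 13 23:58
rpmq vivek pts/0 0.01 secs Mon Nov 13 23:45
bash F vivek pts/0 0.00 secs Mon Nov 13 23:44
rm vivek pts/0 0.00 secs Mon Nov 13 23:43
ping S vivek pts/0 0.00 secs Mon Nov 13 23:42
su S vivek pts/0 0.00 secs Mon Nov 13 23:38
rm S root pts/0 0.00 secs Tue Nov 14 00:39
EOF
}

# The flag column (S, F, D, X) is optional, so the user column shifts.
# Anchor on the literal "secs" token: cpu time, tty and user are the three
# fields before it; the flags are everything between the command and the user.
# Output: command|flags|user|tty|cpu_secs|timestamp
parse_lastcomm() {
    awk '
        {
            for (i = 2; i <= NF; i++) if ($i == "secs") break
            if (i > NF) next                   # not a lastcomm record
            cmd = $1; cpu = $(i-1); tty = $(i-2); user = $(i-3)
            flags = ""
            for (j = 2; j <= i-4; j++) flags = flags $j
            ts = ""
            for (j = i+1; j <= NF; j++) ts = ts (ts == "" ? "" : " ") $j
            print cmd "|" flags "|" user "|" tty "|" cpu "|" ts
        }'
}

# Commands that carried the S (super-user) flag but were started from an
# account other than root: each one is a privilege boundary being crossed.
su_commands_by_nonroot() {
    parse_lastcomm | awk -F'|' '$2 ~ /S/ && $3 != "root" { print $1, $3, $6 }'
}

# Command count per user, ascending, to spot unusually busy accounts.
count_by_user() {
    parse_lastcomm | awk -F'|' '{ n[$3]++ } END { for (u in n) print n[u], u }' | sort -n
}

# Stand-alone run over the sample; on a live box: lastcomm | su_commands_by_nonroot
sample_lastcomm | su_commands_by_nonroot
```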
Task: summarize accounting information
Use the sa command to print summary information about previously executed commands. In addition, it condenses this data into a summary file named savacct, which contains the number of times each command was called and the system resources used. The information can also be summarized on a per-user basis; sa saves this information in a file named usracct.
# sa
Output:
579 222.81re 0.16cp 7220k
4 0.36re 0.12cp 31156k up2date
8 0.02re 0.02cp 16976k rpmq
8 0.01re 0.01cp 2148k netstat
11 0.04re 0.00cp 8463k grep
18 100.71re 0.00cp 11111k ***other*
8 0.00re 0.00cp 14500k troff
5 12.32re 0.00cp 10696k smtpd
2 8.46re 0.00cp 13510k bash
8 9.52re 0.00cp 1018k less
Take the up2date line as an example:
4 0.36re 0.12cp 31156k up2date
Where,
* 0.36re "real time" in wall clock minutes
* 0.12cp sum of system and user time in cpu minutes
* 31156k cpu-time averaged core usage, in 1k units
* up2date command name
Display output per user:
# sa -u
Output:
root 0.00 cpu 595k mem accton
root 0.00 cpu 12488k mem initlog
root 0.00 cpu 12488k mem initlog
root 0.00 cpu 12482k mem touch
root 0.00 cpu 13226k mem psacct
root 0.00 cpu 595k mem consoletype
root 0.00 cpu 13192k mem psacct *
root 0.00 cpu 13226k mem psacct
root 0.00 cpu 12492k mem chkconfig
postfix 0.02 cpu 10696k mem smtpd
vivek 0.00 cpu 19328k mem userhelper
vivek 0.00 cpu 13018k mem id
vivek 0.00 cpu 13460k mem bash *
lighttpd 0.00 cpu 48240k mem php *
Display the number of processes and number of CPU minutes on a per-user basis:
# sa -m
Output:
667 231.96re 0.17cp 7471k
root 544 51.61re 0.16cp 7174k
vivek 103 17.43re 0.01cp 8228k
postfix 18 162.92re 0.00cp 7529k
lighttpd 2 0.00re 0.00cp 48536k
Task: Find out who is eating CPU
By looking at the re, k and cp/cpu values (see above for the output explanation) you can spot suspicious activity or the user/command that is eating up all the CPU. An increase in CPU/memory usage by a command is an indication of a problem.
Please note that the above commands and packages are also available on other UNIX-like OSes such as Sun Solaris and the *BSDs.
To check CPU speed in Linux:
less /proc/cpuinfo
egrep 'GHz|MHz' /proc/cpuinfo
To check available memory in Linux, type the free -m command. free displays the total amount of free and used physical and swap memory in the system, as well as the buffers used by the kernel.
free -m
free -b
free -k
1. The -b switch displays the amount of memory in bytes
2. The -k switch (set by default) displays it in kilobytes
3. The -m switch displays it in megabytes
4. The -g switch displays it in gigabytes.
vmstat
Output:
procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa
 0  0      0  63316 176624 1062340    0    0    25    18   39  592  5  1 94  0
1. swpd: the amount of virtual memory used.
2. free: the amount of idle memory.
3. buff: the amount of memory used as buffers.
4. cache: the amount of memory used as cache.
This document will guide you through configuring ssh keys on Linux. You normally need this kind of configuration when you connect to a Linux server from scripts, without giving a username and password, to do some sysadmin activity.
Make sure that ssh is installed on all the servers. Here is the output of rpm -qa from server1:
[root@server1 ~]# rpm -qa | grep ssh
openssh-clients-3.9p1-8.RHEL4.9
openssh-askpass-3.9p1-8.RHEL4.9
openssh-3.9p1-8.RHEL4.9
openssh-server-3.9p1-8.RHEL4.9
openssh-askpass-gnome-3.9p1-8.RHEL4.9
[root@server1 ~]#
Here is the output of rpm -qa from server2:
[root@server2 ~]# rpm -qa | grep ssh
openssh-clients-3.9p1-8.RHEL4.9
openssh-askpass-3.9p1-8.RHEL4.9
openssh-3.9p1-8.RHEL4.9
openssh-server-3.9p1-8.RHEL4.9
openssh-askpass-gnome-3.9p1-8.RHEL4.9
[root@server2 ~]#
Now generate an ssh key on server1 using the following commands.
[root@server1 ~]# ssh-keygen -t dsa (Press Enter)
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase): (Enter passphrase if you want, otherwise just Enter)
Enter same passphrase again: (Enter Again)
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
1e:56:19:54:86:03:38:61:d5:1e:2c:c7:c3:11:bf:50 root@server1
[root@server1 ~]#
Now you need to copy /root/.ssh/id_dsa.pub from server1 to server2 and rename it to authorized_keys, placing the file in the same directory, i.e. /root/.ssh, on server2. If you don't find this directory then create it and change the permissions to 644 using chmod.
[root@server1 ~]# scp /root/.ssh/id_dsa.pub server2:/root/.ssh/authorized_keys
The authenticity of host 'server2 (10.216.152.221)' can't be established.
RSA key fingerprint is c1:14:0b:ef:0d:c7:48:94:2e:e3:fc:62:9a:2c:e6:2b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server2' (RSA) to the list of known hosts.
root@server2's password:
id_dsa.pub
Note: here you need to give the root password of server2 since you are scp-ing the file as user root from server1. Once you have configured ssh keys it won't ask you for the password.
Now log in to server2 and check for the authorized_keys file in the /root/.ssh directory.
[root@server2 .ssh]# pwd
/root/.ssh
[root@server2 .ssh]# ls -lrt
total 24
-rw-r--r-- 1 root root 224 Jan 27 06:22 known_hosts
-rw-r--r-- 1 root root 602 Jun 14 05:54 id_dsa.pub
-rw-r--r-- 1 root root 602 Jun 14 07:28 authorized_keys
[root@server2 .ssh]#
Now log in from server1 to server2 using ssh and it will not ask for any password.
[root@server1 ~]# ssh server2
Last login: Wed Jun 14 07:28:36 2006 from server2
[root@server2 ~]#
To achieve the same from server2, follow all the steps mentioned above on server2.
You can easily install an rpm file with rpm -ivh:
rpm -ivh file-package.name.rpm
To view the rpm file contents:
rpm -qlp file-package.name.rpm
To get info about the rpm package itself:
rpm -qip file-package.name.rpm
To extract or open rpm file in current directory:
rpm2cpio file.rpm | cpio -idmv
ls
I know it's very simple using the "top" command and then pressing "1". But here is another easy way:
#grep -c processor /proc/cpuinfo
/sbin/service iptables save
/sbin/service ip6tables save
/sbin/service iptables off
/sbin/service ip6tables off
/sbin/service iptables stop
/sbin/service ip6tables stop
save -> save the firewall.
off -> turn off the firewall.
stop -> stop the firewall and open system.
iptables -> IPv4 firewall.
ip6tables -> IPv6 firewall.
Here are some examples you may find interesting:
Display the message Welcome on screen:
echo 'Welcome'
Write the message File deleted to a file called /tmp/log.txt:
echo 'File has been deleted' > /tmp/log.txt
Append the message File deleted to the file /tmp/log.txt:
echo 'File has been deleted' >> /tmp/log.txt
echo "Today's date is $(date)"
echo "Today's date is $(date)" > /tmp/date.txt
man echo
#echo $PATH
#echo $HOSTNAME
#echo $HISTSIZE
Use the rename command, which is a quick and powerful tool written in C, featuring extended regular expression support for searching and substituting pattern strings in filenames. rename can rename, convert to lowercase/uppercase, and change the ownership of a large number of files.
Rename all *.c files as *.cpp:
rename .c .cpp *.c
The rename command is included with all Linux distros; under UNIX / FreeBSD, use ports:
cd /usr/ports/sysutils/rename
make install clean
man rename