Apache is the world's most widely used web server. According to the Netcraft survey, 49.73% of the market belongs to this wonderful product, released free under the GPL. Attackers try to hack websites whichever server is behind them, so a web administrator should be vigilant about his Apache server.
Here I would like to show how an administrator can find out whether his Apache server is under attack.
1. First check the load on the server:
top -u apache (here apache is the user the web server runs as)
Tasks: 126 total, 1 running, 125 sleeping, 0 stopped, 0 zombie
Cpu(s): 3.8%us, 0.7%sy, 0.0%ni, 94.3%id, 1.1%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 1027224k total, 927296k used, 99928k free, 46428k buffers
Swap: 3004112k total, 0k used, 3004112k free, 410736k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
5573 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2
5575 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2
5576 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2
5577 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2
5578 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2
This is Apache in its normal state. If the CPU usage keeps increasing, take care: you are in trouble.
2. Check the number of running Apache processes:
ps -ef | grep '[a]pache' | wc -l
(The [a] pattern keeps the grep command itself out of the count.) If you get a number below 50, no problem; otherwise something nasty is happening.
3. Check how many connections there are to port 80:
netstat -tn | awk '$4 ~ /:80$/' | wc -l
(Column 4 of netstat -tn is the local address, so this counts only connections to your web port.) If the number goes beyond 100, an attacker is closely watching your server.
4. Check the foreign IPs connected to you:
netstat -tn
You may see the same IP or IP range connected again and again to your web port (80). If a DNS lookup of those IPs shows that they all come from a DHCP pool, it means ATTACK.
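To put steps 3 and 4 together, here is an added example (not from the original post) that counts connections to the web port per remote address from netstat -tn output and flags any address above a threshold, so the "same IP again and again" check becomes a number instead of eyeballing the table. The netstat sample is constructed for illustration; the port and the threshold are parameters, and the column layout assumed is that of Linux net-tools netstat.

```sh
#!/bin/sh
# Added example, not part of the original post: per-remote-address connection
# counts for a local port, read from `netstat -tn` text on stdin so it can also
# be run on a saved capture.

# Constructed sample of `netstat -tn` output (assumed net-tools column layout:
# Proto Recv-Q Send-Q Local-Address Foreign-Address State).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:50022       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51237      TIME_WAIT'

# count_web_conns PORT: number of TCP connections whose local port is PORT
# (any state), i.e. the figure step 3 of the post asks for.
count_web_conns() {
    awk -v port="$1" '$1 == "tcp" && $4 ~ (":" port "$") { n++ } END { print n+0 }'
}

# top_talkers PORT: "count address" pairs for the remote addresses talking to
# PORT, busiest first. The port suffix is stripped from the foreign address.
top_talkers() {
    awk -v port="$1" '$1 == "tcp" && $4 ~ (":" port "$") { sub(/:[0-9]+$/, "", $5); c[$5]++ }
        END { for (ip in c) print c[ip], ip }' | sort -rn
}

# suspects PORT THRESHOLD: remote addresses holding more than THRESHOLD
# connections to PORT; these are the ones to look up (DNS, DHCP pool) as in step 4.
suspects() {
    top_talkers "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# Stand-alone run on the constructed sample; on a live box replace the echo
# with: netstat -tn | top_talkers 80
echo "Connections to port 80: $(echo "$SAMPLE_NETSTAT" | count_web_conns 80)"
echo "$SAMPLE_NETSTAT" | top_talkers 80
echo "Addresses with more than 2 connections:"
echo "$SAMPLE_NETSTAT" | suspects 80 2
```

The threshold is deliberately low for the sample; on a real server pick it from the normal per-client counts you see in step 3 so that a busy proxy or NAT gateway is not mistaken for an attacker.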
Sep 24, 2008
MySQL Replication - A brief Note
Replication enables data from one MySQL database server (called the master) to be replicated to one or more MySQL database servers (slaves). Replication is asynchronous: your replication slaves do not need to be connected permanently to receive updates from the master, which means that updates can occur over long-distance connections and even temporary solutions such as a dial-up service. Depending on the configuration, you can replicate all databases, selected databases, or even selected tables within a database. With the help of replication we can assure the scalability and availability of data: once the master server goes offline, a slave can act as the master and start serving data. The data is replicated to the slave server at frequent intervals. Replication in MySQL supports one-way, asynchronous replication, in which one server acts as the master while one or more other servers act as slaves.
The main advantages of MySQL replication are as follows:
1. Scale-out solutions
Spreading the load among multiple slaves to improve performance. In this environment, all writes and updates must take place on the master server. Reads, however, may take place on one or more slaves. This model can improve the performance of writes (since the master is dedicated to updates), while dramatically increasing read speed across an increasing number of slaves.
2. Data security
Because data is replicated to the slave, and the slave can pause the replication process, it is possible to run backup services on the slave without corrupting the corresponding master data.
3. Analytics
Live data can be created on the master, while the analysis of the information can take place on the slave without affecting the performance of the master.
4. Long-distance data distribution
If a branch office would like to work with a copy of your main data, you can use replication to create a local copy of the data for their use without requiring permanent access to the master.
Voice problem in Firefox Flash plugin
The latest version of Ubuntu is Hardy. It is the best desktop I have ever seen. Sometimes you may have trouble hearing sound in the Flash player in Firefox. I am telling here how to solve it. In most cases it is due to a missing library file for the Adobe Flash player.
Infrastructure
OS :Ubuntu 8.04
Browser : Firefox 3
sudo apt-get install libflashsupport
Restart Firefox and enjoy the sound.
Sep 18, 2008
Wireless Internet in Ubuntu Hardy
People think getting wireless connectivity in Linux is a difficult task. That is not always right; it just takes some time to configure, because a one-button-click environment is not available nowadays, so we need some more steps to get it working. I am also preparing a script to do this automatically.
Scenario
To get wireless internet through DLINK access point in the ubuntu 8.04
Infrastructure
Machine : Acer Aspire 4715Z NWXMI-Pentium dual core-T2310
OS : Ubuntu 8.04
Wireless card : Atheros
1. First of all check whether your OS is 32-bit or 64-bit:
getconf LONG_BIT
2. Check the manufacturer of your wireless card:
lspci | grep -i wireless
3. Let's install the drivers for the Atheros card. Download the ndiswrapper source code and the AR5007EG Windows drivers:
http://wifix.sourceforge.net/software.php?title=ndiswrapper
4. Download the AR5007EG Windows XP drivers. If you are using a 32-bit version of Linux, use this command:
wget http://blakecmartin.googlepages.com/ar5007eg-32-0.2.tar.gz
5. Extract the archives:
tar xvf ar5007eg-*.tar.gz
tar xvf ndiswrapper-newest.tar.gz
6. Ensure you have your kernel headers and the build-essential package:
sudo aptitude update && sudo aptitude install linux-headers-$(uname -r) build-essential
7. Blacklist the ath_pci kernel module (it doesn't support our chipset):
echo "blacklist ath_pci" | sudo tee -a /etc/modprobe.d/blacklist
8. Compile ndiswrapper:
pushd ndiswrapper-*/
sudo make uninstall
make
sudo make install
popd
9. Install the Windows drivers (using ndiswrapper):
pushd */ar5007eg/
sudo ndiswrapper -i net5211.inf
popd
10. Make sure ndiswrapper is loaded every time the OS starts:
sudo modprobe ndiswrapper
echo "ndiswrapper" | sudo tee -a /etc/modules
11. Just reboot the laptop:
sudo /sbin/shutdown -r now
You will get a network icon in the top right panel. Click on the icon and search for available access points.
Enjoy wireless internet.
Sep 15, 2008
Prevent DoS attacks in Linux using iptables
A major problem faced by mail server admins is DoS (Denial of Service) attacks. Attackers will try to mess with the most popular ports of a UNIX/Linux machine. We can prevent this by writing an iptables rule on the server. The way it works: if someone keeps making connections through a specified port, the rule will block that IP address permanently. Here I am describing how to secure port 25 (SMTP); you can use your own port.
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
This will block every IP address that keeps making connections to port 25, i.e. 4 new SMTP connections within 60 seconds. You can change the port and the interval here.
We can also log these IPs and use them later, for example if you would like to add the logged IPs to TCP Wrapper.
Do the following.
First of all, set your log daemon to log the iptables messages:
# vi /etc/syslog.conf
Add the following line at the end of the file (selector and file name separated by a tab; do not put a # in front of it, which would comment the line out). kern.warning is priority 4, the same level the iptables LOG rule below uses:
kern.warning	/var/log/iptables.log
# touch /var/log/iptables.log
Restart the system log service:
# /etc/init.d/syslog restart (on Red Hat based systems such as CentOS)
Now add a LOG rule in front of the DROP rule. The --log-prefix and --log-level options belong to the LOG target, not to DROP, so logging needs its own rule. Because -I inserts at the top of the chain, the rules are entered in the reverse of the order they should match (set, then DROP, then LOG), and the LOG rule uses --rcheck so that only the DROP rule updates the hit counter. (A catch-all iptables -A INPUT -j LOG rule would log every packet reaching the end of the INPUT chain and fill the log quickly, so logging is restricted to the matched hits.)
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 -j LOG --log-prefix '** HACKERS ** ' --log-level 4
PERFECT. THE HACKERS ARE BEING LOGGED NOW!
The next stage is to add these logged IPs to TCP Wrapper (/etc/hosts.deny).
# grep -o 'SRC=[0-9.]*' /var/log/iptables.log | cut -d= -f2 | sort -u >> /root/badip.txt
The above line pulls the SRC (source) IP out of each log line and appends it to badip.txt. (Picking a fixed column with awk '{print $9}' is fragile, because the column number depends on the log prefix and on whether a MAC= field is present.)
Next, run this command at a frequent interval with the help of cron:
# vi /etc/crontab
*/1 * * * * root grep -o 'SRC=[0-9.]*' /var/log/iptables.log | cut -d= -f2 | sort -u >> /root/badip.txt
Here the command runs every minute. The file will grow rapidly to a heavy size if your server has heavy traffic, so clean up the file at frequent intervals; better set up another cron job for it.
Next, add these IPs to the hosts.deny file (a client list starting with / is read by TCP Wrapper as a file of host patterns):
# vi /etc/hosts.deny
sshd: /root/badip.txt
So things are clear: the cron job keeps the badip.txt list up to date, and TCP Wrapper blocks every host listed in it.
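As an added example (not from the original post), here is a small shell script that does the extraction step above on a saved copy of the iptables log: it keeps only the lines carrying our log prefix, so unrelated kernel warnings that land in the same kern.warning file are ignored, de-duplicates the SRC addresses, and prints the hosts.deny line. The log lines are constructed for illustration and assume the '** HACKERS ** ' prefix and the standard kernel LOG field layout (IN= OUT= MAC= SRC= DST= ...).

```sh
#!/bin/sh
# Added example, not part of the original post: turn '** HACKERS **' LOG lines
# into a de-duplicated source-address list for TCP Wrapper.

# Constructed sample of /var/log/iptables.log. The last line shows why the
# prefix filter matters: it is a kernel warning, not an iptables hit.
SAMPLE_LOG='Sep 15 10:01:02 mail kernel: ** HACKERS ** IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.25 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43122 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 15 10:01:03 mail kernel: ** HACKERS ** IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.25 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43123 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 15 10:02:17 mail kernel: ** HACKERS ** IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.25 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=50001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 15 10:02:40 mail kernel: eth0: link up, 100Mbps, full-duplex'

# blocked_ips: unique SRC= addresses from lines carrying our log prefix, read
# from stdin. Matching the key name with grep -o does not depend on the column
# position, unlike awk '{print $9}'.
blocked_ips() {
    grep -F '** HACKERS **' | grep -o 'SRC=[0-9.]*' | cut -d= -f2 | sort -u
}

# hits_per_ip: how many times each address was logged, busiest first, which is
# handy before deciding to deny a host for good.
hits_per_ip() {
    grep -F '** HACKERS **' | grep -o 'SRC=[0-9.]*' | cut -d= -f2 | sort | uniq -c | sort -rn
}

# hosts_deny_entry DAEMON FILE: the line to place in /etc/hosts.deny so that
# DAEMON refuses every address listed in FILE.
hosts_deny_entry() {
    printf '%s: %s\n' "$1" "$2"
}

# Stand-alone run on the constructed sample; on a real server replace the echo
# with: cat /var/log/iptables.log | blocked_ips >> /root/badip.txt
echo "Logged source addresses:"
echo "$SAMPLE_LOG" | blocked_ips
echo "Hits per address:"
echo "$SAMPLE_LOG" | hits_per_ip
echo "hosts.deny line:"
hosts_deny_entry sshd /root/badip.txt
```

Because the output is sorted and unique, the same pipeline can be used with sort -u -o /root/badip.txt to rebuild the list in place instead of appending, which keeps the file from growing on a busy server.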