Sep 24, 2008

How to Find APACHE under Attack

Apache is the world's most widely used web server. According to the Netcraft survey, 49.73% of the market is owned by this wonderful product. It is free under the GPL. Attackers try to hack websites whatever the server may be, so a web administrator should be vigilant about his Apache server.

Here I would like to tell how an administrator can find out whether his Apache server is under attack.

1.First check the load on the server

top -u apache (here apache is the web server user)

Tasks: 126 total, 1 running, 125 sleeping, 0 stopped, 0 zombie
Cpu(s): 3.8%us, 0.7%sy, 0.0%ni, 94.3%id, 1.1%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 1027224k total, 927296k used, 99928k free, 46428k buffers
Swap: 3004112k total, 0k used, 3004112k free, 410736k cached

5573 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2
5575 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2
5576 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2
5577 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2
5578 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2

This is the normal state of Apache. If the CPU usage keeps increasing, take care: you are in trouble.

2.Check the number of running Apache processes

ps -ef | grep apache | wc -l

If you get a number below 50, no problem. Otherwise something nasty is happening.

3.Check how many connections there are to port 80

netstat -tn | grep ':80 ' | wc -l

If the number goes beyond 100, an attacker is closely watching your server.

4.Check the foreign IPs connected to you

netstat -tn

You may see that the same IP or IP range is connected to your web port (80). If you do a reverse DNS lookup on those IPs and find that they all come from a DHCP pool, it means an attack.
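Steps 3 and 4 above done in one shell function, as an added example that is not part of the original post: it reads `netstat -tn` output, counts connections to the web port per remote IP and reports the ones at or above a threshold, so a single address holding many connections stands out. The netstat sample is constructed; IPv4 only (IPv6 addresses contain colons and would need a different split).

```shell
#!/bin/sh
# Added example, not from the original post. Counts connections to the local
# web port per remote IP from `netstat -tn` output (IPv4 only).

# Usage: count_http_clients PORT THRESHOLD < netstat-output
# Prints "IP count" for every remote IP with count >= THRESHOLD, busiest first.
count_http_clients() {
    port="$1"; threshold="$2"
    awk -v port="$port" -v thr="$threshold" '
        # netstat -tn columns: Proto Recv-Q Send-Q Local Foreign State
        $1 == "tcp" && $4 ~ (":" port "$") {
            ip = $5; sub(/:[0-9]+$/, "", ip)   # strip the remote port
            n[ip]++
        }
        END {
            for (ip in n) if (n[ip] >= thr) printf "%s %d\n", ip, n[ip]
        }' | sort -k2,2nr
}

# Constructed sample of `netstat -tn` output: 192.0.2.10 holds several
# connections to :80 (one still half-open), the others look like normal use.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.5:80          192.0.2.10:51001        ESTABLISHED
tcp        0      0 203.0.113.5:80          192.0.2.10:51002        ESTABLISHED
tcp        0      0 203.0.113.5:80          192.0.2.10:51003        ESTABLISHED
tcp        0      0 203.0.113.5:80          192.0.2.10:51004        SYN_RECV
tcp        0      0 203.0.113.5:80          198.51.100.7:40210      ESTABLISHED
tcp        0      0 203.0.113.5:22          192.0.2.10:51100        ESTABLISHED
tcp        0      0 203.0.113.5:443         198.51.100.8:40300      ESTABLISHED'

# On a live server this would be:  netstat -tn | count_http_clients 80 20
printf '%s\n' "$SAMPLE_NETSTAT" | count_http_clients 80 3
```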

MySQL Replication - A brief Note

Replication enables data from one MySQL database server (called the master) to be replicated to one or more MySQL database servers (slaves). Replication is asynchronous: your replication slaves do not need to be connected permanently to receive updates from the master, which means that updates can occur over long-distance connections and even temporary solutions such as a dial-up service. Depending on the configuration, you can replicate all databases, selected databases, or even selected tables within a database.

With the help of replication we can assure the scalability of the data, because once the master server goes off-line the slave will act as the master and start serving data. The data is replicated to the slave server at frequent intervals. Replication in MySQL features support for one-way, asynchronous replication, in which one server acts as the master, while one or more other servers act as slaves.

The main advantages of MySQL replication are as follows:

1.Scale-out solutions
Spreading the load among multiple slaves to improve performance. In this environment, all writes and updates must take place on the master server. Reads, however, may take place on one or more slaves. This model can improve the performance of writes (since the master is dedicated to updates), while dramatically increasing read speed across an increasing number of slaves.

2.Data security
Because data is replicated to the slave, and the slave can pause the replication process, it is possible to run backup services on the slave without corrupting the corresponding master data.

3.Analytics
Live data can be created on the master, while the analysis of the information can take place on the slave without affecting the performance of the master.

4.Long-distance data distribution
If a branch office would like to work with a copy of your main data, you can use replication to create a local copy of the data for their use without requiring permanent access to the master.

Sound problem in Firefox Flash plugin

The latest version of Ubuntu is Hardy. It is the most perfect desktop I have ever seen. Sometimes you may have a problem hearing sound in the Flash player in Firefox. I am telling here how to solve it. In most cases it is due to a missing library for the Adobe Flash player.

OS :Ubuntu 8.04
Browser : Firefox 3

sudo apt-get install libflashsupport

Restart Firefox and enjoy the sound.

Sep 18, 2008

Wireless Internet in Ubuntu Hardy

People think getting wireless connectivity in Linux is a difficult task. That is not always right; it just takes some time to configure, because a one-button-click environment is not available nowadays, so we need a few more steps to get it working. I am also preparing a script to do this automatically.

To get wireless internet through a D-Link access point in Ubuntu 8.04:

Machine : Acer Aspire 4715Z NWXMI-Pentium dual core-T2310
OS : Ubuntu 8.04
Wireless card : Atheros

1.First of all, check whether your OS is 32- or 64-bit

getconf LONG_BIT

2.Check the manufacturer of your wireless card

lspci | grep -i wireless

3.Let's install the drivers for the Atheros card. Download the ndiswrapper source code and the AR5007EG Windows drivers.

4.Download the AR5007EG Windows XP drivers. If you're using a 32-bit version of Linux, use this command

5.Extract the archives

tar xvf ar5007eg-*.tar.gz
tar xvf ndiswrapper-newest.tar.gz

6.Ensure you have your kernel headers and the build essential package.

sudo aptitude update && sudo aptitude install linux-headers-$(uname -r) build-essential

7.Blacklist the ath_pci kernel module (it doesn't support our chipset).

echo "blacklist ath_pci" | sudo tee -a /etc/modprobe.d/blacklist

8.Compile ndiswrapper

pushd ndiswrapper-*/
sudo make uninstall
sudo make install

9.Install the Windows drivers (using ndiswrapper).

pushd */ar5007eg/
sudo ndiswrapper -i net5211.inf

10.Make sure ndiswrapper is loaded every time the OS starts

sudo modprobe ndiswrapper
echo "ndiswrapper" | sudo tee -a /etc/modules

11.Just reboot the laptop

sudo /sbin/shutdown -r now

You will get a network icon in the top right panel. Click on the icon and search for available access points.
Enjoy wireless internet.

Sep 15, 2008

Prevent DoS attack in Linux using IPTABLES

A major problem facing mail server admins is the DoS (Denial of Service) attack. Hackers will try to mess with the most popular ports of a UNIX/Linux machine. We can prevent this by writing an iptables rule on the server. The way it works: if someone tries to make connections continuously to a specified port, the rule will block the IP address permanently. Here I am describing the securing of port 25 (SMTP); you can use your own port.

iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

This will block every IP address that makes connections to port 25 continuously, i.e. 4 SMTP connections within 60 seconds. You can change the port and interval here.

We can also log these IPs and keep them for future use, for example if you would like to add the logged IPs to TCP Wrappers. Do the following.

First of all, set your log daemon to log the iptables messages

# vi /etc/syslog.conf

Add the following line at the end of the file (selector and file name separated by a tab):

kern.warning	/var/log/iptables.log

Then create the log file:

# touch /var/log/iptables.log

Restart the System Log Service

# /etc/init.d/syslog restart (on Red Hat based systems, CentOS)

Now add the rules. The LOG rule uses --rcheck so it reports only the addresses the DROP rule is about to block, and the prefix makes those lines easy to pick out of the log (--log-prefix belongs to the LOG target, not to DROP). Because each rule is inserted at the top with -I, enter them in this order:

iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 -j LOG --log-prefix '** HACKERS ** ' --log-level 4

The next stage is to add these logged IPs to TCP Wrappers (/etc/hosts.deny).

# grep -o 'SRC=[0-9.]*' /var/log/iptables.log | cut -f2 -d "=" >> /root/badip.txt

The above line pulls the source IP out of each logged line and appends it to badip.txt. (Picking a fixed awk field instead would break as soon as a log prefix changes the field count.)

Next, run this command at a frequent interval with the help of cron

# vi /etc/crontab

*/1 * * * * root /bin/grep -o 'SRC=[0-9.]*' /var/log/iptables.log | cut -f2 -d "=" >> /root/badip.txt

Here the job runs every minute. The file will grow rapidly to a large size if your server has heavy traffic, so clean up the file at frequent intervals; better set up another cron job for it.

Next, add these IPs to the hosts.deny file

# vi /etc/hosts.deny

So things are clear: the first cron job keeps the badip.txt list updated, and the addresses in it are blocked by TCP Wrappers.
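The log-to-hosts.deny step above as one shell function, added here as an example that is not part of the original post: it takes only the kernel LOG lines carrying the '** HACKERS **' prefix, pulls out the SRC= address, deduplicates, and rewrites /root/badip.txt atomically so TCP Wrappers never reads a half-written list. The log lines are constructed; the file paths are the ones the post uses.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a tcpwrappers-readable
# list of blocked source IPs from iptables LOG lines.

# Read iptables LOG lines on stdin, print one unique IPv4 per line.
# Only lines with the rule's prefix are used, so other kernel messages
# that land in the same file (kern.warning catches them all) are ignored.
extract_bad_ips() {
    grep 'HACKERS' \
      | grep -o 'SRC=[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}' \
      | cut -d= -f2 \
      | sort -u
}

# Rebuild OUT from LOG via a temp file and rename, so a reader never sees a
# partial list. hosts_access(5) reads a pattern starting with '/' as a file
# of patterns, so /etc/hosts.deny needs just:  ALL: /root/badip.txt
update_badip_file() {
    log="$1"; out="$2"
    extract_bad_ips < "$log" > "$out.tmp" && mv "$out.tmp" "$out"
}

# Constructed sample of /var/log/iptables.log: two attackers logged by the
# prefixed rule (one of them twice) plus an unrelated kernel warning.
SAMPLE_LOG='Sep 15 10:01:02 mx kernel: ** HACKERS ** IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51001 DPT=25 SYN URGP=0
Sep 15 10:01:03 mx kernel: ** HACKERS ** IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51002 DPT=25 SYN URGP=0
Sep 15 10:01:09 mx kernel: ** HACKERS ** IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40210 DPT=25 SYN URGP=0
Sep 15 10:02:00 mx kernel: eth0: link up, 1000Mbps, full-duplex'

# From cron this would be:  update_badip_file /var/log/iptables.log /root/badip.txt
printf '%s\n' "$SAMPLE_LOG" | extract_bad_ips
```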