A good security tutorial is at : http://www.toplayer.com/content/resource/faq.jsp
One more link
http://www.google.com/search?q=How+to+stop+SYN+attack+on+server&hl=en&lr=&ie=UTF-8&oe=UTF-8
A good security tutorial is at : http://www.toplayer.com/content/resource/faq.jsp
One more link
http://www.google.com/search?q=How+to+stop+SYN+attack+on+server&hl=en&lr=&ie=UTF-8&oe=UTF-8
PHP and Apache has a history of not being able to track which users are sending out mail through the PHP mail function from the nobody user causing leaks in formmail scripts and malicious users to spam from your server without you knowing who or where.
Watching your exim_mainlog doesn’t exactly help, you see th email going out but you can’t track from which user or script is sending it. This is a quick and dirty way to get around the nobody spam problem on your Linux server.
If you check out your PHP.ini file you’ll notice that your mail program is set to: /usr/sbin/sendmail and 99.99% of PHP scripts will just use the built in mail(); function for PHP – so everything will go through /usr/sbin/sendmail =)
Requirements:
We assume you’re using Apache 1.3x, PHP 4.3x and Exim. This may work on other systems but we’re only tested it on a Cpanel/WHM Red Hat Enterprise system.
Time:
10 Minutes, Root access required.
Step 1)
Login to your server and su – to root.
Step 2)
Turn off exim while we do this so it doesn’t freak out.
/etc/init.d/exim stop
Step 3)
Backup your original /usr/sbin/sendmail file. On systems using Exim MTA, the sendmail file is just basically a pointer to Exim itself.
mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden
Step 4)
Create the spam monitoring script for the new sendmail.
pico /usr/sbin/sendmail
Paste in the following:
#!/usr/local/bin/perl
# use strict;
use Env;
my $date = `date`;
chomp $date;
open (INFO, “>>/var/log/spam_log”) || die “Failed to open file ::$!”;
my $uid = $>;
my @info = getpwuid($uid);
if($REMOTE_ADDR) {
print INFO “$date – $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME n”;
}
else {
print INFO “$date – $PWD – @infon”;
}
my $mailprog = ‘/usr/sbin/sendmail.hidden’;
foreach (@ARGV) {
$arg=”$arg” . ” $_”;
}
open (MAIL,”|$mailprog $arg”) || die “cannot open $mailprog: $!n”;
while ( ) {
print MAIL;
}
close (INFO);
close (MAIL);
Step 5)
Change the new sendmail permissions
chmod +x /usr/sbin/sendmail
Step 6)
Create a new log file to keep a history of all mail going out of the server using web scripts
touch /var/log/spam_log
chmod 0777 /var/log/spam_log
Step 7)
Start Exim up again.
/etc/init.d/exim start
Step
Monitor your spam_log file for spam, try using any formmail or script that uses a mail function – a message board, a contact script.
tail – f /var/log/spam_log
Sample Log Output
Mon Apr 11 07:12:21 EDT 2005 – /home/username/public_html/directory/subdirectory – nobody x 99 99 Nobody / /sbin/nologin
Log Rotation Details
Your spam_log file isn’t set to be rotated so it might get to be very large quickly. Keep an eye on it and consider adding it to your logrotation.
pico /etc/logrotate.conf
FIND:
# no packages own wtmp — we’ll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}
ADD BELOW:
# SPAM LOG rotation
/var/log/spam_log {
monthly
create 0777 root root
rotate 1
}
Notes:
You may also want to chattr + i /usr/sbin/sendmail so it doesn’t get overwritten.
ddos command :
netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n
route add 12.219.178.143 reject
route add 202.173.147.138 reject
===============
netstat -a | grep SYN | wc -l
iptables -A INPUT -s 124.177.148.139 -j DROP
netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n
===============
Use “netsh routing ip show filter” and
“netsh routing ip show filter ”
to see open ports.
Finding Spam Scripts On cPanel
If a server is sending lots of spam, and no one knows why, there is a chance that the cause is a malicious script somewhere on the server. It can be a little tricky to locate such a script, but here’s a trick that should help.
Log into WHM with root and the root password of the server.
Click on “Exim Configuration Editor” under “Service Configuration”.
Click on the box at the top that says “Switch to Advanced Mode (Edit Raw Configuration File)”.
Paste this into the top box:
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
That line is pretty long, be sure to copy all of it and realize it may span beyond your browser’s window. Most web browsers should allow you to “triple click” in the above field and copy all of the text to your clip board but if not simply place your mouse on the far left of “log_selector” and drag the mouse to your right until you have “+tls_peerdn” highlighted.
Once you’ve copied that into the Exim editor box, scroll all the way down and click the little “Save” button.
Now you’re done in WHM. You can close out of the window, or leave it open if you plan on coming back to remove your addition to the Exim.conf. This change will slow Exim a little, so if you have a busy mailserver it’s best to remove this modification when you’re done.
Login to the server via ssh.
Watch the outgoing message log to see what directory messages are being sent from. This command works wonders:
tail -f /var/log/exim_mainlog | grep cwd
Note: cwd stands for current working directory.
This is quite normal: cwd=/var/spool/exim
This warrants investigation, but might be legit: cwd=/tmp
This is generally bad: cwd=/home/h4x0r/public_html/forums/tmp
What are frozen messages?
Frozen messages are messages that Exim will no longer attempt to deliver. You can thaw the message with:
exim -Mt [ … ]
To remove all frozen messages:
exiqgrep -z -i | xargs exim -Mrm
To show frozen messages:
exim -bp | grep frozen
Freeze all queued messages from local user:
exiqgrep -i -f luser@localhost | xargs exim -Mf
Tracking Down Spam Scripts in cPanel
If you’re receiving complaints that your cPanel server is sending out spam, there is a fair chance that there is a malicious script somewhere on the server. It can be a little tricky to locate such a script, but here is a trick that may help:
Log into your WHM interface by using the root user and root password.
Click on ‘Exim Configuration Editer’ under ‘Service Configuration’.
Click the box at the top labeled ‘Switch to Advanced Mode (Edit Raw Configuration File)’.
Copy the following and paste into the top box:
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
Next, scroll down to the bottom and click the ‘Save’ button.
At this point, you can log out of WHM, and log into your server via SSH.
Now we want to watch the mail program’s log files, to see where the messages are comming from on your server. Type the following at the command line:
tail -f /var/log/exim_mainlog | grep cwd
This will show exactly what is being logged by the mail server, but will only display the relevant lines.
The output will be something like the following. ‘cwd’, in this case stands for ‘current working directory’, or the place on the server where the messages originate.
cwd=/var/spool/exim –> This one is nothing to worry about; this is normal operation.
cwd=/tmp –> This is the temporary directory. If you see entries with this, you should probably investigate further.
cwd=/home/accountname/public_html/forums/tmp –> This one is definately something that should be investigated.
ls -la /home/accountname/public_html/forums/tmp –> This will list the directory’s contents.
By listing the contents of the directory that looks suspicious (in this case, /home/accountname/public_html/forums/tmp), you can discover the name of the script. To check and see if it is currently running, type the following:
ps aux | grep
This will give an output that includes a number known as the process ID. You can stop the script by typing kill . Next, remove the script from the server:
rm /home/accountname/public_html/forums/tmp/
How to find all IPs bound to a machine that are not hosting sites
This command can be used to find free IPs on a non-panel Linux server.
echo System has $(ifconfig | grep “inet addr:” | grep -v 127.0.0.1 | awk ‘{print $2}’ | sed s/”addr:”// | sort -n > /tmp/boundips && cat /usr/local/apache/conf/httpd.conf | grep “”$// | sed s/”>”$// | sort -n | uniq > /tmp/usedips && diff /tmp/boundips /tmp/usedips | sed -n /^”< “/p | sed s/^”< “// | wc -l) free IPs: && diff /tmp/boundips /tmp/usedips | sed -n /^”< “/p | sed s/^”< “// && rm -f /tmp/boundips /tmp/usedips
Note: On a cPanel server, there is a tool called “Rebuild the IP address pool”, which performs the same function.
To block IPs in Linux you use a program called iptables that should already be installed on your server. To issue the neccessary commands you will need to login to your server via SSH as the root user. Adding Temporary Rules: To make only temporary rules that will not survive a reboot you can do the following steps. Once the rules are setup correctly they can be made permanent Step 1) Determine which IPs need to be blocked from accessing your server. Step 2a) To block a single IP issue the following command at the command prompt iptables -I INPUT -s -j DROP Step 2b) To block a range of IPs issue the following command at the command prompt. This will block all ips starting at and incrementing by one until it reaches and includes iptables -I INPUT -s : -j DROP Step 2c) To block a Netblock of IPs issue the following command at the command prompt. This will block all ips that fall into the subet by applying the to . iptables -I INPUT -s / -j DROP Removing Temporary Rules: Step 1) At the command line type the following command to display the list of current rules: iptables -L Step 2) The previous command should have displayed "Chain INPUT" followed by a list of rules. The top most rule is considered to be Rule 1. Count down to the rule you wish to remove and note its number. So the first rule is Rule 1, the second is Rule 2, etc. Step 3) Type in the following command where is the number of the rule you wish to delete iptables -D INPUT Making/Adding Permanant Rules: The above rules will only last until your server is rebooted. There are two ways to make make the rules permant on a RHEL or CENTOS based system. You can setup temporary rules as shown above and then save the current configuration when you are sure all the rules are correct. To do this you type in the following command which will save the rules and make sure they run at the next reboot. iptables-save > /etc/sysconfig/iptables; chkconfig iptables on The second method is to add the rules manually to the file /etc/sysconfig/iptables and then restart iptables. The rules themselves remain mostly unchanged as seen below. The only difference is that you do not call the iptables command. 1a) To block a single IP add the following to /etc/sysconfig/iptables. -I INPUT -s -j DROP 1b) To block a range of IPs add the following to /etc/sysconfig/iptables. -I INPUT -s : -j DROP 1c) To block a Netblock of IPs add the following to /etc/sysconfig/iptables -I INPUT -s / -j DROP 2) Restart iptables by issusing the following command: service iptables restart 3) Ensure iptables runs at reboot chkconfig iptables on Removing Permanant Rules: 1) Delete the rules from the file /etc/sysconfig/iptables 2) Restart iptables by issusing the following command: service iptables restart
Kill nobody process
ps aux grep nobody awk ‘{print $2}’ xargs kill -9
Kill user process
ps aux grep apache awk ‘{print $2}’ xargs kill -9