MyTrueHost launched Web Hosting for Indian clients just in Rs 60/Month with various payment options(netbanking, debit card, credit card,cash card or paypal).
Please Visit at https://www.mytruehost.in

How to stop SYN-ACK attack

A good security tutorial is at : http://www.toplayer.com/content/resource/faq.jsp

One more link

http://www.google.com/search?q=How+to+stop+SYN+attack+on+server&hl=en&lr=&ie=UTF-8&oe=UTF-8

 

Stop PHP nobody Spammers

PHP and Apache has a history of not being able to track which users are sending out mail through the PHP mail function from the nobody user causing leaks in formmail scripts and malicious users to spam from your server without you knowing who or where.
Watching your exim_mainlog doesn’t exactly help, you see th email going out but you can’t track from which user or script is sending it. This is a quick and dirty way to get around the nobody spam problem on your Linux server.

If you check out your PHP.ini file you’ll notice that your mail program is set to: /usr/sbin/sendmail and 99.99% of PHP scripts will just use the built in mail(); function for PHP – so everything will go through /usr/sbin/sendmail =)

Requirements:
We assume you’re using Apache 1.3x, PHP 4.3x and Exim. This may work on other systems but we’re only tested it on a Cpanel/WHM Red Hat Enterprise system.

Time:
10 Minutes, Root access required.

Step 1)
Login to your server and su – to root.

Step 2)
Turn off exim while we do this so it doesn’t freak out.
/etc/init.d/exim stop

Step 3)
Backup your original /usr/sbin/sendmail file. On systems using Exim MTA, the sendmail file is just basically a pointer to Exim itself.
mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden

Step 4)
Create the spam monitoring script for the new sendmail.
pico /usr/sbin/sendmail

Paste in the following:

#!/usr/local/bin/perl

# use strict;
use Env;
my $date = `date`;
chomp $date;
open (INFO, “>>/var/log/spam_log”) || die “Failed to open file ::$!”;
my $uid = $>;
my @info = getpwuid($uid);
if($REMOTE_ADDR) {
print INFO “$date – $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME n”;
}
else {

print INFO “$date – $PWD – @infon”;

}
my $mailprog = ‘/usr/sbin/sendmail.hidden’;
foreach (@ARGV) {
$arg=”$arg” . ” $_”;
}

open (MAIL,”|$mailprog $arg”) || die “cannot open $mailprog: $!n”;
while ( ) {
print MAIL;
}
close (INFO);
close (MAIL);

Step 5)
Change the new sendmail permissions
chmod +x /usr/sbin/sendmail

Step 6)
Create a new log file to keep a history of all mail going out of the server using web scripts
touch /var/log/spam_log

chmod 0777 /var/log/spam_log

Step 7)
Start Exim up again.
/etc/init.d/exim start

Step
Monitor your spam_log file for spam, try using any formmail or script that uses a mail function – a message board, a contact script.
tail – f /var/log/spam_log

Sample Log Output

Mon Apr 11 07:12:21 EDT 2005 – /home/username/public_html/directory/subdirectory – nobody x 99 99 Nobody / /sbin/nologin

Log Rotation Details
Your spam_log file isn’t set to be rotated so it might get to be very large quickly. Keep an eye on it and consider adding it to your logrotation.

pico /etc/logrotate.conf

FIND:
# no packages own wtmp — we’ll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}

ADD BELOW:

# SPAM LOG rotation
/var/log/spam_log {
monthly
create 0777 root root
rotate 1
}

Notes:
You may also want to chattr + i /usr/sbin/sendmail so it doesn’t get overwritten.

ddos command

ddos command : 

netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n
route add 12.219.178.143 reject
route add 202.173.147.138 reject

===============

netstat -a | grep SYN | wc -l
iptables -A INPUT -s 124.177.148.139 -j DROP
netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

===============

How can I check which ports are open when the firewall is activated?

Use “netsh routing ip show filter” and
“netsh routing ip show filter ”
to see open ports.

 

 

Finding Spam Scripts on cPanel

Finding Spam Scripts On cPanel

If a server is sending lots of spam, and no one knows why, there is a chance that the cause is a malicious script somewhere on the server. It can be a little tricky to locate such a script, but here’s a trick that should help.

Log into WHM with root and the root password of the server.
Click on “Exim Configuration Editor” under “Service Configuration”.
Click on the box at the top that says “Switch to Advanced Mode (Edit Raw Configuration File)”.
Paste this into the top box:

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

That line is pretty long, be sure to copy all of it and realize it may span beyond your browser’s window. Most web browsers should allow you to “triple click” in the above field and copy all of the text to your clip board but if not simply place your mouse on the far left of “log_selector” and drag the mouse to your right until you have “+tls_peerdn” highlighted.

Once you’ve copied that into the Exim editor box, scroll all the way down and click the little “Save” button.

Now you’re done in WHM. You can close out of the window, or leave it open if you plan on coming back to remove your addition to the Exim.conf. This change will slow Exim a little, so if you have a busy mailserver it’s best to remove this modification when you’re done.

Login to the server via ssh.

Watch the outgoing message log to see what directory messages are being sent from. This command works wonders:

tail -f /var/log/exim_mainlog | grep cwd

Note: cwd stands for current working directory.
This is quite normal: cwd=/var/spool/exim
This warrants investigation, but might be legit: cwd=/tmp
This is generally bad: cwd=/home/h4x0r/public_html/forums/tmp

Frozen messages with Exim

What are frozen messages?

Frozen messages are messages that Exim will no longer attempt to deliver. You can thaw the message with:
exim -Mt [ … ]

To remove all frozen messages:

exiqgrep -z -i | xargs exim -Mrm
To show frozen messages:
exim -bp | grep frozen
Freeze all queued messages from local user:
exiqgrep -i -f luser@localhost | xargs exim -Mf

 

Tracking Down Spam Scripts in cPanel

Tracking Down Spam Scripts in cPanel
If you’re receiving complaints that your cPanel server is sending out spam, there is a fair chance that there is a malicious script somewhere on the server. It can be a little tricky to locate such a script, but here is a trick that may help:

Log into your WHM interface by using the root user and root password.
Click on ‘Exim Configuration Editer’ under ‘Service Configuration’.
Click the box at the top labeled ‘Switch to Advanced Mode (Edit Raw Configuration File)’.
Copy the following and paste into the top box:

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

Next, scroll down to the bottom and click the ‘Save’ button.

At this point, you can log out of WHM, and log into your server via SSH.

Now we want to watch the mail program’s log files, to see where the messages are comming from on your server. Type the following at the command line:

tail -f /var/log/exim_mainlog | grep cwd

This will show exactly what is being logged by the mail server, but will only display the relevant lines.

The output will be something like the following. ‘cwd’, in this case stands for ‘current working directory’, or the place on the server where the messages originate.

cwd=/var/spool/exim –> This one is nothing to worry about; this is normal operation.
cwd=/tmp –> This is the temporary directory. If you see entries with this, you should probably investigate further.
cwd=/home/accountname/public_html/forums/tmp –> This one is definately something that should be investigated.

ls -la /home/accountname/public_html/forums/tmp –> This will list the directory’s contents.

By listing the contents of the directory that looks suspicious (in this case, /home/accountname/public_html/forums/tmp), you can discover the name of the script. To check and see if it is currently running, type the following:

ps aux | grep

This will give an output that includes a number known as the process ID. You can stop the script by typing kill . Next, remove the script from the server:

rm /home/accountname/public_html/forums/tmp/

 

How to find all IPs bound to a machine that are not hosting sites

How to find all IPs bound to a machine that are not hosting sites

This command can be used to find free IPs on a non-panel Linux server.

echo System has $(ifconfig | grep “inet addr:” | grep -v 127.0.0.1 | awk ‘{print $2}’ | sed s/”addr:”// | sort -n > /tmp/boundips && cat /usr/local/apache/conf/httpd.conf | grep “”$// | sed s/”>”$// | sort -n | uniq > /tmp/usedips && diff /tmp/boundips /tmp/usedips | sed -n /^”< “/p | sed s/^”< “// | wc -l) free IPs: && diff /tmp/boundips /tmp/usedips | sed -n /^”< “/p | sed s/^”< “// && rm -f /tmp/boundips /tmp/usedips

Note: On a cPanel server, there is a tool called “Rebuild the IP address pool”, which performs the same function.

 

How to block an IP/netblock using iptables

To block IPs in Linux you use a program called iptables that should already be installed on your server. To issue the neccessary commands you will need to login to your server via SSH as the root user.

Adding Temporary Rules:
To make only temporary rules that will not survive a reboot you can do the following steps. Once the rules are setup correctly they can be made permanent
Step 1) Determine which IPs need to be blocked from accessing your server.
Step 2a) To block a single IP issue the following command at the command prompt
iptables -I INPUT -s -j DROP
Step 2b) To block a range of IPs issue the following command at the command prompt. This will block all ips starting at and incrementing by one until it reaches and includes 
iptables -I INPUT -s : -j DROP
Step 2c) To block a Netblock of IPs issue the following command at the command prompt. This will block all ips that fall into the subet by applying the to .
iptables -I INPUT -s / -j DROP

Removing Temporary Rules:
Step 1) At the command line type the following command to display the list of current rules:
iptables -L
Step 2) The previous command should have displayed "Chain INPUT" followed by a list of rules. The top most rule is considered to be Rule 1. Count down to the rule you wish to remove and note its number. So the first rule is Rule 1, the second is Rule 2, etc.
Step 3) Type in the following command where is the number of the rule you wish to delete
iptables -D INPUT 

Making/Adding Permanant Rules:
The above rules will only last until your server is rebooted. There are two ways to make make the rules permant on a RHEL or CENTOS based system. You can setup temporary rules as shown above and then save the current configuration when you are sure all the rules are correct. To do this you type in the following command which will save the rules and make sure they run at the next reboot.
iptables-save > /etc/sysconfig/iptables; chkconfig iptables on

The second method is to add the rules manually to the file /etc/sysconfig/iptables and then restart iptables. The rules themselves remain mostly unchanged as seen below. The only difference is that you do not call the iptables command.
1a) To block a single IP add the following to /etc/sysconfig/iptables.
-I INPUT -s -j DROP
1b) To block a range of IPs add the following to /etc/sysconfig/iptables.
-I INPUT -s : -j DROP
1c) To block a Netblock of IPs add the following to /etc/sysconfig/iptables
-I INPUT -s / -j DROP
2) Restart iptables by issusing the following command:
service iptables restart
3) Ensure iptables runs at reboot
chkconfig iptables on

Removing Permanant Rules:
1) Delete the rules from the file /etc/sysconfig/iptables
2) Restart iptables by issusing the following command:
service iptables restart

Kill nobody /user process

Kill nobody process

ps aux grep nobody awk ‘{print $2}’ xargs kill -9
Kill user process
ps aux grep apache awk ‘{print $2}’ xargs kill -9