General :: Detect DoS Attacks / Manually Block IP On Ubuntu?
Sep 14, 2011
I have a VPS with Ubuntu. I host a small website (~10 visitors at the same time). Sometimes the website starts lagging. It lags so bad that my SSH connection starts lagging too. Running top says that 2 instances of apache2 take up 50 %CPU each.
I assume this is a DoS attack. I've copy-paste installed a few iptables scripts that made sense, but this has not helped. I installed libapache2-mod-evasive -- I'm sure it blocks the attacker, but I'm still lagging.
What can I do? Can I at least find the IP of the attacker? I have strong experience with Linux, but almost zero experience with being a server admin.
I'm trying to implement this method to block PHP injection attacks using fail2ban (here it is), however I'm not sure it applies to Ubuntu. You see, there's this filter that must be added to the fail2ban jail file:
Code:
[php-url-fopen]
enabled = true
port = http,https
filter = php-url-fopen
I launched my website. At the moment the site has a firewall (iptables) enabled with very simple rules. All incoming traffic is blocked, except for the ports http and ssh. Everything is working perfectly, but I also want to be able to block certain kinds of attacks. There are some really good examples on the internet, but I don't know if they contain all kinds of attacks which are relevant to my situation. To be clear, I only serve web content through port 80 and use ssh to remote login.
I've heard of attacks using PDF files on Windows with Adobe Acrobat and Foxit Reader. Is Linux vulnerable to these attacks when using the default PDF viewers in KDE or Gnome or even xpdf? What is a good PDF scanner to determine if a PDF file is evil?
I have a mail server running RHEL, with postfix, dovecot, etc. I installed Fail2ban and this works wonders against SSH brute force attacks. It'll ban an IP address for a period of time if it unsuccessfully attempts to log on 3 times within, say a minute. I was wondering if it can be as effective with pop3 attacks. If it is, how can I get it done?
We have been using the Axigen Linux email server for the past few years. We keep the ports for ssh, pop, smtp, webmail etc. open. ssh is used for remote troubleshooting, so through the firewall it is globally accessible. We notice many attacks coming to our machine; some people also try to enter our system but fail. As an example, see below a log entry from the messages file:
Code:
Mar 17 09:19:50 sa1 sshd(pam_unix)[21231]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.51.13.120 user=root
How can we secure it more? As per my understanding, only a good, long, strong password can prevent these attacks.
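The two mail-server posts above (fail2ban for pop3 on the RHEL/dovecot box, and the sshd "authentication failure" lines on the Axigen box) both come down to the same rule fail2ban applies: count failed logins per source address inside a sliding window and ban the address once it crosses a threshold. The following is an added example, not code from any of the posts or from fail2ban itself, showing that logic in Python over constructed log lines. The first sshd line mirrors the format quoted above; the Dovecot `pop3-login: Disconnected (auth failed ...)` line format is an assumption about Dovecot's log output, and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from the original posts, except that the
# first sshd line mirrors the format quoted above). The dovecot line format
# is assumed to match Dovecot's "auth failed" disconnect messages.
SAMPLE_LOG = """\
Mar 17 09:19:50 sa1 sshd(pam_unix)[21231]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.51.13.120 user=root
Mar 17 09:19:53 sa1 sshd(pam_unix)[21233]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.51.13.120 user=root
Mar 17 09:20:10 sa1 sshd(pam_unix)[21240]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.51.13.120 user=admin
Mar 17 09:20:15 sa1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Mar 17 09:20:16 sa1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Mar 17 09:20:17 sa1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Mar 17 09:25:00 sa1 sshd(pam_unix)[21301]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9 user=root
Mar 17 09:40:00 sa1 sshd(pam_unix)[21355]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9 user=root
Mar 17 09:55:00 sa1 sshd(pam_unix)[21390]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9 user=root
"""

# One regex per log source, in the spirit of a fail2ban filter's failregex.
# Each must capture the offending address in the group named "ip".
FAILREGEX = {
    "sshd": re.compile(r"sshd\S*\[\d+\]: authentication failure;.*rhost=(?P<ip>\S+)"),
    "dovecot": re.compile(
        r"dovecot: (?:pop3|imap)-login: Disconnected \(auth failed.*rip=(?P<ip>[0-9a-fA-F.:]+)"
    ),
}
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_ts(line, year=2011):
    """Parse the syslog timestamp; the year is assumed since syslog omits it."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def failures(lines):
    """Yield (timestamp, service, ip) for every line matching a failregex."""
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        for service, rx in FAILREGEX.items():
            m = rx.search(line)
            if m:
                yield ts, service, m.group("ip")
                break


def bans(lines, maxretry=3, findtime=60):
    """Return {ip: service} for IPs with >= maxretry failures inside findtime seconds.

    This is the sliding-window rule fail2ban uses: the ban fires when the
    maxretry-th failure lands within findtime of the oldest still-counted one.
    """
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for ts, service, ip in failures(lines):
        if ip in banned:
            continue
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= maxretry:
            banned[ip] = service
    return banned


if __name__ == "__main__":
    for ip, svc in bans(SAMPLE_LOG.splitlines()).items():
        # A real jail would now run something like: iptables -I INPUT -s <ip> -j DROP
        print(f"ban {ip} ({svc})")
```

With the defaults (3 failures in 60 seconds) the two bursts are banned and the slow attacker at 198.51.100.9, who spaces attempts 15 minutes apart, is not; widening `findtime` to an hour catches that one too, which is the trade-off the fail2ban `findtime` setting controls.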
I would like to know how to protect networks against VPN attacks? How does big industries do it? What does the government tend to use? Are any tools open source that I may get?
Given that my public key is a pre-shared secret is sshd made in a way that this negates the possibility of a man in the middle attack? In other words, if the known_hosts file were to be deleted, would it be safe to ignore the fingerprint of a server that already has my public key in authorized_keys?
I'm using Debian 6 to host a website (with apache2) and a game server. But because of attacks on my server, my hosting company has now set it offline.
These are the two logs that they provided (I replaced all IPs):
Code:
Direction IN Internal ***.***.***.***
I have a VPS which is running HTTPD, and it's getting blown to bits by a DOS attack. Turns out mod_evasive is totally useless (due to not running a total, rather counting per child process) and the only way to stop the box from running at 100% on all cores is to term HTTPD. So, what rules can I implement on the iptables firewall to block multiple requests from an IP? I saw this: [URL] where someone has posted some rules, but these don't work ("unknown error 4294967295" on the 3rd line). This is what I'm after though: block multiple requests from a single IP for a certain period of time.
Recently my Apache server crashes very often; by watching the error log, I've noticed several signs of intrusion. So, I think the problem can be a denial of service attack against my machine. My distribution is Debian Lenny.
With the disappearance of an OS monoculture, attackers would do well to find attacks that are neither OS- nor application-specific. One way to do that, of course, is to target attacks at hardware rather than software. Now research out of France's École Supérieure d'Informatique, Électronique, Automatique (ESIEA) moves a step closer to that goal: identifying a method for isolating the processor used by anonymous systems for the purpose of subverting that hardware.
My server has been the repeated victim of bandwidth attacks: any large file on the server is downloaded repeatedly, with the goal of pushing the server over the provider's bandwidth limit. How can I lessen the effect of these kinds of attacks with IPTables or APF? For example, can I set the server to: Is this possible? Is there a more effective way, and can a firewall even do this? My web server is Lighttpd, perhaps I can place such a rule directly in its config?
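The first post on this page (two apache2 processes pinned at 50% CPU, "can I at least find the IP of the attacker?") and the bandwidth-attack post above both come down to reading the web server's access log per client address: the first wants the address sending the most requests per second, the second wants the address that keeps re-downloading the same large file. The block below is an added example, not code from the posts or from Apache/lighttpd, that does both in Python over constructed access-log lines. It assumes Apache "combined" log format (lighttpd's default accesslog.format is close enough for the fields used here); the thresholds `max_rps`, `max_bytes` and `min_repeats` are illustrative and should be tuned to the site.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def _combined(ip, ts, path, status, size, ua):
    """Build one constructed log line in Apache combined format (sample data only)."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size} "-" "{ua}"'


# Constructed sample log: one normal visitor, one client pulling a 700 MB ISO
# three times in 15 seconds, and one client hammering index.php at 8 req/s.
SAMPLE_LINES = [
    _combined("203.0.113.50", "14/Sep/2011:10:00:01 +0000", "/index.php", 200, 5120, "Mozilla/5.0"),
    _combined("203.0.113.50", "14/Sep/2011:10:00:03 +0000", "/style.css", 200, 900, "Mozilla/5.0"),
]
for sec in (2, 9, 15):
    SAMPLE_LINES.append(_combined("198.51.100.23", f"14/Sep/2011:10:00:{sec:02d} +0000",
                                  "/files/big.iso", 200, 734003200, "Wget/1.12"))
for i in range(40):
    sec = 20 + i // 8     # eight hits per second, seconds 20..24
    SAMPLE_LINES.append(_combined("192.0.2.77", f"14/Sep/2011:10:00:{sec:02d} +0000",
                                  "/index.php", 200, 5120, "-"))


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status")), "bytes": size}


def per_ip_stats(lines):
    """Aggregate request count, bytes served and first/last timestamp per client IP."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return stats


def offenders(lines, max_rps=5.0, max_bytes=1 << 30):
    """Return {ip: reason} for clients exceeding a request rate or a byte budget."""
    flagged = {}
    for ip, s in per_ip_stats(lines).items():
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)  # avoid divide-by-zero
        rate = s["requests"] / span
        if rate > max_rps:
            flagged[ip] = f"{s['requests']} requests in {span:.0f}s ({rate:.1f} req/s)"
        elif s["bytes"] > max_bytes:
            flagged[ip] = f"{s['bytes']} bytes served"
    return flagged


def repeated_large_downloads(lines, min_bytes=100 << 20, min_repeats=3):
    """Return {(ip, path): count} where one IP fetched the same large file repeatedly."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 200 and rec["bytes"] >= min_bytes:
            counts[(rec["ip"], rec["path"])] += 1
    return {k: v for k, v in counts.items() if v >= min_repeats}


if __name__ == "__main__":
    for ip, why in offenders(SAMPLE_LINES).items():
        print(f"{ip}: {why}")   # candidate for: iptables -I INPUT -s <ip> -j DROP
    for (ip, path), n in repeated_large_downloads(SAMPLE_LINES).items():
        print(f"{ip} fetched {path} {n} times")
```

On a live box the loop over `SAMPLE_LINES` becomes a loop over `/var/log/apache2/access.log` (or lighttpd's access.log); the flagged addresses are what you would feed to an iptables DROP rule or to a fail2ban jail, and the byte-budget check is the one that catches the bandwidth attacker, whose request rate looks harmless.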
I have an SSH server set up at home listening on port 22. I have hardened the server so it is pretty secure but I want to make it even safer by editing my iptables to rate-limit incoming connections and DROP false login attempts. I have tried these tutorials but I just can't get it to work: [URL]
I want the debian-administration.org tutorial to work but when I try to add the first rule in the terminal:
Code:
sudo iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
I get the following:
Code:
Bad argument `--set'
I am new to iptables and I'm not sure if I'm doing something wrong when I try to set it up. I'm using Ubuntu 10.04.1 LTS with iptables v1.4.4.
I need to do a pentest on a Microsoft IIS webserver to test the efficiency of the HIPS I have installed on it. Are there methods to simulate attacks so that I can check if the HIPS will detect them?
My Debian server has been attacked due to a security breach in exim4 4.69-9 (probably applies to loads of other versions too). The security breach allows the attacker to get root access by creating a buffer overflow in a header, which then can be used to inject code.
[URL]
The security breach is fixed with 4.69-9+lenny1. I want to share my actions with you on what I did to (hopefully) get rid of it. However, at the time of writing this, the above website is down due to too much load (DDOS attack?). How you can check if you've been attacked:
The attack creates a buffer overflow in exim4, which results in paniclog entries.
Code:
$ cat /var/log/exim4/paniclog
2010-12-17 07:34:11 string too large in xxxyyy()
2010-12-19 10:42:10 string too large in xxxyyy()
This would be an example of two attacks: one on 2010-12-17 and the other two days later, on 2010-12-19. With this information you can start finding potentially infected files. There may be a better way, but I searched for them with this command:
Code:
$ find / -mtime 31 2>/dev/null   # files, directories, links modified 31 days ago (i.e. 2010-12-17)
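The `find -mtime 31` search above is relative to the day you run it, so the number has to be recomputed every day and a second attack date needs a second run. As an added example (not part of the original post), the Python below reads the attack dates straight out of a paniclog in the format quoted above and then walks a tree for anything whose modification time falls on one of those days. The paniclog text and the directory tree are constructed in a temporary directory so the example runs offline; on a real box you would pass `/var/log/exim4/paniclog` and `/` instead.

```python
import os
import re
import tempfile
from datetime import datetime, date

# Constructed paniclog modelled on the two entries quoted above, plus one
# unrelated entry to show that only "string too large" lines are counted.
PANICLOG = """\
2010-12-17 07:34:11 string too large in xxxyyy()
2010-12-18 12:00:00 some unrelated panic entry
2010-12-19 10:42:10 string too large in xxxyyy()
"""

PANIC_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} string too large in")


def attack_dates(paniclog_text):
    """Return the sorted list of dates that carry a 'string too large' entry."""
    found = set()
    for line in paniclog_text.splitlines():
        m = PANIC_RE.match(line)
        if m:
            found.add(date.fromisoformat(m.group(1)))
    return sorted(found)


def suspect_files(root, dates):
    """Walk root and return paths whose mtime (local time) falls on any of dates."""
    wanted = set(dates)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks an attacker may have planted
            except OSError:
                continue              # unreadable or vanished entry, like find's 2>/dev/null
            if datetime.fromtimestamp(st.st_mtime).date() in wanted:
                hits.append(path)
    return sorted(hits)


def _touch(path, when):
    """Create path and set its atime/mtime to the naive local datetime `when`."""
    with open(path, "w") as fh:
        fh.write("x")
    ts = when.timestamp()
    os.utime(path, (ts, ts))


def demo():
    """Build a throwaway tree with one planted file per attack date and scan it."""
    with tempfile.TemporaryDirectory() as root:
        _touch(os.path.join(root, "normal.txt"), datetime(2010, 11, 1, 9, 0))
        _touch(os.path.join(root, "dropped.pl"), datetime(2010, 12, 17, 7, 40))
        os.mkdir(os.path.join(root, "tmp"))       # directory itself is dated today
        _touch(os.path.join(root, "tmp", "x.sh"), datetime(2010, 12, 19, 10, 50))
        dates = attack_dates(PANICLOG)
        hits = suspect_files(root, dates)
        return dates, [os.path.relpath(p, root) for p in hits]


if __name__ == "__main__":
    dates, hits = demo()
    print("attack dates:", [d.isoformat() for d in dates])
    for h in hits:
        print("modified on an attack day:", h)
```

Remember that an attacker who got root can reset mtimes, so a clean result from this (or from `find -mtime`) is not proof of a clean system; it only narrows down what to look at first.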
I need to learn how to analyze network traffic for attacks, and while finding the attack seems easy in my case, I need to identify what he's doing. I will be happy right now if you guys can answer my question: how do I identify if an attack has brought the server down? I have packet captures of an attack in progress and I noticed that every now and then the attacker would do something weird and the server would start sending packets with just the RST flag set in response. Normally I had been seeing the RST ACK flags set or the FIN ACK bits set to terminate a connection. So once again my question is: how do I tell if the traffic indicates a server crash?
I've installed Squeeze 2.6.32-5-amd64 on my laptop (Alienware M17X R3, Intel i7 Sandybridge, ATI Technologies Inc Broadway [ATI Mobility Radeon HD 6800 Series]). The screen is 17", with a maximum resolution of 1920 x 1080. After a default install of the operating system, the maximum resolution I can select is 1280 x 1024. My research so far has suggested that I need to edit the /etc/X11/xorg.conf file and provide xorg with the necessary resolution.
Again, by default, the xorg.conf file is not created. This leads me to believe that xorg is scanning my hardware at startup and providing me with whatever it thinks is appropriate. I tried following these instructions to generate an xorg.conf file. This process created an xorg.conf file under /root/.
When I copy this xorg.conf file to /etc/X11, I get a blank (i.e. black) screen. Deleting this file restores the default resolution 1280 x 1024. This system is dual booting with Windows 7. Under Windows I am able to get a 1920 x 1080 resolution, so I know my hardware is up to it. At this stage I have yet to install the drivers for the Radeon graphics card. What are my options regarding configuring xorg to give me a higher screen resolution?
I have a new F12 install, and my syslog is filling up with messages about USB. I have 2 USB devices plugged in directly to the mobo (bluetooth keyboard receiver, touchscreen), and it keeps redetecting them and then disabling the port for some reason.
I am ashamed that I am causing other people trouble, but apparently my server is involved in attacking the servers of other people.
I have to admit that I am not too familiar with using a CLI, or Linux for that matter, but I have a Debian server running under Plesk 10, which is colocated.
Now I have received messages from the datacenter which state that my server is involved in brute force attacks.
The messages show a lot of lines like this:
Code:
The only thing I get from my hoster is to back up all domains and re-install the machine.
I want to resolve this asap, but do not agree with that action for two reasons: the machine just had a fresh re-install 2 months ago, so if it is a flaw in the OS, I will get the same flaw back, and if it is not OS related but due to a domain, I will get the problem back by putting back the backed-up domains.
But now I'm stuck: what steps should I follow to try and find the cause of this evil and make sure that my machine will not bother other machines anymore?
I realize that this probably will be a steep learning curve, but please bear with me and help me to resolve this.
What have I done so far?
1) There are a number of live sites on this server, either running WordPress or Joomla, I have made sure they are all updated to the latest release.
2) I have manually looked at the source code of the index-files of those sites, haven't seen anything strange, like redirects.
3) I have used online scanners to check all sites for malware, all have been reported back to be clean.
4) I have run the Plesk-version of RKhunter, and that gives me certain warnings which I cannot (or do not) understand:
Code:
Code:
Code:
I received the first report of these attempts about a week ago and immediately changed the Plesk/SSH password to a 200-bit password generated with KeePass, hoping that would keep out any evildoers.
The Network Manager on KDE gets DNS configuration from DHCP and sets it automatically, but I would like to use the Google Public DNS. If I overwrite /etc/resolv.conf with nameserver 8.8.8.8 it still resolves names with the old DNS (probably cached in memory) and, of course, even if it worked, it would be annoying having to do that every time I connect to a network.
I've noticed the Network Manager lets you specify a fixed DNS with the rest being taken from DHCP, but that's on a per network basis, and I would like to set it once for whichever network I connect to (if you're on the go with a laptop that becomes an issue).
I have installed tomcat6 on Ubuntu. It starts automatically at startup. I do not want it to start automatically; I want to start it manually because I use the same port 8080 for different servers. If tomcat is already started on 8080, it becomes a problem.
How do I stop Ubuntu from starting tomcat automatically at startup?
A. I want to manually set the window clamp for my experiment. I came to know we can do that in net/ipv4/tcp_output.c::tcp_grow_window. I'm really confused with the flow. I even tried net/ipv4/tcp_output.c::tcp_select_window, but things are as usual.
B. Can I really improve the throughput by increasing the buffer space? Do I have to go for netfilter, or will altering the existing data structure do?
I had installed this drive as a slave drive yesterday, and it had worked perfectly, mounted good, etc., etc.
Today, I fire up ol' trusty, and my slave drive doesn't show in either "Places," "System Monitor," or "Disk Usage Analyzer." It does, however, show up in BIOS and "Gparted Partition Editor." A mounting option isn't present in "Places" as it was yesterday.
If I need to manually mount it or whatever, would someone please list the steps I need to take to get my HD back?
My main harddrive is a Western Digital 160 Gb IDE and is listed as /dev/sda. My slave is a Seagate 80 Gb SATA and is listed as /dev/sdb
For some reason, my kernel got uninstalled. I have only file called "initrd.img-2.6.26-1-xen-amd64.bak" in my /boot folder. The only other thing is a 'grub' folder. I booted into a rescue OS, but is there a way to install a kernel manually so that I can boot into my original OS again? Can I just download a vmlinuz file into that folder and then fix my menu.lst?
yum install libstdc++-docs doesn't work for me: "No package libstdc++-docs available." So, I can only install it myself. I've found the C++ man pages here; how can I install them? I guess just putting them under /usr/share/man/man3 will do the job, but I'm not sure.