recently my Apache server crashes very often; by watching the error log,I've notice several signs of intrusion.So, I think the problem can be a denial of service attack against my machine.My distribution is Debian Lenny.
View 2 Replies
I was just wondering if you were to get DDoSed/Dosed would ubuntu block the packets or protect you in some way?
View 1 Replies View Relatedwe are using linux email server axigen past few years. we keep port open ssh and pop,smtp webmail etc. ssh use for remote trouble shooting. so through firewall it is globally accessable. we notice many attacks coming to our machine, also some people try to enter in our system but failure. as example see below a log come in messages file
Mar 17 09:19:50 sa1 sshd(pam_unix)[21231]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.51.13.120 user=root how we can secure more. as per my understanding only good long strong password can stop to prevent from attacks.
my computer froze solid, and it would not react to anything. X didn't react to Ctrl+Alt+Backspace, not Ctrl+Alt+Del, so I had to turn it off using the power button.
This is the first time my computer freezes like this, the log files did not reveal any HW errors. Is it possible that someone in the channel did not like my level of Java skill, and flooded me to disconnect?
By the way; Im using slackware 13.1 with the default kernel (2.6.33.4) and irssi as IRC client.
I know that if you eg. ICMP-flood someone, the traffic will be denied and, but can it provoke other behavior from the computer?
So my question is; can a IRC flood/DDoS attack cause a computer to freeze sub zero?
how can I track a Dos and DDoS attack on a server . Does linux have any goiod known command line utilities and log files to us e in this way?
View 1 Replies View Relatedi have 1 question no more because i got many ddos attack and my load is 95++ what is the best program to stop DDOS Attack ?
View 14 Replies View RelatedWell someone has been putting up this attack on my game-server ports. For those of you who don't know what type of attack this is, so its an attack which is actually masked to us because the attacker uses his machine to send packets to a machine called source which reflects the packets to destination. Based on this, the UDP port under Flood at the destination starts making outgoing connections to that IP and gets rejected which uses up more than 5mb/second bandwidth instantly.
I've worked out on some security for this and now need a tool to test this against my machine. I've used PentBox but that's not really powerful to do anything. As I search Google, I find something called Trinoo but can't download or test it.
I would like to know how to protect networks against VPN attacks? How does big industries do it? What does the government tend to use? Are any tools open source that I may get?
View 1 Replies View RelatedI fear that an attack or an entry in my PC has occured, how to find the trace of the attacks.
View 3 Replies View RelatedI have a server and i think that my server is under Ddos attack. i see that server is not having much load and only few process runs but my site opens very slow. i executed the following command on my ssh:
[Code]....
I'm trying to implement this method to block php injection attack using fail2ban: here it is, however I'm not sure it applies to Ubuntu. You see, there's this filter that must be added to the fail2ban jail file:
HTML Code:
[php-url-fopen]
enabled = true
port = http,https
filter = php-url-fopen
[Code]....
Given that my public key is a pre-shared secret is sshd made in a way that this negates the possibility of a man in the middle attack? In other words, if the known_hosts file were to be deleted, would it be safe to ignore the fingerprint of a server that already has my public key in authorized_keys?
View 5 Replies View RelatedWith the disappearance of an OS monoculture, attackers would do well to find attacks that are neither OS or application specific. One way to do that, of course, is to target attacks at hardware, rather than software. Now research out of Frances Ecole Superiore d'Informatique, Electronique, Automatique (ESIEA) moves a step closer to that goal: identifying a method for isolating the processor used by anonymous systems for the purpose of subverting that hardware.
View 2 Replies View RelatedMy debian server has been attacked due to a security breach in exim4 4.69-9 (probably applies to loads of other versions too). The security breach allows the attacker to get root access by creating a buffer overflow in a header which then can be used to inject code.
[URL]
The securtiy breach is fixed with 4.69-9+lenny1 I want to share my actions with you on what I did to (hopefully) get rid of it. However at the time of writing this, the above website is down due to too much load (DDOS Attack?). How you can check if you've been attacked:
The attack creates a buffer overflow in exim4, which results in paniclog entries.
$ cat /var/log/exim4/paniclog
2010-12-17 07:34:11 string too large in xxxyyy()
2010-12-19 10:42:10 string too large in xxxyyy()
this would be an example of two attacks. One on 2010-12-17 and the other two days later 2010-12-19.with this information you can start find potentially infected files. There may be a better way, but I searched for them with this command:
$ find / -mtime 31 2>/dev/null # files,directories,links created 31 days ago (i.e. 2010-12-17)
My infected files:
/usr/bin/uptime
/usr/bin/pwdx
/usr/bin/slabtop
[code]....
I launched my website. At the moment the site has an firewall (iptables) enabled with very simple rules. All incoming traffic is blocked, except for the ports http and ssh. Everything is working perfect, but I want also to be able to block certain kinds of attacks. There are some really good examples on the internet, but I don't now if they contain all kinds of attacks which are relevant to my situation. To be clear, I only server web content through port 80 and use ssh to remote login.
View 3 Replies View RelatedI need to do a pentest on a Microsoft IIS webserver to test the efficiency of the HIPS i have installed on. methods to simulate attacks so that i can check if the HIPS will detect them?
View 4 Replies View RelatedI am ashamed that I am causing other people troubles, but apparantly my server is involved in attacking the servers of other people.
I have to admit that I am not too familiar with using a CLI, or Linux for that matter, but I have a Debian server running under Plesk 10, which is colocated.
Now I have received messages from the datacenterm which state that my server is involved in brute force attacks.
The messages show a lot of lines like this:
Code:
The only I get from my hoster is to back up all domains and re-install the machine.
I want to resolve this asap, but do not agree with that action for two reasons: the machine just had a fresh re-install 2 months ago, so if it is a flaw in the OS, I will get the same flaw back, and if it is not OS related but due to a domain, I will get the problem back by putting back the backed-up domains.
But now I'm stuck: what steps should I follow to try and find the cause of this evil and make sure that my machine will not bother other machines anymore?
I realize that this probably will be a steep learning-curve, but please bare with me and help me to resolve this.
What have I done so far?
1) There are a number of live sites on this server, either running WordPress or Joomla, I have made sure they are all updated to the latest release.
2) I have manually looked at the source code of the index-files of those sites, haven't seen anything strange, like redirects.
3) I have used online scanners to check all sites for malware, all have been reported back to be clean.
4) I have run the Plesk-version of RKhunter, and that gives me certain warnings which I cannot (or do not) understand:
Code:
Code:
Code:
I received the first report of these attempts about a week ago and immediately changed the Plesk/SSH password to a 200bit password generated with KeePass, hoping that would keep out any evildoers.
I have been learning Linux for the past few months and just recently started with Bash programming. Using scripts it is possible to find users with duplicate UIDs but is there any way or script why which duplicate UIDs can be prevented altogether.
View 7 Replies View RelatedI am new to Fedora 10, and to SELinux too.
I would like to know how can I prevent from users with role user_r to connect to Internet with firefox.
Windows have many firewalls to prevent the system. But Ubuntu have few. Why is it so? Is it not needed to prevent Ubuntu or if it is prevented?
View 5 Replies View Relatedhow to prevent same user from ssh to multiple linux server at a same time , anyone of you have the script or how to do that ?
View 16 Replies View RelatedI just made a script to read out /dev/input/event3 into a file (My keyboard is identified here [ Machine is a laptop which runs on slax-atma distro ]). Then used a hexdump to convert the binary into hex. After that used a gwak script to print out the keys corresponding to each keyboard input. So now when I put this in my rc.local , It is taking down all the keys I press. Including login passwords (In short, each and every keys I press).Isn't this a big security risk, because intruder who has a physical access to my machine or has root password can put this file in rc.local and run a script to mail him all the details like my passwords, account and PIN numbers.
View 14 Replies View Relatedhow to prevent the execution of the following commands or how to set a policy or rule that prevents the execution of the following malicious commands
dd if=/dev/zero of=/dev/sda
rm -rf /
I use the following method for preventing the users from changing their passwords , is there any other method other than this ?ls -l /usr/bin/passwd-rwsr-xr-x 1 root root 37140 2010-01-26 12:09 /usr/bin/passwdso we need to remove the suid for that command as follows :- chmod u-s /usr/bin/passwdnow normal users won't be able to change their own passwords - and only the root user will be able to do it for them.
View 9 Replies View RelatedI'm doing a research to protect my pc from physical access. What I'm facing here is that my company created a program for fedora 8 and plans to sell the unit away. We created a function where you can configure the program using any web browser from a network so we do not want anybody to have access to the fedora except for out personnel.
Based on my research, I've found [URL] this guide to protect people from accessing grub and single user. I am currently researching on preventing others to clone the harddisk. I would like to know if there are any other methods to prevent people from unauthorized access to fedora.
I have installed MoBlock as instructed here: [URL]
After installation I created my own list file in /etc/blockcontrol/custom-blocklist.p2p and have the following uncommented at the bottom of /etc/blockcontrol/blocklists.list:
Code:
locallist /etc/blockcontrol/custom-blocklist.p2p
The list contains the following 2 entries:
Code:
Yahoo:98.137.149.56
Google:74.125.47.147
When I do:
[Code].....
Recently I just noticed that the locallist rules seem to have no effect. I will always get "destination port unreachable" even if the locallist entry in blocklists.list is commented out.
However, whenever I try to browse to that IP, even when blockcontrol is on, even by typing the IP into Konqueror (not the domain name), it lets me go there every time. How can I know that my other applications will not to do the same thing? How can I lock this down and test it empirically to be sure?
I'm writing here because it's mainly a security issue even though it's rather kernel related.
I'm compiling my own vanilla kernel with an initramfs included in the bzImage. That image contains encryption keys for the rest of the system. Even though it's not for everybody the initramfs image can be extracted from the kernel, decompressed and the keys extracted.
I'm looking on a way to prevent this.
How do I prevent/disable a file from being copied?
I would want someone to be able to see the content of a directory, then open the relevant document, but just for viewing purpose. They cannot copy the file, either through copy + paste or File/Save As.
Is that possible under Ubuntu?
I am administrating a system with about 40 or 50 users, and we recently jumped ship from windows to ubuntu. Most of my users are getting along fine, but it seems every few days, i have to help someone who accidentally changed something, and now their account (or more rarely, the machine) is unusable, and has to be reset.
I know configuring /etc/sudoers is a huge step toward fixing my problem, but that still will not completely solve it. What I would like to do is prevent users from making ANY changes to the system (aside from their work files and the like), including themes, icons, desktop, background, etc.
This is an excerpt from the Linux man page for mktemp command: "mktemp is provided to allow shell scripts to safely use temporary files. Traditionally, many shell scripts take the name of the program with the PID as a suffix and use that as a temporary filename. This kind of naming scheme is predictable and the race condition. It creates is easy for an attacker to win. A safer, though still inferior approach is to make a temporary directory using the same naming scheme. While this does allow one to guarantee that a temporary file will not be subverted, it still allows a simple denial of service attack. For these reasons it is suggested that mktemp be used instead."
- How can a denial-of-service attack be carried out if a directory name is known?
- Why is it important to use mktemp to generate a sufficiently random file/directory name for temporary files?
