What services are active, and are they all necessary?
To see which services are active you can use the netstat command. For example, from an SSH connection:
:~# netstat -a
It shows all the active services that are listening for users or connections. Here we see some such as Apache (http) serving web pages, the smtp mail delivery service, and ftp for uploading files.
A service can be stopped if it is unnecessary or if it uses a lot of memory or CPU. To check that consumption we can use the command:
:~# ps aux --sort cputime
Here we can see MySQL, the ClamAV antivirus, and Dovecot, an open source IMAP and POP3 server. We can also see the process we ran previously. Do not misread the START column: it holds dates and times and indicates on what date or at what time the process began.
Then, taking MySQL as an example, to restart, stop or start the service:
/etc/init.d/mysql restart
/etc/init.d/mysql stop
/etc/init.d/mysql start
Example of using commands for Linux server security: we will use some commands to detect and prevent a denial of service attack, which is the most frequent kind.
A denial of service attack (DoS attack) or distributed denial of service attacks (DDoS attack) is an attempt to make a server resource unavailable to its users.
1) Detect the attack
The main symptom is that the server gets very slow, or "services are down": they stop working because an excess of connections is generated and the server cannot respond.
We will use the "netstat" command.
It shows the active connections on port 80:
:~# netstat -an | grep :80 | sort
Here we can see that one of the active IPs querying our server holds 5000 connections, while normal would be about 20 or 30 connections per IP. We could then suspect a DDoS attack, since the consumption of resources
2) The first thing will be to block the attacker's IP with iptables
Iptables is the name of the user space tool through which the administrator can define policies for filtering the traffic that circulates through the network.
:~# iptables -I INPUT -s 74.6.73.22 -j DROP
With that, traffic from that IP is dropped.
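The per-IP connection count from step 1 and the DROP rule from step 2, put together as an added example (not from the original article): it reads netstat -an output, flags remote IPs holding more port-80 connections than a threshold, and prints the matching iptables command for review. The netstat lines below are constructed sample data using documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the original article): flag remote IPs holding far more
# port-80 connections than the 20-30 per IP the text calls normal, then print the
# iptables rule from step 2 for review. Input is `netstat -an` text on stdin.

# Print "count ip" for each remote IP whose non-LISTEN connections to local
# port 80 exceed THRESHOLD, highest count first.
flag_heavy_ips() {
    threshold="$1"
    awk '$4 ~ /:80$/ && $6 != "LISTEN" { print $5 }' \
        | sed 's/:[0-9]*$//' \
        | sort | uniq -c | sort -rn \
        | awk -v t="$threshold" '$1 > t { print $1, $2 }'
}

# Turn "count ip" lines into the DROP command from step 2. It is printed, not
# executed, so an operator can check the address before applying it.
drop_rules() {
    awk '{ print "iptables -I INPUT -s " $2 " -j DROP" }'
}

# Constructed netstat -an sample (documentation address ranges): one listener,
# an SSH session, two normal web clients, and one client holding 40 connections.
make_sample() {
    printf 'Proto Recv-Q Send-Q Local Address Foreign Address State\n'
    printf 'tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN\n'
    printf 'tcp 0 0 192.0.2.10:22 203.0.113.5:40000 ESTABLISHED\n'
    for p in 51234 51235 51236; do
        printf 'tcp 0 0 192.0.2.10:80 198.51.100.7:%s ESTABLISHED\n' "$p"
    done
    printf 'tcp 0 0 192.0.2.10:80 203.0.113.5:40001 ESTABLISHED\n'
    i=0
    while [ "$i" -lt 40 ]; do
        printf 'tcp 0 0 192.0.2.10:80 192.0.2.99:%s SYN_RECV\n' "$((50000 + i))"
        i=$((i + 1))
    done
}

# Stand-alone run; on a live host replace `make_sample` with `netstat -an`.
make_sample | flag_heavy_ips 30 | drop_rules
```

With the sample above only 192.0.2.99 exceeds the threshold of 30, so a single DROP rule is printed.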
3) Install mod_evasive for Apache
mod_evasive is a module for Apache that provides an additional level of security to our very powerful and customizable web server.
In the example we will do it for CentOS, but it can be adapted to any Linux with Apache.
We download and build the module from an SSH session:
:~# cd /usr/src
:~# wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
:~# tar zxvf mod_evasive_1.10.1.tar.gz
:~# cd mod_evasive
:~# apxs -cia mod_evasive20.c    # for Apache 1.3 the command would be apxs -cia mod_evasive.c
:~# vi /etc/httpd/conf/httpd.conf    # edit the configuration
:~# service httpd restart    # restart Apache
In /etc/httpd/conf/httpd.conf the following lines should be added:
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 300
The important parameters:
- DOSPageCount: number of requests a client can make to the same page per interval (DOSPageInterval, in seconds) before its IP is blocked.
- DOSSiteCount: how many requests a client can make to the whole site per interval (DOSSiteInterval, in seconds) before being blocked.
- DOSBlockingPeriod: how long, in seconds, the block on that IP lasts.