Absolutely required software for dDos attacks

Config Security & Firewall (CSF)

Absolutely the best software I’ve used to date, automatically detects a plethora of patterns and automatically adds the IP to the iptables block list.  Has lots of extra features for detecting malicious file activity and SU logins as well as some basic checks to make sure your configurations are secure.

Check it out at Config Server

Apache Mod_Evasive

Extremely effective and useful module for automatically blocking IP’s that request the same file very rapidly.

Mod_Evasive

SNORT Intrusion Detection

Very effective and useful tool to monitor everything thats going on in your system and track down potential attempted intrusions.

SNORT.org

Mitigate a small DOS attack

Tonight at 8:45 our main server load alarm tripped, on Nagios, at Beyond Hosting.  By the time I was able to ssh in, load had exceeded 220.64 and the box was headed straight for kernel panic, this is a  “dual core”. Quickly throwing the IPTables firewall onto drop all I was able to prevent the box from locking up, after a few minutes (takes a little to recover from the load) of checking netstat and Apache logs we were able to narrow the attack down to 2 separate ip.
Simply added blocks for the 2 addresses with:

iptables -I INPUT -s x.x.x.x -j DROP

I played with apache mod_evasive a little bit during the attack, pretty solid addon and I highly recommend it.  We tried out (D)Dos deflate but no matter what settings you put it on, it seems to think you have 2500+ connections from 1 IP and black list everyone.

You can view how many connections you have on your server by running:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Cool One Liners #1

Welcome to the first edition of Cool One Liners. This will be a collection of one line commands you can use via BASH or another shell/scripting language to do something useful. Creativity will definitely be a big merit. Todays one liner is:

cat /var/log/secure | grep Failed | grep sshd | grep root | awk ‘{print $11}’ | sort | uniq -c | sort -n

What does it do? This takes the secure log, sorts out failed login attempts and then makes it so that the IPs are sorted based on the number attempts. Handy to try and track down brute force attempts on an box running SSH. As an example, I generated a few failed logins.

[[email protected] log]: cat /var/log/secure | grep Fail

May  9 03:31:58 DNS01 sshd[10706]: Failed password for root from 127.0.0.1 port 34900 ssh2
May  9 03:32:00 DNS01 sshd[10706]: Failed password for root from 127.0.0.1 port 34900 ssh2
May  9 03:32:04 DNS01 sshd[10706]: Failed password for root from 127.0.0.1 port 34900 ssh2

After this I ran the command given. Notice how the IPs have the number to the left of them. If this were a list the number with the most logins is going to be at the bottom.

[[email protected] log]: cat /var/log/secure | grep Failed | grep sshd | grep root | awk '{print $11}' | sort | uniq -c | sort -n

3 127.0.0.1

This command also serves an additional interesting use. Lets say someone is probing your machine, and they happen to be attempting to brute force some nonstandard account names in the hope of coming up with something on the system that is there and has a weak password. This script will also list any invalid users that attempt to log in as well. An example would be if I attempted to log in with the user root1. The output would look like:

[[email protected] log]: cat /var/log/secure | grep Failed | grep sshd | grep root | awk '{print $11}' | sort | uniq -c | sort -n

3 127.0.0.1
3 root1

In another blog we will likely take this command, convert it into a shell script, and make it so it will run as a cron job and email us periodic digests.