Absolutely required software for DDoS attacks

ConfigServer Security & Firewall (CSF)

Absolutely the best software I’ve used to date: it automatically detects a plethora of attack patterns and adds the offending IP to the iptables block list. It also has lots of extra features for detecting malicious file activity and su logins, as well as some basic checks to make sure your configuration is secure.

Check it out at Config Server

Apache Mod_Evasive

Extremely effective and useful module for automatically blocking IPs that request the same file very rapidly.

Mod_Evasive

SNORT Intrusion Detection

Very effective and useful tool to monitor everything that’s going on in your system and track down potential intrusion attempts.

SNORT.org

Mitigate a small DOS attack

Tonight at 8:45 our main server load alarm tripped on Nagios at Beyond Hosting. By the time I was able to ssh in, load had exceeded 220.64 and the box, a “dual core”, was headed straight for a kernel panic. Quickly switching the iptables firewall to drop everything, I was able to keep the box from locking up. After a few minutes (it takes a little while to recover from that kind of load) of checking netstat and the Apache logs, we narrowed the attack down to 2 separate IPs.
I simply added blocks for the 2 addresses with:

iptables -I INPUT -s x.x.x.x -j DROP

I played with Apache mod_evasive a little during the attack; it is a pretty solid add-on and I highly recommend it. We tried out (D)DoS Deflate, but no matter what settings you give it, it seems to think you have 2500+ connections from one IP and blacklists everyone.

You can view how many connections you have on your server by running:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
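The one-liner above works, but it has two rough edges worth knowing about when you are reading it under load: netstat’s two header lines come through as bogus “hosts”, and cut -d: mangles IPv6 and ::ffff:-mapped addresses, which is the kind of miscount that makes a tool like (D)DoS Deflate see thousands of connections from one IP. The script below is an added example, not part of the original post or of any of the tools named here; it does the same per-IP tally with those cases handled, applies a review threshold, and prints (rather than runs) the iptables rule from above for each host over it. SAMPLE_NETSTAT is constructed test data; in practice pipe `netstat -ntu` into the functions.

```shell
#!/bin/sh
# Added example, not from the original post: tally connections per remote host
# from `netstat -ntu` output. Unlike the bare one-liner it skips netstat's two
# header lines (which otherwise show up as bogus "hosts") and strips the port
# with a regex so IPv6 and ::ffff:-mapped addresses are not mangled by cut -d:.
# SAMPLE_NETSTAT is constructed; in practice feed `netstat -ntu` to the functions.

SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      SYN_RECV
tcp        0      0 10.0.0.5:22             203.0.113.9:40001       ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:192.0.2.44:33120 ESTABLISHED'

# Print "count host" for every remote host, lowest count first (netstat text on stdin).
conns_per_ip() {
    awk 'NR > 2 && NF >= 5 {
            host = $5
            sub(/:[0-9]+$/, "", host)   # drop the port; works for IPv4 and IPv6
            sub(/^::ffff:/, "", host)   # unwrap IPv4-mapped IPv6 addresses
            count[host]++
        }
        END { for (h in count) print count[h], h }' | sort -n
}

# Print only the hosts holding at least $1 connections, for review before any block.
over_threshold() {
    conns_per_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Turn a list of hosts (stdin) into the iptables rule from the post, printed rather
# than run, so the list can be eyeballed first (a busy proxy or NAT gateway can
# legitimately hold many connections and must not be dropped blindly).
suggest_blocks() {
    while read -r host; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$host"
    done
}

printf '%s\n' "$SAMPLE_NETSTAT" | conns_per_ip
printf '%s\n' "$SAMPLE_NETSTAT" | over_threshold 3 | suggest_blocks
```

With the sample data the tally ends in `3 198.51.100.7`, and that is the only host the threshold of 3 flags, so one DROP rule is printed. The threshold is deliberately a parameter: what counts as abnormal depends on the box, and a too-low value is exactly how you end up blacklisting everyone.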

Cool One Liners #1

Welcome to the first edition of Cool One Liners. This will be a collection of one line commands you can use via BASH or another shell/scripting language to do something useful. Creativity will definitely be a big merit. Today’s one liner is:

cat /var/log/secure | grep Failed | grep sshd | grep root | awk '{print $11}' | sort | uniq -c | sort -n

What does it do? It takes the secure log, picks out the failed login attempts and sorts the IPs by the number of attempts. Handy for tracking down brute-force attempts on a box running SSH. As an example, I generated a few failed logins.

[root@DNS01 log]: cat /var/log/secure | grep Fail

May  9 03:31:58 DNS01 sshd[10706]: Failed password for root from 127.0.0.1 port 34900 ssh2
May  9 03:32:00 DNS01 sshd[10706]: Failed password for root from 127.0.0.1 port 34900 ssh2
May  9 03:32:04 DNS01 sshd[10706]: Failed password for root from 127.0.0.1 port 34900 ssh2

After this I ran the command given. Notice how each IP has its count to the left of it. In a longer list, the IP with the most failed logins would be at the bottom.

[root@DNS01 log]: cat /var/log/secure | grep Failed | grep sshd | grep root | awk '{print $11}' | sort | uniq -c | sort -n

3 127.0.0.1

This command also serves an additional interesting use. Let’s say someone is probing your machine and happens to be brute-forcing some nonstandard account names in the hope of finding one that exists on the system and has a weak password. The command will also list any invalid users that attempt to log in, because on an “invalid user” line the 11th field is the username rather than the address. For example, if I attempted to log in as the user root1, the output would look like:

[root@DNS01 log]: cat /var/log/secure | grep Failed | grep sshd | grep root | awk '{print $11}' | sort | uniq -c | sort -n

3 127.0.0.1
3 root1

In another blog we will likely take this command, convert it into a shell script, and make it so it will run as a cron job and email us periodic digests.
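As a head start on that follow-up, here is an added example script (mine, not the post’s) that turns the one-liner into a digest suitable for cron. Instead of awk ‘{print $11}’, which returns the username rather than the address whenever sshd logs “invalid user NAME from IP”, it pulls the source IP out of the “from ... port” phrase, so the per-IP counts stay correct, and it counts the non-existent usernames in a separate table. The first three SAMPLE_SECURE lines are the ones from this post; the rest are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the failed-login one-liner turned into
# a small digest script. Instead of awk '{print $11}', which yields the username
# rather than the address when sshd logs "invalid user NAME from IP", the source IP
# is pulled from the "from ... port" phrase, and invalid usernames are counted
# separately. The first three SAMPLE_SECURE lines are the post's; the rest are constructed.

SAMPLE_SECURE='May  9 03:31:58 DNS01 sshd[10706]: Failed password for root from 127.0.0.1 port 34900 ssh2
May  9 03:32:00 DNS01 sshd[10706]: Failed password for root from 127.0.0.1 port 34900 ssh2
May  9 03:32:04 DNS01 sshd[10706]: Failed password for root from 127.0.0.1 port 34900 ssh2
May  9 03:40:10 DNS01 sshd[10790]: Failed password for invalid user root1 from 198.51.100.7 port 50120 ssh2
May  9 03:40:12 DNS01 sshd[10790]: Failed password for invalid user root1 from 198.51.100.7 port 50120 ssh2
May  9 03:40:15 DNS01 sshd[10790]: Failed password for invalid user root1 from 198.51.100.7 port 50120 ssh2
May  9 03:41:00 DNS01 sshd[10801]: Failed password for invalid user admin from 198.51.100.7 port 50130 ssh2
May  9 03:42:00 DNS01 sshd[10810]: Accepted password for root from 203.0.113.9 port 41000 ssh2'

# "count ip" per source address of failed passwords, ascending (log on stdin).
failed_by_ip() {
    grep 'sshd\[' | grep 'Failed password' \
        | sed -n 's/.* from \([0-9a-fA-F.:]*\) port .*/\1/p' \
        | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# "count user" for usernames that do not exist on the box, ascending (log on stdin).
invalid_users() {
    grep 'sshd\[' | grep 'Failed password for invalid user' \
        | sed -n 's/.*invalid user \([^ ]*\) from .*/\1/p' \
        | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# The digest body for a log file ($1); pipe it into mail from cron.
digest() {
    echo "Failed SSH logins by source IP (most active last):"
    failed_by_ip < "$1"
    echo
    echo "Non-existent usernames tried:"
    invalid_users < "$1"
}

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SECURE" > "$tmp"
digest "$tmp"
rm -f "$tmp"
```

On the sample, the IP table ends with `4 198.51.100.7` (three root1 attempts plus one admin) and the username table ends with `3 root1`; the Accepted line is ignored. To mail it daily, save the script somewhere like /usr/local/bin/ssh-digest.sh (an assumed path) and add a crontab entry such as `0 7 * * * /usr/local/bin/ssh-digest.sh /var/log/secure | mail -s "SSH digest" root`; on Debian-style systems the log is /var/log/auth.log instead of /var/log/secure.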

Migration from Rackspace Cloud to OpenVZ

Xen Virtualization Technology

Today I had a customer who needed me to move his Virtual Machine (Virtual Private Server) from the Rackspace Cloud to one of our OpenVZ servers at Beyond Hosting. While in theory this seemed pretty easy, it became all too clear that it wouldn’t be. First, Rackspace’s cloud uses a strange configuration of Xen paravirtualization, and for whatever reason their configuration does not easily convert to OpenVZ using the standard methods.

Upon importing, the tty configuration is broken and you must repair it before you can serial console into the container or ssh into it. After you fix the tty you will need to reconfigure the networking for venet0:0 with the OpenVZ commands. In my case the /dev devices were correctly configured and I did not need to do any further editing for the container to work correctly.

OpenVZ Virtual Containers

However, if you are importing a physical system or a Xen HVM guest you will need to follow this guide provided by OpenVZ: OpenVZ Convert OS to Container. If you only have a few applications installed and minimal configuration, it is easier to scp over the configs along with the home directories, create the respective users and chown all the home dirs back to those users. Besides, the more you do it the better you will be at using your OS!

Earlier I mentioned that the customer was having me migrate from a Rackspace Cloud VPS; I just want to note that Rackspace has always been a highly recommended, solid and reputable company. While they still are, the sheer size they have grown to has slightly tarnished their products’ quality. The reason for the migration was simply cost for performance: he did not feel that the performance was worth what he was paying.

Tracking Network Floods

When it comes to working at a DC, attacks are a fact of life. Someone will ultimately get annoyed at a client and start throwing down with a botnet, their home system, etc. These attacks can be hard to isolate at times because they can hit nearly any service and use a wide variety of protocols. They can do anything from making a server slow to respond to taking an entire data center out. When a system goes down due to an attack, there are a few things that must be known:

  • Who is DoSing or who is being DoSed (don’t assume your machine is the “victim”; insidious PHP scripts are plentiful these days)
  • The magnitude of the attack
  • What protocol they are using

To find these out, you need proper network infrastructure set up. To this end I like Cacti on the switches for ease of use in finding overall traffic. NFsen is nice for a quick check by IP, but in my experience it can be flawed in picking up distributed or spoofed attacks. When attempting to isolate the problem one should take a “tiered” approach, starting at the most basic level, which is a single server. If the attack is larger, one should try to see if a single rack/switch is being attacked and whether it can be tracked back to a single server being the target. At this point there are a few options. Null routes are an option if all else fails; even null routing the server’s IP so that other traffic doesn’t get affected can be done as a last resort. The option you probably have the most control over is server side mitigation. This will be the topic of my next blog. See you then!

SolusVM New Update

Hi everyone, a long anticipated update has finally been released for SolusVM today.

New features in build SolusVM Enterprise v1.2.04

We at Beyond Hosting have been delaying the launch of Xen containers simply because there was no way to rate limit them. It’s also nice to see how they build their PHP modules: everything for WHMCS is ionCube encoded and hard to modify if needed.

How to interpret logs

In a previous blog I promised to show how to use pipes to read log files better. This can be an intimidating process to say the least, lets give an example.

[root@DNS01 logs]: ls -lh
-rw-r--r-- 1 root root    0 Mar 28 04:02 access_log
-rw-r--r-- 1 root root 320K Mar 24 22:14 access_log.1
-rw-r--r-- 1 root root 327K Mar 24 03:36 access_log.2
-rw-r--r-- 1 root root  94K Mar  6 21:48 access_log.3
-rw-r--r-- 1 root root 1.7M Feb 28 03:10 access_log.4

Notice I have almost a megabyte of access logs here. This is a sandbox that only I really play on. I’ve got WordPress, Drupal and a few other minor things installed. Nothing special, virtually NO traffic. Regardless, when we do:

[root@DNS01 logs]: cat access_log* | wc -l
16176

There are over 16,000 entries! That is a lot of text to go through, and these are TINY compared to what you see on a production server, which is likely millions of lines. Without a good question we will not get a good answer, so we have to know what data we are looking for and how to narrow the data pool down to only the entries we need, or at the very least to an amount we can go through manually. Sometimes this means you wouldn’t even know which log file you were looking for. At this point, you could use grep like this:

grep searchterm -ilr /logdir/*

and this should give you some file names to process. I don’t usually have to do this unless I am unfamiliar with the application. If you’re getting an error with a configuration this is a GREAT way to find out which configuration file contains the parameter you need to set.

Getting back to the task at hand, which is how to interpret our findings, let’s say that I was looking for some PHP code that was causing trouble. Because network traffic monitoring is set up, I know that I had an outbound flood to the IP address 122.222.233.234. I can grep for the IP in question in the Apache logs to find out what is happening and where. These can be set up in a few different ways, so assuming you’re on cPanel I would run

[root@DNS01 logs]: grep 122.222.233.234 -ilr /etc/httpd/domlogs/*

and see if anything came up with this IP address in the requested page. It would likely only be entries for one or two PHP pages, and they would likely be highly suspicious. Let’s say we found a script called suspicious.php that had this IP in the GET string, and it was mentioned a ton of times in one domain’s log. We could find out how many times it was mentioned by running:

[root@DNS01 logs]: grep 122.222.233.234 -ir /etc/httpd/domlogs/domain.com | grep suspicious.php | wc -l

and this would tell us the number of times it has been run (note: no -l here, since -l makes grep print file names rather than matching lines, and we want to count lines). Depending on the attack script this can be thousands of log entries. Let’s say we wanted to see if they had been doing anything else on the server, but the suspicious.php access entries were so numerous that we had thousands of lines to search through. Instead of searching through those we would just run:

[root@DNS01 logs]: grep 111.222.254.254 -ir /etc/httpd/domlogs/* | grep -v suspicious.php

Where 111.222.254.254 is the IP that accessed suspicious.php. This eliminates any entries containing suspicious.php from the output. We can do this multiple times with different terms as necessary. By gradually including or excluding terms we can process the logs into usable data. It takes a bit of time, but you can track compromises, spammers and other server side problems this way. You can even do it in real time. Let’s say you had a 503 error. All you would do is run:

[root@DNS01 logs]: tail -f /etc/httpd/log/error_log | grep <your IP>

Where <your IP> is the IP of the computer you are accessing the problem page from. This filters out requests from other IP addresses. It would be virtually impossible to use tail -f by itself on a server with high traffic because the entries would scroll by too fast; this way only the entries matching your term are shown. This works great for email sending problems as well. Let’s say you don’t think your email is being sent out. All you have to do is run:

[root@DNS01 logs]: tail -f /var/log/exim_mainlog | grep <email address>

Where <email address> is the sending or receiving address. This will show you the flow of the email through the server.
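To make the include/exclude chain above concrete, here is an added example (mine, not the post’s) that walks the same four questions against a constructed Apache combined-format log built around this post’s addresses and script name: which scripts carry the flooded address, how many times that script was hit, which source addresses ran it, and what else that source did once the noisy script is filtered out with grep -v. One caveat it bakes in: the commands as written in the post pass -l, which makes grep list matching file names instead of matching lines, so piping that into `grep suspicious.php | wc -l` would count files, not hits; these functions work on lines. In practice you would feed them a file from /etc/httpd/domlogs instead of SAMPLE_DOMLOG.

```shell
#!/bin/sh
# Added example, not from the original post: the include/exclude grep chain from
# the text applied to a constructed Apache combined log. The post's own commands
# pass -l, which makes grep print matching file names instead of matching lines,
# so piping into `grep suspicious.php | wc -l` would count files; these functions
# work on lines. SAMPLE_DOMLOG is constructed around the post's addresses and
# script name; in practice feed it a file from /etc/httpd/domlogs.

SAMPLE_DOMLOG='111.222.254.254 - - [09/May/2011:03:31:58 -0400] "GET /suspicious.php?target=122.222.233.234 HTTP/1.1" 200 512 "-" "curl/7.19"
111.222.254.254 - - [09/May/2011:03:31:59 -0400] "GET /suspicious.php?target=122.222.233.234 HTTP/1.1" 200 512 "-" "curl/7.19"
111.222.254.254 - - [09/May/2011:03:32:00 -0400] "GET /suspicious.php?target=122.222.233.234 HTTP/1.1" 200 512 "-" "curl/7.19"
111.222.254.254 - - [09/May/2011:03:35:00 -0400] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "curl/7.19"
111.222.254.254 - - [09/May/2011:03:35:10 -0400] "POST /xmlrpc.php HTTP/1.1" 200 256 "-" "curl/7.19"
203.0.113.9 - - [09/May/2011:03:36:00 -0400] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"'

# Step 1: which request paths carry the flooded address (log on stdin).
# In combined format $7 is the path; the query string is cut off for a clean list.
scripts_mentioning() {            # $1 = flooded IP
    grep -F -- "$1" | awk '{ print $7 }' | cut -d'?' -f1 | sort -u
}

# Step 2: how many times that script was hit with the flooded address in the query.
count_script_hits() {             # $1 = flooded IP, $2 = script name
    grep -F -- "$1" | grep -F -- "$2" | wc -l | tr -d ' '
}

# Step 3: which source addresses ran it, as "count ip", ascending.
sources_for_script() {            # $1 = script name
    grep -F -- "$1" | awk '{ print $1 }' | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# Step 4: everything else that source did, with the noisy script excluded (grep -v).
other_activity() {                # $1 = source IP, $2 = script to exclude
    grep -F -- "$1" | grep -vF -- "$2" | awk '{ print $6, $7 }' | tr -d '"'
}

printf '%s\n' "$SAMPLE_DOMLOG" | scripts_mentioning 122.222.233.234
printf '%s\n' "$SAMPLE_DOMLOG" | count_script_hits 122.222.233.234 suspicious.php
printf '%s\n' "$SAMPLE_DOMLOG" | sources_for_script suspicious.php
printf '%s\n' "$SAMPLE_DOMLOG" | other_activity 111.222.254.254 suspicious.php
```

On the sample this yields `/suspicious.php`, a hit count of 3, `3 111.222.254.254` as the only source, and then `POST /wp-login.php` and `POST /xmlrpc.php` as the source’s other activity, which is exactly the sort of thing you want to see before deciding whether the account is merely abused or fully compromised. grep -F is used throughout because IP addresses contain dots, which a plain grep treats as wildcards.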

Choosing a web hosting provider for features

What’s Right For Me?

There are 5 different types of hosting services: Personal Hosting, Business Hosting, Virtual Private Server (VPS) Hosting, Dedicated Server Hosting. Choosing between these hosting options is often difficult, with many different features to compare. No worries! Here’s a simple way to decide between the hosting choices. For this article we are going to use Beyond Hosting as an example; we host our blog with them.

Personal Hosting

Personal Hosting is a “shared hosting” environment. This means that your website will be on a server that will be hosting other Personal Hosting websites. The server resources will be split evenly between all Personal Hosting accounts. This means that attempting to use more than your “fair share” will result in degraded performance. This makes Personal Hosting suitable for low traffic websites, websites with little or no dynamic content (PHP scripts, Python scripts, etc.), and websites that are relatively small.

View Personal Hosting Packages

Business Hosting

Business Hosting is also a “shared hosting” environment, but with extra features that Personal Hosting can’t support. This is mainly Secure Sockets Layer (SSL) and a Static IP. SSL allows you to communicate securely over the Internet, performing financial transactions safely. This makes Business Hosting great for small merchants and businesses. Business Hosting also supports a Static IP, meaning that your website will be accessible anywhere throughout the world through a dedicated, unique address that is only yours. This improves rankings on search engines like Google, Yahoo, and Bing because you don’t share the IP with your shared hosting “neighbors” (other accounts on the same server). This makes Business Hosting indistinguishable from our dedicated products, but you are still sharing server resources.

View Business Hosting Packages

Virtual Private Servers

Virtual Private Servers offer all of the features of Business Hosting, and guarantee access to more powerful server resources. Virtual Private Servers put you in control of your own website and server by providing a fully customizable Linux server platform. While Virtual Private Servers do share the same physical server, like shared hosting environments, the number of websites-per-server is significantly lower, typically 25 for Virtual Private Servers but up to 1000 for shared hosting. Virtual Private Servers are a necessity for larger websites, websites with lots of dynamic content, or websites with larger disk space demands.

View Virtual Private Servers

Dedicated Servers

Dedicated Servers are the ultimate in hosting. You are in full control of what the server is hosting, with direct access to all hardware. Dedicated Servers are typically configured to meet performance requirements, and can always be customized for specific applications. Unlike the shared hosting services Personal Hosting and Business Hosting, Dedicated Servers allow for customized services to run, such as a dedicated MySQL or PostgreSQL server to improve performance of heavyweight applications. Dedicated Servers provide the same interface as Virtual Private Servers, but with the additional advantages of more processor power, more RAM, more bandwidth, and more hard disk space.

View Dedicated Servers

Article Provided by: Beyond Hosting