
Wednesday, March 26, 2014

Delete IPTables Rules By Line Number


First, list all iptables rules with their line numbers, chain by chain:
iptables -vnL --line-numbers
Then delete the rule you want by its number:
iptables -D INPUT 22
This deletes rule number 22 in the INPUT chain. Note that the remaining rules are renumbered after every deletion, so list the chain again before deleting another rule by number.
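An added example, not from the original post: a small shell helper that deletes several rules from one chain by line number. Because iptables renumbers the remaining rules after each deletion, it sorts the numbers in descending order first; the IPT variable is my own convention (not an iptables feature) so that echo can be substituted for a dry run.

```shell
#!/bin/sh
# Delete several rules from one chain by line number, highest number first.
# iptables renumbers what is left after each -D, so deleting in ascending
# order would remove the wrong rules. IPT defaults to iptables; set IPT=echo
# to print the commands instead of running them (assumed helper, not iptables).
IPT="${IPT:-iptables}"

delete_rules() {
    chain="$1"; shift
    # Sort the requested numbers descending and drop duplicates, so an earlier
    # deletion cannot shift a later target.
    for num in $(printf '%s\n' "$@" | sort -rnu); do
        case "$num" in
            ''|*[!0-9]*) echo "bad rule number: $num" >&2; return 1 ;;
        esac
        "$IPT" -D "$chain" "$num" || return 1
    done
}

# Usage (as root):  delete_rules INPUT 3 22 7
# Dry run:          IPT=echo delete_rules INPUT 3 22 7
```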

Sunday, May 19, 2013

How to install Linux Malware Detect (LMD)



Maldet, also known as Linux Malware Detect (LMD), is a malware scanner for Linux.

Download the tar file using the below link:

    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Extract the archive:

    tar -xzf maldetect-current.tar.gz

Change into the extracted directory:

    cd maldetect-*

Now run the installer (prefix it with sudo if you are not root):

    sh ./install.sh

It will print output similar to the following:

    Linux Malware Detect v1.3.4
    (C) 1999-2010, R-fx Networks <proj@r-fx.org>
    (C) 2010, Ryan MacDonald <ryan@r-fx.org>
    inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
    This program may be freely redistributed under the terms of the GNU GPL

    installation completed to /usr/local/maldetect
    config file: /usr/local/maldetect/conf.maldet
    exec file: /usr/local/maldetect/maldet
    exec link: /usr/local/sbin/maldet
    cron.daily: /etc/cron.daily/maldet

    maldet(32517): {sigup} performing signature update check…
    maldet(32517): {sigup} local signature set is version 2010051510029
    maldet(32517): {sigup} latest signature set already installed

To update the maldet program itself and then its signature set, use:

    maldet --update-ver

    maldet --update

To scan a directory (here, one user's home):

    maldet -a /home/username/

It will scan every file under that path and print a report.



To scan every user's public_html directory under /home*/:

    root@server[~]# maldet --scan-all /home?/?/public_html

To scan the same paths, but only content created or modified in the last 5 days:

    root@server[~]# maldet --scan-recent /home?/?/public_html 5

If you ran a scan without the quarantine option turned on, you can quarantine all malware results from that previous scan with:

    root@server[~]# maldet --quarantine SCANID

To attempt a clean of all malware results from a previous scan that did not have the feature enabled:

    root@server[~]# maldet --clean SCANID

If a file was quarantined as a false positive, or you simply want to restore it (e.g. after cleaning it manually), use either of the following:

    root@server[~]# maldet --restore config.php.2384
    root@server[~]# maldet --restore /usr/local/maldetect/quarantine/config.php.2384


Sunday, May 5, 2013

Detecting DDos Attacks Using the Netstat Command

Take a look at the handy netstat commands below; they will help you determine whether you are under attack or are part of one.

netstat -na

Display all active Internet connections to the server and only established connections are included.

netstat -an | grep :80 | sort

Show only active Internet connections to the server on port 80 and sort the results. Useful in detecting a single flood by allowing you to recognize many connections coming from one IP.

netstat -n -p|grep SYN_REC | wc -l

Find out how many SYN_REC connections are currently on the server. The number should be fairly low, preferably less than 5. During DoS attacks or mail bombs it can jump much higher. However, the value always depends on the system, so a high value may be normal on another server.

netstat -n -p | grep SYN_REC | sort -u

List all IP addresses involved.

netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'

List all the unique IP addresses of the nodes that are sending SYN_REC connection status.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Use netstat command to calculate and count the number of connections each IP address makes to the server.

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

List the number of connections the IPs are making to the server using TCP or UDP protocol.

netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

Check on ESTABLISHED connections instead of all connections, and display the number of connections for each IP.

netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

Show a list of IP addresses and the number of connections each is making to port 80 on the server. Port 80 is used mainly by the HTTP protocol.


A quick and useful command for checking if a server is under DDoS is:
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
That will list the IPs holding the most connections to the server. Keep in mind that DDoS attacks are becoming more sophisticated, using fewer connections from more attacking IPs. If that is the case you will still see low connection counts per IP even while under a DDoS.
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. These attacks generally target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. DoS attacks are carried out either by forcing the targeted computer to reset, by consuming its resources so that it can no longer provide its services, or by obstructing the communication media between the users and the victim so that they can no longer communicate adequately.

In short, the netstat commands above give an overview of how to identify a DDoS attack from the server's connection table.
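As an added example (not part of the original post), the per-IP counting from the pipelines above written as a small shell script that runs on a constructed netstat -ntu sample. It strips only the trailing :port from the foreign address, so IPv6 peers are counted correctly where cut -d: -f1 would break them, and it can restrict the count to one state such as SYN_RECV (the name Linux netstat actually prints, which grep SYN_REC matches as a prefix). The function names and the sample are my own.

```shell
#!/bin/sh
# Constructed sample in the layout of `netstat -ntu` (not captured from a real host).
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.20:44012     ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8:abcd::9:60000  ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8:abcd::9:60001  ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.44:40000        ESTABLISHED'

# Read netstat output on stdin and print "<count> <remote ip>", busiest peer first.
# Optional first argument restricts the count to one state, e.g. SYN_RECV.
# Only the final ":port" is removed, so IPv6 peers survive (cut -d: -f1 would
# reduce 2001:db8:abcd::9:60000 to just "2001").
count_by_ip() {
    awk -v want="${1:-}" '
        $1 ~ /^(tcp|udp)6?$/ {
            if (want != "" && $6 != want) next
            if ($5 ~ /:\*$/) next           # listening sockets have no peer
            peer = $5
            sub(/:[^:]*$/, "", peer)        # strip the port, keep the full address
            n[peer]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Print the remote IPs with at least LIMIT connections: a shortlist to investigate.
over_threshold() {
    count_by_ip | awk -v limit="$1" '$1 >= limit { print $2 }'
}

# Stand-alone demo on the sample: totals, SYN_RECV only, then peers with 2+ connections.
printf '%s\n' "$SAMPLE" | count_by_ip
printf '%s\n' "$SAMPLE" | count_by_ip SYN_RECV
printf '%s\n' "$SAMPLE" | over_threshold 2
```

On a live server replace the sample with the real command, e.g. netstat -ntu | count_by_ip SYN_RECV.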

Monday, April 15, 2013

Install ConfigServer Apps On A cPanel/WHM Server





ConfigServer provides a range of paid and free applications, including a significantly more advanced firewall, that plug directly into WHM on your cPanel server. These applications are highly recommended for anyone who is serious about the security of their cPanel server, as they not only provide enhanced security functionality, but also let you easily manage a number of other basic cPanel functions, such as mail settings, mail queues, and a more advanced ModSecurity tool.
Below is a list of the free applications that we will be providing simple installation instructions for:
  1. CSF - an advanced firewall system built on Linux iptables
  2. Mail Manage - lets you adjust mail settings, such as hourly limits and email forwarders, on a per-account basis
  3. Mail Queues - easily manage your email queues, with the ability to force-run the queue and delete stuck messages
  4. ModSecurity Control - if you have installed ModSecurity on your cPanel server, this provides an advanced management interface
  5. Explorer - a file system explorer web interface which also allows you to run basic shell commands within folders. WARNING: While this utility can be very useful it is also very dangerous indeed. You can easily render your server inoperable and unrecoverable by performing ill-advised actions. No warranty or guarantee is provided with the product that protects against system damage.
NOTE: All of the installations below require you to be logged into SSH as root.
Install ConfigServer Security & Firewall
rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
Remove installation files:
cd ..
rm -Rfv csf/ csf.tgz
Install ConfigServer Mail Manage
rm -fv cmm.tgz
wget http://www.configserver.com/free/cmm.tgz
tar -xzf cmm.tgz
cd cmm
sh install.sh
Remove installation files:
cd ..
rm -Rfv cmm/ cmm.tgz
To uninstall:
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmm.cgi
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmmversion.txt
rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmm/
Install ConfigServer Mail Queues
rm -fv cmq.tgz
wget http://www.configserver.com/free/cmq.tgz
tar -xzf cmq.tgz
cd cmq
sh install.sh
Remove installation files:
cd ..
rm -Rfv cmq/ cmq.tgz
To uninstall:
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmq.cgi
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmqversion.txt
rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmq/
Install ConfigServer ModSecurity Control
rm -fv cmc.tgz
wget http://www.configserver.com/free/cmc.tgz
tar -xzf cmc.tgz
cd cmc
sh install.sh
Remove installation files:
cd ..
rm -Rfv cmc/ cmc.tgz
To uninstall:
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmc.cgi
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmcversion.txt
rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmc/
Install ConfigServer Explorer
rm -fv cse.tgz
wget http://www.configserver.com/free/cse.tgz
tar -xzf cse.tgz
cd cse
sh install.sh
Remove installation files:
cd ..
rm -Rfv cse/ cse.tgz
To uninstall:
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cse.cgi
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cseversion.txt
If you run into any issue with the install, just head over to the ConfigServer forums and you’ll find plenty of people who can assist you.
