Xen – Using Netfront instead of rtl8139 on CentOS, RedHat, Fedora

On an HVM domain, the guest OS will always automatically detect your virtual network device as a buggy and slow Realtek RTL8139. You can maximize your network performance with the Netfront driver, which is now built into the latest Redhat / CentOS kernel. For older releases you needed the kmod-xenpv package to do this, but it's built in as of RHEL/CentOS 5.3, I believe. The method is highly undocumented from my research, so hopefully this saves someone some time.

1. In /etc/modprobe.conf, change 8139cp to xen-vnif with the following command:

sed -i 's/8139cp/xen-vnif/g' /etc/modprobe.conf

2. Then blacklist the rtl8139 drivers:

echo 'blacklist 8139cp' >> /etc/modprobe.d/blacklist
echo 'blacklist 8139too' >> /etc/modprobe.d/blacklist

3. After a reboot, you can test that it worked by first making sure you're online (duh!), then checking lsmod to make sure you're rid of the Realtek junk at last:

lsmod | grep 8139

The output should return nothing (blank).

Now let’s activate the Xen SCSI driver to maximize disk performance by inserting the following in /etc/modprobe.conf:

alias scsi_hostadapter xen-vbd

Be sure to remove the existing scsi_hostadapter entry… if you use both, you’ll zap your disk.

Now reboot to activate.

Good luck!

Easy Javascript-based Bookmark Link

Here's a simple Javascript-based bookmarking script for your site. It automatically fills in the page title and URL so you don't have to. Put this in the <HEAD>:

<script type="text/javascript">
function addToFav() {
  var url = window.location.href;
  var title = document.title;
  if (window.sidebar && window.sidebar.addPanel) {
    // Mozilla / Firefox sidebar bookmark API
    window.sidebar.addPanel(title, url, "");
  } else if (window.external && window.external.AddFavorite) {
    // Internet Explorer favorites API
    window.external.AddFavorite(url, title);
  } else {
    // Other browsers expose no bookmarking API; tell the user to do it by hand
    alert("Press Ctrl+D to bookmark this page.");
  }
}
</script>

Then, you can add a link in your <BODY>:

<a href="javascript:addToFav();">Bookmark Us!</a>

Sysctl and ip_conntrack_max optimization

On a busy webserver, you have to be very careful that you don't run out of connection tracking buckets; once the table is full, new connections are dropped.

Check how many you have set as your max:

/sbin/sysctl net.ipv4.ip_conntrack_max

Check how many you’re using:

wc -l /proc/net/ip_conntrack

A good maximum setting for most web servers with at least 2 GB of RAM is 65536. Change the setting and lock it in so it survives a reboot (Redhat variants):

echo "net.ipv4.ip_conntrack_max = 65536" >> /etc/sysctl.conf
/sbin/sysctl -p

Find files modified/created within the last N days

This proved to be useful in cleaning up a compromised site. List all the files created or modified within a certain time frame — in this case we are looking 30 days in the past:

find . -mtime -30 -type f -print

If you want to delete all files created/modified within the last N days, you can do something like this:

find . -mtime -30 -type f -exec rm {} \;

Or this:

find . -mtime -30 -type f -print0 | xargs -0 rm

Sorting disk usage by folder in Linux

Normally you would use something like this:

du -k | sort -nr > sorted.txt

But the output is not pretty, since nobody likes counting kilobytes. This sorts first (so the ordering is right) and then rewrites each size in human-readable units:

du -k | sort -nr | awk '
    BEGIN {
        split("KB,MB,GB,TB", Units, ",");
    }
    {
        u = 1;
        while ($1 >= 1024) {
            $1 = $1 / 1024;
            u += 1;
        }
        $1 = sprintf("%.1f %s", $1, Units[u]);
        print $0;
    }
' > sorted.txt

Pre-analysis of a DDOS attack on a Cpanel or Linux server

Determine the nature of the attack (SYN, GET, etc.) by counting connection states:

netstat -nat | awk '{print $6}' | sort | uniq -c

The following lists all the IPs connected to port 80, sorted by connection count (busiest last):

netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1

We can see which domains are most active (in the case of a GET-style attack) by looking at which domain logs were written to most recently:

cd /usr/local/apache/domlogs/
ls -ltr |tail -50

Then, we can see which IPs are active on a particular domain and take appropriate action (drop in firewall, etc.):

cd /usr/local/apache/domlogs/
tail -f <domainname> | awk '{print $1}'
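As an added example (not part of the original post), here is the same per-IP tallying done over a constructed sample of Apache combined-format log lines, plus a per-second peak rate per client that the one-liners above do not give you. The IPs, timestamps and threshold are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Apache combined-format log lines (not from a real server).
# 198.51.100.7 hammers one URL; the other two clients are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2009:13:55:36 -0700] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2009:13:55:36 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [10/Oct/2009:13:55:36 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [10/Oct/2009:13:55:37 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
192.0.2.44 - - [10/Oct/2009:13:55:37 -0700] "GET /about.html HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2009:13:55:37 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [10/Oct/2009:13:55:37 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
203.0.113.5 - - [10/Oct/2009:13:55:38 -0700] "GET /style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [timestamp] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_lines(text):
    """Yield a dict per line that matches the combined format; silently skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def requests_per_ip(text):
    """Requests by client IP, the equivalent of: awk '{print $1}' | sort | uniq -c."""
    return Counter(r["ip"] for r in parse_lines(text))

def peak_rate_per_ip(text):
    """Highest request count any single IP reached within one log-timestamp second."""
    per_second = defaultdict(Counter)
    for r in parse_lines(text):
        per_second[r["ip"]][r["ts"]] += 1
    return {ip: max(counts.values()) for ip, counts in per_second.items()}

def suspects(text, max_per_sec=2):
    """IPs whose peak per-second rate exceeds max_per_sec (a made-up threshold);
    these are the candidates to review before adding a firewall rule."""
    return sorted(ip for ip, rate in peak_rate_per_ip(text).items() if rate > max_per_sec)
```

Point it at a real domlog with `suspects(open(path).read())`; tune max_per_sec to the site's normal traffic before acting on the output.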