Sysctl and ip_conntrack_max optimization

On a busy web server behind stateful netfilter rules (iptables/nftables), you have to be very careful that you don't run out of connection tracking entries. When the table fills up the kernel logs "nf_conntrack: table full, dropping packet" and silently drops new connections, which looks like an outage to your users.

Check how many you have set as your max. On older kernels that still load the ip_conntrack module:

/sbin/sysctl net.ipv4.ip_conntrack_max

On current kernels the module is nf_conntrack and the key is:

/sbin/sysctl net.netfilter.nf_conntrack_max

Check how many you're using (old and new locations respectively):

wc -l /proc/net/ip_conntrack
cat /proc/sys/net/netfilter/nf_conntrack_count

A good maximum setting for most web servers with at least 2 GB of RAM is 65536; each entry costs a few hundred bytes, so that is well under 32 MB of kernel memory. Change the setting and lock it in (Red Hat variants; use the net.netfilter.nf_conntrack_max key on newer kernels):

echo "net.ipv4.ip_conntrack_max = 65536" >> /etc/sysctl.conf
/sbin/sysctl -p

Note that sysctl -w with no key=value argument sets nothing; sysctl -p is what re-reads /etc/sysctl.conf. The kernel sizes the conntrack hash table from the hashsize module parameter and derives the default maximum from it, so if you raise the maximum well above the default, raise hashsize too (/sys/module/nf_conntrack/parameters/hashsize is writable at runtime) or lookups get slower as the buckets fill.
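As an added example (not part of the original post), the following POSIX shell script turns the two checks above into something you can drop into cron or a monitoring check: it reads the count and the maximum from the nf_conntrack paths, falls back to the legacy ip_conntrack ones, and reports a status. The 80% warning and 95% critical thresholds are assumptions; tune them to your traffic.

```shell
#!/bin/sh
# Added example (not from the original post): report conntrack table usage
# and warn before it fills. Prefers the nf_conntrack paths and falls back to
# the legacy ip_conntrack ones. Reading /proc/net/ip_conntrack needs root.

conntrack_max() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_max ]; then
        cat /proc/sys/net/netfilter/nf_conntrack_max
    elif [ -r /proc/sys/net/ipv4/ip_conntrack_max ]; then
        cat /proc/sys/net/ipv4/ip_conntrack_max
    else
        return 1
    fi
}

conntrack_count() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
        cat /proc/sys/net/netfilter/nf_conntrack_count
    elif [ -r /proc/net/ip_conntrack ]; then
        wc -l < /proc/net/ip_conntrack
    else
        return 1
    fi
}

# conntrack_pct COUNT MAX: integer percentage of the table in use.
conntrack_pct() {
    echo $(( $1 * 100 / $2 ))
}

# conntrack_status COUNT MAX [WARN_PCT]: prints ok, warn or critical.
# Assumed thresholds: warn at 80%, critical at 95%.
conntrack_status() {
    pct=$(conntrack_pct "$1" "$2")
    warn=${3:-80}
    if [ "$pct" -ge 95 ]; then
        echo critical
    elif [ "$pct" -ge "$warn" ]; then
        echo warn
    else
        echo ok
    fi
}

# conntrack_report: one summary line; returns 2 when critical, 3 when the
# conntrack module is not loaded, so a cron wrapper or Nagios can act on it.
conntrack_report() {
    max=$(conntrack_max) || { echo "conntrack not loaded"; return 3; }
    count=$(conntrack_count) || { echo "cannot read conntrack count"; return 3; }
    status=$(conntrack_status "$count" "$max")
    echo "conntrack $status: $count/$max ($(conntrack_pct "$count" "$max")%)"
    if [ "$status" = critical ]; then
        return 2
    fi
    return 0
}

# Usage on a server: conntrack_report
```

Run conntrack_report from a cron job and alert on a non-zero exit; hitting critical is the moment to raise nf_conntrack_max (and hashsize) rather than waiting for the "table full" messages.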

Find files modified/created within N days ago

This proved to be useful in cleaning up a compromised site. List all the files modified within a certain time frame; in this case we are looking 30 days into the past (-mtime -30 means "modified less than 30 days ago", -mtime +30 would mean "more than 30 days ago"):

find . -mtime -30 -type f -print

Two caveats for the compromised-site case. First, find cannot see creation time on most Linux filesystems; -mtime is the content modification time. Second, an attacker can reset mtime with touch -r to make a backdoor blend in with the rest of the site, but that touch updates the inode change time (ctime), which cannot be set from user space. Run the same search with -ctime -30 as well and look closely at files that appear in one listing but not the other.

If you want to delete all files modified within the last N days, you can do something like this (-exec ... + passes many files to one rm; GNU find's -delete does the same without spawning rm at all):

find . -mtime -30 -type f -exec rm {} +

Or this, which is safe with spaces and newlines in file names:

find . -mtime -30 -type f -print0 | xargs -0 rm

Review the -print listing before running either command, and copy anything you may want for post-incident analysis first; once deleted, the attacker's files are gone along with the evidence.
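As an added example (not part of the original post), the following script compares the mtime and ctime views of a directory so that a backdoor whose mtime was reset with touch -r still stands out. It needs GNU find for -printf and GNU touch for -d, and builds its own constructed sample tree rather than touching a real site.

```shell
#!/bin/sh
# Added example (not from the original post): compare mtime and ctime views of
# a directory to catch files whose mtime was reset with touch -r.
# Requires GNU find (-printf) and GNU touch (-d) for the sample builder.

# recent_files DIR DAYS: files whose content (mtime) or inode (ctime) changed
# within the last DAYS days, with both timestamps shown so they can be compared.
recent_files() {
    find "$1" -type f \( -mtime "-$2" -o -ctime "-$2" \) \
        -printf 'mtime=%TY-%Tm-%Td ctime=%CY-%Cm-%Cd %p\n'
}

# timestomped DIR DAYS: files whose inode changed within DAYS days but whose
# mtime claims to be older than that. A fresh upload with an old-looking
# mtime is exactly what "touch -r index.php backdoor.php" produces.
timestomped() {
    find "$1" -type f -ctime "-$2" ! -mtime "-$2" -print
}

# build_sample: constructed sample tree with one genuinely new file and one
# whose mtime was pushed back 60 days. ctime cannot be backdated from user
# space, so on the stomped file it stays "now". Prints the directory path.
build_sample() {
    d=$(mktemp -d)
    echo '<?php /* constructed sample, recently written */ ?>' > "$d/fresh.php"
    echo '<?php /* constructed sample, mtime backdated */ ?>' > "$d/stomped.php"
    touch -d '60 days ago' "$d/stomped.php"
    echo "$d"
}

# Usage on a real site: recent_files /home/user/public_html 30
#                       timestomped /home/user/public_html 30
```

On the sample, a plain find -mtime -30 only reports fresh.php, recent_files reports both, and timestomped singles out stomped.php: the one a cleanup based on mtime alone would have left in place.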

Sorting disk usage by folder in Linux

Normally you would use something like this:

du -k | sort -nr > sorted.txt

But the output is hard to read because every size is a raw kilobyte count. This awk filter converts each size to the largest unit that fits while keeping the numeric sort order from du -k (on GNU coreutils 7.5 or later, du -h | sort -hr does the same in one step):

du -k | sort -nr | awk '
     BEGIN {
        split("KB,MB,GB,TB", Units, ",");
     }
     {
        u = 1;
        while ($1 >= 1024) {
           $1 = $1 / 1024;
           u += 1
        }
        $1 = sprintf("%.1f %s", $1, Units[u]);
        print $0;
     }
    ' > sorted.txt

Pre-analysis of a DDoS attack on a cPanel or Linux server

Determine the nature of the attack (SYN flood, HTTP GET flood, etc.) by counting TCP connection states. A pile of SYN_RECV entries points to a SYN flood; many ESTABLISHED connections from a handful of addresses points to an application-layer flood:

netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn

The following will list all the IPs connected to port 80 in order of most connections (run as root so -p can resolve processes; the trailing space in the grep pattern stops :8080 and the like from matching):

netstat -plan | grep ':80 ' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head

The cut on ":" mangles IPv6 peers; if the box serves IPv6, ss -tan with a filter on the local port gives the same list without that problem.

We can see which domains are most active (in the case of a GET-style attack) by listing the domain logs with the most recently written ones last:

cd /usr/local/apache/domlogs/
ls -ltr | tail -50

Then we can see which IPs are active on a particular domain and take appropriate action (drop them in the firewall, etc.). This streams the client address of every new request as it arrives:

cd /usr/local/apache/domlogs/
tail -f <domainname> | awk '{print $1}'

To rank what is already in the log instead of watching it scroll by, count the last few thousand lines:

tail -n 5000 <domainname> | awk '{print $1}' | sort | uniq -c | sort -rn | head
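As an added example (not part of the original post), the following shell functions do the ranking above over a constructed Apache combined-format log and add a per-minute burst check, which separates a flooding client from a legitimately busy one. The ss-based functions at the end are the IPv6-safe equivalents of the netstat one-liners and assume iproute2's ss; the sample log lines and the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 addresses are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): rank attackers from an Apache
# access log (domlog) and from the live socket table. The log functions run
# offline on the constructed sample; the ss functions need iproute2 on a server.

# write_sample_log FILE: constructed sample in Apache combined format.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:56:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/8.0"
EOF
}

# top_ips LOG [N]: client addresses by request count, busiest first.
top_ips() {
    awk '{print $1}' "$1" | sort | uniq -c | sort -rn | head -n "${2:-10}"
}

# top_uris LOG [N]: requested paths by count; a GET flood usually hammers one.
top_uris() {
    awk '{print $7}' "$1" | sort | uniq -c | sort -rn | head -n "${2:-10}"
}

# burst_ips LOG THRESHOLD: addresses that made more than THRESHOLD requests
# in any single minute. Field 4 looks like "[10/Oct/2023:13:55:36"; splitting
# on ":" yields date, hour and minute.
burst_ips() {
    awk -v t="$2" '{
            split($4, ts, ":")
            key = $1 " " ts[1] ":" ts[2] ":" ts[3]
            c[key]++
        }
        END { for (k in c) if (c[k] > t) { split(k, p, " "); print p[1] } }' "$1" | sort -u
}

# Live-socket equivalents of the netstat one-liners (ss handles IPv6 peers).
# conn_states: count per TCP state; many SYN-RECV entries suggest a SYN flood.
conn_states() {
    ss -Htan | awk '{print $1}' | sort | uniq -c | sort -rn
}

# peers_on_port PORT: connections per peer address to one local port.
peers_on_port() {
    ss -Htan "( sport = :$1 )" | awk '{print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn
}

# Usage on a server: burst_ips /usr/local/apache/domlogs/<domainname> 60
#                    peers_on_port 80
```

On the sample, top_ips and top_uris point at 203.0.113.5 and /wp-login.php, and burst_ips with a threshold of 3 names only 203.0.113.5, since it is the only client that exceeded three requests in one minute; the threshold is the knob to tune before feeding the result into firewall rules.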

Tracking SPAM on a cPanel Server

If you are using a cPanel/WHM server then the MTA will be Exim by default.

Enable the "Mailheaders" option by running the /scripts/easyapache script. It patches PHP so that mail sent through PHP's mail() function carries an X-PHP-Script header naming the script that sent it. After that, list the queue and check the headers of a queued message:

exim -bp
exim -Mvh <message id>

From that you will be able to find the source of the spam: the X-PHP-Script header points at the script (typically a compromised or malicious upload under a user's public_html), and the spool header also records the local user the message was accepted from.
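As an added example (not part of the original post), the following script ranks the PHP scripts behind everything in the Exim queue, so a single compromised upload sending thousands of messages shows up as one line instead of one header per message. count_script_headers is pure text processing and runs offline on constructed sample headers; queue_script_sources wires it to exiqgrep and exim on a real server. The sample header lines are made up and are not real spool output.

```shell
#!/bin/sh
# Added example (not from the original post): rank the PHP scripts named by
# X-PHP-Script headers (added by cPanel's Mailheaders patch) across the queue.

# count_script_headers: read raw header text on stdin and print "count script"
# lines, busiest script first. The " for <client ip>" suffix is stripped so one
# script hit from many client addresses collapses into a single line.
count_script_headers() {
    awk 'tolower($0) ~ /x-php-script:/ {
            sub(/.*[Xx]-[Pp][Hh][Pp]-[Ss][Cc][Rr][Ii][Pp][Tt]:[ \t]*/, "")
            sub(/[ \t]+for[ \t]+.*$/, "")
            n[$0]++
         }
         END { for (s in n) print n[s], s }' | sort -rn
}

# queue_script_sources: run on the server. exiqgrep -i lists queued message
# IDs; exim -Mvh dumps each message's spool header.
queue_script_sources() {
    for id in $(exiqgrep -i); do
        exim -Mvh "$id"
    done | count_script_headers
}

# sample_headers: constructed header lines for running the parser offline.
sample_headers() {
    cat <<'EOF'
X-PHP-Script: example.com/wp-content/uploads/2023/x.php for 203.0.113.5
Subject: Hello
X-PHP-Script: example.com/wp-content/uploads/2023/x.php for 198.51.100.7
X-PHP-Script: shop.example.net/contact.php for 192.0.2.9
EOF
}

# Usage on a server: queue_script_sources
# Offline:           sample_headers | count_script_headers
```

The top line of the output is the script to pull first; once it is removed or the account is suspended, exim -bpr combined with exiqgrep -i and exim -Mrm will clear the messages it already queued.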


Setting up Adaptec Storage Manager on a headless Ubuntu/Debian server

Adaptec RAID cards have huge performance gains over other cards, but the management features in Linux are poor. If you don't have a GUI installed you cannot set up monitoring or alerts locally, but thankfully you can run the agent headless and do the setup from the Storage Manager GUI on a Windows (or Linux desktop) machine. Additionally, there are no .deb packages, so we have to convert the .rpm to a .deb package.

Download the latest installer in RPM format. The download is over plain HTTP, so compare it against a checksum from a trusted source before installing it as root:

sudo bash ### Dang it Debian!  LOL
wget http://download.adaptec.com/raid/storage_manager/asm_linux_x64_v6_30_18507.rpm

Convert the .rpm to a .deb package and install it. alien bumps the package revision by one, which is why the output is named 18508; pass -k to keep the original version:

apt-get install alien
alien --scripts asm_linux_x64_v6_30_18507.rpm
dpkg -i storman_6.30-18508_amd64.deb

Start the 'StorMan' agent:

/usr/StorMan/StorMan.sh

Add the following to /etc/rc.local (before the 'exit 0' line) so it starts automatically, as the included init script is badly broken. Don't forget the ampersand: StorMan.sh runs in the foreground, so without it the boot process hangs at that line:

/usr/StorMan/StorMan.sh &

Now you can connect from the Windows or Linux GUI to check RAID status and set up email alerts. The agent runs as root and listens on the network for that GUI, so firewall its ports down to your management hosts. It's painfully obvious Adaptec is catering to the Windows crowd on this one, but at least there's a workaround.