How to find and kill Abusers on OpenVZ Linux hosted Virtual Machines
(A few bash scripts to protect an OpenVZ CentOS server from script kiddies and ease the daily admin job)
These days I'm managing a number of OpenVZ Virtual Machine host servers, so I'm constantly facing a lot of problems with users who run shit scripts inside their Linux Virtual Machines.
Commonly the user Virtual Servers are used as a launchpad to attack other hosts, carry out illegal hacking activities or simply DDoS a host.
The users' virtual machines (which, by the way, run on top of CentOS OpenVZ Linux) are used to launch Denial of Service scripts like kaiten.pl, trinoo, shaft, tfn etc.
As a consequence of their malicious activities, the Data Centers which colocate the servers often either null route our server IPs until we suspend the abusive users, or the servers simply go down because of a server overload or a kernel bug hit as a result of the heavy TCP/IP network traffic or CPU/memory overhead.
Therefore, to mitigate these abusive attacks, I've written a few bash shell scripts which save us a lot of manual check-ups and in most cases prevent abusers from running the common DoS and "hacking" script shits which are now in the wild.
The first script I've written is kill_abusers.sh. What the script does is automatically look for a number of listed processes and kill them, while logging the names of the abusive VM user procs killed to /var/log/abusers.log.
I've set this script to run 4 times an hour and it currently saves us a lot of nerves and useless ticket communication with Data Centers (DCs), not to mention that reboot requests (for hung servers) have reduced significantly.
Therefore, despite the script's simplicity, it in general makes the servers run way more stable than before.
Here is the OpenVZ kill/suspend Abusers procs script kill_abusers.sh ready for download.
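To show the process matching, logging and killing logic described above in working form, here is an added example; it is not the original kill_abusers.sh, the CTID lookup through vzpid (and the output layout it assumes) is an assumption, and only the four process names come from the post.

```shell
#!/bin/sh
# Added example, not the original kill_abusers.sh: find known DoS / bot
# processes on an OpenVZ host, log them with the owning container ID (CTID)
# to the abusers log, and kill them.
ABUSE_LOG="${ABUSE_LOG:-/var/log/abusers.log}"
# Program names that never belong in a customer VM; these four are the ones
# named in the post, extend the list as needed.
ABUSIVE_PROCS="kaiten.pl trinoo shaft tfn"

# Filter: read "PID ARGS" lines on stdin, print "PID NAME" for each command
# whose argv contains one of ABUSIVE_PROCS as a whole word or path basename.
# Pure text processing, so it can be tested on canned input.
match_abusers() {
    while read -r pid cmd; do
        for name in $ABUSIVE_PROCS; do
            case " $cmd " in
                *" $name "*|*"/$name "*) echo "$pid $name"; break ;;
            esac
        done
    done
}

# Map a host PID to its CTID. Assumes vzpid (from vzctl) prints a header
# line followed by "PID CTID NAME"; CTID 0 means the process is the host's.
ctid_of() {
    if command -v vzpid >/dev/null 2>&1; then
        vzpid "$1" | awk 'END { print $2 }'
    else
        echo "unknown"
    fi
}

# Walk the live process table, log every hit and kill it. DRY_RUN=1 only logs.
kill_abusers() {
    ps -eo pid=,args= | match_abusers | while read -r pid name; do
        printf '%s host_pid=%s ctid=%s proc=%s\n' "$(date '+%F %T')" \
            "$pid" "$(ctid_of "$pid")" "$name" >>"$ABUSE_LOG"
        [ "${DRY_RUN:-0}" = 1 ] || kill -9 "$pid" 2>/dev/null
    done
}

# Run from cron as: kill_abusers.sh --run (defines functions only when sourced).
case "${1:-}" in --run) kill_abusers ;; esac
```

Run it with DRY_RUN=1 first to confirm the log entries name only the processes you expect before letting cron kill anything.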
Another script I've written later on does something similar yet different: it scans the server hard disk using the locate and find commands and tries to identify users who have script kiddie programs in their Virtual Machines and therefore are most probably crackers.
The script looks for abusive network scanners, DoS scripts, the Metasploit framework, ircds etc.
After scanning the server HDD, it lists only the files which are preset in the script as dangerous and therefore should not be executed inside a user VM.
search_for_abusers.sh then logs its activity to a file, together with the OpenVZ virtual machine user IDs who own hack related files. Right after that it uses the nail mailing command to send an email to a specified admin address, reporting the possible abusers whose VM accounts might need to be either deleted or suspended.
search_for_abusers can be downloaded here.
Honestly, I truly like my search_for_abusers.sh script, as it became quite nice and I coded it quite quickly.
I'm now intending to put the search_for_abusers script in a cronjob on the servers to check periodically and report the IDs of OpenVZ VM users who are attempting illegal activities on the servers.
I guess now our beloved Virtual Machine user script kiddies are in real trouble ;P