Posts Tagged ‘sys admins’

How to check if your Linux WebServer is under a DoS attack

Friday, July 22nd, 2011

There are few commands I usually use to track if my server is possibly under a Denial of Service attack or under Distributed Denial of Service

Sys Admins who still have not experienced the terrible times of being under a DoS attack are happy people for sure …

1. How to Detect a TCP/IP Denial of Service Attack This are the commands I use to find out if a loaded Linux server is under a heavy DoS attack, one of the most essential one is of course netstat.
To check if a server is under a DoS attack with netstat, it’s common to use:

linux:~# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n|wc -l

If the output of below command returns a result like 2000 or 3000 connections!, then obviously it’s very likely the server is under a DoS attack.

To check all the IPS currently connected to the Apache Webserver and get a very brief statistics on the number of times each of the IPs connected to my server, I use the cmd:

linux:~# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
221 80.143.207.107 233 145.53.103.70 540 82.176.164.36

As you could see from the above command output the IP 80.143.207.107 is either connected 221 times to the server or is in state of connecting or disconnecting to the node.

Another possible way to check, if a Linux or BSD server is under a Distributed DoS is with the list open files command lsof
Here is how lsof can be used to list the approximate number of ESTABLISHED connections to port 80.

linux:~# lsof -i TCP:80
litespeed 241931 nobody 17u IPv4 18372655 TCP server.www.pc-freak.net:http (LISTEN)
litespeed 241931 nobody 25u IPv4 18372659 TCP 85.17.159.89:http (LISTEN)
litespeed 241931 nobody 30u IPv4 29149647 TCP server.www.pc-freak.net:http->83.101.6.41:54565 (ESTABLISHED)
litespeed 241931 nobody 33u IPv4 18372647 TCP 85.17.159.93:http (LISTEN)
litespeed 241931 nobody 34u IPv4 29137514 TCP server.www.pc-freak.net:http->83.101.6.41:50885 (ESTABLISHED)
litespeed 241931 nobody 35u IPv4 29137831 TCP server.www.pc-freak.net:http->83.101.6.41:52312 (ESTABLISHED)
litespeed 241931 nobody 37w IPv4 29132085 TCP server.www.pc-freak.net:http->83.101.6.41:50000 (ESTABLISHED)

Another way to get an approximate number of established connections to let’s say Apache or LiteSpeed webserver with lsof can be achieved like so:

linux:~# lsof -i TCP:80 |wc -l
2100

I find it handy to keep track of above lsof command output every few secs with gnu watch , like so:

linux:~# watch "lsof -i TCP:80"

2. How to Detect if a Linux server is under an ICMP SMURF attack

ICMP attack is still heavily used, even though it’s already old fashioned and there are plenty of other Denial of Service attack types, one of the quickest way to find out if a server is under an ICMP attack is through the command:

server:~# while :; do netstat -s| grep -i icmp | egrep 'received|sent' ; sleep 1; done
120026 ICMP messages received
1769507 ICMP messages sent
120026 ICMP messages received
1769507 ICMP messages sent

As you can see the above one liner in a loop would check for sent and recieved ICMP packets every few seconds, if there are big difference between in the output returned every few secs by above command, then obviously the server is under an ICMP attack and needs to hardened.

3. How to detect a SYN flood with netstat

linux:~# netstat -nap | grep SYN | wc -l
1032

1032 SYNs per second is quite a high number and except if the server is not serving let’s say 5000 user requests per second, therefore as the above output reveals it’s very likely the server is under attack, if however I get results like 100/200 SYNs, then obviously there is no SYN flood targetting the machine 😉

Another two netstat command application, which helps determining if a server is under a Denial of Service attacks are:

server:~# netstat -tuna |wc -l
10012

and

server:~# netstat -tun |wc -l
9606

Of course there also some other ways to check the count the IPs who sent SYN to the webserver, for example:

server:~# netstat -n | grep :80 | grep SYN |wc -l

In many cases of course the top or htop can be useful to find, if many processes of a certain type are hanging around.

4. Checking if UDP Denial of Service is targetting the server

server:~# netstat -nap | grep 'udp' | awk '{print $5}' | cut -d: -f1 | sort |uniq -c |sort -n

The above command will list information concerning possible UDP DoS.

The command can easily be accustomed also to check for both possible TCP and UDP denial of service, like so:

server:~# netstat -nap | grep 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort |uniq -c |sort -n
104 109.161.198.86
115 112.197.147.216
129 212.10.160.148
227 201.13.27.137
3148 91.121.85.220

If after getting an IP that has too many connections to the server and is almost certainly a DoS host you would like to filter this IP.

You can use the /sbin/route command to filter it out, using route will probably be a better choice instead of iptables, as iptables would load up the CPU more than simply cutting the route to the server.

Here is how I remove hosts to not be able to route packets to my server:

route add 110.92.0.55 reject

The above command would null route the access of IP 110.92.0.55 to my server.

Later on to look up for a null routed IP to my host, I use:

route -n |grep -i 110.92.0.55

Well hopefully this should be enough to give a brief overview on how, one can dig in his server and find if he is under a Distributed Denial of Service, hope it’s helpful to somebody out there.
Cheers 😉

Facebook use in organizations harmful for company businesses – How to block facebook access to company or organization network on Linux routers

Wednesday, May 2nd, 2012

Facebook harms company and organization employee efficiency picture, Falling company efficiency diagram due to facebook employee use

I don't know if someone has thought about this topic but in my view Facebook use in organizations has a negative influence on companies overall efficiency!
Think for a while, facebook's website is one of the largest Internet based "people stealing time machine" so to say. I mean most people use facebook for pretty much useless stuff on daily basis (doesn't they ??). The whole original idea of facebook was to be a lay off site for college people with a lot of time to spend on nothing.
Yes it is true some companies use facebook succesfully for their advertising purposes and sperading the awareness of a company brand or product name but it is also true that many companies administration jobs like secretaries, accountants even probably CEOs loose a great time in facebook useless games and picture viewing etcetera.

Even government administration job positioned people who have access to the internet access facebook often from their work place. Not to mention, the mobility of people nowdays doesn't even require facebook to be accessed from a desktop PC. Many people employeed within companies, who does not have to work in front of a computer screen has already modern mobile "smart phones" as the business people incorrectly call this mini computer devices which allows them to browse the NET including facebook.

Sadly Microsoft (.NET) programmers and many of the programmers on various system platforms developers, software beta testers and sys admins are starting to adopt this "facebook loose your time for nothing culture". Many of my friends actively use the Facebook, (probably) because they're feeling lonely in front of the computer screen and they want to have interaction with someone.

Anyways, the effect of this constant fb use and aline social networks is clear. If in the company the employeed personal has to do work on the computer or behind any Internet plugged device, a big time of the use of the device is being 'invested' in facebook to kill some time instead of investing the same time for innovation within the company or doing the assigned tasks in the best possible way

Even those who use facebook occasionally from their work place (by occasionally I mean when they don't have any work to do on the work place), they are constantly distracted (focus on work stealed) by the hanging opened browser window and respectively, when it comes to do some kind of work their work efficiency drops severely.
You might wonder how do I know that facebook opened browser tab would have bad interaction with the rest of the employee work. Well let me explain. Its a well known scientifically proven fact that the human mind is not designed to do simultaneously multiple tasks (we're not computers, though even computers doesn't work perfect when simultaneous tasks are at hand.).
Therefore using facebook in parallel with their daily job most people nowdays try to "multi task" their job and hence this reflects in poor work productivity per employee. The chain result cause of the worsened productivity per employee is therefore seen in the end of the fiscal quarter or fiscal year in bad productivity levels, bad or worsened quality of product and hence to poor financial fiscal results.

I've worked before some time for company whose CEO has realized that the use of certain Internet resources like facebook, gmail and yahoo mail – hurts the employee work productivity and therefore the executive directors asked me to filter out facebook, GMAIL and mail.yahoo as well as few other website which consumed a big portion of the employees time …
Well apparantly this CEO was smart and realized the harm this internet based resources done to his business. Nowdays however many company head executives did not realize the bad effect of the heavy use of public internet services on their work force and never ask the system administrator to filter out this "employees efficiency thefts".

I hope this article, will be eventually red by some middle or small sized company with deteriorating efficiency and this will motivate some companies to introduce an anti-facebook and gmail use policy to boost up the company performance.

As one can imagine, if you sum up all the harm all around the world to companies facebook imposed by simply exposing the employees to do facebooking and not their work, this definitely worsenes the even severe economic crisis raging around …
The topic of how facebook use destroyes many businesses is quite huge and actually probably I'm missing a lot of hardmful aspects to business that can be imposed by just a simple "innocent facebook use", so I will be glad to hear from people in comments, if someone at all benefits of facebook use in an company office (I seriously doubt there is even one).

Suppose you are a company that does big portion of their job behind a computer screen over the internet via a Software as a Service internet based service, suppose you have a project deadline you have to match. The project deadline is way more likely to be matched if you filter out facebook.
Disabling access to facebook of employees and adding company policy to prohibit social network use and rules & regulations prohibiting time consuming internet spaces should produce good productivity results for company lightly.
Though still the employees can find a way to access their out of the job favourite internet services it will be way harder.
If the employee work progress is monitored by installed cameras, there won't be much people to want to cheat and use Facebook, Gmail or any other service prohibited by the company internal codex

Though this are a draconian measures, my personal view is that its better for a company to have such a policy, instead of pay to their emloyees to browser facebook….

I'm not aware what is the situation within many of the companies nowdays and how many of them prohibit the fb, hyves, google plus and the other kind of "anti-social" networks.
But I truly hope more and more organizations chairman / company management will comprehend the damages facebook makes to their business and will issue a new policy to prohibit the use of facebook and the other alike shitty services.

In the mean time for those running an organization routing its traffic through a GNU / Linux powered router and who'd like to prohibit the facebook use to increase the company employees efficiency use this few lines of bash code + iptables:

#!/bin/sh
# Simple iptables firewall rules to filter out www.facebook.com
# Leaving www.facebook.com open from your office will have impact on employees output ;)
# Written by hip0
# 05.03.2012
get_fb_network=$(whois 69.63.190.18|grep CIDR|awk '{ print $2 }');
/sbin/iptables -A OUTPUT -p tcp -d ${get_fb_network} -j DROP

Here is also the same filter out facebook, tiny shell script / blocks access to facebook script

If the script logic is followed I guess facebook can be disabled on other company networks easily if the router is using CISCO, BSD etc.
I will be happy to hear if someone did a research on how much a company efficiency is increased whether in the company office facebook gets filtered out. My guess is that efficiency will increase at least with 30% as a result of prohibition of just facebook.

Please drop me a comment if you have an argument against or for my thesis.

Happy System Administrator Day – It’s 31 of July again ;)

Friday, July 29th, 2011

Happy System Administrator’s Day to all Sys Admins, who read my blog regularly! 😉

There are some many mafias around the world, Maybe one day there should be a sysadmin mafia 😉
Cheers! 😉