How to secure your server ??

Here is a command line to run on your server if you think your server is under attack. It prints our a list of open connections to your server and sorts them by ammount.

RedHat: netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

BSD: netstat -na |awk ‘{print $5}’ |cut -d “.” -f1,2,3,4 |sort |uniq -c |sort -n

netstat -apln | grep :80 | sort|awk {‘print $5’}|cut -d: -f1 |uniq -c|sort -n

netstat -alpn | grep  :80 | awk ‘{print $4}’ | cut -d: -f1 |sort |uniq -c

ifconfig -a | grep inet | awk {‘print $2’} | awk -F : ‘{print $2}’

netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

You can also check for connections by running the following command.
netstat -plan | grep :80 | awk ‘{print $4 }’ | sort -n | uniq -c | sort

These are few step to be taken when you feel the server is under attack:
Step 1: Check the load using the command “w”.
Step 2: Check which service is utilizing maximum CPU by “nice top”.
Step 3: Check which IP is taking maximum connection by netstat -anpl|grep :80|awk {‘print $5’}|cut -d”:” -f1|sort|uniq -c|sort -n
Step 4: Then block the IP using firewall (APF or iptables “apf -d < IP>” )

You can also implement security features in your server like:

1) Install apache modules like mod_dosevasive and mod_security in your server.
2) Configure APF and IPTABLES to reduce the DDOS
3) Basic server securing steps :
4) Configure sysctl parameters in your server to drop attacks.

You can block the IP which is attacking your server using Ipsec from command prompt.
>> netsh ipsec static add filterlist name=myfilterlist
>> netsh ipsec static add filter filterlist=myfilterlist srcaddr=a.b.c.d dstaddr=Me
>> netsh ipsec static add filteraction name=myaction action=block
>> netsh ipsec static add policy name=mypolicy assign=yes
>> netsh ipsec static add rule name=myrule policy=mypolicy filterlist=myfilterlist filteraction=myaction

1) check the /tmp directory and delete the un wanted files from there

2) mount /tmp as noexec

3) execute the command

pstree -acpu

and check whether perl scripts are running in the server. If yes kill the porcess and if you have the process IP

check the current working directory using

ll /proc/processID



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: