Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am a newbie on Linux and its management; I'm learning. I have a server and I think that my server is under DDoS attack. I see that the server is not having much load and only a few processes run, but my site opens very slow.
I would advise you to run a firewall on the server. And if you already have one running, then the logs from the firewall are what you should be examining.
Netstat does not give useful info on attacks, it's just info on active and closing/terminating connections, it does not have any kind of history.
What you are interested in, for example, is how many connection attempts there have been on port x in the last minute/hour/day.
Only a firewall can give you that.
Well, a packet sniffer also could do the job, but it's really the job of a decent firewall.
Another thing you can try is to see what process is slowing the machine down. It could be that some service is draining the CPU, and then it might be as easy as restarting or stopping that service.
Running "top" in a terminal may give a hint of what is using the cpu.
Quote:
I am a newbie on Linux and its management; I'm learning. I have a server and I think that my server is under DDoS attack. I see that the server is not having much load and only a few processes run, but my site opens very slow.
There could be a thousand reasons that your server runs slowly; a DDoS is only one of these.
When you say it is a server, do you mean that it is a webserver (e.g. Apache or something similar, plus whatever else is needed to serve nicely formatted webpages, like a CMS)?
If it was a DDoS, you'd expect to see lots of connections... as you've only presented 10, you can't tell from this. Additionally, if it is a webserver, your objective is for people from the outside world to make connections; if it is your fileserver, things are rather different.
Quote:
please tell me if these IPs are doing any kind of attacks..
How? We could probably tell you where those particular IPs are based, which may raise suspicions (or not), but that is as likely to be deceptive as not.
We really need some good information from you:
* What is this server supposed to do?
* What evidence is there that the server runs more slowly than is reasonable for a server with this planned workload?
* Are there many of these connections? Should there be?
* Can you outline the system specs (processor and memory, primarily) and what software it is running?
* When you say it is slow, what are your criteria (load average, requests-served stats, general feeling)?
* What does top show?
* Does vmstat (not the first line) show excessive disk activity?
This is a server with Apache 2.2.
1. The server is hosting a few websites.
2. I don't say the server is running slow; actually the sites are opening damn slow. Also I don't see any process in my top, but still my site is down. My CPU load is less than 0.30, but still the site opens slow. And whenever I restart my webserver (httpd) from WHM, the site opens fine for about 5 mins, then again starts to load slow.
3. I suppose there are many connections. Is there any command by which I can find how many connections there are?
4. My CPU specs are:
Quote:
Core2Quad 9300 server
1TB SATA HDD
8GB DDR2 RAM
Hosting a few sites, and FFmpeg is installed
5. My server is not slow, as I said; load is also normal, but my site opens damn slow.
It can't be network latency in our region, because if I restart httpd the sites start to load fine.
e.g. site: bindas.tk
root@server [~]# vmstat
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
r b swpd free buff cache si so bi bo in cs us sy id wa st
0 0 120 225920 74412 2336076 0 0 45 44 2 3 2 3 93 2 0
root@server [~]#
Please note that the server is not slow, but the site opens slow.
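As an added example (not part of any post in this thread), here is a small shell script answering the question above about counting connections: it reads netstat -ant output and tallies ESTABLISHED connections to the web port per remote IP, which is the quickest way to see whether one or two hosts hold most of the sockets. The netstat lines embedded in it are constructed (RFC 5737 test addresses), and the ss conversion in the comments assumes iproute2's ss is installed.

```shell
#!/bin/sh
# Added example, not from the thread: count established TCP connections to a
# local port, grouped by remote IP, from `netstat -ant`-style lines on stdin.
#
# Live usage:   netstat -ant | count_peers 80
# With iproute2 (assumed available), reorder ss columns to netstat's layout:
#               ss -Htan | awk '{print "tcp",$2,$3,$4,$5,$1}' | count_peers 80

# count_peers PORT
# Keeps tcp/tcp6 sockets in state ESTABLISHED (netstat) or ESTAB (ss) whose
# local port is PORT and prints "<count> <remote-ip>", highest count first.
count_peers() {
    port="$1"
    awk -v port="$port" '
        $1 ~ /^tcp/ && ($6 == "ESTABLISHED" || $6 == "ESTAB") {
            # Field 4 is the local address, e.g. 192.0.2.10:80 or :::80 (IPv6);
            # the port is whatever follows the last colon.
            n = split($4, l, ":"); lport = l[n]
            if (lport != port) next
            # Field 5 is the remote address; strip ":<port>" to keep only the IP.
            n = split($5, r, ":")
            rip = substr($5, 1, length($5) - length(r[n]) - 1)
            hits[rip]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -rn
}

# Constructed sample resembling `netstat -ant` output (not a real capture).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.4:40001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40002       TIME_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.9:40003       ESTABLISHED'

# Print the per-peer table for the sample when run directly.
printf '%s\n' "$SAMPLE" | count_peers 80
```

A single remote IP holding dozens of established sockets to port 80 is worth a closer look in the Apache access log; a long list of distinct IPs with one or two sockets each is what normal browsing looks like. Remember that this is a snapshot only, as noted earlier in the thread: run it a few times while the site is slow and compare.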
Quote:
2. I don't say the server is running slow; actually the sites are opening damn slow. Also I don't see any process in my top, but still my site is down. My CPU load is less than 0.30, but still the site opens slow. And whenever I restart my webserver (httpd) from WHM, the site opens fine for about 5 mins, then again starts to load slow.
Hrmm...
DDoS activity usually results in the system tanking due to it having issues attempting to track thousands+ of alerts. Let's say a system that was being DDoSed was restarted. When a system restarts, everything is reinitialized, including connection tracking. So, of course, a check of resources immediately after a reboot won't be the same as a check of resources after 10 or so minutes of DDoS activity. Your explanation doesn't mean a thing, IMO. The only thing that backs you up at this point is the fact that top isn't showing any resource spikes, which also means nothing.
Quote:
please note that server is not slow but site opens slow.
Then this isn't a DDoS issue. If this were a DDoS, your netstat output would certainly be different (I'm not saying that netstat provides proof-positive results, either), as it would be showing a LOT more than what you provided. Also, most DoS-type attacks happen because system resources (CPU and/or memory) are eventually drained. What usually happens with DDoS is the system grinds to a halt and eventually tanks. The system...the server. Not an application.
This tells me that you're possibly experiencing an application issue, but you did know that one IP/host can DoS a computer, right? A host can send a specially crafted packet to another system which would make that remote system gag on the packet, which may hose the whole system or hog enough resources to where that remote system can't do anything else. That's pretty much a denial of service. Again, your issue might not be DDoS-related... it may certainly be DoS-related, though. So, we're back to square one. What you think is a DDoS is almost certainly not, but you might be experiencing some type of DoS, or you've an issue with one of your apps (a misconfiguration that the system is choking on or that someone is attempting to take advantage of).
Now, check this link and use it to determine the state of integrity of your host. This is the US CERT's Intrusion Detection Checklist. There's also a massive LQ Security Resources thread here. Use this (maybe after you've fixed your current issue) to establish an integrity baseline for your machine(s).
You need to find out the who, what, when, where, why, and how, if you think your box is being defiled or impeded. Start with your system logs, your application logs (definitely check Apache). You can run a sniffer on a temporary basis just so you can better see what's going on...I believe a sniffer will be a better resource than any FW log. A FW log will point you in a direction. A sniffer log, depending on how you've configured it, will tell you everything a FW log will, in addition to Layer-7 information (which a FW won't be able to do unless it has true IPS functionality).
Lastly, quit restarting your host. Restarting plays havoc with the system's audit trail. If you're restarting, you're wiping away traces of evidence that may not have yet made it to a logfile.
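As an added example serving both the earlier point about counting attempts per minute/hour and the advice above to start with the Apache logs (example code, not from any poster here): a shell function that buckets Apache combined-format access log lines by minute and marks minutes whose request count is above a threshold, so a burst of hits stands out in the log without needing a sniffer. The log lines embedded in it are constructed, and the log path and threshold in the usage comment are assumptions for a typical cPanel/WHM box.

```shell
#!/bin/sh
# Added example, not from the thread: count Apache combined-log requests per
# minute and flag minutes above a threshold.
#
# Live usage (path and threshold are assumptions):
#   requests_per_minute 600 < /var/log/httpd/access_log

# requests_per_minute THRESHOLD
# Reads combined-format lines on stdin and prints, in the order the minutes
# first appear, "<count> <dd/Mon/yyyy:HH:MM>" with " BURST" appended when the
# count exceeds THRESHOLD.
requests_per_minute() {
    awk -v limit="$1" '
        {
            # Field 4 is "[10/Oct/2000:13:55:36"; drop the "[" and the ":ss".
            ts = substr($4, 2)
            minute = substr(ts, 1, length(ts) - 3)
            if (!(minute in seen)) { seen[minute] = 1; order[++n] = minute }
            hits[minute]++
        }
        END {
            for (i = 1; i <= n; i++) {
                m = order[i]
                flag = (hits[m] > limit + 0) ? " BURST" : ""
                print hits[m] " " m flag
            }
        }
    '
}

# Constructed sample (not a real log): three ordinary requests in one minute,
# then five requests from one client in the next minute.
SAMPLE='198.51.100.7 - - [10/Oct/2000:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.4 - - [10/Oct/2000:13:55:40 +0000] "GET /style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2000:13:55:58 +0000] "GET /logo.png HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2000:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "curl/7.19"
203.0.113.9 - - [10/Oct/2000:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "curl/7.19"
203.0.113.9 - - [10/Oct/2000:13:56:02 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "curl/7.19"
203.0.113.9 - - [10/Oct/2000:13:56:02 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "curl/7.19"
203.0.113.9 - - [10/Oct/2000:13:56:03 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "curl/7.19"'

# Print the per-minute table for the sample with a deliberately low threshold.
printf '%s\n' "$SAMPLE" | requests_per_minute 4
```

Pick the threshold from a quiet period of the same log (a few times the normal per-minute rate), and keep the log file itself untouched while you investigate; as the post above says, restarting the host or rotating logs removes the trail you are trying to read.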
A quick way to detect if it really is a network problem is to unplug the network cable and access one of your sites from the server itself (with wget).
If it responds at once, it is an indication that some network problem exists, but still it's no guarantee that it is an attack. It may be several other things going on on your LAN, a runaway workstation, etc.