[SOLVED] Linux server cannot identify new connexions

rischfre · 08-31-2011, 02:17 PM

Hi

I m running a Centos 5.6 server, with several basic applications (mySQL, Web, ...).
Sometimes, the server craches, and does not let me connect to it.
SSH, Telnet, even on the own server.
For each process (Telnet, SSH...) it does not let me further than the LOGIN. That means ports are open, services are running, but something strange is ocuring when try to identify the user.
Could you please let me know what should i do?
thank you

timur91 · 08-31-2011, 03:50 PM

most likely someone is abusing some script on your server. Try the following script to run each minute as cronjob:

Code:

* * * * * /path/to/script.sh

and the script...

Code:

#!/bin/sh

mkdir -p /var/log/script
date=`date +%H_%M`

/etc/init.d/httpd fullstatus > /var/log/script/apache_status_$date
top -b -n 1 > /var/log/script/top_$date
netstat -anp > /var/log/script/netstat_$date
ps -efww > /var/log/script/ps_$date
free > /var/log/script/free_$date
w > /var/log/script/w_$date

You will need to enable ExtendedStatus and mod_status in apache with the /server-status location so you can get each minute's apache status.

After the server is dead and back online you will have a lot of info to look at. Check the active connections, processes, pids, compare with the apache status, etc

java socket

chrism01 · 08-31-2011, 08:13 PM

Logging that info isn't a bad idea, but doing it via cron means every minute its going to create a new env to run that stuff; bit of a performance hit; consider making it a daemon instead.
Its worth checking the normal logfiles like /var/log/messages etc. There may be some clues in there.
Also, it doesn't necessarily follow that you're being attacked, you need to check first, but when it crashes, it may corrupt the passwd or shadow file, so that could prevent successful logins.

timur91 · 09-01-2011, 05:32 PM

/var/log/messages provides no info at all

running that cron each minute until the problem is solved won't hurt at all

java socket