Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
In order for a symlink attack to be successful, the attacker must already have local access to your computer. What indication of an attack do you have?
If, in fact, it is a symlink attack, you'll need to figure out how they got into your system in the first place -- you were compromised before that attack.
I don't think the attack you experienced was a symlink attack. I'm gonna have to agree with Matir...you either have a malicious user, someone from the outside has access, or you've some symlinked content within your webserver directory that you should maybe unlink.
- Perform checks on files to be handled.
  a) Check for existence of file.
  b) Check for symlinks.
  c) Check for hardlinks.
  d) etc.
Is there a certain program I need to use to scan if I have symlinks / hardlinks or some other vulnerabilities on the server? This is my first time having this issue. I've got a pretty strict firewall as is. So it shouldn't look too bad...hopefully
These are the only other logs I can tie this in with..that occurred around the same time last night.
It was a ton more than that...that was just a sample.
All this 403 probably means he was trying to get in but couldn't ?
And is there an easy way to have my server email me if load averages go above a certain amount ? I'm running Plesk 9.0 and have full root access.
I appreciate it much guys...I'm starting to become suspicious of even the Tech guys I allow access to my server. One of the reasons why I signed up here. hehe.
What gave you the impression that 99.248.145.194 is involved? The source of all those requests is ::1, the IPv6 loopback interface.
When I ran "netstat -an | less" several times while the attack was occurring...that was the Only IP address showing up the whole time. All the way down the list. Even "netstat -an" . same thing.
Then if I ran TOP immediately after, the whole putty display would be completely full of apache http requests. massive amounts of requests and cpu usage.
What do you suspect the ::1 had to do with it ? maybe he was unaware the file he was trying to access was mod-rewrite or something?
I've been googling today to find a way to email me when server loads go above a certain number and I can't find one method to do it. Can someone please direct me to something ? If it happens again overnight, I'd like to be alerted.
Which is the root script folder on Linux ? or the general path ? (this is something I never needed to use in the past..but will need now)
That script checks server load. That has nothing to do with a SYN flood. If you wish to detect SYN flooding, you basically just need to script a netstat check for the amount of half-open connections (SYN_RECV). If you wish to stop SYN flooding from happening, you basically just need to enable TCP SYN cookies:
Code:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Yeah, but I'd rather just be notified by email whenever my server load is above normal. Which can help me diagnose more than just a SynFlood. Plus that TCP Syn Cookies has some drawbacks of its own. Especially considering the rare number of times it occurs.
Any advice on installing that script? Should I just install it somewhere in /etc/ ?
There seems to be some miscommunication here. Once again: A SYN flood doesn't cause your server load to spike. Hence, that script would be useless for detecting a SYN flood. While it's true that issuing TCP SYN cookies has its drawbacks, it's not like you have much of a choice during an attack. If you script the netstat check, you can make it so that TCP SYN cookies are only enabled when a SYN flood is actually taking place. I have no idea why your tech support would say that you were under a SYN flood based on the symptoms you've described here (none of which match a SYN flood).
Using a script to email you an alert when server load anomalies are detected is great, it's just that you should not be fooled into thinking it's gonna do anything for you as far as SYN flooding is concerned. One thing has nothing to do with the other. When you get SYN flooded, there won't be any load spike, hence no email alert, and consequently no countermeasures. So you will end up in a denial-of-service situation which you could have mitigated had you used the right tool for the job. As for "installing" the server load script, you can pretty much place it anywhere you wish as long as the ownership and permissions on the file (and its parent directory) are sane (/etc is just fine).
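A script along the lines of what the post above describes, added here as an example and not code from the thread: it counts half-open (SYN_RECV) connections and checks the 5-minute load average as two separate conditions, and turns SYN cookies on only while a flood is actually seen. The thresholds, the mail address, and the presence of ss/netstat, sysctl and a mail command on the host are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Two independent checks: a SYN flood is
# detected from the number of half-open connections, a load spike from
# /proc/loadavg. Thresholds and the alert address are assumptions; tune them.
SYN_RECV_LIMIT=${SYN_RECV_LIMIT:-100}    # half-open connections before alerting
LOAD5_LIMIT=${LOAD5_LIMIT:-1.50}         # 5-minute load average before alerting
ALERT_MAIL=${ALERT_MAIL:-root@localhost}

# Constructed sample of netstat/ss output (three half-open, one established).
SAMPLE_NETSTAT='tcp 0 0 10.0.0.5:80 203.0.113.9:4021 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.10:4022 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:5100 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.11:4023 SYN-RECV'

# Count half-open entries in netstat ("SYN_RECV") or ss ("SYN-RECV") output
# read from stdin. grep -c exits 1 when the count is 0, hence the || true.
count_syn_recv() {
    grep -c 'SYN[_-]RECV' || true
}

# Return 0 when field $1 (1-based) of the loadavg line $2 exceeds $3.
# awk does the comparison because sh cannot compare floating-point values.
load_exceeds() {
    printf '%s\n' "$2" | awk -v f="$1" -v lim="$3" \
        'NR == 1 { r = ($f > lim) ? 0 : 1 } END { exit (NR == 0) ? 1 : r }'
}

# Mail a one-line alert; replace with whatever mail client the host has.
alert() {
    printf '%s\n' "$2" | mail -s "$1" "$ALERT_MAIL"
}

run_checks() {
    n=$( (ss -tan 2>/dev/null || netstat -ant) | count_syn_recv )
    if [ "$n" -ge "$SYN_RECV_LIMIT" ]; then
        # Enable SYN cookies only while the flood is taking place.
        sysctl -w net.ipv4.tcp_syncookies=1 >/dev/null
        alert "SYN flood suspected on $(hostname)" "$n half-open connections"
    fi
    loadavg=$(cat /proc/loadavg)
    if load_exceeds 2 "$loadavg" "$LOAD5_LIMIT"; then
        alert "High load on $(hostname)" "loadavg: $loadavg"
    fi
}

# Live checks run only with --run, e.g. from a cron entry every minute.
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Place it somewhere root-owned with sane permissions (e.g. under /etc) and call it with --run from cron; the functions can be exercised on saved netstat output without touching the live system.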
Dude, if I put the script warn level to send the email out...when my 5 minute load average hits above 1.50 , I'm sure if a syn flood was occurring then, the load average would go up at least a little. My average load almost never even goes above 0.40 .
If these half-open connections bind resources on the server, it may be possible to take up all these resources by flooding the server with SYN messages. Once all resources set aside for half-open connections are reserved, no new connections (legitimate or not) can be made, resulting in denial of service. Some systems may malfunction badly or even crash if other operating system functions are starved of resources this way.
after reading that, you can't tell me the server load average won't go up at all.
My server was never shut down during that time..Putty and TOP command were available the whole time. so if I had the script up then, it would have alerted me.
although the load averages were over 70.0 at times during the attack..
It hasn't happened even once since, which is why I still think it was a syn flood.
This type of attack has NOTHING to do with server load. I really don't think your load is going to change all that much between before and during a syn flood.
If you want a true assessment of a syn flood, try it with something like a vmware host. In fact, try it with two hosts...one being the attacker and one being the target. Find a syn flood tool and attack the target host and monitor the load of the server.
Syn floods consume network stack resources, not service or host-level resources or even hardware-based resources such as CPU and memory.
I really don't think what you saw in your logs was anywhere near what you are assuming. If you think otherwise, you need to provide more data than you have provided thus far. If that's all you have, that still doesn't mean that you were syn flooded or symlink attacked. If I were you I'd check things such as the syslog logs to ensure the server wasn't misconfigured. This sounds more and more like a misconfig and not an actual attack.
Depending on the level of logging, a SYN flood or other request flood could cause staggering disk I/O trying to keep up with logging the requests, which would result in very high load average and sluggish responses. I was once troubleshooting a Linux system that was responding very slowly despite not handling unusual amounts of network traffic. The cause turned out to be someone had enabled iptables logging for every packet and it was logging to local disk. Disabling iptables logging took the load from 27 to 3.