Wednesday, March 20, 2013

Detecting DDos Attacks Using the Netstat Command

The netstat commands below help you work out whether your server is under attack, or is taking part in one.

netstat -na

Display all sockets on the server (-a), listening as well as established, with addresses and ports shown numerically (-n) instead of being resolved to names. Note that this is not limited to established connections; filter on the State column for that.

netstat -an | grep ':80 ' | sort

Show only connections involving port 80 and sort the results. Useful for spotting a single-source flood, since many connections from one IP stand out. The trailing space in the pattern keeps it from also matching ports such as 8080 or 8000.

netstat -n -p | grep SYN_REC | wc -l

Count the half-open connections (Linux netstat reports the state as SYN_RECV, which grep SYN_REC matches). On a quiet server the number should be low, preferably under 5; during a SYN flood or a mail bomb it can jump to hundreds or thousands. The normal value depends on the system, so a figure that is alarming on one server may be average on another; know your baseline. The -p option (show the owning PID/program) only reports other users' sockets when run as root.

netstat -n -p | grep SYN_REC | sort -u

List every distinct SYN_RECV entry. sort -u deduplicates whole lines, so each remote IP:port pair appears once; the same IP can still appear many times.

netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}' | sort -u

List the unique IP addresses of the nodes whose connections sit in SYN_RECV (the Foreign Address is field 5; sort -u makes the list unique). Splitting on the first colon only works for IPv4 peers; for IPv6 addresses strip the text after the last colon instead.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Count the number of TCP and UDP connections each IP address has to the server, highest count last. The two netstat header lines show up as stray entries ("Address" and "connections"); ignore them.

netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

The same count over every TCP or UDP socket, including listening ones (-a) and with the owning process (-p, needs root). The pattern also matches tcp6 and udp6 lines.

netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

The same count restricted to ESTABLISHED connections, highest count first (sort -nr).

netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

Show each IP address connecting to port 80 on the server together with its number of connections. Port 80 is the default HTTP port, so this is the one to watch for web floods.

A quick and useful command for checking whether a server is under DDoS is:
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
That lists the IPs holding the most connections to the server. Remember that DDoS attacks are becoming more sophisticated: attackers use fewer connections spread over more attacking IPs, so you can see only a low number of connections per IP even while under a DDoS. Look at the total count, the connection states and the number of distinct sources, not just the top talker.
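The one-liners above share two weak spots: they count netstat's two header lines as if they were addresses, and cut -d: -f1 or awk -F: '{print $1}' return garbage for IPv6 or IPv4-mapped (::ffff:a.b.c.d) peers. The shell function below is an added example written for this page, not the original author's command. It reads netstat -ntu output from stdin and prints connections per remote IP, optionally for one state only, stripping the port after the last colon so IPv6 peers survive. The sample netstat output is constructed for the example, using documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the original post): summarize netstat -ntu output
# per remote IP, skipping the header lines and handling IPv6 / IPv4-mapped
# addresses. The SAMPLE below is constructed, not a real capture.

SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51237      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40002        SYN_RECV
tcp        0      0 203.0.113.10:22         192.0.2.99:2222         ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8:ffff::9:6000   ESTABLISHED
tcp6       0      0 ::ffff:203.0.113.10:80  ::ffff:192.0.2.44:40003 ESTABLISHED
udp        0      0 203.0.113.10:53         192.0.2.200:3333        ESTABLISHED'

# conns_by_ip [STATE]
#   Reads netstat output on stdin and prints "count remote-ip", most
#   connections first. With STATE (e.g. SYN_RECV) only rows in that state
#   are counted. NR > 2 skips the two header lines that the cut-based
#   pipelines report as bogus "Address" and "connections" entries.
conns_by_ip() {
    awk -v want="${1:-}" '
        NR > 2 && (want == "" || $6 == want) {
            ip = $5
            sub(/:[^:]*$/, "", ip)      # port follows the LAST colon (IPv6-safe)
            sub(/^::ffff:/, "", ip)     # fold IPv4-mapped IPv6 into plain IPv4
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# count_state STATE: number of sockets in STATE (the SYN_RECV gauge above).
count_state() {
    awk -v want="$1" 'NR > 2 && $6 == want { c++ } END { print c + 0 }'
}

# top_ip: the remote address holding the most connections in any state.
top_ip() {
    conns_by_ip | head -n 1 | awk '{ print $2 }'
}

# Demo on the constructed sample. On a live server replace the printf with
# `netstat -ntu` (or `netstat -ntua` to include listening sockets).
printf '%s\n' "$SAMPLE" | conns_by_ip
printf 'SYN_RECV sockets: %s\n' "$(printf '%s\n' "$SAMPLE" | count_state SYN_RECV)"
```

Piping `netstat -ntu | conns_by_ip SYN_RECV` gives the per-source view of a SYN flood; `conns_by_ip` without an argument is the equivalent of the uniq -c pipelines above. netstat belongs to net-tools, which many distributions no longer install by default; iproute2's ss prints its columns in a different order, so the field numbers here apply to netstat only.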
A denial-of-service (DoS) attack or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users. These attacks generally target sites or services hosted on high-profile web servers such as banks, credit card payment gateways and even root nameservers. They work by forcing the targeted computer to reset, by consuming its resources (CPU, memory, connection table, bandwidth) so that it can no longer provide its services, or by obstructing the communication path between the users and the victim so that they can no longer communicate adequately.

Monday, March 11, 2013

Locations of Common Log Files on cPanel Servers

Apache

Apache is the web server that cPanel typically uses. On cPanel servers Apache writes a rather large number of logs, since each site has its own traffic log.


    /usr/local/apache/logs/access_log

The access_log records HTTP requests to either the hostname of the server, the server's IP addresses, or sites that resolve to the server but are no longer hosted on it.

    /usr/local/apache/logs/error_log

On cPanel servers all Apache errors, regardless of site, are logged in the error_log.

    /usr/local/apache/domlogs

Within the domlogs folder each site on the server has its own log file, named after the fully qualified domain name of the site, e.g. domain.com, liquidweb.com. All HTTP traffic to a site is logged in that file.

Exim

Exim is the MTA (Mail Transfer Agent) that cPanel uses. Exim has three primary logs, but only two of them contain useful information.

    /var/log/exim_mainlog

The exim_mainlog records every interaction Exim handles, both incoming and outgoing mail transactions.

    /var/log/exim_rejectlog

The exim_rejectlog records all connection attempts that were denied. This information is also logged in the exim_mainlog.

For more information on Exim’s logs try a Google search for “Exim Cheat Sheet”.

cPanel

cPanel logs all HTTP traffic to WHM, webmail and cPanel. All cPanel logs are located in the /usr/local/cpanel/logs directory.

    /usr/local/cpanel/logs/access_log

This access_log contains all traffic to WHM, cPanel and webmail over HTTP.

    /usr/local/cpanel/logs/error_log

This error_log contains all errors that occur when accessing a cPanel-related site over HTTP or HTTPS.

FTP

Regardless of the FTP daemon in use, cPanel logs connections, uploads and downloads. However, FTP does not have its own log file; its entries are instead threaded into the system-wide messages log.

    /var/log/messages

All FTP transactions are recorded in messages. They are however interwoven with all the other system messages logged in this file.