DoS: looking at open connections

Here is a command line to run on your server if you think your server is under attack. It prints our a list of open connections to your server and sorts them by ammount.
RedHat: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
BSD: netstat -na |awk '{print $5}' |cut -d "." -f1,2,3,4 |sort |uniq -c |sort -n

You can also check for connections by running the following command.
netstat -plan | grep :80 | awk '{print $4 }' | sort -n | uniq -c | sort
These are few step to be taken when you feel the server is under attack:
-------------------------------------------------------------------------------
Step 1: Check the load using the command "w".
Step 2: Check which service is utilizing maximum CPU by "nice top".
Step 3: Check which IP is taking maximum connection by netstat -anpl|grep :80|awk {'print $5'}|cut -d":" -f1|sort|uniq -c|sort -n
Step 4: Then block the IP using firewall (APF or iptables "apf -d < IP>" )
-------------------------------------------------------------------------------
You can also implement security features in your server like:
1) Install apache modules like mod_dosevasive and mod_security in your server.
2) Configure APF and IPTABLES to reduce the DDOS
3) Basic server securing steps :
===============================
http://www.linuxdevcenter.com/pub/a/linux/2006/03/23/secure-your-server.html?page=1
===============================
4) Configure sysctl parameters in your server to drop attacks.
You can block the IP which is attacking your server using Ipsec from command prompt.
=========
>> netsh ipsec static add filterlist name=myfilterlist
>> netsh ipsec static add filter filterlist=myfilterlist srcaddr=a.b.c.d dstaddr=Me
>> netsh ipsec static add filteraction name=myaction action=block
>> netsh ipsec static add policy name=mypolicy assign=yes
>> netsh ipsec static add rule name=myrule policy=mypolicy filterlist=myfilterlist filteraction=myaction
========
Related Articles

Помог ли вам данный ответ?

 Распечатать статью

Также читают

My server has been blocked by Abuse. What do I do?

Generally the abuse department will not block your server unless one of the following...

URL injections information

URL Injection attacks typically mean the server for which the IP address of the attacker is bound...

Brute Force Detection

BFD -- Brute Force Detection BFD is a shell script which parses security logs and detects...

Chrootkit help

SSH as admin to your server. DO NOT use telnet, it should be disabled anyways.#Change to rootsu...

SPAM

What is Spam? Would you like to... Print this pagePrint this page Email this pageEmail this...