DoS: looking at open connections

Here is a command line to run on your server if you think your server is under attack. It prints a list of open connections to your server, grouped by remote IP address and sorted by count.
RedHat: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
BSD: netstat -na |awk '{print $5}' |cut -d "." -f1,2,3,4 |sort |uniq -c |sort -n

You can also check for connections by running the following command.
netstat -plan | grep :80 | awk '{print $4 }' | sort -n | uniq -c | sort
These are a few steps to take when you think the server is under attack:
-------------------------------------------------------------------------------
Step 1: Check the load using the command "w".
Step 2: Check which service is using the most CPU by running "nice top".
Step 3: Check which IP is making the most connections: netstat -anpl | grep :80 | awk '{print $5}' | cut -d":" -f1 | sort | uniq -c | sort -n
Step 4: Then block the IP using the firewall (APF or iptables, e.g. "apf -d <IP>").
-------------------------------------------------------------------------------
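The netstat one-liners above and Step 3 do the same thing: count connections per remote IP. The script below is an added example (not from the original article) that wraps that count in a function, runs it over a constructed netstat sample so it can be checked offline, and strips only the trailing port so IPv6 peers are not mangled the way "cut -d: -f1" would mangle them. On a live server you would pipe "netstat -ntu" into count_by_ip instead of the sample.

```shell
#!/bin/sh
# Constructed sample of "netstat -ntu" output (Linux column layout); in real
# use replace this with the live output of netstat.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:22             198.51.100.2:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.9:33000         ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.9:33001         TIME_WAIT'

# Count connections per remote IP. Reads netstat output on stdin, skips the
# two header lines, strips only the trailing ":port" from the Foreign Address
# column (so IPv6 addresses survive), and prints "count ip", busiest first.
count_by_ip() {
    awk 'NR > 2 { ip = $5; sub(/:[0-9]+$/, "", ip); print ip }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print only the IPs with at least THRESHOLD connections, one per line,
# so an operator can review them before touching the firewall (Step 4).
over_threshold() {
    thr="$1"
    count_by_ip | awk -v t="$thr" '$1 >= t { print $2 }'
}

# Demo run over the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_ip
```

A single IP holding many SYN_RECV entries is the pattern worth looking at first; normal clients rarely accumulate half-open connections.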
You can also implement security features on your server such as:
1) Install Apache modules like mod_dosevasive and mod_security on your server.
2) Configure APF and iptables to reduce the impact of a DDoS.
3) Basic server securing steps :
===============================
http://www.linuxdevcenter.com/pub/a/linux/2006/03/23/secure-your-server.html?page=1
===============================
4) Configure sysctl parameters in your server to drop attacks.
On a Windows server, you can block the IP which is attacking your server using IPsec from the command prompt (replace a.b.c.d with the attacking address):
=========
>> netsh ipsec static add filterlist name=myfilterlist
>> netsh ipsec static add filter filterlist=myfilterlist srcaddr=a.b.c.d dstaddr=Me
>> netsh ipsec static add filteraction name=myaction action=block
>> netsh ipsec static add policy name=mypolicy assign=yes
>> netsh ipsec static add rule name=myrule policy=mypolicy filterlist=myfilterlist filteraction=myaction
========