FREE

First of all lets learn how to find out what is chocking or gobbling up the server resource. You can get the memory usage by issuing the command “free -m”

root@spark [~]# free -m

             total       used       free     shared    buffers     cached

Mem:          4051       3052        999          0        249       1294

-/+ buffers/cache:       1508       2543

Swap:         4000          1       3999

The top row ‘used’ (3052) value will almost always nearly match the top row mem value (4051). Since Linux likes to use any spare memory to cache disk blocks (1294).

The key figure to look at is the buffers/cache row used value (1508). This is how much space your applications are currently using. For best performance, this number should be less than your total (4051) memory.

VMSTAT

vmstat helps you to see, among other things, if your server is swapping. Take a look at the following run of vmstat doing a one second refresh for two iterations.

root@spark [~]# vmstat 1 2

procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----

 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa

 0  0   1172 1689332 333588 663092    0    0    19   113    1     2  3  1 95  1

 0  0   1172 1690320 332920 663100    0    0   352   256  355   681  5  3 91  2

The first row shows your server averages. The si (swap in) and so (swap out) columns show if you have been swapping (i.e. needing to dip into ‘virtual’ memory) in order to run your server’s applications. The si/so numbers should be 0 (or close to it). Numbers in the hundreds or thousands indicate your server is swapping heavily. This consumes a lot of CPU and other server resources and you would get a very significant benefit from adding more memory to your server.

Some other columns of interest: The r (runnable) b (blocked) and w (waiting) columns help see your server load. Waiting processes are swapped out. Blocked processes are typically waiting on I/O. The runnable column is the number of processes trying to something. These numbers combine to form the ‘load’ value on your server. Typically you want the load value to be one or less per CPU in your server.

The bi (bytes in) and bo (bytes out) column show disk I/O (including swapping memory to/from disk) on your server.
The us (user), sy (system) and id (idle) show the amount of CPU your server is using. The higher the idle value, the better.

PS

This command is used to know all the processes running in the server. It can be also used to find out process which is using most of the memory and cpu.

To find out top 3 memory consuming processes.

ps -auxf | sort -nr -k 4 | head -3

To find out top 3 cpu consuming processes

ps -auxf | sort -nr -k 3 | head -3

TOP

Say the system is slow and you want to find out who is gobbling up all the CPU and/or memory. To display the top processes, you use the command top.

Note that unlike other commands, top does not produce an output and sits still. It refreshes the screen to display new information. So, if you just issue top and leave the screen up, the most current information is always up. Top runs until you press “q” to quit top.

$ top

18:46:13  up 11 days, 21:50,  5 users,  load average: 0.11, 0.19, 0.18

151 processes: 147 sleeping, 4 running, 0 zombie, 0 stopped

CPU states:  cpu    user    nice  system    irq  softirq  iowait    idle

           total   12.5%    0.0%    6.7%   0.0%     0.0%    5.3%   75.2%

Mem:  1026912k av,  999548k used,   27364k free,       0k shrd,  116104k buff

                    758312k actv,  145904k in_d,   16192k in_c

Swap: 2041192k av,  122224k used, 1918968k free                  590140k cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND

  451 spark    15   0  6044 4928  4216 S     0.1  0.4   0:20   0 tnslsnr

 8991 spark    15   0  1248 1248   896 R     0.1  0.1   0:00   0 top

    1 root      19   0   440  400   372 S     0.0  0.0   0:04   0 init

    2 root      15   0     0    0     0 SW    0.0  0.0   0:00   0 keventd

    3 root      15   0     0    0     0 SW    0.0  0.0   0:00   0 kapmd

    4 root      34  19     0    0     0 SWN   0.0  0.0   0:00   0 ksoftirqd/0

    7 root      15   0     0    0     0 SW    0.0  0.0   0:01   0 bdflush

    5 root      15   0     0    0     0 SW    0.0  0.0   0:33   0 kswapd

    6 root      15   0     0    0     0 SW    0.0  0.0   0:14   0 kscand

    8 root      15   0     0    0     0 SW    0.0  0.0   0:00   0 kupdated

    9 root      25   0     0    0     0 SW    0.0  0.0   0:00   0 mdrecoveryd

... output snipped ...

Let’s examine the different types of information produced.

The first line:

18:46:13  up 11 days, 21:50,  5 users,  load average: 0.11, 0.19, 0.18

shows the current time (18:46:13), that system has been up for 11 days; that the system has been working for 21 hours 50 seconds. The load average of the system is shown (0.11, 0.19, 0.18) for the last 1, 5 and 15 minutes respectively. (By the way, you can also get this information by issuing the uptime command.)

If the load average is not required, press the letter “l” (lowercase L); it will turn it off. To turn it back on press l again. The second line: 151 processes: 147 sleeping, 4 running, 0 zombie, 0 stopped shows the number of processes, running, sleeping, etc. The third and fourth lines:

CPU states:  cpu    user    nice  system    irq  softirq  iowait    idle

           total   12.5%    0.0%    6.7%   0.0%     0.0%    5.3%   75.2%

show the CPU utilization details. The above line shows that user processes consume 12.5% and system consumes 6.7%. The user processes include the Oracle processes. Press “t” to turn these three lines off and on. If there are more than one CPU, you will see one line per CPU.

The next two lines:

Mem: 1026912k av, 1000688k used, 26224k free, 0k shrd, 113624k buff

758668k actv, 146872k in_d, 14460k in_c Swap: 2041192k av, 122476k

used, 1918716k free 591776k cached

show the memory available and utilized. Total memory is “1026912k av”, approximately 1GB, of which only 26224k or 26MB is free. The swap space is 2GB; but it’s almost not used. To turn it off and on, press “m”.

The rest of the display shows the processes in a tabular format. Here is the explanation of the columns:

Column Description

PID The process ID of the process

USER The user running the process

PRI The priority of the process

NI The nice value: The higher the value, the lower the priority of the task

SIZE Memory used by this process (code+data+stack)

RSS The physical memory used by this process

SHARE The shared memory used by this process

STAT

The status of this process, shown in code. Some major status codes are:

R Running

S Sleeping

Z Zombie

T Stopped

You can also see second and third characters, which indicate:

W Swapped out process

N positive nice value

%CPU The percentage of CPU used by this process

%MEM The percentage of memory used by this process

TIME The total CPU time used by this process

CPU If this is a multi-processor system, this column indicates the ID of the CPU this process is running on.

COMMAND The command issued by this process

While the top is being displayed, you can press a few keys to format the display as you like. Pressing the uppercase M key sorts the output by memory usage. (Note that using lowercase m will turn the memory summary lines on or off at the top of the display.) This is very useful when you want to find out who is consuming the memory. Here is sample output:

PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND

31903 spark    15   0 75760  72M 72508 S     0.0  7.2   0:01   0 ora_smon_PRODB2

31909 spark    15   0 68944  66M 64572 S     0.0  6.6   0:03   0 ora_mmon_PRODB2

31897 spark    15   0 53788  49M 48652 S     0.0  4.9   0:00   0 ora_dbw0_PRODB2

Now that you learned how to interpret the output, let’s see how to use command line parameters.

The most useful is -d, which indicates the delay between the screen refreshes. To refresh every second, use top -d 1.

The other useful option is -p. If you want to monitor only a few processes, not all, you can specify only those after the -p option. To monitor processes 13609, 13608 and 13554, issue: top -p 13609 -p 13608 -p 13554
This will show results in the same format as the top command, but only those specific processes.

SKILL & SNICE

From the previous discussion you learned how to identify a CPU consuming resource. What if you find that a process is consuming a lot of CPU and memory, but you don’t want to kill it? Consider the top output below:

$ top -c -p 16514

23:00:44  up 12 days,  2:04,  4 users,  load average: 0.47, 0.35, 0.31

1 processes: 1 sleeping, 0 running, 0 zombie, 0 stopped

CPU states:  cpu    user    nice  system    irq  softirq  iowait    idle

           total    0.0%    0.6%    8.7%   2.2%     0.0%   88.3%    0.0%

Mem:  1026912k av, 1010476k used,   16436k free,       0k shrd,   52128k buff

                    766724k actv,  143128k in_d,   14264k in_c

Swap: 2041192k av,   83160k used, 1958032k free                  799432k cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND

16514 spark    19   4 28796  26M 20252 D N   7.0  2.5   0:03   0 sparkPRODB2...

Now that you confirmed the process 16514 is consuming a lot of memory, you can “freeze” it but not kill it using the skill command.

$ skill -STOP 1
After this, check the top output:
23:01:11  up 12 days,  2:05,  4 users,  load average: 1.20, 0.54, 0.38

1 processes: 0 sleeping, 0 running, 0 zombie, 1 stopped

CPU states:  cpu    user    nice  system    irq  softirq  iowait    idle

           total    2.3%    0.0%    0.3%   0.0%     0.0%    2.3%   94.8%

Mem:  1026912k av, 1008756k used,   18156k free,       0k shrd,    3976k buff

                    770024k actv,  143496k in_d,   12876k in_c

Swap: 2041192k av,   83152k used, 1958040k free                  851200k cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND

16514 spark    19   4 28796  26M 20252 T N   0.0  2.5   0:04   0 sparkPRODB2...

The CPU is now 94% idle from 0%. The process is effectively frozen. After some time, you may want to revive the process from coma:

$ skill -CONT 16514

This approach is immensely useful for temporarily freezing processes to make room for more important processes to complete.

The command is very versatile. If you want to stop all processes of the user “spark”, only one command does it all:

$ skill -STOP spark>

You can use a user, a PID, a command or terminal id as argument. The following stops all rman commands.

$ skill -STOP rman

As you can see, skill decides that argument you entered a process ID, userid, or command and acts appropriately. This may cause an issue in some cases, where you may have a user and a command in the same name. The best example is the “spark” process, which is typically run by the user “spark”. So, when you want to stop the process called “spark” and you issue:

$ skill -STOP spark

all the processes of user “spark” stop, including the session you may be on. To be completely unambiguous you can optionally give a new parameter to specify the type of the parameter. To stop a command called spark, you can give:

$ skill -STOP -c spark

The command snice is similar. Instead of stopping a process it makes its priority a lower one. First, check the top output:

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND

    3 root      15   0     0    0     0 RW    0.0  0.0   0:00   0 kapmd

13680 spark    15   0 11336  10M  8820 T     0.0  1.0   0:00   0 spark

13683 spark    15   0  9972 9608  7788 T     0.0  0.9   0:00   0 spark

13686 spark    15   0  9860 9496  7676 T     0.0  0.9   0:00   0 spark

13689 spark    15   0 10004 9640  7820 T     0.0  0.9   0:00   0 spark

13695 spark    15   0  9984 9620  7800 T     0.0  0.9   0:00   0 spark

13698 spark    15   0 10064 9700  7884 T     0.0  0.9   0:00   0 spark

13701 spark    15   0 22204  21M 16940 T     0.0  2.1   0:00   0 spark

Now, drop the priority of the processes of “spark” by four points. Note that the higher the number, the lower the priority.

$ snice +4 -u spark
  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND

16894 spark    20   4 38904  32M 26248 D N   5.5  3.2   0:01   0 spark

Note how the NI column (for nice values) is now 4 and the priority is now set to 20, instead of 15. This is quite useful in reducing priorities.

Now lets get over to trace the process and manipulate it.

lsof

The command lsof shows a list of processes attached to open files or network ports. List processes attached to a given file: lsof filenmame

List all open files on system:
lsof

(Long list)

List all files opened by user:

The commands netstat -punta and socklist will list open network connections. Use the command lsof -i TCP:port-number to see the processes attached to the port.

root@spark [~]# lsof -i TCP:25 COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME exim 11350 mailnull 4u IPv4 1226820346 TCP 201.201.203.43:smtp->esp222.neoplus.adsl.tpnet.pl:2466 (ESTABLISHED) exim 11350 mailnull 5u IPv4 1226820346 TCP 201.201.203.43:smtp->esp222.neoplus.adsl.tpnet.pl:2466 (ESTABLISHED) exim 11811 mailnull 4u IPv4 1226830746 TCP 201.201.203.43:smtp->ANantes-151-1-39-245.w83-195.abo.wanadoo.fr:627 31 (ESTABLISHED) exim 11811 mailnull 5u IPv4 1226830746 TCP 201.201.203.43:smtp->ANantes-151-1-39-245.w83-195.abo.wanadoo.fr:627 31 (ESTABLISHED) exim 14135 mailnull 4u IPv4 1226855434 TCP 201.201.203.43:smtp->125.115.215.112:3653 (ESTABLISHED) exim 14135 mailnull 5u IPv4 1226855434 TCP 201.201.203.43:smtp->125.115.215.112:3653 (ESTABLISHED)

To kill the processes

kill

killall

This will perform an orderly shutdown of the process. If it hangs give a stronger signal with:

kill -9 .

This method is not as sanitary and thus less preferred.

A signal may be given to the process. The program must be programmed to handle the given signal. See /usr/include/bits/signum.h for a full list.

To restart a process after updating it’s configuration file, issue the command

kill -HUP

The process attached to an open file can be killed using the command fuser:

fuser -ki filename

Prince Joseph Articles, linux linux commands

Here we will be covering some steps to take to help protect servers from common attacks

Main Topics
Local security measures
Protecting against common remote attacks
Having and following a Security Policy
Make sure existing users have decent pass words

Crack your own users’ passwords using JTR, crack. Preferably run the crackers on a dedicated machine, not the server, due to load

Crack your own users’ passwords using JTR, crack Preferably run the crackers on a dedicated machine, not the server, due to load
Turning off unrequired daemons in

    Check /etc/xinetd.conf

    Check /etc/xinetd.d/*

Common ones are cupsd (printing daemon nfs/statd (unless using nfs mounted FS)

gpm and xfs services

Find locally running processes

Often script kiddies will launch backdoor scripts on the server using vulnerable php scripts,bad clients or hacked accounts will be used to launch IRC bots / bouncers

`ps auxww`

`lsof -n`

Try to find processes hidden by a rootkit, such as

mpid=`sysctl kernel.pid_max | cut -d " " -f 3`; for i in

`seq 1 $mpid`; do test -f /proc/$i/cmdline && (echo -n

"[$i] "; strings /proc/$i/cmdline; echo); done

Login Access

Setting login access definitions

/etc/login.defs

­    Expire passwords after PASS_MAX_DAYS

     Set minimum password length to PASS_MIN_LEN

     Set number of days before pass expires to send reminder with PASS_WARN_AGE

There are more options that are well documented in the default file
/etc/hosts.allow and /etc/hosts.deny

Suggest to use firewall instead as it will protect all services, not just the ones written to obey the rules set in the hosts.* files

Shell limits

Setting resource limits for shell accounts Set in /etc/security/limits.conf Protect against fork bombs and out of control applications, scripts.Will want to start out very lax, make stricter after testing with current settings; as need arises

Example settings:

    @users     hard  nofile 500

    @users     hard  cpu 30

    @users     hard  nproc 150

    @users     soft  nproc 100

    @users     hard  rss 50000

    @users     maxlogins 3

    nobody     hard  nofile 16384

Permissions

Find all world writable files and directories

find / \( -perm -a+w \) ! -type l >> world_writable.txt

reveals target locations an attacker can use to store their file fixing bad perms breaks some poorly written php/cgi scripts leave (/var)/tmp alone, secure it with /scripts/securetmp

Find all setuid/gid files

find / \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \; >> suid_files.txt

Many files need these elevated permissions, do not “fix” without knowing exactly how it will affect the system. sudo, su, mount, traceroute, etc

 Find all files with no owner/group
    find / -nouser -o -nogroup

Mount Points

Use "nosuid" option when mounting /tmp and /home

Consider "noexec" on /tmp after cPanel installation

Use /scripts/securetmp to have /tmp be mounted nosuid,noexec on a temporary file

IDS / Basic Forensics

Tripwire

Monitors checksums of files, reports when they have changed. A good way of helping ensure files are not replaced by rootkits/trojans/etc

Commercial : http://www.tripwire.com

OSS Branch: http://sourceforge.net/projects/tripwire

Chkrootkit

http://www.chkrootkit.org

Scans system for common signs of rootkits, backdoors, lkm, etc.

Rkhunter

http://www.rootkit.nl/projects/rootkit_hunter.html

Same as chkrootkit

Logwatch

http://www.logwatch.org

Scans through logs and emails a daily report of system activity

Remote Attacks
Bound ports

Find out what programs are listening on what ports

netstat -nap

Backdoor scripts/irc apps are usually launched from a writable directory, /tmp or in the user’s directory. Most will bind to a port and wait for connections, some will “call home” in an attempt to get around P/NAT firewalling

‘/proc’ tunables
tcp syn cookies
Helps protect against SYN flood DoS attacks

sysctl -w net.ipv4.tcp_syncookies=1

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Firewalling

ipchains/iptables

Suggest using APF or similar if not familiar with iptables for ease of use and quality protection

Be sure to enable all the ports cPanel requires:

http://faq.cpanel.net/show.cgi?qa=108499296901804

Apache

Most all attacks are against poorly coded web-based applications php makes poor programming easy to pull off, most target scripts are written in php Backdoors, shell imitation scripts, etc can be launched to give full shell access to the server, even if the account has no shell access itself

Enable openbase_dir protection in WHM

This will stop some scripts from accessing other user accounts.

Enable suexec for perl scripts, phpsuexec for php scripts

This allows tracking of scripts and forces them to run as the user of the account, rather that the “nobody” user.

Enforces sane permissions and environment, such as not running if world writable, or in a world writable directory Greatly helps when tracking exploited scripts used by spammers

Keeps users from doing stuff like

system("killall -11 httpd");
enable "safe_mode" for php

Edit the relevant php.ini

php -i |grep php.ini

safe_mode = On

Edit “disable_functions” for php

disable_functions = exec, shell_exec, system, passthru,popen,virtual, show_source, readfile, pclose

Using mod_security

Can be installed in WHM in the addons section.
Main website at http://www.modsecurity.org/

General Policy

Give users a jailshell rather than a fullfledged shell Have clients use sftp, scp, smtp+ssl, pop+ssl, https://site.tld/cpanel whenever possible to avoid plain text passwords Use SSHv2 only, as SSHv1 is decryptable on the fly. Change root/admin passwords frequently using a mix of upper/lowercase letters, num- bers and symbols Constantly monitor logs.

Prince Joseph Articles, Controlpanel cpanel security