iptables -F
iptables -X
iptables -N ATTACKED
iptables -N ATTK_CHECK
iptables -N SYN_FLOOD
iptables -A INPUT -p tcp ! –syn -m state –state NEW -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp –tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp –tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp –syn -j SYN_FLOOD
iptables -A SYN_FLOOD -p tcp –syn -m hashlimit –hashlimit 100/sec –hashlimit-burst 3 –hashlimit-htable-expire 3600 –hashlimit-mode srcip –hashlimit-name synflood -j ACCEPT
iptables -A SYN_FLOOD -j ATTK_CHECK
iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m tcp –dport 80 -m recent –update –seconds 1800 –name BANNED –rsource -j DROP
iptables -A INPUT -p tcp -m tcp –dport 80 -m state –state NEW -j ATTK_CHECK
iptables -A ATTACKED -m limit –limit 5/min -j LOG –log-prefix “IPTABLES (Rule ATTACKED): ” –log-level 7
iptables -A ATTACKED -m recent –set –name BANNED –rsource -j DROP
iptables -A ATTK_CHECK -m recent –set –name ATTK
iptables -A ATTK_CHECK -m recent –update –seconds 180 –hitcount 20 –name ATTK –rsource -j ATTACKED
iptables -A ATTK_CHECK -m recent –update –seconds 60 –hitcount 6 –name ATTK –rsource -j ATTACKED
iptables -A ATTK_CHECK -j ACCEPT
Monthly Archives: December 2013
about modsecurity
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave’s SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
ip forwarding
cat /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=1
echo 1 > /proc/sys/net/ipv4/ip_forward
Or permanently:
/etc/sysctl.conf:
net.ipv4.ip_forward = 1
modsecurity for nginx
yum install gcc make automake autoconf libtool
yum install pcre pcre-devel libxml2 libxml2-devel curl curl-devel httpd-devel
From source:
mod_security:
./configure –enable-standalone-module
make
make install
or GIT:
git clone https://github.com/SpiderLabs/ModSecurity.git mod_security
cd mod_security
./autogen.sh
./configure –enable-standalone-module
make
nginx:
./configure –add-module=../mod_security/nginx/modsecurity
make
make install
ModSecurity configuration nginx.conf:
server {
listen 80;
server_name localhost;
location / {
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
}
}
custom rules for mod_security applied to different directories in your website, you can create new mod_security.conf:
location /secured {
ModSecurityConfig modsecurity3.conf;
proxy_pass http://secured.mysite.com/;
proxy_read_timeout 180s;
}
turn off mod_security for one directory:
location /unsecured/ {
ModSecurityEnabled off;
proxy_pass http://unsecured.mysite.com/;
proxy_read_timeout 180s;
}
service nginx restart
pt-tcp-model
pt-tcp-model – Transform tcpdump into metrics that permit performance and scalability modeling.
pt-tcp-model [OPTION…] [FILE]
pt-tcp-model parses and analyzes tcpdump files. With no FILE, or when FILE is -, it read standard input.
Dump TCP requests and responses to a file, capturing only the packet headers to avoid dropped packets, and ignoring any packets without a payload (such as ack-only packets). Capture port 3306 (MySQL database traffic). Note that to avoid line breaking in terminals and man pages, the TCP filtering expression that follows has a line break at the end of the second line; you should omit this from your tcpdump command.
tcpdump -s 384 -i any -nnq -tttt \
‘tcp port 3306 and (((ip[2:2] – ((ip[0]&0xf)<<2))
- ((tcp[12]&0xf0)>>2)) != 0)’ \
> /path/to/tcp-file.txt
Extract individual response times, sorted by end time:
pt-tcp-model /path/to/tcp-file.txt > requests.txt
Sort the result by arrival time, for input to the next step:
sort -n -k1,1 requests.txt > sorted.txt
Slice the result into 10-second intervals and emit throughput, concurrency, and response time metrics for each interval:
pt-tcp-model –type=requests –run-time=10 sorted.txt > sliced.txt
Transform the result for modeling with Aspersa’s usl tool, discarding the first and last line of each file if you specify multiple files (the first and last line are normally incomplete observation periods and are aberrant):
for f in sliced.txt; do
tail -n +2 “$f” | head -n -1 | awk ‘{print $2, $3, $7/$4}’
done > usl-input.txt
verify that the VIBs are installed on your ESXi host
esxcli software vib list
suphp – softexception UID is smaller than min_uid
chown -R user.user /home/user/public_html
VMware Installation Bundle
VMware uses a file package called a VIB (VMware Installation Bundle) as the mechanism for installing or upgrading software packages, drivers on an ESX server.
The file may be installed directly on an ESX server from the command line or we can deploy using VMware update manager. Here I am going to mention about the command line method of doing the upgrade.
Install or update a patch/driver on the host using these esxcli commands:
COMMAND LINE INSTALLATION
New Installation
For new installs, you should perform the following steps, Issue the following command (full path to the file must be specified):
esxcli software vib install -v {VIBFILE} or esxcli software vib install -d {OFFLINE_BUNDLE}
Upgrade Installation
The upgrade process is similar to a new install, except the command that should be issued is the following:
esxcli software vib update –v {VIBFILE} or esxcli software vib update -d {OFFLINE_BUNDLE}
Notes:
To install or update a .zip file, use the -d option. To install or update a .vib file use the -v option.
The install method has the possibility of overwriting existing drivers. If you are using 3rd party ESXi images, VMware recommends using the update method to prevent an unbootable state.
Depending on the certificate used to sign the VIB, you may need to change the host acceptance level. To do this, use the following command: esxcli software acceptance:
esxcli software acceptance set –level=
sort text file by column
sort -k2 -n text_file.txt
It will sort by 2 column.
e1000e base driver for Gigabit Intel
The e1000e driver supports PCI Express Gigabit Network Connections except the 82575, 82576, 82580, and I350.
The Linux base drivers support the 2.4.x and 2.6.x kernels. These drivers includes support for Itanium® 2-based systems.
These drivers are only supported as a loadable module. Intel is not supplying patches against the kernel source to allow for static linking of the drivers. For questions related to hardware requirements, refer to the documentation supplied with your Intel Gigabit adapter. All hardware requirements listed apply to use with Linux.
The following features are now available in supported kernels:
Native VLANs
Channel Bonding (teaming)
SNMP
tar zxf e1000e*
cd e1000e-*
make install
will be installed to:
/lib/modules/
modprobe e1000e insmod e1000e
insmod /lib/modules/
reload old e1000e driver:
rmmod e1000e; modprobe e1000e
darkstat
Captures network traffic, calculates statistics about usage, and serves reports over HTTP.
Features:
Traffic graphs, reports per host, shows ports for each host.
Embedded web-server with deflate compression.
Asynchronous reverse DNS resolution using a child process.
Small. Portable. Single-threaded. Efficient.
Supports IPv6
configuring PHP and suEXEC command line suphp
Usage: /usr/local/cpanel/bin/rebuild_phpconf [–dryrun] [–no-restart] [–no-htaccess]
[–current|–available]
–dryrun : Only display the changes that would be made
–no-restart : Don’t restart Apache after updating the php.conf link
–no-htaccess : Don’t update user configurable PHP mime mapping.
–current : Show current settings
–available : Show available handlers and PHP SAPIs
: Version of PHP to set as default handler for .php files
<PHP# Handler> : Type of Apache module to use in serving PHP requests
: enabled, disabled, 1 or 0
/usr/local/cpanel/bin/rebuild_phpconf 5 cgi cgi 1
access VMware ESXi console
Alt-F1
esxcli commands
Show ESXi version and build:
esxcli system version get
vmware -v
Enter Maintenance Mode:
esxcli system maintenanceMode set –enable yes
Exit maintenance Mode:
esxcli system maintenanceMode set –enable no
List only advanced settings that have been changed from the system defaults:
esxcli system settings advanced list –d
List only kernel settings that have been changed from the system defaults:
esxcli system settings kernel list –d
List / Change / Test SNMP:
esxcli system snmp get | hash | set | test
List VMs on the ESXi server with the World ID
esxcli vm process list
Kill a VM
esxcli vm process kill –t soft -w WorldID
Install updates and drivers on a ESXi host (make sure the ESXI host is MaintenanceMode)
esxcli software vib install -d /vmfs/volumes/VMFS01/patches/nameoftheupdate.zip
List physical NICs and connection state
esxcli network nic list
List network information for the VM
esxcli network vm list
List the devices currently controlled by the VMware NMP Multipath Plugin and show the SATP and PSP information associated with that device
esxcli storage nmp device list
List VAAI properties for devices currently registered with the PSA.
esxcli storage core device vaai status get
Change the default pathing policy to Round Robin
esxcli storage nmp satp set –default-psp VMW_PSP_RR –satp youre_satp_policy
ESXi obtain network interface cards
esxcfg-nics -l