Archive for the ‘Network’ Category

How to stop syn attack on linux server

Sunday, December 20th, 2009

The SYN (TCP connection request) attack is a common denial of service (DoS) technique.

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system.

When a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this:

  1. The client requests a connection by sending a SYN (synchronize) message to the server.
  2. The server acknowledges this request by sending SYN-ACK back to the client.
  3. The client responds with an ACK, and the connection is established.

How to check for a SYN attack on the server.

A quick and useful command for checking whether a server is under DDoS:
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

That lists the IPs holding the most connections to the server, busiest last. Keep in mind that DDoS attacks are becoming more sophisticated and now use fewer connections from more attacking IPs; if that is the case you will still see low per-IP connection counts even while you are under a DDoS.

Another very important thing to look at is how many active connections your server is currently processing.

netstat -n | grep :80 |wc -l

netstat -n | grep :80 | grep SYN |wc -l

The first command shows the number of active connections open to your server. Many of the attacks typically seen work by starting a connection to the server and then never replying, so the server is left waiting for it to time out. The number of active connections from the first command will vary widely, but if you are much above 500 you are probably having problems. If the second command returns more than 100, you are dealing with a SYN attack. (Both greps match ":80" anywhere on the line, including remote ports such as :8080, so treat the counts as rough.)
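The same checks done with awk so that only the local-port column is matched, as an added example that is not from the original post; it runs on a constructed netstat -n sample and applies the 500/100 thresholds quoted above.

```shell
#!/bin/sh
# Added example, not from the original post. Matches the *local* address column ($4)
# so remote ports such as 203.0.113.9:8080 are not counted as port-80 sockets.

# Constructed sample of `netstat -n` output (documentation addresses, not a real host).
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.44:33000        SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:8080        TIME_WAIT
tcp        0      0 10.0.0.5:22             203.0.113.9:40002       ESTABLISHED'

# Number of TCP sockets whose local port is $1, in any state (netstat -n on stdin).
count_active() {
  awk -v p="$1" '$1 == "tcp" && $4 ~ (":" p "$")' | wc -l | tr -d ' '
}

# Number of half-open (SYN_RECV) sockets on local port $1.
count_half_open() {
  awk -v p="$1" '$1 == "tcp" && $4 ~ (":" p "$") && $6 == "SYN_RECV"' | wc -l | tr -d ' '
}

# "<count> <ip>" per remote address holding half-open sockets on port $1, busiest first.
top_half_open_sources() {
  awk -v p="$1" '$1 == "tcp" && $4 ~ (":" p "$") && $6 == "SYN_RECV" {
      sub(/:[0-9]+$/, "", $5); print $5 }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Apply the thresholds from the post (100 half-open, 500 active) to a dump on stdin.
syn_verdict() {
  dump=$(cat)
  half=$(printf '%s\n' "$dump" | count_half_open "$1")
  active=$(printf '%s\n' "$dump" | count_active "$1")
  if [ "$half" -gt 100 ]; then echo "SYN_FLOOD"
  elif [ "$active" -gt 500 ]; then echo "OVERLOADED"
  else echo "OK"; fi
}

# Stand-alone run on the sample; on a live host use: netstat -n | count_half_open 80
printf '%s\n' "$SAMPLE" | count_active 80          # 6
printf '%s\n' "$SAMPLE" | count_half_open 80       # 4
printf '%s\n' "$SAMPLE" | top_half_open_sources 80 # 3 198.51.100.7 / 1 192.0.2.44
printf '%s\n' "$SAMPLE" | syn_verdict 80           # OK
```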

Solution:

First enable SYN cookies:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

(this setting does not survive a reboot; add net.ipv4.tcp_syncookies = 1 to /etc/sysctl.conf to make it permanent) and then

add all of these iptables rules, since other attacks using malformed TCP flags may be mixed in:

# Drop packets with no flags set (null scans)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Drop SYN+FIN, SYN+RST and FIN+RST combinations, which never occur in a legitimate handshake
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# Drop FIN, PSH or URG set without ACK; every valid segment after the handshake carries ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

Then save the rules and restart the firewall:

service iptables save
service iptables restart

This should resolve the issue.

find site information

Monday, November 23rd, 2009

How to find domain name (DNS) information:

http://network-tools.com or http://xwhois.com

http://intodns.com/

http://centralops.net/co/

http://www.dnsstuff.com/

http://www.ipmango.com/megadns.php

http://www.dnswatch.info

ERROR: `/root/tmp/pear/pdflib/configure --with-pdflib=/usr/local' failed

Thursday, November 12th, 2009

How to set the /tmp and /var/tmp partitions to UNSECURED.

On a Linux (cPanel) server the /tmp and /var/tmp partitions are mounted secured (noexec,nosuid). That stops some PHP modules, for example "pdflib", from installing on the server: the build fails with "ERROR: `/root/tmp/pear/pdflib/configure --with-pdflib=/usr/local' failed". To install it, temporarily set the /tmp and /var/tmp partitions to UNSECURED, then retry the installation.

You can set them UNSECURED using the following steps (remount options are comma-separated; exec and suid clear the noexec and nosuid flags).

1) [root@server~]$ mount -o remount,rw,exec,suid /tmp

2) [root@server~]$ mount -o remount,rw,exec,suid /var/tmp

You can set them SECURED again using the following steps.

1) [root@server~]$ mount -o remount,noexec,nosuid,rw /tmp

2) [root@server~]$ mount -o remount,noexec,nosuid,rw /var/tmp

Or run cPanel's securetmp script:

1) /scripts/securetmp

Default IP table rules for cPanel server

Wednesday, November 11th, 2009

On a Linux cPanel server you can load this default iptables ruleset, which opens the common service ports and secures the rest (unmatched traffic is logged and dropped).

# Generated by iptables-save v1.2.11
*raw
:PREROUTING ACCEPT [29:2132]
:OUTPUT ACCEPT [20:2224]
COMMIT
# Completed on Fri Feb 10 12:34:10 2006
# Generated by iptables-save v1.2.11 on Fri Feb 10 12:34:10 2006
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Fri Feb 10 12:34:10 2006
# Generated by iptables-save v1.2.11 on Fri Feb 10 12:34:10 2006
*mangle
:PREROUTING ACCEPT [29:2132]
:INPUT ACCEPT [29:2132]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [20:2224]
:POSTROUTING ACCEPT [20:2224]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
# Completed on Fri Feb 10 12:34:10 2006
# Generated by iptables-save v1.2.11 on Fri Feb 10 12:34:10 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_ACCEPT - [0:0]
:LOG_DROP - [0:0]
:icmp_packets - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH --rsource -j LOG --log-prefix "SSH_Brute_Force"
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 26 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 888 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2082 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2083 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2086 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2087 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2095 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2096 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3333 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6277 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6666 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7786 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 24441 -j ACCEPT
-A INPUT -p udp -m udp --sport 6277 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -p icmp -j ACCEPT
-A INPUT -j LOG_DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 7 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mail -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mailman -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 37 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 123 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 873 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 888 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2087 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2089 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2703 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 5432 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6277 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 6277 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 24441 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG_DROP
-A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : " --log-tcp-options --log-ip-options
-A LOG_ACCEPT -j ACCEPT
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-tcp-options --log-ip-options
-A LOG_DROP -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -m limit --limit 10/min --limit-burst 15 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 30 -j ACCEPT
COMMIT
# Completed
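A small reader for the lines that the LOG_ACCEPT, LOG_DROP and SSH brute-force rules above write to the kernel log, added here as an example that is not part of the original post; it runs over constructed /var/log/messages lines with documentation-range addresses. Note that the "SSH_Brute_Force" prefix in the ruleset has no trailing space, so the kernel prints it fused with "IN="; the matcher allows for that.

```shell
#!/bin/sh
# Added example, not from the original post. Summarises iptables LOG output by prefix and source.

# Constructed /var/log/messages excerpt (not captured from a real host).
LOG='Feb 10 12:34:10 web1 kernel: SSH_Brute_ForceIN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=10.0.0.5 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51240 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 10 12:34:11 web1 kernel: SSH_Brute_ForceIN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=10.0.0.5 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51241 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 10 12:35:02 web1 kernel: [IPTABLES DROP] : IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:03:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=40 TTL=48 ID=0 PROTO=TCP SPT=40000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 10 12:35:03 web1 kernel: [IPTABLES DROP] : IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:03:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=40 TTL=48 ID=0 PROTO=TCP SPT=40001 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 10 12:36:00 web1 kernel: [IPTABLES ACCEPT] : IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:04:08:00 SRC=192.0.2.44 DST=10.0.0.5 LEN=60 TTL=60 ID=0 DF PROTO=TCP SPT=50000 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0'

# Print "SRC DPT" for every kernel line whose message starts with prefix $1 (log on stdin).
# Prefix matching is a plain substring test right after "kernel: ", so a prefix with no
# trailing space (SSH_Brute_ForceIN=...) still matches.
log_hits() {
  awk -v pfx="$1" '
    index($0, "kernel: " pfx) {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      print src, dpt
    }'
}

# Count hits per source address for prefix $1, busiest first ("<count> <ip>").
hits_by_src() {
  log_hits "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Stand-alone run on the sample; on a live host: grep kernel /var/log/messages | hits_by_src '[IPTABLES DROP]'
printf '%s\n' "$LOG" | hits_by_src 'SSH_Brute_Force'   # 2 198.51.100.7
printf '%s\n' "$LOG" | hits_by_src '[IPTABLES DROP]'   # 2 203.0.113.9
printf '%s\n' "$LOG" | log_hits '[IPTABLES DROP]'      # 203.0.113.9 3389 / 203.0.113.9 1433
```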

RKHunter Cronjob

Thursday, July 23rd, 2009

RKHunter Cronjob

Ans> To set up a cron job that emails the daily scan report:

pico /etc/cron.daily/rkhunter.sh

Add the following lines to that file:

#!/bin/bash
# Run the rkhunter check in cron mode and mail the full output (stdout and stderr)
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan Report" supp0rt24x7@gmail.com)

chmod +x /etc/cron.daily/rkhunter.sh

Thanks

Change SSH port to some higher port?

Thursday, July 23rd, 2009

Change SSH port to some higher port?

Ans>

pico -w /etc/ssh/sshd_config

Find the line '#Port 22', uncomment it and change it to read 'Port [random high port here]'.

For example, here we change the port from 22 to 322:

Port 322
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Now save the file and restart the ssh service.

Thanks,