server_administration

Differences

server_administration [2016/05/26 20:37]
sgripon [How to prevent DDOS attack]
server_administration [2016/12/28 12:06] (current)
sgripon [logwatch]
Line 1: Line 1:
-====== Server Administration ======+====== ​Linux Server Administration ======
  
 ~~socialite~~ ~~socialite~~
Line 34: Line 34:
   sudo ufw allow 80   sudo ufw allow 80
   sudo ufw allow 443   sudo ufw allow 443
-===== fail2ban and apf =====+   
 +After that, you can safely enable the firewall:
  
-fail2ban and apf firewall are 2 server tools that automatically ban attackers ip. It is necessary, when installed together, to configure fail2ban to work with apf. Otherwise, there will be a conflict in iptables rules. See http://​askubuntu.com/​questions/​124994/​how-to-set-fail2ban-with-apf for details.+  sudo ufw enable 
 +   
 +To check status:
  
-===== ddos-deflate =====+  sudo ufw status verbose 
 +   
 +Then, to ban an IP: 
 +  sudo ufw deny from yyy.yyy.yyy.yyy 
 +   
 +:!: In fact, it is better to add rules at the beginning of the list, because for iptables and ufw, the first rule matching an IP is applied, and other are ignored. It means that if your deny rule is after a rule allowing a port for all IP, it will be ignored. To do that:
  
-This is a simple script that automatically ban ip when the number of connections exceed what is configuredSee https://​antiddos.eu/​en/​news/​item/​20.+  sudo ufw insert 1 deny from yyy.yyy.yyy.yyy 
 +   
 +===== fail2ban and UFW =====
  
-**Note**: if you have an error "$CONF not found" when running the scriptyou mau change the first line of the script from:+fail2ban is a server deamon that automatically ban attackers ip. To do thatfail2ban reads system logs (especially ///​var/​log/​auth.log//​ and add a rule to block IP adress that try to access illegaly your server. It is usefull to block unwanted ssh access.
  
-  #!/bin/sh +It is necessary, when installed with ufw, to configure fail2ban to work with ufw. Otherwise, there will be a conflict in iptables rules.
-   +
-to:+
  
-  #​!/​bin/​bash +First create a action for ufw in fail2ban configuration:​
-   +
-Same thing in the cron job.+
  
-There is also an issue with cron service nameRaplace ​in the file all occurrences ​of  +<file ini /​etc/​fail2ban/​action.d/​ufw-ssh.conf>​ 
-  service ​crond restart+[Definition] 
 +actionstart = 
 +actionstop = 
 +actioncheck = 
 +actionban = ufw insert 1 deny from <ip> to any app OpenSSH 
 +actionunban = ufw delete deny from <ip> to any app OpenSSH 
 +</​file>​ 
 + 
 +Then activate ssh jail by modifying ///​etc/​fail2ban/​jail.conf//​. I also decided to ban for 1 year attackers:​ 
 + 
 +<code ini> 
 +... 
 + 
 +# Ignore my own IP in order to avoid being locked outside 
 +ignoreip = 127.0.0.1/8 xxx.xxx.xxx.xxx 
 + 
 +# "​bantime"​ is the number ​of seconds that a host is banned. 
 +# 1 year 
 +bantime ​ = 31536000 
 + 
 +# Default banning action 
 +banaction = ufw-ssh 
 + 
 +# Activate ssh jail 
 +[ssh] 
 +enabled ​ = true 
 +port     = ssh 
 +filter ​  = sshd 
 +logpath ​ = /​var/​log/​auth.log 
 +maxretry = 6 
 + 
 +[ssh-ddos] 
 +enabled ​ = true 
 +port     = ssh 
 +filter ​  = sshd-ddos 
 +logpath ​ = /​var/​log/​auth.log 
 +maxretry = 6 
 + 
 +... 
 +</​code>​ 
 + 
 +Finally, reload configuration:​ 
 + 
 +  ​sudo service ​fail2ban ​restart 
 + 
 +===== Under DDOS attack? ===== 
 + 
 +The following command can help you identify ddos attacks and IP adresses which are at the source of the attack: 
 + 
 +  netstat -ntu | awk '​{if(NR>​2)print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
   ​   ​
-with +It will print for each connected IP the count of open connections:​ 
-  ​service ​cron restart+ 
 +      5 xxx.xxx.xxx.xxx 
 +      158 yyy.yyy.yyy.yyy 
 +       
 +Usually when you have a high number of open connections,​ like here for yyy.yyy.yyy.yyy,​ it is probably that this ip tries to DDOS you. That's time to ban it using ufw. 
 +===== nmd ===== 
 + 
 +No More DDOS (nmd) is a simple script that automatically ban ip when the number of connections exceed what is configured. See http://​us.informatiweb-pro.net/​system-admin/​linux/​17--debian-ubuntu-centos-block-ddos-attacks-with-no-more-ddos-formerly-ddos-deflate.html. (By Lionel Eppe) 
 + 
 +I modified a little the script in order to use ufw to ban adresses. Also, there is an issue with the installed cron script: 
 +  ​- The name of the cron script must not contain dot (modify CRON variable in ///​usr/​local/​nmd/​ndm.conf/​agent.conf//​. 
 +  - The second cron command in the file miss the user root 
 + 
 +The good cron script must look like this: 
 + 
 +<file bash /​etc/​cron.d/​nmd>​ 
 +* * * * * root /​usr/​local/​nmd/​nmd-agent.sh >> /​var/​log/​nmd-agent.log 2>&​1 
 +0 0 */7 * 0 root echo  > /​var/​log/​nmd-agent.log 2>&​1 
 +</​file>​
  
 ==== Use IPTables to limit NEW traffic on port 80 and 443 ==== ==== Use IPTables to limit NEW traffic on port 80 and 443 ====
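Review bot: the second nmd cron line `0 0 */7 * 0 root echo  > /var/log/nmd-agent.log 2>&1` restricts both day-of-month (`*/7`) and day-of-week (`0`); cron treats two restricted day fields as an OR, so the log is truncated on the 1st, 8th, 15th, 22nd and 29th of every month and additionally every Sunday. If the intent is once a week, use `0 0 * * 0 root ...`. A second point in the same hunk: the connection-counting pipeline `netstat -ntu | awk '{if(NR>2)print $5}' | cut -d: -f1` breaks for IPv6 peers, whose addresses contain colons, so `cut -d: -f1` keeps only the first hextet and the per-IP counts for those clients are wrong; stripping only the trailing port, e.g. with `sed 's/:[0-9]*$//'` in place of `cut -d: -f1`, gives correct counts for both address families and is worth documenting next to the `ufw insert 1 deny` banning step that depends on those counts.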
Line 104: Line 177:
   ​   ​
 After that, you should be able to login via ssh without the need of the password. After that, you should be able to login via ssh without the need of the password.
 +
 +===== logwatch =====
 +
 +Logwatch can send you a formatted view of system logs every morning by email. It is usefull to check everyday the health of your server.
 +
 +First, copy default config file to change settings:
 +
 +  sudo cp /​usr/​share/​logwatch/​default.conf/​logwatch.conf /​etc/​logwatch/​conf/​
 +
 +Then, to receive by email the report modify the cron job and add --mailto option :
 +
 +<file bash /​etc/​cron.daily/​00logwatch>​
 +#!/bin/bash
 +
 +#Check if removed-but-not-purged
 +test -x /​usr/​share/​logwatch/​scripts/​logwatch.pl || exit 0
 +
 +#execute
 +/​usr/​sbin/​logwatch --output mail --mailto my.email@domain.tld
 +
 +</​file>​
 +
 +===== Slow server diagnostic =====
 +
 +See a very good flow chart to help in slow server cases : http://​blog.scoutapp.com/​articles/​2014/​07/​31/​slow_server_flow_chart
  
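Review bot: the `--mailto my.email@domain.tld` added to `/etc/cron.daily/00logwatch` edits a file installed by the logwatch package, so a package upgrade can overwrite it and silently drop the recipient. Since this hunk already copies the default configuration to `/etc/logwatch/conf/logwatch.conf`, the recipient belongs there (`MailTo = my.email@domain.tld`, together with `Output = mail`), leaving the packaged cron script untouched; the surrounding text should also say whether a working local MTA is assumed, since `--output mail` only hands the report to sendmail.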
server_administration.1464287861.txt.gz · Last modified: 2016/05/26 20:37 by sgripon