server_administration

Differences

This shows you the differences between two versions of the page.

server_administration [2016/05/26 21:19]
sgripon [fail2ban and UFW]
server_administration [2016/12/28 12:06] (current)
sgripon [logwatch]
Line 1: Line 1:
-====== Server Administration ======+====== ​Linux Server Administration ======
  
 ~~socialite~~ ~~socialite~~
Line 108: Line 108:
 The following command can help you identify ddos attacks and IP adresses which are at the source of the attack: The following command can help you identify ddos attacks and IP adresses which are at the source of the attack:
  
-  netstat -ntu | awk '​{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n+  netstat -ntu | awk '{if(NR>2)print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
   ​   ​
 It will print for each connected IP the count of open connections:​ It will print for each connected IP the count of open connections:​
  
-      1 local 
       5 xxx.xxx.xxx.xxx       5 xxx.xxx.xxx.xxx
       158 yyy.yyy.yyy.yyy       158 yyy.yyy.yyy.yyy
       ​       ​
-Usually when you have a high number of open connection, like here for yyy.yyy.yyy.yyy,​ it is probably that this ip tries to DDOS you. That's time to ban it using ufw. +Usually when you have a high number of open connections, like here for yyy.yyy.yyy.yyy,​ it is probably that this ip tries to DDOS you. That's time to ban it using ufw. 
-===== ddos-deflate ​=====+===== nmd =====
  
-This is a simple script that automatically ban ip when the number of connections exceed what is configured. See https://antiddos.eu/en/news/item/20.+No More DDOS (nmd) is a simple script that automatically ban ip when the number of connections exceed what is configured. See http://us.informatiweb-pro.net/system-admin/linux/17--debian-ubuntu-centos-block-ddos-attacks-with-no-more-ddos-formerly-ddos-deflate.html(By Lionel Eppe)
  
-**Note**: if you have an error "$CONF not found" when running ​the script, ​you mau change ​the first line of the script ​from:+I modified a little ​the script ​in order to use ufw to ban adresses. Alsothere is an issue with the installed cron script: 
 +  - The name of the cron script ​must not contain dot (modify CRON variable in ///​usr/​local/​nmd/​ndm.conf/​agent.conf//​. 
 +  - The second cron command in the file miss the user root
  
-  #!/bin/sh +The good cron script must look like this:
-   +
-to:+
  
-  #!/bin/bash +<file bash /etc/cron.d/nmd> 
-   +* * * * * root /​usr/​local/​nmd/​nmd-agent.sh >> /​var/​log/​nmd-agent.log 2>&1 
-Same thing in the cron job+0 0 */7 * 0 root echo  > /​var/​log/​nmd-agent.log 2>&1 
- +</​file>​
-There is also an issue with cron service nameRaplace in the file all occurrences of  +
-  ​service crond restart +
-   +
-with +
-  service cron restart+
  
 ==== Use IPTables to limit NEW traffic on port 80 and 443 ==== ==== Use IPTables to limit NEW traffic on port 80 and 443 ====
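Review bot: The second line of the new /etc/cron.d/nmd file, `0 0 */7 * 0 root echo > /var/log/nmd-agent.log 2>&1`, restricts both the day-of-month field (`*/7`) and the day-of-week field (`0`), so the log is not truncated on a plain weekly schedule. Depending on how cron combines the two fields, it fires either only on Sundays that fall on the 1st, 8th, 15th, 22nd or 29th, or on those dates plus every Sunday. If weekly truncation is what is wanted, `0 0 * * 0` says so directly, or the file can be handed to logrotate. In the first bullet, the path `/usr/local/nmd/ndm.conf/agent.conf` spells the directory `ndm.conf` while every other path in the hunk uses `nmd`, and the opening parenthesis is never closed; please confirm the path. The text also says the script was modified to use ufw, but the modification itself is not shown, so a reader installing from the linked page gets a different script from the one described, run as root every minute.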
Line 183: Line 177:
   ​   ​
 After that, you should be able to login via ssh without the need of the password. After that, you should be able to login via ssh without the need of the password.
 +
 +===== logwatch =====
 +
 +Logwatch can send you a formatted view of system logs every morning by email. It is usefull to check everyday the health of your server.
 +
 +First, copy default config file to change settings:
 +
 +  sudo cp /​usr/​share/​logwatch/​default.conf/​logwatch.conf /​etc/​logwatch/​conf/​
 +
 +Then, to receive by email the report modify the cron job and add --mailto option :
 +
 +<file bash /​etc/​cron.daily/​00logwatch>​
 +#!/bin/bash
 +
 +#Check if removed-but-not-purged
 +test -x /​usr/​share/​logwatch/​scripts/​logwatch.pl || exit 0
 +
 +#execute
 +/​usr/​sbin/​logwatch --output mail --mailto my.email@domain.tld
 +
 +</​file>​
 +
 +===== Slow server diagnostic =====
 +
 +See a very good flow chart to help in slow server cases : http://​blog.scoutapp.com/​articles/​2014/​07/​31/​slow_server_flow_chart
  
 **Share this page:** **Share this page:**
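Review bot: The added logwatch section copies logwatch.conf to /etc/logwatch/conf/ "to change settings" but never edits the copy; the recipient is instead hard-coded in /etc/cron.daily/00logwatch with `--output mail --mailto my.email@domain.tld`. Setting `Output = mail` and `MailTo` in the copied logwatch.conf would give the copy step a purpose and leave the cron script, which the package ships (see its removed-but-not-purged check), unmodified. It is also worth stating in the text that the daily report carries log detail from the server to that mailbox, so the address should be one the administrator controls.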
server_administration.1464290399.txt.gz · Last modified: 2016/05/26 21:19 by sgripon