DDOS attacks from amazon servers

Today one of our client servers suffered its worst DDoS attack, aimed at the server's main IP. While analyzing it, I found that it was coming from hacked Amazon servers. Because Amazon offers free EC2 servers for 1 year, some people stop caring about them once they have them for free: they do not use them and then forget about them. These servers are easy to hack and can then be used by attackers to attack other servers.

Here is a quick solution for CentOS 7 Linux to deal with these attacks:

1. Access your server over SSH; you can use PuTTY.

2. Once you are logged in with root access, install a network monitoring tool. I found the Trafshow tool very helpful for seeing which IPs are attacking.

3. Install it with:

yum install trafshow -y

If you get a "nothing found" error, install the epel-release repo by executing the following command:

yum install epel-release -y

4. Once Trafshow is installed, you are ready to check incoming requests by IP. Run the following command:

trafshow -i eth0 tcp

where eth0 is the network card; change it to your own network interface. If you're not sure about the network interface, run the following command:

ifconfig

It will return all the interfaces.

5. Once you run the command trafshow -i eth0 tcp, it will display all the connections with their IPs. You can then block them using various techniques. One is to add these IPs to ConfigServer Firewall.

6. Here is the list of Amazon IPs:

https://ip-ranges.amazonaws.com/ip-ranges.json
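
To confirm which of the addresses seen in trafshow really fall inside the published Amazon ranges before blocking anything, the script below (an added example, not part of the original post) matches source IPs against the prefixes and ipv6_prefixes entries of ip-ranges.json. The sample data and addresses are constructed from documentation networks, and load_networks and match_sources are names chosen for this example.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample in the layout of ip-ranges.json (not real AWS data;
# all prefixes are documentation/test networks).
SAMPLE_RANGES = json.loads("""
{
  "prefixes": [
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "EC2"},
    {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1000::/40", "region": "us-east-1", "service": "EC2"}
  ]
}
""")

# Constructed source addresses, as they would be read off the trafshow display.
OBSERVED = ["198.51.100.7", "198.51.100.200", "203.0.113.200",
            "192.0.2.10", "2001:db8:1000::5", "10.1.2.3", "not-an-ip"]

def load_networks(ranges, service="EC2"):
    """Return (network, region) pairs for one service, IPv4 and IPv6."""
    nets = []
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for entry in ranges.get(key, []):
            if entry.get("service") == service:
                nets.append((ipaddress.ip_network(entry[field]), entry["region"]))
    return nets

def match_sources(observed, nets):
    """Map each matching (prefix, region) to the observed addresses inside it."""
    hits = defaultdict(list)
    for text in observed:
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            continue  # skip anything that is not an IP address
        for net, region in nets:
            if addr.version == net.version and addr in net:
                hits[(str(net), region)].append(text)
    return dict(hits)

if __name__ == "__main__":
    found = match_sources(OBSERVED, load_networks(SAMPLE_RANGES))
    for (prefix, region), ips in sorted(found.items()):
        print(f"{prefix}\t{region}\t{', '.join(ips)}")
```

To use it on real data, load the downloaded ip-ranges.json with json.load() in place of SAMPLE_RANGES. Denying only the prefixes that contain observed attackers, rather than every Amazon range, keeps unrelated AWS-hosted services reachable.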


Change directories and files permissions from ssh

Here are the commands to recursively change directory permissions to 755 and file permissions to 644:

To change directory/folder permissions to 755:

$ find /opt/lampp/htdocs -type d -exec chmod 755 {} \;

To change file permissions to 644:

$ find /opt/lampp/htdocs -type f -exec chmod 644 {} \;

Here /opt/lampp/htdocs is the location of the directory. You can use “.” (without the quotes) to scan and change everything under the current directory/folder.

Enabling second level quotas on openVZ/virtuozzo/VPS

Many VPS hosting providers have quota issues with the VPSs they provide to customers, and they regularly get complaints about quotas, especially on cPanel/WHM based servers. cPanel/WHM based servers require file system quotas to be enabled in order to calculate disk space usage for the hosted accounts, so it is very important to fix this issue in order to limit the disk space usage of any hosted account.

If you have an OpenVZ/Virtuozzo VPS, follow the instructions below to enable second-level quota support and get the disk space usage issue sorted.

Let's start fixing this:

Log in over SSH, with root access, to the main node where your VPSs are hosted.

Find the exact ID of the VPS for which you want to enable second-level quotas by executing the command below:

# vzlist

It will list all the online Virtual Private Servers; note the one you want to enable second-level quotas for.

Now execute the following command with the required VPS ID:

# vzctl set VPS_ID --quotaugidlimit NUMBER --save


Enable GeoIP on LiteSpeed web server

This tutorial explains how to install, configure and enable the GeoIP location feature on the LiteSpeed web server.
Note: You can only use this feature with an enterprise license of LiteSpeed web server.

Follow these steps to get it enabled:

First of all, download the GeoIP location database from the official web site (MaxMind):

Log in to your server via SSH with root access and execute the following commands:
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
gunzip GeoLiteCity.dat.gz
# create the target directory if needed, then copy under the file name used in the DB File Path setting below
mkdir -p /usr/local/share/GeoIP
cp GeoLiteCity.dat /usr/local/share/GeoIP/GeoIPCity.dat

Now that you have downloaded the GeoIP location database, the next step is to enable it from the LiteSpeed control panel.

Follow these steps:

LiteSpeed admin console->Server->General
->Enable IP GeoLocation: Yes

LiteSpeed admin console->Server->General
->IP to GeoLocation DB: Add
DB File Path: /usr/local/share/GeoIP/GeoIPCity.dat
DB Cache Type: MemoryCache

The last step is to add a line to the .htaccess file in your hosting account directory (public_html in cPanel):

GeoIPEnable On

You have now configured and enabled the GeoIP location system.

Now test it:
Create a PHP file on your hosting account and paste the code below into it:

<?php
// Values set by the web server when GeoIP lookup is enabled
$countryName = $_SERVER["GEOIP_COUNTRY_NAME"];
$countryCode = $_SERVER["GEOIP_COUNTRY_CODE"];

echo $countryName.'<br />'.$countryCode;
?>

Now open this file in a browser; it should return your country name and country code.

Checking Bash Vulnerability and Fixing it

There has been a critical vulnerability found in Bash. The vulnerability affects Linux/Unix distributions that use or have Bash installed. For additional information on this vulnerability please visit the following link:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

We advise all our clients to keep their servers & software updated constantly to make sure their servers are at minimal risk of potential vulnerabilities. For this particular vulnerability we recommend reading the following links and taking action as soon as possible:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
https://access.redhat.com/articles/1200223

To test if your version of Bash is vulnerable, run the following command:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output of the above command looks as follows:

vulnerable
this is a test

You are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function.

If you run the above example with the patched version of Bash, you should get an output verifying you are not vulnerable:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

To fix this issue, update Bash with the following command:

yum update bash -y

Now check Bash again:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

It should return:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

OR

this is a test