Remove IPtables rules from rescue system

Hey, this article explains how you can remove IPtables rules if they are blocking access to the server. This usually happens if you wrongly configured IPtables or got any port blocked mistakenly like SSH port. Following the below steps to get it fixed.

Operating System : These steps are tested on Centos 6, however not tested on other operating systems.

Steps:

  1. Boot your server into rescue system. (If you cannot boot it you can ask your server provider to do this for you.)
  2. Login to rescue system via SSH and then:
    1. List hard disk partitions:
      1. run:
      2. # fdisk -l
      3. Output will be like:
      4. Device    Boot     Start       End    Blocks  Id System/dev/sda1 *         2048   1026047    512000  83 Linux/dev/sda2        1026048 234436607 116705280  8e Linux LVM/dev/sda3      234436608 234440703      2048  83 LinuxDisk /dev/mapper/vg-root: 102.6 GiB, 110125645824 bytes, 215089152 sectorsUnits: sectors of 1 * 512 = 512 bytesSector size (logical/physical): 512 bytes / 512 bytesI/O size (minimum/optimal): 512 bytes / 512 bytesDisk /dev/mapper/vg-tmp: 1 GiB, 1073741824 bytes, 2097152 sectorsUnits: sectors of 1 * 512 = 512 bytesSector size (logical/physical): 512 bytes / 512 bytesI/O size (minimum/optimal): 512 bytes / 512 bytes
      5. This is your root partition : Disk /dev/mapper/vg-root: 102.6 GiB
      6. Now mount this partition on /mnt point:
        # mount /dev/mapper/vg-root /mnt
      7. Nothing will be shown if above command succeeds.
      8. Now navigate to the sysconfig directory where iptables rules are saved:
        # cd /mnt/etc/sysconfig
      9. There is file called iptables which stores all the iptables rules. You just have to rename it:
        # mv iptables iptables-old
        # mv iptables.save iptables.save-old
      10. Now you have changed iptables rules and ready to reboot your system into original operating system, but you need to unmount the partition as follows:
      11. # cd
      12. Read More

DDOS attacks from amazon servers

Well today one of our client server had worst ddos attack against server main IP. While analyzing i found it is coming from amazon hacked servers. As amazon is offering free ec2 servers for 1 year so some of people don’t care about it after getting it as free. They do not use it and forget it after getting it. These servers are easy to get hacked and then can be used to attack other servers by hackers.

Here is the quick solution for linux centos 7 to deal with these attacks:

1. Access your server from ssh, you can use putty

2. Once you logged in with root access you have to install network monitoring tool, i found Trafshow tool very help full to see what IPs are attacking.

3. Install it with :

yum install trafshow -y

if you get nothing found error, just install epel-release repo by executing following command:

yum install epel-release -y

4. Once you install Trafshow, now you are ready to check incoming requests from IPs. Run following below command:

trafshow -i eth0 tcp

where eth0 is network card, you need to change it with your network interface. if you’re not sure about network interface, run following command:

ifconfig

It will return all the interfaces.

5. Once you run command trafshow -i eht0 tcp it will display all the connections with IPs. Here you can block them by various techniques. One is to add these IPs in config Server Firewall.

6. Here is the list of amazon IPs:

https://ip-ranges.amazonaws.com/ip-ranges.json

Read More

Check active connections to web server – DDOS solution

Here are few commands to check the active connection to apache or to any other web server, you can block IPs having too many connections :

Login to SSH and execute following commands with root access:

1.To see what IPs are connecting to server and how many connections exist from each IP:

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

2.To see how many connections each IP on the server is receiving:

netstat -plan |grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -n

3.Get total current active connections to Apache:

netstat -apn | grep :80 | wc -l

Get Apache status update from command line to see which domain is receiving maximum hits (cPanel/WHM server):

lynx http://localhost/whm-server-status

Read More

DDOS attacks on XMLRPC.php (Fixed)

wordpressXMLRPC.php is php file included with wordpress installation, it allows posting of content remotely through supported web blogs to wordpress blog, it provide many other features as well having many pros and cons. As far as web site security is concerned XMLRPC.php file is famous among hackers and attackers.

Most of the wordpress blogs get hits by attackers on XMLRPC.php usually called DDOS attacks. During the attack XMLRPC.php gets many requests and that makes web site goes down with excessive usage of allocated resources. Some web hosting providers suspend those accounts for high resource usage issues. Read More

Checking Bash Vulnerability and Fixing it

There has been a critical vulnerability found in Bash. The vulnerability affects Linux/Unix distributions that use or have Bash installed. For additional information on this vulnerability please visit the following link:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

We advise all our clients to keep their servers & software updated constantly to make sure their servers are at minimal risk of potential vulnerabilities. For this particular vulnerability we recommend reading the following links and taking action as soon as possible:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
https://access.redhat.com/articles/1200223

To test if your version of Bash is vulnerable, run the following command:

$ env x='() ; echo vulnerable' bash -c "echo this is a test"

If the output of the above command looks as follows:

vulnerable
this is a test

You are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function.

If you run the above example with the patched version of Bash, you should get an output verifying you are not vulnerable:

$ env x='() ; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

To fix this issue just update your bash by following command:

yum update bash -y

Now check bash again:

$ env x='() ; echo vulnerable' bash -c "echo this is a test"

It should return :

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

OR

this is a test