Thursday, August 14, 2014

DDOS Auto block script CSF


This script can be used with csf to automatically block a client's connections when that client is flooding the server. To use it you must change the deny limit in /etc/csf/csf.conf from 100 to 0, restart csf, and then set this script up.


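#!/bin/bash
#
# Block clients that hold too many connections to this server's port 80.
#
# Counts connections per remote IPv4 address, inserts an iptables DROP rule
# for every address at or above the threshold, appends it to csf.deny, and
# restarts Apache afterwards. Output goes to stdout so cron can append it
# to a log file.

deny_file=/etc/csf/csf.deny
ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
blocked=no      # initialised so the final test never sees an empty operand

while read -r conns ip
do
        # Act only on "<count> <IPv4 address>" lines. Pure IPv6 peers are
        # skipped because the rule below is inserted with iptables (IPv4).
        [[ $conns =~ ^[0-9]+$ ]] || continue
        [[ $ip =~ $ipv4_re ]] || continue

        # Never drop the wildcard address shown for LISTEN sockets, or loopback.
        case "$ip" in
                0.0.0.0|127.*) continue ;;
        esac

        # NOTE(review): no allowlist is consulted here, so a proxy, CDN or
        # monitoring address that legitimately holds many connections will be
        # dropped too; exclude such addresses before running this from cron.
        if [ "$conns" -ge 20 ]
        then
                # Compare against the first field of each csf.deny line. A plain
                # grep treats the dots as wildcards, matches 1.2.3.4 inside
                # 11.2.3.45, and never equals a line that carries a comment,
                # which would add a duplicate rule on every run.
                if ! awk -v ip="$ip" '$1 == ip { found = 1 } END { exit !found }' "$deny_file"
                then
                        echo "blocking $ip with $conns connections"
                        if iptables -I INPUT -s "$ip" -j DROP
                        then
                                echo "$ip" >> "$deny_file"
                        else
                                echo "iptables failed for $ip; not recording it in $deny_file" >&2
                        fi
                fi
                # As in the original, Apache is restarted whenever any address is
                # over the threshold, whether or not it was already listed.
                blocked=yes
        fi
done < <(
        # Count only sockets whose LOCAL address ($4) ends in :80. Matching
        # ':80' anywhere on the line also catches :8080 and outbound
        # connections to remote web servers, which would then be blocked.
        # The port is stripped from the peer address, and an IPv4-mapped
        # "::ffff:" prefix is removed so those clients are counted as IPv4.
        netstat -ant |
        awk '$4 ~ /:80$/ {
                addr = $5
                sub(/:[0-9*]+$/, "", addr)
                sub(/^::ffff:/, "", addr)
                print addr
        }' |
        sort | uniq -c | sort -n
)

if [ "$blocked" == "yes" ]
then
        /etc/init.d/httpd stop
        pkill httpd
        /etc/init.d/httpd start
fi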
Put the script in ~ on the server and add it to the crontab like so:
 */1 * * * * /root/autoblock.sh >> /var/log/autoblock
and change the 20 next to -ge to whatever threshold you would like on port 80

Wednesday, July 30, 2014

Linux Memory Troubleshooting

Empty buffer cache
sync && echo 1 > /proc/sys/vm/drop_caches

Clean up memory of unnecessary things (kernel 2.6.16 or newer). Run sync first to flush useful things out to disk!
To free pagecache:

echo 1 > /proc/sys/vm/drop_caches    

To free dentries and inodes:

echo 2 > /proc/sys/vm/drop_caches

To free pagecache, dentries and inodes:

echo 3 > /proc/sys/vm/drop_caches
########################### < Memory Troubleshooting > ###########################
TOP 10 MEMORY USERS
ps auxk-rss | head -11 | cut -c1-120
MEMORY % VIA SAR
sar -r | grep -v Average | awk '{print $1" "$2" \t%"$5}'
(unset LANG ;sar -r) |awk '$3~/[0-9]/{total=$3+$2; usedbc=$3-($5+$6); pc_used=(100*usedbc)/total;print $0,pc_used} $3!~/[0-9]/{print $0}' | awk '{print $1" - "$11"%"}'
MEMORY % (RHEL 4)
sar -r | tail -n21 | head -n20 | awk '{ printf "%s -- %3.2f%%\n",$1,($3-$5-$6)*100/($3+$2)}'
DAILY MEMORY AVERAGES
sar -r | grep Average: | awk '{print $1" \t"$4"%"}'
for i in `ls -rt /var/log/sa/ | grep -E "sa[0-9][0-9]"`; do echo -ne "$i -- "; sar -r -f /var/log/sa/$i | grep -Ev "Linux|Average|RESTART|kbmemfree|^$" | awk '{ printf "%3.2f\n",($4-$6-$7)*100/($3+$4)}' | awk '{sum+=$1 } END { printf "Average = %3.2f%%\n",sum/NR}'; done
MONTHLY AVERAGES
for i in `ls /var/log/sa/ | egrep 'sa[0-9][0-9]'` ; do sar -f /var/log/sa/$i -r | grep Average | awk '{print $1" "$4"%"}' ; done
sar -r | grep -v Average | awk '{print $1" "$2" \t"$5"%"}';sar -r | grep Average: | awk '{print $1" \t"$4"%"}'
BETTER FREE REPORT
date ; free -mt ; free -m|awk 'NR==2{print "The total % of "Mem" Used: "($3*100)/$2"%"}'
MEMORY SUMMARY
vmstat -s -S M
echo -ne '\n';echo "===========================================";ps -eo user,%cpu,%mem,rsz,args|sort -rnk4|awk 'BEGIN {printf "%s\t%s\t%s\t%s\t%s\n","USER","%CPU","%MEM","RSZ","COMMAND"}{printf "%s\t%g'%'\t%g'%'\t%d MB\t%-10s\n",$1,$2,$3,$4/1024,$5}'|head -n30;echo "===========================================";echo -e "\n===========================================";vmstat -s -S M|head -n10;echo "===========================================";
CACHE CLEARING
sync; echo "2" > /proc/sys/vm/drop_caches; sleep 10; echo "0" > /proc/sys/vm/drop_caches
APACHE MEMORY USAGE
ps -eo rsz,args | grep httpd | awk ' { SUM += $1 } END { print "Memory used by Apache = "SUM/1024 " Megs" "\nNumber of process runing = " NR "\nAverage of each process mem usage = " SUM/1024/NR " Megs"} '
JAVA MEMORY USAGE
ps afux | grep java | grep -Eo "\-Xmx[0-9]+[m|g] "
</code>
More Memory Investigation
free -mt
vmstat -a -S m
ps auxk-rss |head -11
ps auxk-rss |head -11 | awk '{print $1, $4, $11}'

#Memory %
sar -r | grep -v Average | awk '{print $1" "$2" \t%"$5}'
#Memory Average %
sar -r | grep Average: | awk '{print $1" \t"$4"%"}'

#Monthly Averages
for i in `ls /var/log/sa/ | egrep 'sa[0-9][0-9]'` ; do sar -f /var/log/sa/$i -r | grep Average | awk '{print $1" "$4"%"}' ; done

sar -r | grep -v Average | awk '{print $1" "$2" \t"$5"%"}';sar -r | grep Average: | awk '{print $1" \t"$4"%"}'

date ; free -mt ; free -m|awk 'NR==2{print "The total % of "Mem" Used: "($3*100)/$2"%"}'

#Nimbus Memory %
(unset LANG ;sar -r) |awk '$3~/[0-9]/{total=$3+$2; usedbc=$3-($5+$6); pc_used=(100*usedbc)/total;print $0,pc_used} $3!~/[0-9]/{print $0}' | awk '{print $1" - "$11"%"}'

#Nimbus Memory % (RHEL 4)
sar -r | tail -n21 | head -n20 | awk '{ printf "%s -- %3.2f%%\n",$1,($3-$5-$6)*100/($3+$2)}'

#Summary
vmstat -s -S M

#More detailed overview!
slabtop
#push c to sort by highest cache user!

#Cool trick to clear cache!
[root@269179-db2 ~]# sync
[root@269179-db2 ~]# echo "2" > /proc/sys/vm/drop_caches
[root@269179-db2 ~]# sleep 10
[root@269179-db2 ~]# echo "0" > /proc/sys/vm/drop_caches

#Apache memory:
 ps -eo rsz,args | grep httpd | awk ' { SUM += $1 } END { print "Memory used by Apache = "SUM/1024 " Megs" "\nNumber of process runing = " NR "\nAverage of each process mem usage = " SUM/1024/NR " Megs"} '


low memory:
resize;clear;echo;date;echo "Top 10 Processes by MEM %"; vmstat -a -S m|tail -n1|awk \
'BEGIN {FS=" "}{printf "\nAvail\tActive\tTotal\tPercent Avail\n%sMB\t\
%sMB\t%sMB\t%s\n\n",$4+$5,$6,$4+$5+$6,($4+$5)/($4+$5+$6)*100}';ps -eo \
user,%cpu,%mem,rsz,args|sort -rnk4|awk 'BEGIN {printf "%8s %6s %6s \
%8s     %-10s\n","USER","%CPU","%MEM","RSZ","COMMAND"}{printf "%8s %6s \
%6s %8s MB  %-10s\n",$1,$2,$3,$4/1024,$5}'|head -n10; echo ""; echo "== \
Last Half Hour ==";echo; sar -r|head -n3; sar -r|tail -n4;echo; sar -B|\
head -n3; sar -B|tail -n4;echo;echo "== Current 2 Second Intervals ==";\
echo;sar -r 2 5;echo;sar -B 2 5

#Something with memory and sar
for i in `ls -rt /var/log/sa/ | grep -E "sa[0-9][0-9]"`; do echo -ne "$i -- "; sar -r -f /var/log/sa/$i | grep -Ev "Linux|Average|RESTART|kbmemfree|^$" | awk '{ printf "%3.2f\n",($4-$6-$7)*100/($3+$4)}' | awk '{sum+=$1 } END { printf "Average = %3.2f%%\n",sum/NR}'; done
Show whats using SWAP:
sh swapusage.sh | sort -n -k1 | tac | head -n10
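#!/bin/bash
#
# show swap used by processes
#
# Prints "<kB>k<TAB><command line>" for every process that has swap in use,
# largest first. Written without bash-only syntax so it also runs under sh.
for smaps in /proc/[0-9]*/smaps; do
  # A process can exit between glob expansion and the read; skip it quietly.
  [ -r "$smaps" ] || continue
  # "total + 0" makes awk print 0 rather than an empty string when no
  # Swap: line matches.
  swapused=$(awk '/^Swap:/ { total += $2 } END { print total + 0 }' "$smaps" 2>/dev/null) || continue
  # Guard the numeric test below against empty or non-numeric output.
  case "$swapused" in
    '' | *[!0-9]*) continue ;;
  esac
  if [ "$swapused" -gt 0 ]; then
    # cmdline is NUL-separated; turn the separators into spaces for display.
    cmdline=$(tr '\0' ' ' < "${smaps%/smaps}/cmdline" 2>/dev/null)
    printf '%sk\t%s\n' "$swapused" "$cmdline"
  fi
done | sort -nr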
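#!/bin/bash
# Get current swap usage for all running processes
# Erik Ljungstrom 27/05/2011
#
# Prints one "PID=... - Swap used: ... - (name )" line per process directory
# under /proc, followed by the overall total.
SUM=0
OVERALL=0
for DIR in /proc/[0-9]*/ ; do
  PID=${DIR#/proc/}
  PID=${PID%/}
  PROGNAME=$(ps -p "$PID" -o comm --no-headers)
  # Anchor on "Swap:" so that a "SwapPss:" line, where smaps has one, is not
  # added on top of it (a bare "grep Swap" matches both).
  SUM=$(awk '/^Swap:/ { total += $2 } END { print total + 0 }' "${DIR}smaps" 2>/dev/null)
  # smaps may be unreadable or the process may be gone; count that as 0.
  SUM=${SUM:-0}
  echo "PID=$PID - Swap used: $SUM - ($PROGNAME )"
  OVERALL=$((OVERALL + SUM))
done
echo "Overall swap used: $OVERALL"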
Pipe thru this for only swap using procs:
| egrep -v "Swap used: 0" |sort -n -k 5
Swap one liner:
SUM=0; OVERALL=0; for DIR in `find /proc/ -maxdepth 1 -type d | egrep "^/proc/[0-9]"` ; do PID=`echo $DIR | cut -d / -f 3

Server monitoring script :)

Script to find abusive users on the server

~~~~~~~~~~~

OUT=$(/usr/local/cpanel/bin/dcpumonview | grep -v Top  | sed -e 's#<[^>]*># #g' | while read i ; do NF=`echo $i | awk {'print NF'}` ; if [[ "$NF" == "5" ]] ; then USER=`echo $i | awk {'print $1'}`; OWNER=`grep -e "^OWNER=" /var/cpanel/users/$USER | cut -d= -f2` ; echo "$OWNER $i"; fi ; done) ; (echo "USER CPU" ; echo "$OUT" | sort -nrk4 | awk '{printf "%s %s%\n",$2,$4}' | head -5) | column -t ;echo;(echo -e "USER MEMORY" ; echo "$OUT" | sort -nrk5 | awk '{printf "%s %s%\n",$2,$5}' | head -5) | column -t ;echo;(echo -e "USER MYSQL" ; echo "$OUT" | sort -nrk6 |
awk '{printf "%s %s%\n",$2,$6}' | head -5) | column -t ;

~~~~~~~~~~~

Finding connections to the server

netstat -pltuna | awk '$6=="LISTEN"{sub(/^.*:+/,"",$4);sub(/^[[:digit:]]+\//,"",$7);idx=sprintf("%s:%05d",$1,$4);ary[idx]=$7;} $6~"^(ESTABLISHED|SYN_RECV|FIN_WAIT2|UNKNOWN)$"{sub(/^.*:(:ffff:)?/,"",$4);sub(/:[[:digit:]]+$/,"",$5);sub(/^::ffff:/,"",$5);idx=sprintf("%s:%05d@%s",$1,$4,$5);cons[idx]++;}END{LIMITS["def"]=30;LIMITS[21]=8;LIMITS[25]=5;LIMITS[26]=5;LIMITS[465]=5;LIMITS[587]=5;CL_NML="\033[0m";CL_WTE="\033[1;37m";CL_GRN="\033[0;32m";CL_YLW="\033[1;36m";CL_RED="\033[1;5;31;22;47m";n=asorti(ary,src);for(i=1;i<=n;i++){split(src[i],meh,/:/);sub(/^0*/,"",meh[2]);print CL_WTE ary[src[i]] CL_NML " " CL_GRN "(" meh[1] ":" meh[2] ")" CL_NML ":";delete nastyhack;for (q in cons){split(q,splt,/@/);if(match(splt[1],src[i])){fmtstr=sprintf("%010d %s",cons[q],splt[2]);nastyhack[fmtstr]=fmtstr;}}r=asort(nastyhack);zerocount=match(nastyhack[r],/[^0]/);for (m=1;m<=r;m++){nastyhack[m]=substr(nastyhack[m],zerocount);split(nastyhack[m],brg,/ /);printf CL_YLW brg[1] CL_NML " ";port=meh[2];if(!(port in LIMITS)) port="def";if (brg[1]>LIMITS[port]) printf CL_RED;print brg[2] CL_NML;}}}'



Blocking Ips DDOS

 ~~~~~~~~~~~~

grep "Port Flood" /var/log/messages | grep "Jul 17" | awk '{ print $12 }' | cut -d = -f2 | sort | uniq -c | sort -n > /root/testflood

    cat /root/testflood

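    # Each line of /root/testflood is "<count> <ip>" as written by uniq -c above.
    while read -r number ip; do
      # Skip lines whose count is not a plain number or whose second field is
      # not an IPv4 address, so nothing unexpected is handed to csf.
      case "$number" in
        '' | *[!0-9]*) continue ;;
      esac
      [[ $ip =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || continue
      if [ "$number" -gt 500 ]; then
        csf -d "$ip" "Wp attack"
      fi
    done < /root/testflood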

~~~~~~~~~~~~


Sunday, August 11, 2013

Login failed because your username or password was entered incorrectly


Login failed because your username or password was entered incorrectly >> Horde
Roundcube: connection to storage server failed

It may be that the dovecot index files were created by an older version of dovecot and don't fully work with the new version.
To resolve that issue, simply delete all dovecot index files; dovecot will re-create them when it notices they're missing.

You should test this on one User first, before doing it on all Users.
Also, backup the dovecot* files of the test User first (shouldn't be required, but not a bad thing to do)

Fix 

====
cd /home
/etc/init.d/dovecot stop
rm -f */imap/*/*/Maildir/dovecot*
rm -f */imap/*/*/Maildir/.*/dovecot*
rm -f */Maildir/dovecot*
rm -f */Maildir/.*/dovecot*
/etc/init.d/dovecot restart
====
Dovecot will recreate the dovecot* files once the User logs in.

Saturday, August 3, 2013

Got blank page when accessing RVSkin.



1. Please force update using this command.

rm -f /usr/local/cpanel/Cpanel/rvversion
perl /root/rvadmin/auto_rvskin.pl

2. Go to root WHM >> Server Configuration >> Tweak Settings >> System >> Accounts that can access a cPanel user account, and mark at "Root, Account-Owner, and cPanel User"

If it still does not work, please SSH to your server and run the following commands.

cd /usr/lib/perl5/site_perl
ln -s 5.8.8 5.6.2

Cool Fix !!! :D

RVSkin Installation

Once we have informed you that your license has been activated on the server just run this command to install.

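# The archive is fetched over plain HTTP and the installer then runs as root; nothing in this command verifies the download.
# Chaining with && stops at the first failed step, so a failed or partial download is never unpacked or executed.
mkdir -p /root/rvadmin && cd /root/rvadmin && wget http://download.rvglobalsoft.com/download.php/download/rvskin-auto/saveto/rvauto.tar.bz2 && bunzip2 -d rvauto.tar.bz2 && tar -xvf rvauto.tar && perl /root/rvadmin/auto_rvskin.pl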

Install ConfigServer Apps On A cPanel/WHM Server


*Install ConfigServer Security & Firewall
*Install ConfigServer Mail Manage
*Install ConfigServer Mail Queues
*Install ConfigServer ModSecurity Control
*Install ConfigServer Explorer
*Install  ConfigServer eXploit Scanner (Licenced)

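NOTE: All of the installations below require you to be logged into SSH as root. Each archive is downloaded over plain HTTP and its installer then runs as root, so check the download against a vendor-published checksum or signature, where one exists, before running it.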

=========
Install ConfigServer Security & Firewall

rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Remove installation files:

cd ..
rm -Rfv csf/ csf.tgz
=========

**Install ConfigServer Mail Manage

=========
rm -fv cmm.tgz
wget http://www.configserver.com/free/cmm.tgz
tar -xzf cmm.tgz
cd cmm
sh install.sh

Remove installation files:

cd ..
rm -Rfv cmm/ cmm.tgz

To uninstall:

rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmm.cgi
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmmversion.txt
rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmm/
=========

**Install ConfigServer Mail Queues

rm -fv cmq.tgz
wget http://www.configserver.com/free/cmq.tgz
tar -xzf cmq.tgz
cd cmq
sh install.sh

Remove installation files:

cd ..
rm -Rfv cmq/ cmq.tgz

To uninstall:

rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmq.cgi
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmqversion.txt
rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmq/
=========

**Install ConfigServer ModSecurity Control

rm -fv cmc.tgz
wget http://www.configserver.com/free/cmc.tgz
tar -xzf cmc.tgz
cd cmc
sh install.sh

Remove installation files:

cd ..
rm -Rfv cmc/ cmc.tgz

To uninstall:

rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmc.cgi
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmcversion.txt
rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmc/
=========

**Install ConfigServer Explorer

rm -fv cse.tgz
wget http://www.configserver.com/free/cse.tgz
tar -xzf cse.tgz
cd cse
sh install.sh

Remove installation files:

cd ..
rm -Rfv cse/ cse.tgz

To uninstall:

rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cse.cgi
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cseversion.txt

==========

ConfigServer eXploit Scanner

Once we have informed you that your license has been activated, you can install cxs. First  perform the following in a root shell on your server via SSH:

wget http://www.configserver.com/free/cxsinstaller.tgz
tar -xzf cxsinstaller.tgz
perl cxsinstaller.pl
rm -fv cxsinstaller.*
==========