Happy Birthday Apache!
February 23rd, 2010 Category: Linux ServerThe Apache Web Server has a reason to party, it’s 15th anniversary! Powering more than 112 million website. Congratulations!
Read more on Apache Software Foundation Blog.
The Apache Web Server has a reason to party, it’s 15th anniversary! Powering more than 112 million website. Congratulations!
Read more on Apache Software Foundation Blog.
You might want to check the rebuild status of your Linux software RAID e.g. after a disc failure or a hard server crash. As you know this might take several hours, depending on the disc size.
In my case mdadm is used to configure the software RAID and mdadm –detail /dev/md1 can be used to show the rebuild status:
[root@hxxxxxxx ~]# mdadm --detail /dev/md1 /dev/md1: Version : 00.90 Creation Time : Thu Nov 9 18:57:15 2006 Raid Level : raid1 Array Size : 159726144 (152.33 GiB 163.56 GB) Used Dev Size : 159726144 (152.33 GiB 163.56 GB) Raid Devices : 2 Total Devices : 2 Preferred Minor : 1 Persistence : Superblock is persistent Update Time : Sun Feb 14 19:45:21 2010 State : active, resyncing Active Devices : 2 Working Devices : 2 Failed Devices : 0 Spare Devices : 0 Rebuild Status : 31% complete UUID : be29700c:083d0c62:67a9c130:e044323b Events : 0.3626065 Number Major Minor RaidDevice State 0 8 3 0 active sync /dev/sda3 1 8 19 1 active sync /dev/sdb3
In my case 31% of the rebuilt process are finished. We still have to wait a little bit..
Links
You have been looking for a low cost 19″ rack solution for your living room? Then you should check the LackRack homepage. It comes with many tips and tricks for your low cost 19″ living room rack
As written in a previous article Defending Againt SSH Attacks I think it’s really worth trying to install a tool like denyhosts. Since about 5 days denyhosts blocks IP addresses from all over the world every few minutes. In total now more than 550 different blocked IP addresses.
The reason seems that the IP address of my server has been added to a bot network which tries to hack servers using SSH brute force attacks. As far as I know such bot networks are built up with Viruses and Trojans. I think there is no reason why your server may have also been added to such a list, somehow IP addresses seem to added.
But the question is how to defend against such brute force attacks from bot networks?
Known Methods
I think there is one additional easy method to defend against such attacks. Why I think so? Read on..
Another Simple Method
When checking the auth.log we see that the user names of the attacks are taken from a dictionary:
Failed keyboard-interactive/pam for invalid user aderes from 195.xxx.xxx.xx port 39566 ssh2It seems that the bots are not adding digits to the user names. So I think one easy method to defend against such attacks is:
Failed keyboard-interactive/pam for invalid user aderyn from 203.xxx.xxx.xx port 44099 ssh2
Failed keyboard-interactive/pam for invalid user adi from 78.xxx.xxx.xx port 42748 ssh2
Failed keyboard-interactive/pam for invalid user adia from 89. port 51028 ssh2
Failed keyboard-interactive/pam for invalid user adiel from 217. port 33861 ssh2
Failed keyboard-interactive/pam for invalid user adila from 77. port 52867 ssh2
And definitely never ever add a user “admin”. In my logs the user “admin” is always used for brute force attacks:
Failed keyboard-interactive/pam for invalid user admin from 203.xxx.xxx.xx port 39711 ssh2
Failed keyboard-interactive/pam for invalid user admin from 203.xxx.xxx.xx port 55493 ssh2
Failed keyboard-interactive/pam for invalid user admin from 220.xxx.xxx.xx port 34502 ssh2
Failed keyboard-interactive/pam for invalid user admin from 80.xxx.xxx.xx port 51846 ssh2
Failed keyboard-interactive/pam for invalid user admin from 80.xxx.xxx.xx port 53934 ssh2
A real nice and easy to use tool for measuring the network throughput on Linux/Unix as well as Windows is NETIO. You only need to download the binaries from the NETIO homepage, store on your server or clients and execute them.
The example below shows a sample measurement between to servers connected with a 100 MBit ethernet card and located at two different providers.
On one machine NETIO is started as server:
machine1:~/netio/bin# ./linux-i386 -s NETIO - Network Throughput Benchmark, Version 1.26 (C) 1997-2005 Kai Uwe Rommel TCP server listening. UDP server listening. TCP connection established ... Receiving from client, packet size 1k ... Sending to client, packet size 1k ... Receiving from client, packet size 2k ... Sending to client, packet size 2k ... Receiving from client, packet size 4k ... Sending to client, packet size 4k ... Receiving from client, packet size 8k ... Sending to client, packet size 8k ... Receiving from client, packet size 16k ... Sending to client, packet size 16k ... Receiving from client, packet size 32k ... Sending to client, packet size 32k ... Done. TCP server listening.
On the other machine NETIO is called e.g. with -t option for TCP and the name or IP of the other machine:
machine2:~/netio/bin# ./linux-i386 -t machine1.mydomain.de NETIO - Network Throughput Benchmark, Version 1.26 (C) 1997-2005 Kai Uwe Rommel TCP connection established. Packet size 1k bytes: 7309 KByte/s Tx, 7645 KByte/s Rx. Packet size 2k bytes: 7276 KByte/s Tx, 7724 KByte/s Rx. Packet size 4k bytes: 7291 KByte/s Tx, 7737 KByte/s Rx. Packet size 8k bytes: 7276 KByte/s Tx, 7723 KByte/s Rx. Packet size 16k bytes: 7286 KByte/s Tx, 7719 KByte/s Rx. Packet size 32k bytes: 7291 KByte/s Tx, 7725 KByte/s Rx. Done.
We take a rough average of the result can multiply it by 8: 7,5 * 8 = 60 MBit/s. This is a acceptable value for a connection between two servers located at different providers within Germany.
For sure a useful tool! Also check Network Bandwidth Performance Measurement with Iperf
You often transfer huge files over FTP and are annoyed because the connection is sometimes interrupted and file transfer starts from zero? Especially when transferring over a mobile connection with UMTS/HSDPA this might get really really annoying.
To avoid this resume/restart should be enabled in your FTP server, in my case this is proftpd running on Debian Etch. To do this add the following two lines in /etc/proftpd/modules.conf:
AllowStoreRestart on AllowRetrieveRestart on
And restart proftpd “/etc/init.d/proftpd restart”.
Next we need a FTP client which supports resume/restart. I found CoreFTP for Windows is doing a good job here. It remembers every file transfer in a queue so no downloads are lost after a disconnect of your connection. Also it resumes the transfer.
And: The Core FTP Lite version is free for personal, educational and evaluation use.
You are running a Linux server and have no possibility to monitor your traffic monthly, daily, weekly etc? Then you really should try vnstat. I like it because it’s:
For people who don’t like the shell check out the vnstat PHP frontend.
Installation is esay using Debian Etch:
apt-get install vnstat vnstat -u -i eth0
For certain virtual servers you have to use a different ethernet interface than “eth0″, e.g. “venet0″:
vnstat -u -i venet0
That’s all. vnstat will now be executed periodically from cron. Some time passed you can check your traffic, like in the example below.
host:~# vnstat -m eth0 / monthly month rx | tx | total -----------------------+--------------+-------------------------------------- Jan '08 252.40 GB | 4.17 TB | 4.41 TB %::::::::::: Feb '08 140.07 GB | 3.96 TB | 4.10 TB ::::::::::: Mar '08 152.46 GB | 4.21 TB | 4.36 TB :::::::::::: Apr '08 150.35 GB | 4.11 TB | 4.26 TB :::::::::::: May '08 118.78 GB | 3.53 TB | 3.65 TB :::::::::: Jun '08 144.95 GB | 4.54 TB | 4.68 TB ::::::::::::: Jul '08 157.09 GB | 4.91 TB | 5.06 TB :::::::::::::: Aug '08 160.96 GB | 5.01 TB | 5.17 TB ::::::::::::::: Sep '08 172.33 GB | 5.43 TB | 5.60 TB :::::::::::::::: Oct '08 189.69 GB | 6.12 TB | 6.31 TB %::::::::::::::::: Nov '08 190.89 GB | 6.52 TB | 6.71 TB %:::::::::::::::::: Dec '08 209.59 GB | 7.35 TB | 7.55 TB %::::::::::::::::::::: -----------------------+--------------+-------------------------------------- estimated 219.94 GB | 7.71 TB | 7.93 TB
As soon as you put a server online you will recognize many many attempts accessing the SSH port like these one:
Dec 28 06:48:11 hostname sshd[12258]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=somehost.somewhere
Dec 28 06:48:12 hostname sshd[12256]: error: PAM: User not known to the underlying authentication module for illegal user saman from somehost.somewhere
Dec 28 06:48:13 hostname sshd[12256]: Failed keyboard-interactive/pam for invalid user saman from xx.xxx.xx.xxx port 27751 ssh2
Annoying script kids… An easy method to protect at least a little bit against such attacks is a tool called denyhosts. I use it on all my servers because it’s easy to install. denyhosts automatically blocks ssh attacks by adding entries to /etc/hosts.deny.
Using debian Etch installation is really simple:
apt-get install denyhosts
Next edit /etc/denyhosts.conf and change:
PURGE_DENY = 1w PURGE_THRESHOLD = 0
and start the daemon:
/etc/init.d/denyhosts start
That’s all. Sure it’s not a perfect solution which helps for everything, but nevertheless it will increase your security.
All you have to to now is wait and check the /etc/hosts.deny Depending on your configuration denyhosts will automatically delete expired entries.
Useful tips regarding technical stuff for things like Linux, MySQL, apache, PHP, linux server, iPhone and more.