[Hidden-tech] Linux Security Troubleshooting

Robert Heller heller at deepsoft.com
Fri Jun 27 16:12:54 EDT 2014


At Fri, 27 Jun 2014 15:11:34 -0400 Tad Puckett <tadpuck at gmail.com> wrote:

> 
> 
> Going off what I know about the server. It's an older Ubuntu OS. VM is

'older Ubuntu OS' -- it might need updating.  

> hosting the one website. Website is Joomla (Daniel can verify this as I
> forget if it's Joomla or Drupal). 2GB does seem to be fine. At the time I
> looked at the server mem usage was hitting 400MB(ish) out of the 2GB.
> Problem is I haven't worked with Linux in 3+ years so I am a bit out of my
> element.
> Rackspace support mentioned using IP tables to filter out traffic, seems
> like a Firewall device or service would be a better option, but I don't

iptables *IS* a Firewall service (one of the standard ones on Linux machines,
and that actually includes the little WiFi router appliances, most of which
run a version of Linux under the hood).

> know if they even offer a service or not. The website, i would think, needs
> active filtering/web traffic monitoring/AV support in some form or other. I
> know they do a lot of hands-on SPAM filtering/email removal, I'm assuming
> there is something more automated to handle this they could be using.

fail2ban is a software package that automagically 'bans' (firewalls) IP
addresses based on 'bad behaviors', including things like brute force SSH
attacks, brute force attacks on sendmail, and bad bot behavior WRT Apache (or
other webservers).  It works with several firewall systems, including iptables.

> 
> 
> On Fri, Jun 27, 2014 at 2:52 PM, Robert Heller <heller at deepsoft.com> wrote:
> 
> > At Fri, 27 Jun 2014 12:12:34 -0400 Tad Puckett <tadpuck at gmail.com> wrote:
> >
> > >
> > >
> > > Just to clarify exactly what is going on with the mem usage. The server
> > > is allocated for 2GB of physical mem and 4GB swap (virtual mem for Windows
> > > users). The other hosts are all on the same RAID of HDDs. The server is
> > > spiking on mem usage and then tapping into the swap. The I/O usage of
> > > accessing that swap mem is obviously affecting the other servers being
> > > hosted on the RAID. They have no direct access to the server, so they are
> > > under the assumption that there is something malicious running on the
> > > server. I hope that helps somewhat.
> >
> > I presume that this is a virtual machine? How many websites is this VM
> > serving (just this one, not the other VMs)? What kind of website(s)? (static
> > HTML, WordPress, Joomla, Drupal, some other CMS, custom CGI, JSP, or
> > something else).
> >
> > 2GB of memory for a VM providing webservices (including database support
> > for WordPress, Joomla, or Drupal), should be *plenty*. If it is running
> > out, then something is wrong indeed. Not necessarily something 'malicious'
> > running on the server. Something like excessive traffic causing an
> > excessive amount of database accesses. (And the 'excessive traffic' could
> > be a broken spider bot or someone running a DDoS attack or bots probing for
> > security holes.) OR it could be something 'stupid' like a lack of caching
> > -- most CMS systems either natively or via a plugin have database caching
> > options, that can be used to reduce server load (either CPU cycles or
> > memory usage) fetching information from the database.
> >
> > It is also *possible* that you have simply 'outgrown' the 2GB level of
> > memory and may need to 'bite the bullet' and get a higher class of server
> > or if you have multiple websites on this server move some off onto another
> > server.
> >
> >
> > >
> > >
> > > On Thu, Jun 26, 2014 at 2:54 PM, Robert Heller <heller at deepsoft.com> wrote:
> > >
> > > >    ** Be sure to fill out the survey/skills inventory in the member's area.
> > > >    ** If you did, we all thank you.
> > > >
> > > >
> > > >
> > > > There is (at least) one 'legit' spider bot that has known problems: it
> > > > over spiders some sites (seems to go after Joomla for no particularly
> > > > good reason). This can cause various problems both for the Joomla site
> > > > itself and the webserver in general.
> > > >
> > > > And yes, programs like fail2ban can be very useful in dealing with these
> > > > issues.  And it is not always the case that there is an actual
> > > > vulnerability. Sometimes the bots are just probing for the vulnerability
> > > > and sometimes they will keep probing over and over again and sometimes
> > > > excessively aggressively. And this can become an effective DDoS.  And
> > > > yes, the 'legit' spider bot can effectively become a DDoS, probably not
> > > > intentionally: "Never attribute to malice that which is adequately
> > > > explained by stupidity."
> > > >
> > > >
> > > >
> > > > At Thu, 26 Jun 2014 10:57:25 -0400 Charlie Heath <townwebsites at gmail.com> wrote:
> > > >
> > > > >
> > > > > Usually significant and ongoing attacks mean either that your server
> > > > > is high profile in some way, or that it has some vulnerability which
> > > > > bots detect and as long as the vulnerability is not addressed, you'll
> > > > > get added to more and more bot lists.   If it is the latter and
> > > > > assuming you've installed basic server hardening, it is likely that
> > > > > the prevention solution is to secure the website in order to
> > > > > discourage the bots' interest in your website.  That might take a few
> > > > > months but just getting some IP blocking capabilities both on your
> > > > > server (linux) and your website administration (Joomla, if like your
> > > > > incommn website, or whatever other platform this website uses) should
> > > > > be enough to satisfy Rackspace and improve your website's performance
> > > > > until the bots lose interest, unless it is a high profile site that
> > > > > will require more serious resources to resolve.
> > > > >
> > > > > If you're still in need after the 4th, and it is a Joomla or Drupal
> > > > > site, I can take a look-
> > > > >
> > > > > Charlie Heath
> > > > > Town Websites
> > > > >
> > > > >
> > > > > On Wed, Jun 25, 2014 at 3:18 PM, Daniel Lieberman <daniell at incommn.com> wrote:
> > > > >
> > > > > > We’re having a problem with excessive memory use on a cloud server
> > > > > > at Rackspace which hosts a website of ours. The tech support people
> > > > > > at Rackspace suggest that there’s some kind of attack going on, and
> > > > > > we need someone to help us identify and cure the problem(s).
> > > > > >
> > > > > > Anyone with Linux expertise out there interested in taking this on?
> > > > > >
> > > > > > Sincerely yours,
> > > > > >
> > > > > > Daniel Lieberman
> > > > > > InCommN, LLC
> > > > > > 413 489 1818
> > > > > > http://incommn.com
> > > > > >
> > > > > > _______________________________________________
> > > > > > Hidden-discuss mailing list - home page: http://www.hidden-tech.net
> > > > > > Hidden-discuss at lists.hidden-tech.net
> > > > > >
> > > > > > You are receiving this because you are on the Hidden-Tech Discussion list.
> > > > > > If you would like to change your list preferences, Go to the Members
> > > > > > page on the Hidden Tech Web site.
> > > > > > http://www.hidden-tech.net/members
> > > > >
> > > >
> > > > --
> > > > Robert Heller             -- 978-544-6933 / heller at deepsoft.com
> > > > Deepwoods Software        -- http://www.deepsoft.com/
> > > > ()  ascii ribbon campaign -- against html e-mail
> > > > /\  www.asciiribbon.org   -- against proprietary attachments
> > > >
> > >
> > >
> >
> > --
> > Robert Heller             -- 978-544-6933 / heller at deepsoft.com
> > Deepwoods Software        -- http://www.deepsoft.com/
> > ()  ascii ribbon campaign -- against html e-mail
> > /\  www.asciiribbon.org   -- against proprietary attachments
> >
>

-- 
Robert Heller             -- 978-544-6933 / heller at deepsoft.com
Deepwoods Software        -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments
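To make the fail2ban behaviour described in this thread concrete, here is an added example written for this page. It is not fail2ban's own code and not something any participant posted; it reimplements fail2ban's core idea in a few dozen lines: a regex "filter" picks the client IP out of Apache access-log lines that count as bad behaviour (here, 404s against Joomla/WordPress admin paths, and a hypothetical misbehaving spider named ExampleSpider), and an IP is banned once it produces maxretry hits inside a sliding findtime window. The "action" is rendered as the iptables DROP command a ban would insert, returned as a string rather than executed. The log lines, IP addresses and bot name are constructed for the example.

```python
"""fail2ban-style ban decisions over Apache access-log lines (example code)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List

# Apache "combined" log format. Fields we need: client IP, timestamp, request, status, User-Agent.
APACHE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed "bad behaviour" patterns (the role of fail2ban's failregex):
# repeated 404s on CMS admin/login paths look like vulnerability probing,
# and ExampleSpider is a hypothetical bot name standing in for an over-aggressive crawler.
PROBE_PATHS = re.compile(r'^/(administrator|wp-login\.php|xmlrpc\.php)')
BAD_BOTS = re.compile(r'ExampleSpider', re.I)

# Constructed sample log, in chronological order. 203.0.113.7 probes /administrator
# six times in about three minutes; 192.0.2.44 is the bot, hitting the site every 30 minutes;
# 198.51.100.20 is an ordinary visitor; one malformed line is included to show it is skipped.
SAMPLE_LOG = """\
192.0.2.44 - - [27/Jun/2014:09:00:00 -0400] "GET /index.php HTTP/1.1" 200 8192 "-" "ExampleSpider/1.0 (+http://example.com/bot)"
192.0.2.44 - - [27/Jun/2014:09:30:00 -0400] "GET /index.php HTTP/1.1" 200 8192 "-" "ExampleSpider/1.0 (+http://example.com/bot)"
198.51.100.20 - - [27/Jun/2014:09:59:50 -0400] "GET / HTTP/1.1" 200 7310 "-" "Mozilla/5.0"
192.0.2.44 - - [27/Jun/2014:10:00:00 -0400] "GET /index.php HTTP/1.1" 200 8192 "-" "ExampleSpider/1.0 (+http://example.com/bot)"
203.0.113.7 - - [27/Jun/2014:10:00:01 -0400] "GET /administrator/index.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2014:10:00:05 -0400] "GET /administrator/index.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2014:10:00:09 -0400] "GET /administrator/index.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.20 - - [27/Jun/2014:10:00:30 -0400] "GET /index.php?option=com_content HTTP/1.1" 200 9044 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2014:10:01:00 -0400] "POST /administrator/index.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2014:10:02:30 -0400] "GET /administrator/index.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2014:10:03:10 -0400] "GET /administrator/index.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.44 - - [27/Jun/2014:10:30:00 -0400] "GET /index.php HTTP/1.1" 200 8192 "-" "ExampleSpider/1.0 (+http://example.com/bot)"
this is not an apache log line and must be ignored
192.0.2.44 - - [27/Jun/2014:11:00:00 -0400] "GET /index.php HTTP/1.1" 200 8192 "-" "ExampleSpider/1.0 (+http://example.com/bot)"
"""


def line_is_failure(fields: Dict[str, str]) -> bool:
    """Return True when a parsed line counts as one 'failure' (a failregex hit in fail2ban terms)."""
    if BAD_BOTS.search(fields["ua"]):
        return True
    return fields["status"] == "404" and bool(PROBE_PATHS.match(fields["path"]))


def find_bans(lines: List[str], maxretry: int = 5, findtime: int = 600) -> Dict[str, str]:
    """Return {ip: ISO timestamp of the ban} for every IP that accumulates `maxretry`
    failures within any `findtime`-second window. Lines are assumed chronological."""
    hits: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned: Dict[str, str] = {}
    for line in lines:
        m = APACHE_RE.match(line)
        if not m:
            continue  # malformed or foreign line: not evidence of anything
        f = m.groupdict()
        if not line_is_failure(f):
            continue
        ip = f["ip"]
        if ip in banned:
            continue  # already banned; a real firewall would not even see this request
        ts = datetime.strptime(f["ts"], TS_FMT)
        window = hits[ip]
        window.append(ts)
        # Sliding window: forget failures older than findtime seconds relative to this one.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts.isoformat()
    return banned


def iptables_rule(ip: str, chain: str = "INPUT") -> str:
    """Render the DROP rule a ban action would insert; nothing is executed here."""
    return f"iptables -I {chain} -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"{when} ban {ip}: {iptables_rule(ip)}")
```

With the defaults (five failures in ten minutes) only the probing host is banned; the spider never trips the threshold because its hits are thirty minutes apart and the sliding window never holds more than one. Widening findtime to two hours bans it too, which is the knob to turn when the problem is a "legit" but over-aggressive crawler rather than a burst of probes. fail2ban exposes the same parameters as maxretry, findtime and bantime in jail.local, and ships Apache filters (apache-badbots, apache-noscript and others) that play the role of line_is_failure here; the point of this example is only to show what those settings actually decide.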
