Restrict the number of parallel connections to a server
connlimit
Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).
[!] --connlimit-above n
Match if the number of existing connections is (not) above n.
--connlimit-mask prefix_length
Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32. For IPv6, between 0 and 128.
Examples:
# allow 2 telnet connections per client host
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
# you can also match the other way around:
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
# limit the number of parallel HTTP requests to 16 per class C sized source network (24 bit netmask)
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT
# limit the number of parallel HTTP requests to 16 for the link local network (ipv6)
ip6tables -A INPUT -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT
Using iptables to block incoming traffic but not affect outgoing traffic.
Solution:
iptables -F INPUT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT
The second command permits incoming packets only if they belong to connections this host opened itself (state ESTABLISHED); everything else, including any new inbound session such as SSH, is refused by the final REJECT. Note that -F INPUT discards every existing rule in the chain first, so run this from a console rather than over a remote session you still need. Use --state ESTABLISHED,RELATED if related traffic such as ICMP error messages or FTP data connections should be accepted as well.
Using iptables to reject spoofing.
If you have a Linux machine acting as a firewall for an internal network 192.168.0.0/24 with two network interfaces, a packet claiming an internal source address must never arrive on the external interface, so refuse it there:
Solution:
iptables -A INPUT -i external_interface -s 192.168.0.0/24 -j REJECT
Replace external_interface with the real interface name (for example eth0), and add the same rule to the FORWARD chain if the machine routes traffic for the internal hosts, since packets passing through the firewall never traverse INPUT.
* The Linux firewall can refuse packets in two manners; iptables calls them DROP and REJECT. DROP silently discards the packet, while REJECT also sends an error back to the source address. For spoofed packets DROP is the better choice, because the reply would be sent to the forged address.
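The three recipes above (connlimit on an exposed service, accepting only replies to connections this host opened, and refusing internal source addresses on the external interface) combined into one reviewable ruleset, as an added example that is not from the original page or the iptables man page. The interface name, network, ports, limits and the file names firewall.sh and rules.v4 are assumptions. It uses the conntrack match (the current spelling of -m state), DROPs spoofed packets so no reply goes to the forged source, and orders the rules so that established flows are never counted against the per-service limits.

```shell
#!/bin/sh
# Added example, not from the original page: build an iptables-restore ruleset
# that combines stateful "replies only" filtering, anti-spoofing on the external
# interface and connlimit on exposed TCP services. Interface names, networks,
# ports and limits are assumptions; review the output, then load it with
#   iptables-restore < rules.v4

# validate_mask FAMILY PREFIX: succeed if PREFIX is a legal --connlimit-mask
# (0-32 for ipv4, 0-128 for ipv6). Rejects empty and non-numeric input.
validate_mask() {
    family=$1
    prefix=$2
    case $prefix in
        '' | *[!0-9]*) return 1 ;;
    esac
    if [ "$family" = ipv6 ]; then max=128; else max=32; fi
    [ "$prefix" -le "$max" ]
}

# connlimit_rule PORT LIMIT MASK: print one INPUT rule that refuses a new TCP
# connection to PORT once the client's /MASK group already holds LIMIT of them.
# --syn restricts the match to connection attempts; a TCP reset is sent so the
# client fails fast instead of retransmitting a dropped SYN.
connlimit_rule() {
    port=$1
    limit=$2
    mask=$3
    validate_mask ipv4 "$mask" || { echo "connlimit_rule: bad mask $mask" >&2; return 1; }
    printf '%s\n' "-A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above $limit --connlimit-mask $mask -j REJECT --reject-with tcp-reset"
}

# build_ruleset EXT_IF INT_NET: print the whole filter table in iptables-restore
# format. Order matters: anti-spoofing first, then the stateful accept so that
# established flows never reach the per-service limits, then limits before accepts.
build_ruleset() {
    ext_if=$1
    int_net=$2
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # policy backstop if the final REJECT is ever removed
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'   # outgoing traffic is not affected
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Anti-spoofing: internal source addresses never legitimately arrive on the
    # external interface. DROP rather than REJECT, so no reply reaches the forged source.
    printf '%s\n' "-A INPUT -i $ext_if -s $int_net -j DROP"
    printf '%s\n' "-A FORWARD -i $ext_if -s $int_net -j DROP"
    # Replies to connections this host opened, plus related traffic (ICMP errors,
    # FTP data), are accepted; packets that fit no known connection are dropped.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Per-client limits on the services we expose, evaluated before the accepts.
    connlimit_rule 22 3 32    # at most 3 SSH sessions per client address
    connlimit_rule 80 16 24   # at most 16 HTTP connections per /24 source network
    printf '%s\n' '-A INPUT -p tcp --syn --dport 22 -j ACCEPT'
    printf '%s\n' '-A INPUT -p tcp --syn --dport 80 -j ACCEPT'
    # Everything else is refused, as in the "block incoming" recipe.
    printf '%s\n' '-A INPUT -j REJECT'
    printf '%s\n' 'COMMIT'
}

# Usage: sh firewall.sh eth0 192.168.0.0/24 > rules.v4
if [ "$#" -ge 2 ]; then
    build_ruleset "$1" "$2"
fi
```

Generating the table and loading it atomically with iptables-restore avoids the window a sequence of individual iptables commands leaves open (and the "flush first" step that locks you out of a remote session); keep a copy of the previous ruleset with iptables-save before loading a new one.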
Hardening PHP
Run as the user instead of "nobody". You can run PHP as the user who owns the site (as CGI scripts do with Apache's suexec), so a compromised script only gets that user's privileges rather than those of the shared web server account.
Enable suPHP
PHP scripts are executed by the user who owns the VirtualHost serving the request.
Use hardening tools like Suhosin.
Remove Insecure Scripts
Apache directives like php_value are not valid for mod_suphp. Instead, place a php.ini file in the directory containing the PHP script and specify these values in it.
For PHP scripts to execute, permissions of 0400 are sufficient. Scripts are run as the user who owns the VirtualHost, and as long as this user has permission to write to a file or directory, PHP scripts will also be able to do so, so keep writable directories (uploads, caches) separate from the script directories. mod_suphp performs various security checks before executing PHP scripts (for example on script ownership and on world- or group-writable scripts and directories). Most can be disabled in the mod_suphp configuration file at /opt/suphp/etc/suphp.conf, but they exist precisely to stop another account on the host from planting or editing code that then runs as the site owner, so leave them enabled.
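The per-directory php.ini and the permission rule from the two paragraphs above, as an added example that is not from the original page or the suPHP project: a small script that writes a hardened php.ini next to the scripts and audits every .php file for group- or world-write bits. The directive values, the docroot layout and the /tmp entry in open_basedir are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original page or suPHP: write the per-directory
# php.ini that mod_suphp honours in place of php_value directives, and audit
# script permissions against the "0400 is sufficient" rule. Directive values
# and the docroot layout are assumptions.

# write_php_ini DIR DOCROOT: write a hardened php.ini into DIR (the directory
# holding the PHP scripts). open_basedir is fenced to DOCROOT plus /tmp.
write_php_ini() {
    dir=$1
    docroot=$2
    cat > "$dir/php.ini" <<EOF
; per-directory php.ini read by mod_suphp; php_value in httpd.conf is ignored
expose_php = Off
display_errors = Off
log_errors = On
allow_url_fopen = Off
allow_url_include = Off
enable_dl = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
open_basedir = $docroot:/tmp
session.cookie_httponly = 1
EOF
}

# check_script_perms FILE: succeed when FILE exists and is not writable by group
# or others. Under suPHP the script runs as its owner, so 0400 already works;
# group/world write bits would let another account on the host edit the code.
check_script_perms() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU stat, then BSD stat
    case $mode in
        *[2367]?) return 1 ;;   # group write bit set
        *[2367])  return 1 ;;   # other write bit set
    esac
    return 0
}

# audit_tree DIR: list every .php file under DIR that fails the check on stderr;
# succeed only if none does.
audit_tree() {
    bad=$(find "$1" -name '*.php' -type f | while IFS= read -r f; do
              check_script_perms "$f" || printf '%s\n' "$f"
          done)
    [ -z "$bad" ] && return 0
    printf 'writable by group/others:\n%s\n' "$bad" >&2
    return 1
}

# Usage: sh harden-php.sh /var/www/example.com/htdocs
if [ "$#" -ge 1 ]; then
    write_php_ini "$1" "${2:-$1}"
    audit_tree "$1"
fi
```

Run the audit from cron or after each deployment; a non-zero exit is the signal that someone (or some deploy tool) left scripts writable by accounts other than the site owner.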
Rootcheck is an open source rootkit detection and system auditing software.
How to use it
Download from :
http://www.ossec.net/rootcheck/files/rootcheck-2.0.tar.gz
* rootcheck requires the Perl module IO::Interface.
Rootcheck is very simple software: unpack it, compile it and execute it. It scans the system and reports whether it found anything.
wget http://www.ossec.net/rootcheck/files/rootcheck-2.0.tar.gz
tar -zxvf rootcheck-2.0.tar.gz
cd rootcheck-2.0
make all
./ossec-rootcheck
Rootkit detection
Attackers want to hide their actions; with rootkit detection you are notified when they (or trojans, viruses, etc.) modify your system in this way.
Active response
Take immediate and automatic responses when something happens. Why wait for hours when you can alert your admin and block an attack right away?
How to scan the system
Rootcheck is extremely useful open source software for servers, since it scans the server for rootkits and configuration problems and reports what it finds.