Admins eHow

August 22, 2014

Kill a process with high CPU usage in Linux

Filed under: linux — Tags: , , , , , — admin @ 5:19 pm

Sometimes you may need to kill hanged processes with high CPU usage automatically. the following script can help you to do it :


L=$(ps aux | grep $PROCESSNAME)
for fn in $L; do
        PID=$(echo $fn | awk '{print $2'})
        LOAD=$(echo $fn | awk '{print $3'})
        if [ $(echo "$LOAD > $HL" | bc -l ) -eq 1 ]
                kill -9 $PID
                echo "Killed $PID"

Set PROCESSNAME to the process name which you want to be checked and HL to high load threshold.
Please note the load is based what ‘ps’ command reports and not what you see inside ‘top’.

August 20, 2014

Force public key authentication on SSH daemon (disable password authentication)

Filed under: Debian,linux,Security — Tags: , , , , , , — admin @ 2:18 pm

It is a very good security practice to completely disable password authentication on your Linux server and use public key authentication method.
In order to do that you need to create your own public/private key pair and put the public key in ~/.ssh/authorized_keys

mkdir -p ~/.ssh
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHV80zPWjPAwKo8Be0k1ypBRMdYDC0H2eQchu3MFsEp8av2F/18GNuHsbyMWp0p1uovP5LGZ/oPZ1ISJxLxxOBiqv0fOyb8uTDYWUUITgGvq9Fppj3BNYTjnLCUAVMKdP3VJ7IPk69ygYR1nhAXiv3dSfeG74f2eo3ZYhrylsVS2G84DUh47FuEFOsfn5s2wXVjwAgqdKBhiVQZWrptf6TEK3fZTVg4rCiRJ+YiIwTZr/CfFHbdqOiwDlGR5fWo0PHHq31lrQXzkASfi3C+ahQFnHsy4+8LdCq+TjzC3J6PbuXP1wpLdm1iP35f61hU1wX2hwhyxdvE+SBXT/PpSVB' >> ~/.ssh/authorized_keys

DISCLAIMER : The above key is my public key, if you put it on your server, I will be able to login into your server :D
Now add/change the following config to /etc/ssh/sshd_config

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PubkeyAuthentication yes

and restart ssh service :

service ssh restart

Note : Before closing your current SSH session, I highly recommend you to test that actually you can login into your server by new method. otherwise you may be locked out of your server.

August 9, 2014

Exim Remove All messages From the Mail Queue

Filed under: linux — Tags: , , — admin @ 9:49 pm
exim -bp | exiqgrep -i | xargs exim -Mrm

August 7, 2014

Send email alerts if PERC H200 raid fails in Linux

Filed under: Debian,linux — Tags: , , — admin @ 11:18 pm

Recently I have bought a Dell PowerEdge R210 server which is equipped by PERC H200 raid controller.
As I have setup a raid 1 on this server, I needed to monitor its raid status, Here is what I did :
First you need “sas2ircu” utility which can be found on following website :
Running “sas2ircu 0 STATUS” give you following output :

root@x:/# sas2ircu 0 STATUS
LSI Corporation SAS2 IR Configuration Utility.
Version (2013.03.01)
Copyright (c) 2009-2013 LSI Corporation. All rights reserved.

Background command progress status for controller 0...
IR Volume 1
  Volume ID                               : 79
  Current operation                       : None
  Volume status                           : Enabled
  Volume state                            : Optimal
  Volume wwid                             : xxxxxxxxxxxxxx
  Physical disk I/Os                      : Not quiesced
SAS2IRCU: Command STATUS Completed Successfully.
SAS2IRCU: Utility Completed Successfully.

What we are interested in is “Optimal” status. so if Optimal changes to anything, we want to be notified.
You can use the following script to do that (change MAIL variable to your own email address) :

RESULT=`sas2ircu 0 STATUS | grep Optimal`
if [ -z "$RESULT" ]; then
    echo "RAID ERROR ON SERVER" | mail -s 'Raid Error' "$MAIL"
    else echo "Raid is OK"

as always do not forget to test if your server is actually able to send mails and you receive them.
Finally save the script in a file and put it in cronjob. I have chosen to run it every 12 hours :

0 */12 * * * /usr/bin/raidcheck

July 23, 2014

How to block ongoing DDOS attack on Linux Server

Filed under: General — admin @ 10:44 am

DDOS attacks are one of hardest types of network attacks to encounter and stop. Usually the attacker uses many different IPs to request legitimate resources from your network to the point of exhaustion of your system resources and takes it down.
If you can somehow filter the IP addresses of the attacker on your system, then it is possible to block them in iptables easily and stop the attack.
In my case the attacker was attacking a website hosted on a dedicated IP address, so I was easily able to filter the attacker IP addresses by following command :

netstat -n | grep a.b.c.d | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq

a.b.c.d : IP address of my server which the victim website was hosted on
You may do all kinds of filtering using grep and awk.
After I identified attacker IP addresses, blocking them was easy. first create a file named block and put it in /usr/bin with following contents :

iptables -I INPUT -s $1/32 -j DROP

make it executable :

chmod +x /usr/bin/block

then run the following command :

netstat -n | grep a.b.c.d | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq | xargs -n1 block

It will automatically block all attacker IPs in server firewall.
You may run the command every 5-10 minutes until the attack stops completely.
The problem of this approach is that you may end up blocking some legitimate users mixed with attacker IPs, but it is still better than having your whole server down indefinitely.
Also after the attack stops, you can remove all firewall rules or simply reboot your server and everything will be good :)

Edit :
In fact you can turn this into a real one liner without creating block file :D, here it is :

netstat -n | grep a.b.c.d | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq | xargs -n1 -I {} iptables -I INPUT -s {}/32 -j DROP

July 20, 2014

Send email alerts when HP Proliant RAID fails in Linux

Filed under: linux — Tags: , , , , , , , — admin @ 7:51 pm

As a minimalist person, I am not a fan of running heavy monitoring tools of HP on my server. so I have written a very small bash script to monitor my server RAID status and send me email alerts if it fails.
For this script to work, first you need to install hpacucli (HP Array Configuration Utility) on your server. you can download it from HP website for your Linux distribution.
The script is very easy to understand but you may need to tweak it a little bit to fit your server.
The heart is this line :

hpacucli ctrl slot=1 pd all show

which returns following on my server :

Smart Array P222 in Slot 1

   array A

      physicaldrive 2I:1:1 (port 2I:box 1:bay 1, SATA, 3 TB, OK)
      physicaldrive 2I:1:2 (port 2I:box 1:bay 2, SATA, 3 TB, OK)
      physicaldrive 2I:1:3 (port 2I:box 1:bay 3, SATA, 3 TB, OK)
      physicaldrive 2I:1:4 (port 2I:box 1:bay 4, SATA, 3 TB, OK)

but we only need lines 6-9 which are showing the drives status. It is where you may need to tweak it as you may have more or less drives.
So it may not be 6-9 for you and you may need to change 6,9 in sed command.
Here is the final script :

RESULT=`hpacucli ctrl slot=1 pd all show | sed -n '6,9 p' | grep -v OK`
if [ -n "$RESULT" ]; then
	echo "$RESULT" | mail -s 'Raid Error' "$MAIL"
	else echo "Raid is OK"

Dont forget to change MAIL variable to your own email address.
You may test the script once to make sure your server is able to send emails and you actually receive them.
Finally save the script in a file and put it in cronjob. I have chosen to run it every 12 hours :

0 */12 * * * /usr/bin/raidcheck

May 12, 2014

SPF Policy Tester & Syntax Validator

Filed under: dns — Tags: , , , , — admin @ 1:54 pm

This website is super useful for verifying and testing SPF records :

SPF Syntax Validator :
SPF Policy Tester :

May 11, 2014

How to enable mod_deflate on Apache 2.4

Filed under: Apache — Tags: , , , — admin @ 7:02 am

Well, I am writing this guide because enabling mod_deflate on Apache 2.4 has become more complex than enabling a single module like it was on Apache 2.2
Now you have to enable 3 modules in httpd.conf for mod_deflate to work properly :

LoadModule deflate_module modules/
LoadModule headers_module modules/
LoadModule filter_module modules/

Also you have to enable compression by this config :

AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
DeflateCompressionLevel 9

May 9, 2014

Auto update Atomicorp mod_security rules script

Filed under: cPanel,linux — Tags: , , , , — admin @ 6:31 pm

Here is a very simple script, I have written for my own use to auto update mod_security rules from Atomicorp server. You can use cronjobs to automate the process.
Dont forget to put your Atomicorp subscription username and password in the script.



VER=`wget -q --user=$USER --password=$PASS -O - | grep MODSEC_VERSION | sed -r 's/^.{15}//'`
wget -q --user=$USER --password=$PASS$FILE_NAME -O - | tar jxf - -C $DIR
/etc/init.d/httpd -k graceful

In this case, the script will install the rules in /var/cpanel/modsec directory and reload the server gracefully.
Apparently you should have the following in your modsec2.user.conf

Include "/var/cpanel/modsec/000000_asl_modreqtimeout.conf"
Include "/var/cpanel/modsec/00_asl_0_global.conf"
Include "/var/cpanel/modsec/00_asl_rbl.conf"
Include "/var/cpanel/modsec/00_asl_z_antievasion.conf"
Include "/var/cpanel/modsec/00_asl_zz_strict.conf"
Include "/var/cpanel/modsec/01_asl_content.conf"
Include "/var/cpanel/modsec/01_asl_rules_special.conf"
Include "/var/cpanel/modsec/03_asl_dos.conf"
Include "/var/cpanel/modsec/05_asl_exclude.conf"
Include "/var/cpanel/modsec/05_asl_scanner.conf"
Include "/var/cpanel/modsec/09_asl_rules.conf"
Include "/var/cpanel/modsec/09_asl_rules_antievasion.conf"
Include "/var/cpanel/modsec/10_asl_antimalware.conf"
Include "/var/cpanel/modsec/10_asl_antimalware_output.conf"
Include "/var/cpanel/modsec/10_asl_rules.conf"
Include "/var/cpanel/modsec/11_asl_adv_rules.conf"
Include "/var/cpanel/modsec/11_asl_data_loss.conf"
Include "/var/cpanel/modsec/11_asl_rules.conf"
Include "/var/cpanel/modsec/12_asl_brute.conf"
Include "/var/cpanel/modsec/20_asl_useragents.conf"
Include "/var/cpanel/modsec/30_asl_antimalware.conf"
Include "/var/cpanel/modsec/30_asl_antispam.conf"
Include "/var/cpanel/modsec/30_asl_antispam_referrer.conf"
Include "/var/cpanel/modsec/31_asl_urispam.conf"
Include "/var/cpanel/modsec/40_asl_apache2-rules.conf"
Include "/var/cpanel/modsec/50_asl_rootkits.conf"
Include "/var/cpanel/modsec/51_asl_rootkits.conf"
Include "/var/cpanel/modsec/60_asl_recons.conf"
Include "/var/cpanel/modsec/61_asl_recons_dlp.conf"
Include "/var/cpanel/modsec/98_asl_adv_redactor.conf"
Include "/var/cpanel/modsec/98_asl_jitp.conf"
Include "/var/cpanel/modsec/99_asl_a_redactor.conf"
Include "/var/cpanel/modsec/99_asl_exclude.conf"
Include "/var/cpanel/modsec/99_asl_jitp.conf"
Include "/var/cpanel/modsec/99_asl_redactor.conf"
Include "/var/cpanel/modsec/99_asl_redactor_post.conf"
Older Posts »

Powered by WordPress