A quick and usefull command for checking if a server is under ddos is:

netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

That will list the IPs taking the most amount of connections to a server. It is important to remember that the ddos is becoming more sophistcated and they are using fewer connections with more attacking ips. If this is the case you will still get low number of connections even while you are under a DDOS.

Incoming search terms:

• centos ddos güvenlik (1)
• centos malicious script scan (1)
• print $telnet->cmd \ps -ef | grep -i with awk with windows (1)
• script ddos (1)

netstat -n --tcp --udp --numeric-hosts | \
grep -v 127.0.0.1 | \
awk '{if (/(tcp|udp)/) { print $5 }}' | \
sed 's/:.*//' | \
sort | \
uniq -c | \
sort -n | \
awk '{if ($1 > 25) {print "Count: "$1"\t"$2; }}'

and here is an example output:

Count: 26       92.80.103.61
Count: 27       77.246.104.149
Count: 35       88.232.169.103
Count: 44       88.226.7.150

If we want to list only the ip addresses, not the counter, change the last line as below:

awk '{if ($1 > 25) {print $2; }}'

Incoming search terms:

• networksolution ssl direct admin (1)

This howto is meant
as a practical guide; it does not cover the theoretical backgrounds. They are
treated in a lot of other documents in the web.

This document comes
without warranty of any kind!

1 Get the Sources

We need the following
software: openssl, cyrus-sasl2, and sendmail. We will install the software from
the /tmp directory.

cd /tmp

wget http://www.openssl.org/source/openssl-0.9.7c.tar.gz

wget –passive-ftp ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.17.tar.gz

wget –passive-ftp
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.11.tar.gz

2 Install Openssl

tar xvfz openssl-0.9.7c.tar.gz

cd openssl-0.9.7c

./config

make

make install

ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

3 Install Cyrus-sasl2

cd /tmp

tar
xvfz cyrus-sasl-2.1.17.tar.gz

cd cyrus-sasl-2.1.17

./configure –enable-anon –enable-plain –enable-login –disable-krb4 –with-saslauthd=/var/run/saslauthd
–with-pam –with-openssl=/usr/local/ssl –with-plugindir=/usr/local/lib/sasl2
–enable-cram –enable-digest –enable-otp (1
line!)

make

make install

If /usr/lib/sasl2
exists:

mv /usr/lib/sasl2 /usr/lib/sasl2_orig

echo “pwcheck_method:
saslauthd” > /usr/local/lib/sasl2/Sendmail.conf

echo “mech_list: login plain” >> /usr/local/lib/sasl2/Sendmail.conf

mkdir -p /var/run/saslauthd

4 Create Certificates
for TLS

mkdir -p /etc/mail/certs

cd /etc/mail/certs

openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 365

<- Enter your
password for smtpd.key.

<- Enter your Country Name (e.g., “DE”).

<- Enter your State or Province Name.

<- Enter your City.

<- Enter your Organization Name (e.g., the name of your company).

<- Enter your Organizational Unit Name (e.g. “IT Department”).

<- Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).

<- Enter your Email Address.

openssl req -nodes -new
-x509 -keyout sendmail.pem -out sendmail.pem -days 365

<- Again, enter
your password for smtpd.key.

<- Enter your Country Name (e.g., “DE”).

<- Enter your State or Province Name.

<- Enter your City.

<- Enter your Organization Name (e.g., the name of your company).

<- Enter your Organizational Unit Name (e.g. “IT Department”).

<- Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).

<- Enter your Email Address.

openssl x509 -noout -text
-in sendmail.pem

chmod 600 ./sendmail.pem

5 Install Sendmail

cd /tmp

tar xvfz sendmail.8.12.11.tar.gz

cd sendmail-8.12.11/devtools/Site/

Create the
file site.config.m4
(in
devtools/Site/):

# SASL2 (smtp authentication)
APPENDDEF(`confENVDEF’, `-DSASL=2′)
APPENDDEF(`conf_sendmail_LIBS’, `-lsasl2′)
#
# STARTTLS (smtp + tls/ssl)
APPENDDEF(`conf_sendmail_ENVDEF’, `-DSTARTTLS’)
APPENDDEF(`conf_sendmail_ENVDEF’, `-D_FFR_SMTP_SSL’)
APPENDDEF(`conf_sendmail_LIBS’, `-lssl -lcrypto -L/usr/local/ssl/lib’)

mkdir -p /usr/man

mkdir -p /usr/man/man1

mkdir -p /usr/man/man8

cp -pfr /usr/local/lib/sasl2 /usr/lib/sasl2

echo /usr/lib/sasl2 >> /etc/ld.so.conf

ldconfig

ln -s /usr/local/ssl/include/openssl /usr/include/openssl

Now we can compile
sendmail:

cd /tmp/sendmail-8.12.11/

useradd smmsp

groupadd smmsp

sh Build -c

sh Build install

Let’s create our
sendmail.cf:

cd cf/cf/

Create the file
sendmail.mc with the
following contents:

### do SMTPAUTH
define(`confAUTH_MECHANISMS’, `LOGIN PLAIN DIGEST-MD5 CRAM-MD5′) ;
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5′) ;

### do STARTTLS
define(`confCACERT_PATH’, `/etc/mail/certs’) ;
define(`confCACERT’, `/etc/mail/certs/cacert.pem’) ;
define(`confSERVER_CERT’, `/etc/mail/certs/sendmail.pem’) ;
define(`confSERVER_KEY’, `/etc/mail/certs/sendmail.pem’) ;
define(`confCLIENT_CERT’, `/etc/mail/certs/sendmail.pem’) ;
define(`confCLIENT_KEY’, `/etc/mail/certs/sendmail.pem’) ;
DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s’) ;

###
define(`confDEF_CHAR_SET’, `iso-8859-1′) ;
define(`confMAX_MESSAGE_SIZE’, `15000000′) ; Denial of Service Attacks
define(`confMAX_DAEMON_CHILDREN’, `30′) ; Denial of Service Attacks
define(`confCONNECTION_RATE_THROTTLE’, `2′) ; Denial of Service Attacks
define(`confMAXRCPTSPERMESSAGE’, `50′) ; Denial of service Attacks
define(`confSINGLE_LINE_FROM_HEADER’, `True’) ;
define(`confSMTP_LOGIN_MSG’, `$j’) ;
define(`confDONT_PROBE_INTERFACES’, `True’) ;
define(`confTO_INITIAL’, `6m’) ;
define(`confTO_CONNECT’, `20s’) ;
define(`confTO_HELO’, `5m’) ;
define(`confTO_HOSTSTATUS’, `2m’) ;
define(`confTO_DATAINIT’, `6m’) ;
define(`confTO_DATABLOCK’, `35m’) ;
define(`confTO_DATAFINAL’, `35m’) ;
define(`confDIAL_DELAY’, `20s’) ;
define(`confNO_RCPT_ACTION’, `add-apparently-to’) ;
define(`confALIAS_WAIT’, `0′) ;
define(`confMAX_HOP’, `35′) ;
define(`confQUEUE_LA’, `5′) ;
define(`confREFUSE_LA’, `12′) ;
define(`confSEPARATE_PROC’, `False’) ;
define(`confCON_EXPENSIVE’, `true’) ;
define(`confWORK_RECIPIENT_FACTOR’, `1000′) ;
define(`confWORK_TIME_FACTOR’, `3000′) ;
define(`confQUEUE_SORT_ORDER’, `Time’) ;
define(`confPRIVACY_FLAGS’, `authwarnings,goaway,restrictmailq,restrictqrun,needmailhelo’) ;
OSTYPE(linux) ;
FEATURE(`delay_checks’) ;
FEATURE(`generics_entire_domain’) ;
FEATURE(`local_procmail’) ;
FEATURE(`masquerade_envelope’) ;
FEATURE(`nouucp’,`reject’) ;
FEATURE(`redirect’) ;
FEATURE(`relay_entire_domain’) ;
FEATURE(`use_cw_file’)dnl
FEATURE(`virtuser_entire_domain’)dnl

FEATURE(dnsbl,`blackholes.mail-abuse.org’,
` Mail from $&{client_addr} rejected; see http://mail-abuse.org/cgi-bin/lookup?$& {client_addr}’) ;
FEATURE(dnsbl,`dialups.mail-abuse.org’,
` Mail from dial-up rejected; see http://mail-abuse.org/dul/enduser.htm’) ;

FEATURE(`virtusertable’,`hash -o /etc/mail/virtusertable’) ;
FEATURE(access_db) ;
FEATURE(lookupdotdomain) ;
FEATURE(`blacklist_recipients’) ;
FEATURE(`no_default_msa’) ;
DAEMON_OPTIONS(`Port=smtp, Name=MTA’) ;
MAILER(local) ;
MAILER(smtp) ;
MAILER(procmail) ;

In order to create
/etc/mail/sendmail.cf
run the following commands:

sh Build sendmail.cf

cp sendmail.cf /etc/mail/sendmail.cf

Finally we have
to create some files:

cd /etc/mail/

touch /etc/mail/local-host-names

touch /etc/mail/virtusertable

/usr/sbin/makemap hash virtusertable < virtusertable

mkdir -p /var/spool/mqueue

chmod 700 /var/spool/mqueue

chown root:root /var/spool/mqueue

chown root:root /etc/mail/sendmail.cf

chmod 444 /etc/mail/sendmail.cf

chown root:root /etc/mail/submit.cf

chmod 444 /etc/mail/submit.cf

touch /etc/mail/aliases

newaliases

touch /etc/mail/access

/usr/sbin/makemap hash access < access

We need an init
script for sendmail (this should be copied to /etc/init.d/sendmail):

#! /bin/sh

case “$1″ in
start)
echo “Initializing SMTP port. (sendmail)”
/usr/sbin/sendmail -bd -q1h
;;
stop)
echo “Shutting down SMTP port:”
killall /usr/sbin/sendmail
;;
restart|reload)
$0 stop && $0 start
;;
*)
echo “Usage: $0 {start|stop|restart|reload}”
exit 1
esac
exit 0

chmod 755 /etc/init.d/sendmail

In order to start
sendmail at boot time
do the following:

ln -s /etc/init.d/sendmail
/etc/rc2.d/S20sendmail

ln -s /etc/init.d/sendmail /etc/rc3.d/S20sendmail

ln -s /etc/init.d/sendmail /etc/rc4.d/S20sendmail

ln -s /etc/init.d/sendmail /etc/rc5.d/S20sendmail

ln -s /etc/init.d/sendmail /etc/rc0.d/K20sendmail

ln -s /etc/init.d/sendmail /etc/rc1.d/K20sendmail

ln -s /etc/init.d/sendmail /etc/rc6.d/K20sendmail

6 Configure
Saslauthd

Create /etc/init.d/saslauthd:

#!/bin/sh -e

NAME=saslauthd
DAEMON=”/usr/sbin/${NAME}”
DESC=”SASL Authentication Daemon”
DEFAULTS=/etc/default/saslauthd

test -f “${DAEMON}” || exit 0

# Source defaults file; edit that file to configure this script.
if [ -e "${DEFAULTS}" ]; then
. “${DEFAULTS}”
fi

# If we’re not to start the daemon, simply exit
if [ "${START}" != "yes" ]; then
exit 0
fi

# If we have no mechanisms defined
if [ "x${MECHANISMS}" = "x" ]; then
echo “You need to configure ${DEFAULTS} with mechanisms to be used”
exit 0
fi

# Add our mechanimsms with the necessary flag
for i in ${MECHANISMS}; do
PARAMS=”${PARAMS} -a ${i}”
done

# Consider our options
case “${1}” in
start)
echo -n “Starting ${DESC}: ”
ln -fs /var/spool/postfix/var/run/${NAME} /var/run/${NAME}
${DAEMON} ${PARAMS}
echo “${NAME}.”
;;
stop)
echo -n “Stopping ${DESC}: ”
PROCS=`ps aux | grep -iw ‘/usr/sbin/saslauthd’ | grep -v ‘grep’ |awk ‘{print $2}’ | tr ‘\n’ ‘ ‘`
if [ "x${PROCS}" != "x" ]; then
kill -15 ${PROCS} &> /dev/null
fi
echo “${NAME}.”
;;
restart|force-reload)
$0 stop
sleep 1
$0 start
echo “${NAME}.”
;;
*)
echo “Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload}” >&2
exit 1
;;
esac

exit 0

chmod 755 /etc/init.d/saslauthd

In order to start
saslauthd at boot time
do the following:

ln -s /etc/init.d/saslauthd
/etc/rc2.d/S20saslauthd

ln -s /etc/init.d/saslauthd /etc/rc3.d/S20saslauthd

ln -s /etc/init.d/saslauthd /etc/rc4.d/S20saslauthd

ln -s /etc/init.d/saslauthd /etc/rc5.d/S20saslauthd

ln -s /etc/init.d/saslauthd /etc/rc0.d/K20saslauthd

ln -s /etc/init.d/saslauthd /etc/rc1.d/K20saslauthd

ln -s /etc/init.d/saslauthd /etc/rc6.d/K20saslauthd

Then create /etc/default/saslauthd:

# This needs to be uncommented before saslauthd will be run automatically
START=yes

# You must specify the authentication mechanisms you wish to use.
# This defaults to “pam” for PAM support, but may also include
# “shadow” or “sasldb”
MECHANISMS=shadow

If you find out
that saslauthd is located
in /usr/local/sbin instead
of /usr/sbin create a
symbolic link:

ln -s /usr/local/sbin/saslauthd
/usr/sbin/saslauthd

Then start saslauthd
and sendmail:

/etc/init.d/saslauthd start

/etc/init.d/sendmail start

7 Test your
Configuration

To verify that
your sendmail was compiled with the right options type

/usr/sbin/sendmail -d0.1
-bv root

You should see
that sendmail was compiled with SASLv2
and STARTTLS:

To see if SMTP-AUTH
and TLS work properly now run the following command:

telnet
localhost 25

After you have
established the connection to your sendmail mail server type

ehlo
localhost

If you see the
lines

250-STARTTLS

and

250-AUTH

everything is fine.

Type

quit

to return to the
system’s shell.

Links

Sendmail MTA: http://www.sendmail.org/

OpenSSL: http://www.openssl.org/

Cyrus-SASL: http://asg.web.cmu.edu/sasl/

Incoming search terms:

• mod_qos centos (5)
• mod_qos (5)
• mod_qos directadmin (3)
• mod_qos debian (2)
• mod_qos cpanel (2)
• configure mod qos in cpanel (2)
• setup mod_qos on windows (1)
• saslauthd ddos (1)
• slowloris ddos (1)
• oracle web mod_qos (1)

Incoming search terms:

• centos ddos (1)
• ddos scripts find linux (1)
• detect ddos centos (1)
• script detect ddos with apache (1)