
Linux One-Liners

Apache and Networking


Concurrent connections to Apache:

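# Active TCP connections whose *local* port is exactly 80.  Anchoring on field 4
# (local address) keeps :8080 and client-side ports out of the count; without -a
# the LISTEN socket is not counted either, and the "Active"/"Proto" header lines
# never match.  -n skips reverse DNS, -p (root only) is not needed for a count.
netstat -nt | awk '$4 ~ /:80$/ { n++ } END { print n + 0 }'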

Top connections to port 80

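# Port-80 connections counted per (local port, remote host), busiest last.  The
# header lines and the listening socket are skipped inside awk, the alternation
# is quoted so the shell does not have to unescape '|', and the remote port is
# stripped with a regex so IPv6 peers keep their address.  Drop the $4 test to
# cover every port.
netstat -ant \
  | awk '!/^(Active|Proto)/ && $6 != "LISTEN" && $4 ~ /:80$/ {
           lport = $4; sub(/.*:/, "", lport)
           rhost = $5; sub(/:[^:]*$/, "", rhost)
           print lport ":" rhost
         }' \
  | sort | uniq -c | sort -n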

See number of apache processes:

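# Number of httpd processes as a plain count (pgrep matches on the process name,
# so no grep | grep -v grep dance); the pstree line underneath shows how the
# workers hang off the parent.
pgrep httpd | wc -l
pstree -G | grep httpd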

See top apache connections:

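# Remote hosts with the most connections to local port 80, busiest last.  The
# local-address test is anchored so :8080 and client-side ports are not counted,
# the listener (peer 0.0.0.0:*) is left out, and the port is stripped with a
# regex so IPv6 peers survive.
netstat -ant \
  | awk '$4 ~ /:80$/ && $6 != "LISTEN" { peer = $5; sub(/:[^:]*$/, "", peer); print peer }' \
  | sort | uniq -c | sort -n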

See current apache connection flags:

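# TCP state breakdown of the port-80 sockets (anchored on the local port, so
# :8080 and client-side ports are excluded).  A pile of SYN_RECV typically means
# half-open connections; lots of TIME_WAIT is normal after a burst of requests.
netstat -ant | awk '$4 ~ /:80$/ { print $6 }' | sort | uniq -c | sort -rn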

PTR finder:

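# Reverse-lookup every address in the file "list", one per line.  read -r keeps
# backslashes, the quoted "$ip" survives stray whitespace, the last line works
# without a trailing newline, and +noall +answer prints only the answer records
# (the PTR lines the two greps used to pick out).
while IFS= read -r ip || [[ -n "$ip" ]]; do
  [[ -z "$ip" ]] && continue
  dig +noall +answer -x "$ip"
done < list
# single address
dig +noall +answer -x x.x.x.x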

Watch a dig in progress:

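# Re-run the lookup every second and highlight (-d) what changed since the
# previous run, which is what you are waiting for (a record propagating).
watch -d -n 1 dig domain.com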

Other


Loop through items and do something to them:

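# Iterate over the table names of dbName (-N drops the column header, -e runs
# the statement).  Reading line by line keeps names containing spaces or glob
# characters intact, which the backtick for-loop would have split; replace the
# printf with the real per-table work.  Let mysql read its credentials from
# ~/.my.cnf rather than the command line, where ps and shell history see them.
while IFS= read -r tbl; do
  printf '%s\n' "$tbl"
done < <(mysql -Ne 'show tables' dbName)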

Hard Drive I/O Stress Tests

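# Sequential read of the whole disk (read-only: the disk is if=, the sink is
# of= -- never swap them).  The second line reads every regular file through the
# filesystem; /proc, /sys and /dev are pruned so /proc/kcore and similar
# pseudo-files are not "read".
dd if=/dev/hda of=/dev/null bs=4096
find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o -type f -print0 \
  | xargs -0 cat > /dev/null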

See current iptable rules & add drop rule:

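# Show the INPUT chain with rule numbers and hit counters, then insert (-I, at
# the top, ahead of any ACCEPT) a rule dropping the given source.  Re-run the
# first line afterwards to see the rule in position and its counters move.  The
# rule lives only in kernel memory: save it (service iptables save on RHEL) or
# it is gone at the next reboot.
iptables -L INPUT -n -v --line-numbers
iptables -I INPUT -s 78.107.28.1 -j DROP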

Find large files by size

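# Regular files over 20000 KiB with their size in MiB.  -printf replaces the
# per-file ls -lh plus column parsing, so paths containing spaces come out
# whole; /proc is pruned because /proc/kcore reports a terabyte-scale size.
find / \( -path /proc -o -path /sys \) -prune -o -type f -size +20000k -printf '%s %p\n' \
  | awk '{ printf("%s: %.1fMB\n", substr($0, length($1) + 2), $1 / 1048576) }'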

Check for dead services

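# Names of init services whose status is "dead" (a pid/lock file with no process
# behind it: a crash or an unclean stop).  Lines containing ':' are the xinetd
# sub-entries and are skipped; </dev/null keeps an init script that reads stdin
# from eating the rest of the service list.
chkconfig --list | awk '!/:/ { print $1 }' \
  | while IFS= read -r svc; do
      service "$svc" status < /dev/null
    done \
  | awk '/dead/ { print $1 }'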

# Interactive (curses) live network traffic monitor.
iptraf

# List the packages that have an update available; installs nothing.
yum list updates

Run mail queue through spamc

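# Score every message in the qmail queue with spamc -c (prints "score/required")
# and delete the ones above the threshold.  Same steps as the original one-liner,
# unrolled so each can be read and quoted: queue ids from qmHandle -L, the file
# located under /var/qmail/queue/mess, the score compared in awk because the
# shell cannot compare floats.  qmHandle -d is irreversible: dry-run first by
# replacing it with printf.
threshold=4
qmHandle -L | awk '/^[0-9]/ { print $1 }' | while IFS= read -r msgid; do
  msgfile=$(find /var/qmail/queue/mess -type f -name "$msgid" | head -n 1)
  [[ -n "$msgfile" ]] || continue
  score=$(spamc -c < "$msgfile" | cut -d/ -f1)
  [[ -n "$score" ]] || continue
  if awk -v s="$score" -v t="$threshold" 'BEGIN { exit !(s > t) }'; then
    qmHandle -d"$msgid"
  fi
done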

Log Searches

Search on SSHD

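# Failed SSH logins per source address, least frequent first.  Taking the word
# after "from" instead of a fixed column keeps this correct whether or not the
# line says "invalid user", so the two seds are no longer needed.
awk '/sshd.*Failed/ { for (i = 1; i < NF; i++) if ($i == "from") print $(i+1) }' /var/log/secure \
  | sort | uniq -c | sort -n
# Disconnect notices per peer; the trailing ':' after the address is dropped.
awk '/Received disconnect/ { for (i = 1; i < NF; i++) if ($i == "from") { sub(/:$/, "", $(i+1)); print $(i+1) } }' /var/log/secure \
  | sort | uniq -c | sort -rn
# PAM authentication failures per rhost=.  The field is found by name because
# its column shifts when ruser=/logname= are filled in or the PAM version changes.
awk '/auth.*fail/ { for (i = 1; i <= NF; i++) if ($i ~ /^rhost=./) { sub(/^rhost=/, "", $i); print $i } }' /var/log/messages \
  | sort | uniq -c | sort -n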

On RHEL 3

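# Failed SSH logins per source address on the older log format, most frequent
# first.  The address is the word after "from", so the column shift between the
# "illegal user"/"invalid user" wording and plain failures no longer matters.
awk '/sshd.*Failed/ { for (i = 1; i < NF; i++) if ($i == "from") print $(i+1) }' /var/log/secure \
  | sort | uniq -c | sort -rn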

MAIL

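# SMTP sessions per client (the from= token of the xinetd line), top 10 last.
# The second original line did the same thing with cat|grep and is folded in.
awk '/smtp/ { for (i = 1; i <= NF; i++) if ($i ~ /^from=./) { sub(/^from=/, "", $i); print $i } }' /var/log/secure \
  | sort | uniq -c | sort -n | tail
# PAM failures that are neither sshd nor ftpd (dovecot), per rhost=, found by
# name instead of column 14 so a filled-in ruser= does not shift it.
awk '!/sshd/ && !/ftpd/ && /fail/ { for (i = 1; i <= NF; i++) if ($i ~ /^rhost=./) { sub(/^rhost=/, "", $i); print $i } }' /var/log/secure \
  | sort | uniq -c
# Plesk/courier POP3, then IMAP, login failures per client address.  The address
# is taken as the content of the last [...] on the line (courier's ip=[...]),
# which replaces the two seds and the POP/IMAP column difference; sort -n on an
# address was meaningless and is a plain sort now.
awk '/LOGIN FAILED/ && !/IMAP/ { n = split($0, a, "["); sub(/\].*/, "", a[n]); print a[n] }' /usr/local/psa/var/log/maillog \
  | sort | uniq -c | sort -nr
awk '/LOGIN FAILED/ && /IMAP/ { n = split($0, a, "["); sub(/\].*/, "", a[n]); print a[n] }' /usr/local/psa/var/log/maillog \
  | sort | uniq -c | sort -nr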

Compare Successful Logins

# Login lines of maillog counted per "$12 $13" pair (presumably the user and
# client-address tokens -- NOTE(review): confirm the columns against a sample
# line of this server's maillog).  /login/ is case-insensitive here, so LOGIN
# FAILED lines are counted too; add  && !/FAILED/  to keep only successes.
awk 'tolower($0) ~ /login/ { print $12, $13 }' maillog \
  | sort \
  | uniq -c

Plesk Servers
-Additionally, I checked your mail logs for failed login attempts. These are all connecting to POP3:

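# Plesk: POP3 (non-IMAP) login failures per client address for one day.  syslog
# pads single-digit days with a second space ("Mar  9"), so the day must be
# written exactly as it appears in the log; index()==1 anchors it at line start.
# The address is the content of the last [...] on the line (courier's ip=[...]).
day='Mar 23'
awk -v day="$day" 'index($0, day) == 1 && /LOGIN FAILED/ && !/IMAP/ {
       n = split($0, a, "["); sub(/\].*/, "", a[n]); print a[n]
     }' /usr/local/psa/var/log/maillog \
  | sort | uniq -c | sort -nr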

-Additionally, here is everyone connecting to IMAP and failing:

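# Plesk: IMAP login failures per client address for one day.  The original
# grep "Mar 9" matched nothing on a syslog timestamp, which pads single-digit
# days to two columns ("Mar  9"); the day is written that way here and
# anchored at line start.  The address is the content of the last [...].
day='Mar  9'
awk -v day="$day" 'index($0, day) == 1 && /LOGIN FAILED/ && /IMAP/ {
       n = split($0, a, "["); sub(/\].*/, "", a[n]); print a[n]
     }' /usr/local/psa/var/log/maillog \
  | sort | uniq -c | sort -nr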

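# Plesk/courier POP3 (first) and IMAP (second) login failures per client
# address, most frequent first.  The second line of the original was cut off
# after "| s"; it is completed to the same sort -nr as its POP3 twin.  The
# address is the content of the last [...] on the line, so the two seds and the
# POP/IMAP column difference go away.
awk '/LOGIN FAILED/ && !/IMAP/ { n = split($0, a, "["); sub(/\].*/, "", a[n]); print a[n] }' /usr/local/psa/var/log/maillog \
  | sort | uniq -c | sort -nr
awk '/LOGIN FAILED/ && /IMAP/ { n = split($0, a, "["); sub(/\].*/, "", a[n]); print a[n] }' /usr/local/psa/var/log/maillog \
  | sort | uniq -c | sort -nr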
SMTP_auth - these entries may be in /var/log/messages or /var/log/secure instead of the maillog

# smtp_auth successful logins counted per column 9 across all rotated maillogs
# (presumably the client address -- NOTE(review): the line layout is Plesk's and
# not shown here; check the column against a sample line).
awk '/smtp_auth.*logged in/ { print $9 }' maillog* \
  | sort \
  | uniq -c \
  | sort -n
# Same idea on the current log only, keyed on columns 9 and 15 of the "user" lines.
awk '/smtp_auth.*user/ { print $9, $15 }' maillog \
  | sort \
  | uniq -c \
  | sort -n

SMTP_AUTH FAILURES

# smtp_auth failures counted per column 14 (NOTE(review): presumably the client
# address; confirm against a FAIL line from this server's maillog).
awk '/smtp_auth.*FAIL/ { print $14 }' maillog \
  | sort \
  | uniq -c \
  | sort -n

the bomb!

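# "the bomb": one pass over the auth and mail logs in six sections.  The two
# copies of the original (one line, and the same thing split over six) are
# merged.  Addresses are picked out by name (the token after "from", the from=
# and rhost= tokens, the last bracketed token of a courier line) rather than by
# fixed column, so the "invalid user" wording and PAM column shifts do not
# break the counts.
secure=/var/log/secure
maillog=/usr/local/psa/var/log/maillog
echo "1 of 6 - Attacks on SSH..."
awk '/sshd.*Failed/ { for (i = 1; i < NF; i++) if ($i == "from") print $(i+1) }' "$secure" \
  | sort | uniq -c | sort -rn
echo "2 of 6 - Attacks on SMTP..."
awk '/smtp/ { for (i = 1; i <= NF; i++) if ($i ~ /^from=./) { sub(/^from=/, "", $i); print $i } }' "$secure" \
  | sort | uniq -c | sort -rn
echo "3 of 6 - Attacks on Dovecot..."
awk '!/sshd/ && !/ftpd/ && /fail/ { for (i = 1; i <= NF; i++) if ($i ~ /^rhost=./) { sub(/^rhost=/, "", $i); print $i } }' "$secure" \
  | sort | uniq -c
echo "4 of 6 - Plesk popd and imapd..."
awk '/LOGIN FAILED/ && !/IMAP/ { n = split($0, a, "["); sub(/\].*/, "", a[n]); print a[n] }' "$maillog" \
  | sort | uniq -c | sort -nr
echo "5 of 6 - Plesk IMAP..."
awk '/LOGIN FAILED/ && /IMAP/ { n = split($0, a, "["); sub(/\].*/, "", a[n]); print a[n] }' "$maillog" \
  | sort | uniq -c | sort -nr
echo "6 of 6 - ftp connections..."
awk '/xinetd.*ftp/ { for (i = 1; i <= NF; i++) if ($i ~ /^from=./) { sub(/^from=/, "", $i); print $i } }' "$secure" \
  | sort | uniq -c | sort -n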

MORE STUFF
Search for hidden iframes in PHP scripts. You may also want to search for "base64" and "javascript".

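# Flag PHP files that embed an iframe pointing at an external URL, a common
# sign of injected code.  grep -E replaces egrep, https:// is covered as well as
# http://, and "+" batches many files into one grep instead of one process per
# file.  Review every hit by hand: legitimate templates embed iframes too.
find . -name '*.php' -exec grep -EiH 'iframe.*https?://' {} +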

Find the 50 largest files:

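# The 50 largest regular files (over 1 MiB) outside /dev, /sys and /proc, with
# the size in whole MiB.  %p prints the path as found, where %h/%f produced a
# doubled slash ("//file") for files directly under /; the three prunes are
# grouped so the intent reads as one exclusion list.
find / \( -path /dev -o -path /sys -o -path /proc \) -prune -o \
  -type f -size '+1024k' -printf '%s %p\n' \
  | sort -k1,1 -rn \
  | head -n 50 \
  | awk '{ path = substr($0, length($1) + 2); printf("%5dMB\t%s\n", $1 / 1048576, path) }'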

Apache memory usage:

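# Resident memory of all httpd processes, in MiB.  ps -C selects by exact
# command name (no grep | grep -v grep), rss= prints just the number without a
# header, and zombies have 0 RSS so they add nothing.  RSS counts pages shared
# between workers once per process, so this is an upper bound on real usage.
ps -C httpd -o rss= | awk '{ sum += $1 } END { print sum / 1024 }'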

Removing a large number of files in Linux

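# Delete every regular file below the current directory.  Both forms are
# irreversible: check pwd and run "find . -type f" on its own first.  "+" hands
# many files to each rm (-v still lists every one) and "--" protects names that
# start with "-"; -delete needs no rm at all (GNU and BSD find).
find . -type f -exec rm -v -- {} +
find . -type f -delete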

Find files and run them through sed

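# In-place substitution limited to the files that actually contain the pattern:
# grep -l lists them, -I skips binaries (which sed -i would corrupt), -Z and
# xargs -0 keep odd filenames intact, -r runs nothing when there are no hits.
# sed -i rewrites each file, so hard links and symlinks to it end up pointing
# at the old copy.
find . -type f -exec grep -lIZ 'pattern' {} + | xargs -0 -r sed -i -e 's/pattern/replace/g'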

The same thing with Perl

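# Same with Perl.  The original had the expression outside its quotes (a
# leading "/" and no opening quote), so it did not run; -p loops over the
# lines, -i edits in place (use -i.bak to keep a backup), "+" batches files.
find . -name settings.xml -exec perl -p -i -e 's/pattern/replace/g' {} +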

Check for SSH brute force attacks on Debian

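# SSH connections per peer on Debian, most frequent first.  The address is the
# token after "from" (or "by" on "Connection closed by" lines, which the old
# column-8 version printed as the word "by"); the ::ffff: IPv4-mapped prefix is
# stripped instead of counting ':' fields.  A high count is the hint; confirm
# with the "Failed password" lines before blocking anything.
awk '/Connection/ { for (i = 1; i < NF; i++) if ($i == "from" || $i == "by") { ip = $(i+1); sub(/^::ffff:/, "", ip); print ip } }' /var/log/auth.log \
  | sort | uniq -c | sort -rn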

Check for FTP brute force attacks on Debian

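# vsftpd PAM failures per rhost= on Debian, most frequent first.  The field is
# found by name rather than as column 14, so a non-empty ruser= or a different
# PAM version does not shift it; the two awks collapse into one.
awk '/vsftpd/ && /failure/ { for (i = 1; i <= NF; i++) if ($i ~ /^rhost=./) { sub(/^rhost=/, "", $i); print $i } }' /var/log/auth.log \
  | sort | uniq -c | sort -rn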

Check for SMTP brute force attacks on Debian

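# SMTP clients per address on Debian ("connect from host[addr]" lines): the
# address is the content of the last [...] on the line, so the pid bracket in
# the process name does not interfere and no cut is needed.
awk '/ connect from/ { sub(/.*\[/, ""); sub(/\].*/, ""); print }' /var/log/mail.log \
  | sort | uniq -c | sort -rn
# Any error-ish line with two lines of context across the logs.  -E replaces
# the GNU-only \| alternation; -I skips compressed and other binary rotations.
# Expect noise: "err" also matches words like "error" and "terrain".
grep -C 2 -iIrE 'err|warn|fail|crit' /var/log/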

Check for PHP mailer scripts (in action):

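# PHP files under vhosts that httpd workers currently hold open, refreshed every
# second (lsof +r 1) -- a way to catch a mailer script while it runs.  pgrep -d,
# builds the comma-separated pid list the ps|grep|awk chain assembled; with no
# httpd running, lsof -p "" would just error, so that case is reported instead.
# --line-buffered stops grep from holding output back in repeat mode.  Follow up
# on a hit by checking the file's owner, mtime and the vhost it belongs to.
pids=$(pgrep -d, httpd)
if [[ -z "$pids" ]]; then
  printf 'no httpd processes found\n' >&2
else
  /usr/sbin/lsof +r 1 -p "$pids" | grep --line-buffered vhosts | grep php
fi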