KentonNetworks
04-08-2004, 02:16 AM
Hey Guys,
I've been reading forums all day long. I've been hosting accounts for my clients, and just today received an e-mail from another company stating that the IP my server is on has been sending Distributed Denial-Of-Service (DDOS) attacks at their side. Now I know that I'm not running anything of that sort; it might easily be one of the clients.
If someone could help: I just have one simple question, whether there is a command or some way that I could check who is running this or running some sort of script, etc.
All answers are greatly appreciated.
Warm Regards,
AJ
Steven
04-08-2004, 02:30 AM
Well, usually when your server is sending DDOS attacks out that is not good; most of the time your server could be compromised. Have you checked your /tmp, /var/tmp, /var/spool/mail? Those are common hiding spots for malicious files. Do you have an old kernel on the box? Have you installed any security measures? Do you give your clients ssh access?
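As an added example (not code from this thread or any of the posters), here is a small POSIX shell helper that answers the original question of which process, and therefore which account, is generating the outbound traffic. It groups `ss -tunpH` output by owning process and peer address so a flood stands out as one process with many sockets to one host. The `ss` lines below are constructed sample data; on a real box you run `ss -tunpH` as root (the process column is empty for other users' sockets otherwise) and pipe it into the function.

```sh
#!/bin/sh
# Constructed sample of `ss -tunpH` output: normal httpd/sshd traffic next to a
# "perl" process (pid 2312, hypothetical) opening many connections to one host.
SAMPLE_SS='tcp ESTAB 0 0 10.0.0.5:80 198.51.100.7:51020 users:(("httpd",pid=1180,fd=5))
tcp ESTAB 0 0 10.0.0.5:80 198.51.100.8:51021 users:(("httpd",pid=1180,fd=6))
tcp ESTAB 0 0 10.0.0.5:22 198.51.100.20:40011 users:(("sshd",pid=1022,fd=4))
tcp SYN-SENT 0 1 10.0.0.5:40001 203.0.113.9:80 users:(("perl",pid=2312,fd=3))
tcp SYN-SENT 0 1 10.0.0.5:40002 203.0.113.9:80 users:(("perl",pid=2312,fd=4))
tcp SYN-SENT 0 1 10.0.0.5:40003 203.0.113.9:80 users:(("perl",pid=2312,fd=5))
tcp SYN-SENT 0 1 10.0.0.5:40004 203.0.113.9:80 users:(("perl",pid=2312,fd=6))'

# flows_by_process: reads `ss -tunpH` lines on stdin and prints
# "<count> <process>/<pid> -> <peer ip>", busiest first.
# Field layout of ss -tunpH: Netid State Recv-Q Send-Q Local Peer Process
flows_by_process() {
    awk '
    {
        peer = $6; sub(/:[0-9]+$/, "", peer)      # drop the peer port
        name = "-"; pid = "-"                     # unknown when not run as root
        if (match($7, /\("[^"]+",pid=[0-9]+/)) {
            tok = substr($7, RSTART + 2, RLENGTH - 2)   # e.g. perl",pid=2312
            split(tok, parts, "\",pid=")
            name = parts[1]; pid = parts[2]
        }
        count[name "/" pid " -> " peer]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# top_talker: just the process/pid with the most sockets to a single peer.
top_talker() {
    flows_by_process | head -n 1 | awk '{ print $2 }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | flows_by_process
printf 'top talker: %s\n' "$(printf '%s\n' "$SAMPLE_SS" | top_talker)"
```

Once you have a pid, `ps -o user=,lstart=,cmd= -p <pid>` tells you which account owns it and what it was started as, and `ls -l /proc/<pid>/cwd /proc/<pid>/exe` shows where the binary lives; a process whose executable sits under /tmp or /var/tmp is exactly the case the post above describes. Note the process column in `ss` only covers sockets this host owns; spoofed-source packets sent via raw sockets still show up as a process holding a raw socket (`ss -wp` for those).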
KentonNetworks
04-08-2004, 02:37 AM
Umm.. well, I do provide users with SSH only if requested, and currently there are just 2 users that actually have SSH. I do not believe they'd be sending any DDOS attacks, as they are family related.
I will check the locations you have specified above though. I'm also speaking with the provider of the server to see if they can help me out on it.
What security measures might you be referring to, or maybe you can provide me with some help on which ones I should be running or configure.
Thank you for the help.
Steven
04-08-2004, 02:39 AM
secure your compilers:
http://admin0.info/articles/security/step02.html
noexec,nosuid temporary directories:
http://admin0.info/articles/security/step03.html
securing php/cgi
http://admin0.info/articles/security/step06.html
Install a firewall limiting outgoing and incoming ports
http://www.rfxnetworks.com/apf.php
http://www.webhostgear.com/61.html
http://www.webhostingtalk.com/showthread.php?s=&threadid=227068
genlee
04-08-2004, 09:11 AM
Syn attacks can easily be spoofed.
dynamicnet
04-08-2004, 09:36 AM
Greetings:
For Unix-based systems, this should include the following:
* Disable telnet.
* Limit SSH access to specific IP addresses.
* Disable direct root login.
* Remove unnecessary packages / software.
* Harden the kernel against synflood and basic DOS attacks.
* Remove common user access to compilers and fetching software (wget, fetch, lynx, etc.).
* Ensure /tmp is in its own partition with noexec, nosuid.
* Ensure kernel and software is up to date.
* Remove unnecessary users and groups.
* Install chkrootkit, logwatch, tripwire.
* Install a firewall, and port scan detector.
* For Apache servers, install mod_security and configure for use with FrontPage, PHPMyAdmin, Site Studio, and common applications.
* Secure DNS Servers
* Utilize firewall automation to mitigate brute force FTP, syn floods, mail bombs, and out-of-network trojan’d servers from impacting your servers
It is important to note that security is an ongoing venture. Even if you were to take all of the steps listed above, you would still have a regular routine of review, update, research, patch, etc.
Thank you.
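As an added example for the "/tmp in its own partition with noexec, nosuid" item above (not code from this post or the author), here is a POSIX shell check that reads /proc/mounts-format lines and reports which required mount options a given mountpoint is missing. The mount table below is constructed: /tmp is hardened, /var/tmp is a separate partition mounted with bare defaults, so the check flags it.

```sh
#!/bin/sh
# Constructed /proc/mounts excerpt (device, mountpoint, fstype, options, dump, pass).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda4 /var/tmp ext3 rw 0 0'

# missing_mount_opts MOUNTPOINT OPT...
# Reads /proc/mounts-format lines on stdin. Prints each required option the
# mountpoint lacks, one per line, and returns 1 if anything is missing.
# Prints "not-a-mountpoint" (and returns 1) when the path is not mounted
# separately at all, since then it cannot carry its own noexec/nosuid.
missing_mount_opts() {
    mp=$1; shift
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }')
    if [ -z "$opts" ]; then
        echo "not-a-mountpoint"
        return 1
    fi
    rc=0
    for want in "$@"; do
        # Wrap in commas so "noexec" does not match "nonoexec"-style substrings.
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$want"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_tmp_dirs: run the check over the usual temp directories against a mount table on stdin.
# Output is a "<mountpoint>: ok" or "<mountpoint>: missing <opts>" line per directory.
audit_tmp_dirs() {
    table=$(cat)
    for d in /tmp /var/tmp; do
        missing=$(printf '%s\n' "$table" | missing_mount_opts "$d" noexec nosuid | tr '\n' ' ')
        if [ -z "$missing" ]; then
            echo "$d: ok"
        else
            echo "$d: missing $missing"
        fi
    done
}

# Stand-alone run on the constructed table; on a live system use: audit_tmp_dirs < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_tmp_dirs
```

The fix for a flagged directory is the corresponding /etc/fstab entry carrying `nosuid,nodev,noexec` (for example `/dev/sda4 /var/tmp ext3 defaults,nosuid,nodev,noexec 0 2`, a hypothetical line) followed by `mount -o remount /var/tmp`; re-run the audit afterwards, because a remount that fails silently leaves the old options in place and /proc/mounts is the only authoritative view of what is actually in effect.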
Steven
04-08-2004, 03:21 PM
Originally posted by genlee
Syn attacks can easily be spoofed.
Very true, but he did not state what kind of attack was originating from his server, it could be icmp, udp, syn, etc.