  #1 (Join Date: Apr 2005, Location: Sweden, Posts: 241)

    Script to kill suspicious processes

    I wrote a little script a while ago that might be of interest. It basically kills all processes on a server that don't match the criteria for allowed processes.

    You can whitelist based on username, process name and uid range. Processes are given a few minutes' grace time so that short-lived ones (like ls, mkdir etc.) don't get killed.

    The idea is that this will stop users from running their own daemons, as well as stop lame php exploits that slip through mod_security (that I hope you're all using nowadays!) from being able to spread (much). You need to be running suphp or suexec or similar that breaks those processes away from apache, though.

    If anybody wants to take a look at it I'll make it look a little nicer and post a URL.
    We do co-location and system management in Stockholm, Sweden. Unfortunately we cannot host you, but i'm sure you'll be ok.

    Remember, the best backup in the world is the one you make yourself.
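    A worked version of the whitelist-and-grace-period logic described in this post, written as an added Python example rather than the poster's own pg3 Perl script; the whitelist values, the /proc reading helper, the log format and the size-based rotation are assumptions to tune per host:

```python
import os
import pwd
import time
from collections import namedtuple

# Whitelist modelled on the thread's defaults (uid range 0-500 plus the cPanel
# service users named in post #9); every value here is an assumption to tune.
ALLOWED_USERS = {"root", "mysql", "mailnull", "mailman", "cpanel"}
ALLOWED_NAMES = {"httpd", "sshd", "crond"}
ALLOWED_UIDS = range(0, 501)
GRACE_SECONDS = 180        # short-lived tools (ls, mkdir) never reach this age
LOG_MAX_BYTES = 1_000_000  # rotate the log once it grows past this size

Proc = namedtuple("Proc", "pid uid user name age")  # age: seconds since start

def is_allowed(p):
    return p.user in ALLOWED_USERS or p.name in ALLOWED_NAMES or p.uid in ALLOWED_UIDS

def select_kills(procs, grace=GRACE_SECONDS):
    """Non-whitelisted processes that have already outlived the grace period."""
    return [p for p in procs if not is_allowed(p) and p.age > grace]

def scan_proc():
    """Build Proc records from /proc (Linux only); assumed helper, not the pg3 code."""
    hz = os.sysconf("SC_CLK_TCK")
    uptime = float(open("/proc/uptime").read().split()[0])
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            st = dict(l.split(":", 1) for l in open(f"/proc/{pid}/status") if ":" in l)
            # start time (field 22 of /proc/<pid>/stat) is in ticks since boot; split
            # after the closing ')' because the comm field itself may contain spaces
            fields = open(f"/proc/{pid}/stat").read().rsplit(")", 1)[1].split()
            uid, age = int(st["Uid"].split()[0]), uptime - int(fields[19]) / hz
        except (OSError, KeyError, ValueError, IndexError):
            continue  # the process exited while we looked, or is unreadable
        user = next((u.pw_name for u in pwd.getpwall() if u.pw_uid == uid), str(uid))
        procs.append(Proc(int(pid), uid, user, st["Name"].strip(), age))
    return procs

def log_and_kill(victims, log_path, dry_run=True):
    """Log every victim (rotating the log by size) and, unless dry_run, SIGKILL it."""
    if os.path.exists(log_path) and os.path.getsize(log_path) > LOG_MAX_BYTES:
        os.replace(log_path, log_path + ".1")
    with open(log_path, "a") as log:
        for p in victims:
            log.write(f"{time.ctime()} kill pid={p.pid} uid={p.uid} user={p.user} "
                      f"name={p.name} age={p.age:.0f}s dry_run={dry_run}\n")
            if not dry_run:
                os.kill(p.pid, 9)  # SIGKILL
    return len(victims)
```

    Run `log_and_kill(select_kills(scan_proc()), "/var/log/pg.log")` from cron with dry_run left on until the log shows only processes you really want gone. A whitelist keyed on process name still passes a daemon that renames itself to httpd, which is the weakness raised in the next reply.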

  #2 (Join Date: Jan 2003, Posts: 1,715)
    I hope that it also logs what it kills. Just killing 'r0nin' won't help much unless you know how, when, and where it got in (and what it accomplished). Similarly, shell daemons (especially root shell daemons) tend to hide as innocuous names like 'ls' or 'httpd'.
    Game Servers are the next hot market!
    Slim margins, heavy support, fickle customers, and moronic suppliers!
    Start your own today!

  #3 (Join Date: Apr 2005, Location: Sweden, Posts: 241)
    Yeah, there is a log file as well, useful for when you want to tune the rules so that you don't mess with legitimate processes.

  #4 (Join Date: Aug 2003, Location: Pittsburgh, Posts: 3,490)
    The_Overl, I'd definitely be interested in taking a look at it.

  #5 (Join Date: Aug 2003, Location: USA, Posts: 1,036)
    Sure, if you could give it a whirl around a few forums, you'd get some great constructive criticism.
    CybexHost.com - Shared and Reseller Hosting Solutions on cPanel/WHM Linux Servers
    ModernTweak.com - Discount ModernBill Licenses, Hosted Installations, and Professional Services
    :: Pay for your discount ModernBill license with PayPal
    :: admin[at]cybexhost.com :: AIM: CybexH

  #6
    This sounds very good, I would be interested too.

    Michael

  #7 (Join Date: Apr 2005, Location: Sweden, Posts: 241)
    OK, I made it look a little nicer, you can download here:

    http://www.scorpiondata.com/pg3.tar.gz

    Anyone can look through it and see that I'm not doing anything weird.

    Give it a try, and post your comments here. Look inside the script for configuration and some comments.

  #8 (Join Date: Apr 2005, Location: Sweden, Posts: 241)
    Anyone test it out and find it useful? I know at least 8 of you guys downloaded it.

    I have another little script that detects people that use a lot of mysql resources and automatically sends an email to them explaining it. For the moment it only works with my custom-made system, but I should be able to make it work on cpanel etc., at least if it stores an email address somewhere where the script can figure it out based on database name. But that would take a little work. Useful?

  #9 (Join Date: Sep 2002, Location: Top Secret, Posts: 14,135)
    Firstly, great script. This isn't the be all and end all of systems administration, but it's a very decent script.

    That said:
    -- The log file should be made something static (ie: /var/log/pg.log)
    -- Email should be sent to the systems admin when processes are killed

    I've made those adjustments, and added the file to do so as an attachment. In order to uncompress it, you'll need to realize this is a tgz file (zip compressed), NOT a straight tar file. To use it:

    -- Download to your system
    -- tar zxpf pg3.pl.tar
    -- Edit as necessary
    -- perl pg3.pl

    I've fixed this so that CPanel stuff doesn't get killed (mailman, cpanel, mailnull), as those users contain some pretty vital system processes. Feel free to incorporate that into future distributions, just remember, give credit where it's due.
    Tom Whiting, WHMCS Guru extraordinaire
    Linux problems? WHMCS Problems? Give me a shout
    Check out my WHMCS Addons

  #10 (Join Date: Jun 2005, Location: Northern Ireland, Posts: 105)
    Thanks for the script
    How do I set it up?

  #11 (Join Date: Jun 2004, Posts: 1,961)
    Thanks for the script, and modified script.

    Working a treat right now.
    It's Scott!

  #12 (Join Date: Sep 2002, Location: Top Secret, Posts: 14,135)
    Originally posted by Ericsson
    Thanks for the script
    How do I set it up?
    If you downloaded the attachment I enclosed, the instructions are in my post. It's pretty simple to set up, really.

  #13
    I have it installed and it's working fine.
    But by the way, won't this script do the same thing as
    http://www.rfxnetworks.com/lsm.php and/or http://www.rfxnetworks.com/nsiv.php ?
    The Cloud Platform for Bare Metal
    Instant Deployment of High-Performance Bare Metal Servers in 15 cities globally
    Latitude.sh (Formerly Maxihost)

  #14 (Join Date: Sep 2002, Location: Top Secret, Posts: 14,135)
    LSM is a socket monitor, a port monitor, not an application monitor.
    NSIV is, well, not really advised for systems. I've attempted to use this multiple times on multiple systems. Besides, I think NSIV only works on certain applications.

  #15 (Join Date: Jun 2004, Location: Bay Area -USA, Posts: 1,740)
    Do you set this up to run in crontab?

    Sounds like a neat script, thanks!

  #16
    I've set it up in crontab to run every hour.

  #17 (Join Date: Apr 2005, Location: Sweden, Posts: 241)
    I've made some modifications to the original script based on suggestions by linux-tech, including configurable log file, some extra whitelist settings to make the script work better for cpanel, and some extra clarifying comments. I've also added log file rotation based on file size.

    What uids do those cpanel processes normally use? I thought my default 0-500 uid range whitelist was pretty broad.

    I didn't put the email notification in, because if you run it through cron (as intended), cron will email any details to you automatically, and if you run it interactively, you get all the info on the screen anyways.

    Script is at the same location as before, http://www.scorpiondata.com/pg3.tar.gz (might wanna clear your cache if you get the old 2005071601 version. You should have the 2005072401 version).

  #18 (Join Date: Sep 2002, Location: Top Secret, Posts: 14,135)
    Originally posted by The_Overl
    cron will email any details to you automatically,
    Not always.
    If you've got the crons set up as they should be, with mailto output disabled (you REALLY don't want all that */5 spam, now do you?), then you're not going to see anything, unless the application actually mails the individuals.

    It's a matter of preference and spam. I'd rather not be notified every 5 minutes when cron does something that it's supposed to do, such as showing mysql processes, because that's more crap for me to have to go through. If an application is configured properly, it will mail the output if necessary.

    And cpanel is set up as the default first user in the system (in mine, 32001). There's more to it than that though, you need to make sure not to kill processes by mailnull (which were getting killed), mailman, etc. All of these are valid processes by the system.

  #19 (Join Date: Apr 2005, Location: Sweden, Posts: 241)
    If you get a lot of */5 (or whatever) spam, then the program you run isn't set up to be quiet on success anyway, which is wrong.

  #20 (Join Date: Sep 2002, Location: Top Secret, Posts: 14,135)
    That's not it at all. You're going to get output from anything, unless you specifically redirect output to /dev/null. The point is that mail should be handled inside of the script/application, not by cron.

  #21 (Join Date: Apr 2005, Location: Sweden, Posts: 241)
    Most little scripts and hacks you might have in your crontab usually can't send emails when they foul up, that's why you should have cron do it for you. They should be written so that they only produce output if something goes wrong. This is the whole idea with that, so you don't have to send emails yourself every time. That's what I believe, but you're free to feel different of course.

  #22 (Join Date: Apr 2005, Location: Sweden, Posts: 241)
    Never mind about the email thing, it doesn't really matter if it's in there I guess. I'll put it in my script for whoever wants it when I've got a few minutes to spare.

  #23 (Join Date: Mar 2005, Location: Ekaterinburg, Russia, Posts: 26)
    Looks interesting, I will definitely give it a try later on, when it's more mature.
