07-15-2005, 03:36 PM #1 Junior Guru
Join Date: Apr 2005 | Location: Sweden | Posts: 241
Script to kill suspicious processes
I wrote a little script a while ago that might be of interest. It basically kills all processes on a server that don't match the criteria for allowed processes.
You can whitelist based on username, process name and uid range. Processes are given a few minutes of grace time so that short-lived ones (like ls, mkdir etc.) don't get killed.
The idea is that this will stop users from running their own daemons, as well as stop lame PHP exploits that slip through mod_security (which I hope you're all using nowadays!) from being able to spread (much). You need to be running suphp or suexec or similar that breaks those processes away from Apache, though.
If anybody wants to take a look at it I'll make it look a little nicer and post a URL.
We do co-location and system management in Stockholm, Sweden. Unfortunately we cannot host you, but I'm sure you'll be ok.
Remember, the best backup in the world is the one you make yourself.
-
07-15-2005, 04:15 PM #2 Web Hosting Master
Join Date: Jan 2003 | Posts: 1,715
I hope that it also logs what it kills. Just killing 'r0nin' won't help much unless you know how, when, and where it got in (and what it accomplished). Similarly, shell daemons (especially root shell daemons) tend to hide as innocuous names like 'ls' or 'httpd'.
Game Servers are the next hot market!
Slim margins, heavy support, fickle customers, and moronic suppliers!
Start your own today!
-
07-15-2005, 04:26 PM #3 Junior Guru
Join Date: Apr 2005 | Location: Sweden | Posts: 241
Yeah, there is a log file as well, useful for when you want to tune the rules so that you don't mess with legitimate processes.
-
07-15-2005, 05:03 PM #4 Retired Moderator
Join Date: Aug 2003 | Location: Pittsburgh | Posts: 3,490
The_Overl, I'd definitely be interested in taking a look at it.
-
07-15-2005, 09:45 PM #5 Web Hosting Master
Join Date: Aug 2003 | Location: USA | Posts: 1,036
Sure, if you could give it a whirl around a few forums, you'd get some great constructive criticism.
CybexHost.com - Shared and Reseller Hosting Solutions on cPanel/WHM Linux Servers
ModernTweak.com - Discount ModernBill Licenses, Hosted Installations, and Professional Services
:: Pay for your discount ModernBill license with PayPal
:: admin[at]cybexhost.com :: AIM: CybexH
-
07-16-2005, 01:56 AM #6 Web Hosting Evangelist
Join Date: Aug 2001 | Posts: 466
This sounds very good, I would be interested too.
Michael
-
07-16-2005, 04:58 PM #7 Junior Guru
Join Date: Apr 2005 | Location: Sweden | Posts: 241
OK, I made it look a little nicer, you can download it here:
http://www.scorpiondata.com/pg3.tar.gz
Anyone can look through it and see that I'm not doing anything weird.
Give it a try, and post your comments here. Look inside the script for configuration and some comments.
-
07-22-2005, 08:51 PM #8 Junior Guru
Join Date: Apr 2005 | Location: Sweden | Posts: 241
Anyone test it out and find it useful? I know at least 8 of you guys downloaded it.
I have another little script that detects people that use a lot of MySQL resources and automatically sends an email to them explaining it. For the moment it only works with my custom-made system, but I should be able to make it work on cPanel etc., at least if it stores an email address somewhere where the script can figure it out based on database name. But that would take a little work. Useful?
-
07-23-2005, 05:30 AM #9
Firstly, great script. This isn't the be all and end all of systems administration, but it's a very decent script.
That said:
-- The log file should be made something static (ie: /var/log/pg.log)
-- Email should be sent to the systems admin when processes are killed
I've made those adjustments, and added the file to do so as an attachment. In order to uncompress it, you'll need to realize this is a tgz file (zip compressed), NOT a straight tar file. To use it:
-- Download to your system
-- tar zxpf pg3.pl.tar
-- Edit as necessary
-- perl pg3.pl
I've fixed this so that cPanel stuff doesn't get killed (mailman, cpanel, mailnull), as those users contain some pretty vital system processes. Feel free to incorporate that into future distributions, just remember, give credit where it's due.
Tom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons
-
07-23-2005, 09:42 AM #10 WHT Addict
Join Date: Jun 2005 | Location: Northern Ireland | Posts: 105
Thanks for the script
How do I set it up?
-
07-23-2005, 10:43 AM #11 Web Hosting Master
Join Date: Jun 2004 | Posts: 1,961
Thanks for the script, and modified script.
Working a treat right now.
It's Scott!
-
07-23-2005, 11:34 PM #12
Originally posted by Ericsson:
> Thanks for the script
> How do I set it up?
-
07-24-2005, 12:28 AM #13 Aspiring Evangelist
Join Date: May 2002 | Posts: 388
I have it installed and it's working fine.
But by the way, won't this script do the same thing as
http://www.rfxnetworks.com/lsm.php and/or http://www.rfxnetworks.com/nsiv.php?
█ The Cloud Platform for Bare Metal
█ Instant Deployment of High-Performance Bare Metal Servers in 15 cities globally
█ Latitude.sh (Formerly Maxihost)
-
07-24-2005, 12:34 AM #14
LSM is a socket monitor, a port monitor, not an application monitor.
NSIV is, well, not really advised for systems. I've attempted to use this multiple times on multiple systems. Besides, I think NSIV only works on certain applications.
-
07-24-2005, 02:00 AM #15 Web Hosting Master
Join Date: Jun 2004 | Location: Bay Area - USA | Posts: 1,740
Do you set this up to run in crontab?
Sounds like a neat script, thanks!
-
07-24-2005, 03:36 PM #16 Aspiring Evangelist
Join Date: May 2002 | Posts: 388
I've set it up in crontab to run every hour.
-
07-24-2005, 07:21 PM #17 Junior Guru
Join Date: Apr 2005 | Location: Sweden | Posts: 241
I've made some modifications to the original script based on suggestions by linux-tech, including configurable log file, some extra whitelist settings to make the script work better for cpanel, and some extra clarifying comments. I've also added log file rotation based on file size.
What uids do those cPanel processes normally use? I thought my default 0-500 uid range whitelist was pretty broad.
I didn't put the email notification in, because if you run it through cron (as intended), cron will email any details to you automatically, and if you run it interactively, you get all the info on the screen anyways.
The script is at the same location as before, http://www.scorpiondata.com/pg3.tar.gz (you might wanna clear your cache if you get the old, 2005071601 version. You should have the 2005072401 version).
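As an added illustration of the whitelist-then-grace-period logic described in posts #1 and #17 (my own Python sketch, not the pg3.pl script from the thread): the `Policy`, `Proc`, `parse_ps`, `verdict` and `sweep` names are mine, the process table is constructed from the `ps -eo pid,uid,user,etimes,comm` columns, and the cPanel users and uid 32001 come from the thread. Killing is off by default, so it only logs what it would have done.

```python
import os, signal, time
from collections import namedtuple

# users: never touched; names: always allowed (weakest rule, since a daemon can
# call itself 'ls' or 'httpd', as post #2 notes); uid_range: inclusive system
# uid range to spare; grace: seconds a stray process may live before action.
Policy = namedtuple("Policy", "users names uid_range grace")
Proc = namedtuple("Proc", "pid uid user etimes comm")

def parse_ps(text):
    """Parse `ps -eo pid,uid,user,etimes,comm` output; the header line is skipped."""
    rows = [line.split(None, 4) for line in text.strip().splitlines()[1:]]
    return [Proc(int(p), int(u), usr, int(e), c) for p, u, usr, e, c in rows]

def verdict(p, pol):
    """Return (action, reason); every whitelist rule is tried before grace time."""
    if p.user in pol.users:
        return "keep", f"user {p.user} whitelisted"
    if p.comm in pol.names:
        return "keep", f"name {p.comm} whitelisted"
    lo, hi = pol.uid_range
    if lo <= p.uid <= hi:
        return "keep", f"uid {p.uid} within {lo}-{hi}"
    if p.etimes < pol.grace:
        return "keep", f"in grace period ({p.etimes}s < {pol.grace}s)"
    return "kill", f"uid {p.uid} ({p.user}) not whitelisted, alive {p.etimes}s"

def sweep(procs, pol, kill=False, log=None):
    """Apply the policy; log one line per kill decision, nothing on success."""
    killed = []
    for p in procs:
        action, reason = verdict(p, pol)
        if action != "kill":
            continue
        if log:   # e.g. sys.stderr, so cron only mails when something happened
            log.write(f"{time.strftime('%Y-%m-%d %H:%M:%S')} kill pid={p.pid} "
                      f"comm={p.comm}: {reason}\n")
        if kill:  # dry run unless explicitly enabled
            os.kill(p.pid, signal.SIGKILL)
        killed.append(p.pid)
    return killed

# Constructed sample ps table and a policy close to the thread's defaults
# (uid whitelist 0-500, cPanel users spared, five minutes of grace).
SAMPLE_PS = """  PID   UID USER     ELAPSED COMMAND
    1     0 root       86400 init
 1500 32001 cpanel      3000 cpsrvd
 2210  1002 bob           40 ls
 2211  1002 bob         1800 perl
 2300  1003 alice       7200 httpd
"""
POLICY = Policy(users=frozenset({"mailnull", "mailman", "cpanel"}),
                names=frozenset({"mysqld"}), uid_range=(0, 500), grace=300)
```

`sweep(parse_ps(SAMPLE_PS), POLICY, log=sys.stderr)` reports bob's long-running perl and alice's unprivileged "httpd" while sparing root, cpanel and the 40-second ls.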
-
07-24-2005, 07:30 PM #18
> cron will email any details to you automatically,
If you've got the crons setup as they should be, with mailto output disabled (you REALLY don't want all that */5 spam, now do you?), then you're not going to see anything, unless the application actually mails the individuals.
It's a matter of preference and spam. I'd rather not be notified every 5 minutes when cron does something that it's supposed to do, such as showing mysql processes, because that's more crap for me to have to go through. If an application is configured properly, it will mail the output if necessary.
And cpanel is set up as the default first user in the system (in mine, 32001). There's more to it than that though, you need to make sure not to kill processes by mailnull (which were getting killed), mailman, etc. All of these are valid processes by the system.
-
07-24-2005, 08:56 PM #19 Junior Guru
Join Date: Apr 2005 | Location: Sweden | Posts: 241
If you get a lot of */5 (or whatever) spam, then the program you run isn't set up to be quiet on success anyway, which is wrong.
-
07-24-2005, 08:59 PM #20
That's not it at all. You're going to get output from anything, unless you specifically redirect output to /dev/null. The point is that mail should be handled inside of the script/application, not by cron.
-
07-24-2005, 09:07 PM #21 Junior Guru
Join Date: Apr 2005 | Location: Sweden | Posts: 241
Most little scripts and hacks you might have in your crontab usually can't send emails when they foul up, that's why you should have cron do it for you. They should be written so that they only produce output if something goes wrong. This is the whole idea with that, so you don't have to send emails yourself every time. That's what I believe, but you're free to feel different of course.
-
07-24-2005, 09:28 PM #22 Junior Guru
Join Date: Apr 2005 | Location: Sweden | Posts: 241
Never mind about the email thing, it doesn't really matter if it's in there I guess. I'll put it in my script for whoever wants it when I get a few minutes to spare.
-
07-24-2005, 10:12 PM #23 Newbie
Join Date: Mar 2005 | Location: Ekaterinburg, Russia | Posts: 26
Looks interesting, I will definitely give it a try later on, when it's more mature.