Back in July, http://ha.ckers.org/slowloris/ published an exploit against Apache and other web servers (go to the link for further) that takes advantage of multi-threaded applications. It works by tying up web server threads with partial HTTP requests, then sends TCP handshakes to keep the socket open. In general, multi-threaded web servers such as httpd, apache, and apache2 are vulnerable. IIS and most proxies are not vulnerable

CERT suggested using iptables to rate limit incoming port 80 requests. In general, this should be fine for many applications, though CERT has warned that some large clients behind NAT’s may be affected and thus the hitcount/time ratio should be adjusted according to your needs.

http://www.funtoo.org/en/security/slowloris/ offers tips on mitigating this attack by enabling delayed binding on hardware load balancers.

In short, it appears as though the consensus mitigation method involves connection restrictions in the form of iptables or apache modules (most are of limited value, frankly), or shielding the web servers behind load balancers (such as HA-Proxy).

This is very much a poorly written hack-job script, and I very much expect that some of you will be able to identify some serious n00b mistakes (probably in that I still haven’t figured out how to properly localize variables), but hey, I don’t think this is half bad for my first PERL script. Yes, PERL. I’ve already been lectured about learning Python instead, but while that’s definitely on the to-do list, this script needed finishing, and I was already halfway through. It’s a tool that’s customized for me, so please hack away, and let me know what you do, as I may like it too!

So, I present, for your consideration and for your critique (please do), ‘ch.pl’ v 0.1.

I generally alias ch=/usr/local/bin/ch.pl for this script in Linux and MacOS, as this lets me leave the file extension the same for when I use it in Windows. To use this in Windows, you’ll need to install PERL first. I use ActivePerl. However please note, I’m still working on making this script Windows friendly.

To install in Linux/MacOS:

• download ch.pl using FTP or wget to /usr/local/bin/
• chmod +x /usr/local/bin/ch.pl
• modify your ~/.bash_aliases file (ubuntu), or your ~/.bashrc (RedHat) to include the following:
  • ‘alias ch=/usr/local/bin/ch.pl’

Usage: ch [hostname or IP] [optional: port(s) to check, separated by commas]

ls -alh /boot/grub #the majority of files in this folder don’t change from the time of install except for menu.lst

ls -alh /restore #BSD

Windows:

Systeminfo #from the command line

- or –

CMD /K WMIC OS GET InstallDate

You’ll see the Operating System installation date (in WMI format). The first eight characters in that output gives you the installation date.

*Windows bit stolen from http://windowsxp.mvps.org/getosdate.htm

Overview: fdisk w/ a W95 partition table
mkdosfs

If you need the step by step, it’s below:

fdisk /dev/sd(whatever drive you want to reparition, ‘b’ in this case), then follow along:

The number of cylinders for this disk is set to 20023.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): m
Command action
a toggle a bootable flag
b edit bsd disklabel
c toggle the dos compatibility flag
d delete a partition
l list known partition types
m print this menu
n add a new partition
o create a new empty DOS partition table
p print the partition table
q quit without saving changes
s create a new empty Sun disklabel
t change a partition’s system id
u change display/entry units
v verify the partition table
w write table to disk and exit
x extra functionality (experts only)

Command (m for help): n

Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-20023, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-20023, default 20023):
Using default value 20023

Command (m for help): t
Selected partition 1
Hex code (type L to list codes): c
Changed system type of partition 1 to c (W95 FAT32 (LBA))

Command (m for help): p

Disk /dev/sdb: 164.6 GB, 164696555520 bytes
255 heads, 63 sectors/track, 20023 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x000f0136

Device Boot Start End Blocks Id System
/dev/sdb1 1 20023 160834716 c W95 FAT32 (LBA)

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: If you have created or modified any DOS 6.x
partitions, please see the fdisk manual page for additional
information.
Syncing disks.

root@sbrescue:/# mkdosfs /dev/sdb1
mkdosfs 3.0.1 (23 Nov 2008)
root@sbrescue:/# mount /dev/sdb1 /mnt
root@sbrescue:/# cd /mnt
root@sbrescue:/mnt# touch asdf
root@sbrescue:/mnt# ls
asdf
root@sbrescue:/mnt#

All done! =D

Well this isn’t one of those times, because this tool hit me from left field while I was researching ways to mitigate a DDoS attack. Though there are many, many ways to do it, if all you have is a Linux box facing the world with nothing to hide its private parts except iptables, then this “flexible (and fun)” toolset is another weapon you can deploy when you get that 2:30AM call saying “our website’s down and I think it’s being DDoS’d.”

The tool is a simple set of scripts that make adding and removing specific IP’s quick and simple. The main site of the author is at http://www.ibm.com/developerworks/library/l-fw/, or is available (hosted locally) here.

Once installed, you can simply ban/unban an IP by typing ipdrop {IP ADDRESS} {on|off}

While perusing this thread at webhostingtalk.com, member dynamicnet mentioned grep-ing for ridiculous levels of SYN_RECV ‘d connections (this is indicative of a TCP SYN Flood attack) and generating ipdrop commands for quick banning of a SYN Flood-ing IP’s. Though you may accidentally drop one or two legitimate IP’s (have a rule already in place so you don’t ban yourself out of a remote box), you’ll likely get the bulk of the attacking IP’s.

Use netstat -n -p|grep SYN_REC | wc -l to count how many SYN_RECV connections you have.

Use netstat -n -p | grep SYN_REC | awk '{print $5}' | sort -u | awk -F: '{print "ipdrop "$1 " on"}' to generate code to ban IP’s in SYN_RECV status.

Use cat /root/.dynfw-ipdrop |awk -F: '{print "ipdrop "$1" off"}' to generates code to “undrop” those IP’s.

##########################

Re: [sshfs] failed to open /dev/fuse: msg#00009
file-systems.fuse.sshfs
Subject: Re: [sshfs] failed to open /dev/fuse

David Liontooth wrote:

>I just installed the Debian version on an amd64 system with linux
>2.6.14. I loaded the fuse module from the (vanilla) kernel, but the
>/dev/fuse device node did not get created. I created it manually:
>
> mknod /dev/fuse c 0 0
> chown root.fuse /dev/fuse
> chmod 0666 /dev/fuse
>
>But this does not appear to be what sshfs needs:
>
> $ sshfs chi:/tv4 tv4
> fusermount: failed to open /dev/fuse: No such device or address
>
>I don’t think it’s a permissions issue — same response from user root.
>I’m not using udev (it thoroughly messes up my system). How do I do this
>manually?
>
>Dave
>
>
PS here’s what my kernel module says — don’t know why it’s not creating
/dev/fuse:

# modinfo fuse
filename: /lib/modules/2.6.14/kernel/fs/fuse/fuse.ko
alias: char-major-10-229
license: GPL
description: Filesystem in Userspace
author: Miklos Szeredi
depends:
vermagic: 2.6.14 SMP gcc-4.0

linux/Doc*/devices.txt has

10 char Non-serial mice, misc features
229 = /dev/fuse Fuse (virtual filesystem in user-space)

I have fuse-utils 2.4.0-1 and libfuse2
2.4.0-1

I tried creating

mknod -m 666 /dev/fuse c 10 229

OK — that seems to have done it! Nice.

It doesn’t show up in df, but the drive is mounted (with “sshfs
machine:/dir mountpoint”.
It unmounts with “fusermount -u mountpoint”.

Great stuff. Worth adding the device node creation instructions in the
man page or somewhere though.

Dave

##########################

PS. Almost forgot. Once you install the PAM module and lock down SSH for your admin accounts, don’t forget to disable su for your normal users. They shouldn’t need it anyways, but if it is enabled, then all someone has to do is crack a normal user account and su into your admin account, without having to get a hold of your passcode card.