Here I would like to explain how an administrator can find out whether his Apache server is under attack.
1. First, check the load on the server
top -u apache (here apache is the web server user)
Tasks: 126 total, 1 running, 125 sleeping, 0 stopped, 0 zombie
Cpu(s): 3.8%us, 0.7%sy, 0.0%ni, 94.3%id, 1.1%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 1027224k total, 927296k used, 99928k free, 46428k buffers
Swap: 3004112k total, 0k used, 3004112k free, 410736k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
5573 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2
5575 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2
5576 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2
5577 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2
5578 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2
This is the normal state of Apache. If the CPU usage is increasing, take care: you are in trouble.
2. Check the number of running Apache processes
ps -ef | grep '[a]pache' | wc -l (the [a] keeps the grep process itself out of the count)
If you get a number below 50, no problem. Otherwise, something nasty is happening.
3. Check how many connections there are to port 80
netstat -tn | awk '$4 ~ /:80$/' | wc -l
If the number goes beyond 100, an attacker is closely watching your servers.
4. Check the foreign IPs connected to your server
netstat -tn
You may see that the same IP or IP range is connected to your web port (80). If you do a DNS lookup on those IPs and find that they all come from a DHCP pool, it means ATTACK.
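To make step 4 easier to read off, here is an added example (not part of the original post) that groups netstat -tn output by foreign IP for one local port. The function names conns_per_ip and over_threshold are hypothetical, and the sample connection table uses constructed documentation addresses.

```shell
#!/bin/sh
# Added example: per-IP connection counts from `netstat -tn` output.
# On a live host: netstat -tn | conns_per_ip 80

# conns_per_ip PORT: reads `netstat -tn` output on stdin and prints
# "<count> <foreign-ip>" for connections to local PORT, busiest first.
conns_per_ip() {
    awk -v port="$1" '
        $1 ~ /^tcp/ {
            # $4 = local addr:port, $5 = foreign addr:port
            n = split($4, l, ":")
            if (l[n] != port) next          # keep only our web port
            ip = $5
            sub(/:[0-9]+$/, "", ip)         # drop the foreign port
            sub(/^::ffff:/, "", ip)         # fold IPv4-mapped IPv6 into IPv4
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# over_threshold PORT LIMIT: prints only the IPs holding more than LIMIT
# connections. LIMIT is the operator's choice, not a value from the post.
over_threshold() {
    conns_per_ip "$1" | awk -v limit="$2" '$1 > limit { print $2 }'
}

# Constructed sample, not captured from a real server.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.20:40112      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.99:50022      ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:51237 TIME_WAIT
EOF
}

sample_netstat | conns_per_ip 80
```

The SSH connection on port 22 is ignored, and the IPv4-mapped tcp6 line is counted together with the plain IPv4 entries for the same client.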