-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 17 July 2004 20:40, Jonathan T. Steadman wrote:
> Sorry this is yet another lame question, but I am new to hosting web
> server etc. just kinda experimenting actually and in my logs I came
> across some garbage (it's at the bottom of this email) what do you do

Interesting... I had a guy from interbusiness.it doing the same on a server
of mine.

I had already added this to /etc/crontab

10 * * * * root hostname ; date; txf ; top -b -n1 ; tail /var/log/messages

I also changed the MAILTO line to this in the same file

MAILTO=andy@xxxxxxxxxxx

and set up postfix to be able to send mail (but not receive it in this case).

I saved this as /usr/bin/txf and made it executable

#!/bin/bash
# Byte counters for eth0 from /proc/net/dev. After the colon, field 1 is
# RX bytes and field 9 is TX bytes; strip the leading blanks and squeeze
# the rest so the field numbers hold whatever the column widths are.
RX=`cat /proc/net/dev | grep 'eth0:' | cut -d: -f2 | sed 's/^ *//' | tr -s ' ' | cut -d' ' -f1`
TX=`cat /proc/net/dev | grep 'eth0:' | cut -d: -f2 | sed 's/^ *//' | tr -s ' ' | cut -d' ' -f9`

# Counter values seen at the previous run (0 on the first run).
if [ -e /var/cache/txf-rx-last ] ; then
    RXOLD=`cat /var/cache/txf-rx-last`
else
    RXOLD=0
fi
if [ -e /var/cache/txf-tx-last ] ; then
    TXOLD=`cat /var/cache/txf-tx-last`
else
    TXOLD=0
fi

# Running totals that survive a reboot (0 until the first run has written them).
if [ -e /var/cache/txf-rx-nonvolatile ] ; then
    RXNV=`cat /var/cache/txf-rx-nonvolatile`
else
    RXNV=0
fi
if [ -e /var/cache/txf-tx-nonvolatile ] ; then
    TXNV=`cat /var/cache/txf-tx-nonvolatile`
else
    TXNV=0
fi

# Add this hour's delta to the running totals.
echo $(( ($RX-$RXOLD) + ($RXNV) )) >/var/cache/txf-rx-nonvolatile
echo $(( ($TX-$TXOLD) + ($TXNV) )) >/var/cache/txf-tx-nonvolatile

# Report in MB: since the totals were started, since boot, since the last run.
printf "since Month Reboot Last Check\n"
printf " RX: %8dMB %8dMB %8dMB\n" $((($RXNV+($RX-$RXOLD))/1000000)) $(($RX/1000000)) $((($RX-$RXOLD)/1000000))
printf " TX: %8dMB %8dMB %8dMB\n" $((($TXNV+($TX-$TXOLD))/1000000)) $(($TX/1000000)) $((($TX-$TXOLD)/1000000))
printf "TOTAL: %8dMB %8dMB %8dMB\n" $((($RXNV+($RX-$RXOLD)+$TXNV+($TX-$TXOLD))/1000000)) $((($RX+$TX)/1000000)) $(((($TX+$RX)-($TXOLD+$RXOLD))/1000000))

# Remember the current counters for the next run.
echo $RX >/var/cache/txf-rx-last
echo $TX >/var/cache/txf-tx-last

I'm not saying the program list is optimal, but with it I get hourly
notifications:

1) That my remote server is up - this already allowed me to contact my host
a few minutes after it missed a mail and to complain about lost connectivity
quickly.

2) To see what the bandwidth is like. On my host there is a generous monthly
allocation and then it starts costing bodyparts. This allows me to track hour
by hour what's happening. I can catch a DDoS inside an hour if I'm awake or
within a few hours if I'm asleep, either way before it can do any real damage
to the bandwidth allowance. (You can expect 2-4MBytes/hr bandwidth even if
you are doing nothing, from ARP and router traffic on the same subnet.)

3) To catch runaway processes. I made a mistake in a batch file that runs as
a cron job; the jobs never completed and started piling up. top will show
such things up, as well as memory leaks, the swap situation and so on.

4) tail /var/log/messages caught the failed ssh login attempts on the next
hourly check-in. I moved sshd to another, unusual port and since then I
haven't seen anything.

Another powerful technique is to use iptables to filter on source address;
unfortunately for ssh this is not very safe, in case you are unable to make
contact from that source IP for some reason. But if you expect email from
only one upstream server, for example, filtering on source IP is
ultrapowerful since spammers get dropped but your real mail keeps on
trucking.

Logwatch should also send you stuff daily.

With this level of email contact from the server, and the nightly yum service
set up, you can have some confidence that the server is still up and happy,
and in a bad case get a fast idea that there is a problem. (Of course if you
are hacked by a smart guy, there is nothing you can do, and he will probably
leave everything else running anyway to avoid detection). The hassle of
getting the emails is low since 99% of the time you glance and delete since
all is well.

For your particular case, there is a very low chance you were broken into
successfully, since even an idiot would have scrubbed the logs.

- -Andy

- --
Automatic actions for USB cameras, cardreaders, memory sticks, MP3 players
http://warmcat.com/usbautocam
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA+aIojKeDCxMJCTIRAldkAJ45GKvT87MkifFgX9H1kpU1GA+0/gCfYWz0
gwc0jFguoklednNzZcyS7fU=
=5k/u
-----END PGP SIGNATURE-----
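The hourly check Andy describes, as an added example that is not part of his mail or of any tool it mentions: the same /proc/net/dev accounting, reworked so the interface and the input file are arguments (so it runs offline on constructed snapshots), so a counter that went backwards after a reboot counts as a reset rather than writing a negative delta into the running total, and with the "tail /var/log/messages" step reduced to a per-address count of failed sshd logins. The function names, the state-directory layout, the 50 MB/h limit, the sample snapshots and the syslog lines (documentation addresses) are all assumptions made for this example, not values from the mail.

```shell
#!/bin/bash
# Added example, not from the original mail. Hourly traffic accounting in the
# spirit of the txf script plus a failed-login count; names, state layout,
# limit and all sample data below are constructed for the example.

# Print "RX_BYTES TX_BYTES" for interface $2 from the /proc/net/dev-format
# file $1; exit 1 if the interface is absent. awk's default field splitting
# ignores leading blanks, which a cut-based pipeline does not.
read_counters() {
    awk -v iface="$2" '
        {
            sub(/^ */, "")                         # strip leading blanks
            if (index($0, iface ":") != 1) next    # want "eth0:..." exactly
            sub(/.*:/, "")                         # drop the "eth0:" prefix
            print $1, $9                           # RX bytes, TX bytes
            found = 1
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# Bytes moved since the previous sample. A counter lower than last time has
# restarted from zero (reboot, wrap), so everything on it is new traffic.
delta() {   # args: current previous
    if [ "$1" -ge "$2" ]; then echo $(( $1 - $2 )); else echo "$1"; fi
}

# Update the state files under directory $3 for interface $2 and print
# "iface hourly_rx hourly_tx total_rx total_tx" in bytes. The first run counts
# everything since boot, as txf does; removing the *-total files (e.g. from a
# monthly cron job) restarts the running total.
account() {   # args: procnetdev_file iface statedir
    local dir="$3" counters rx tx rxold txold rxtotal txtotal drx dtx
    mkdir -p "$dir"
    counters=$(read_counters "$1" "$2") || return 1
    rx=${counters% *}; tx=${counters#* }
    rxold=$(cat "$dir/rx-last" 2>/dev/null || echo 0)
    txold=$(cat "$dir/tx-last" 2>/dev/null || echo 0)
    rxtotal=$(cat "$dir/rx-total" 2>/dev/null || echo 0)
    txtotal=$(cat "$dir/tx-total" 2>/dev/null || echo 0)
    drx=$(delta "$rx" "$rxold"); dtx=$(delta "$tx" "$txold")
    rxtotal=$(( rxtotal + drx )); txtotal=$(( txtotal + dtx ))
    echo "$rx" >"$dir/rx-last";       echo "$tx" >"$dir/tx-last"
    echo "$rxtotal" >"$dir/rx-total"; echo "$txtotal" >"$dir/tx-total"
    echo "$2 $drx $dtx $rxtotal $txtotal"
}

# Exit 0 if one hour's RX+TX is at or under the limit (bytes), 1 otherwise.
# The mail puts idle background traffic at 2-4 MB/h, so a limit well above
# that flags the kind of surge the hourly mail is meant to catch.
within_limit() {   # args: hourly_rx hourly_tx limit_bytes
    [ $(( $1 + $2 )) -le "$3" ]
}

# Count "Failed password" sshd lines per source address, most frequent first.
failed_logins() {   # arg: log file in syslog format
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") hits[$(i + 1)]++
         }
         END { for (a in hits) print hits[a], a }' "$1" | sort -rn
}

# Constructed sample data: three snapshots (the third after a reboot) and a
# few syslog lines. Nothing here is a real capture.
SAMPLE=$(mktemp -d); trap 'rm -rf "$SAMPLE"' EXIT
netdev() {   # args: file rx_bytes tx_bytes
    cat >"$1" <<EOF
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: $2   40000    0    0    0     0          0         0 $3   30000    0    0    0     0       0          0
EOF
}
netdev "$SAMPLE/netdev-1" 5000000 2000000
netdev "$SAMPLE/netdev-2" 5600000 2300000
netdev "$SAMPLE/netdev-3"  100000   50000
cat >"$SAMPLE/messages" <<'EOF'
Jul 17 20:41:02 web sshd[1201]: Failed password for root from 203.0.113.7 port 4022 ssh2
Jul 17 20:41:05 web sshd[1201]: Failed password for root from 203.0.113.7 port 4022 ssh2
Jul 17 20:41:09 web sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 4031 ssh2
Jul 17 20:52:31 web sshd[1210]: Failed password for andy from 198.51.100.5 port 51022 ssh2
Jul 17 20:52:40 web sshd[1210]: Accepted publickey for andy from 198.51.100.5 port 51022 ssh2
EOF

LIMIT=$(( 50 * 1024 * 1024 ))   # 50 MB/h, a constructed threshold
for snap in 1 2 3; do
    line=$(account "$SAMPLE/netdev-$snap" eth0 "$SAMPLE/state")
    set -- $line
    if within_limit "$2" "$3" "$LIMIT"; then status=ok; else status=ALERT; fi
    echo "$line  (hourly limit: $status)"
done
echo "failed sshd logins per source:"
failed_logins "$SAMPLE/messages"
```

Run as-is it prints the three accounting lines (the third showing the post-reboot delta of 100000/50000 bytes added to the total instead of a negative number) and the per-address login failures. In a crontab it would replace `txf`, with `/proc/net/dev` as the first argument and a persistent directory such as `/var/cache` as the third.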