Cool Dba

Showing posts with label Linux. Show all posts

Monday, June 6, 2016

Complete uninstallation of Mysql Server on centos

 Anil Joshi     1:18 AM     Installation, Linux     No comments   



Step 1: List the MySQL RPM packages installed on the server


rpm -qa | grep mysql
or
yum list installed | grep mysql


Step 2: Remove all MySQL-related packages with yum


yum remove mysql-client mysql-server mysql-common mysql-devel


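Step 3: Delete the data directory and the configuration file. This permanently removes every database stored under /var/lib/mysql, so take a backup first if the data is still needed.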


rm -rf /var/lib/mysql/
rm -rf /etc/my.cnf


Congratulations! You have successfully removed MySQL.


Sunday, May 29, 2016

Finding and preventing ddos attack on Linux Server

 Anil Joshi     11:15 PM     Linux, Security     No comments   


A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems flooding the targeted system with traffic. A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, for example by temporarily or indefinitely interrupting or suspending the services of a host connected to the Internet.

Check for a DDoS attack

netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

This command lists the remote IPs connected to your server together with the number of connections each one holds, sorted so that the IPs with the most connections appear last.

DDoS attacks become more complex when attackers use fewer connections from a larger number of attacking IPs. In such cases you will see a low number of connections per IP even when your server is under DDoS. One important thing to check is the number of active connections your server currently has, by executing the commands below:

netstat -n | grep :80 | wc -l

netstat -n | grep :80 | grep SYN | wc -l

The number of active connections reported by the first command will vary, but if it shows more than 500 connections, you will definitely be having problems. If the result of the second command is 100 or above, you are having problems with a SYN attack.
The following command is useful for finding out how many connections in the SYN_RECV state are active on the server. The number should be pretty low, preferably less than 5. During DoS attack incidents or mail bombs, the number can jump quite high. However, the value always depends on the system, so a value that is high on one server may be average on another.

netstat -n -p|grep SYN_REC | wc -l

netstat -n -p | grep SYN_REC | sort -u
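
An added example, not part of the original post: the per-IP count and the SYN_RECV count from the pipelines above written as two shell functions that keep IPv6 peers intact (cut -d: -f1 truncates them) and match the local port exactly, so :8080 is not counted as :80. The sample input is constructed and uses documentation addresses; the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Constructed sample of `netstat -ant` output (documentation addresses only).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51512      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51513      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51514      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40000       ESTABLISHED
tcp        0      0 192.0.2.10:8080         203.0.113.9:40001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.5:40002       ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::bad:51000     SYN_RECV
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:52000 TIME_WAIT
EOF
}

# Connections per remote address for one local port, busiest first.
# Splits on the LAST colon so IPv6 peers are not truncated, and compares the
# local port exactly so :8080 is not counted as :80.
conns_per_ip() {   # usage: netstat -ant | conns_per_ip 80
  awk -v port="$1" '
    $1 ~ /^tcp/ && $6 != "LISTEN" {
      lp = $4; sub(/.*:/, "", lp)            # local port
      if (lp != port) next
      ip = $5; sub(/:[^:]*$/, "", ip)        # remote address without port
      sub(/^::ffff:/, "", ip)                # fold IPv4-mapped IPv6
      n[ip]++
    }
    END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Number of half-open (SYN_RECV) connections on one local port.
syn_recv_count() {   # usage: netstat -ant | syn_recv_count 80
  awk -v port="$1" '
    $6 == "SYN_RECV" { lp = $4; sub(/.*:/, "", lp); if (lp == port) c++ }
    END { print c + 0 }'
}

# Demo on the constructed sample; on a live host pipe `netstat -ant` instead.
sample_netstat | conns_per_ip 80
echo "SYN_RECV on :80: $(sample_netstat | syn_recv_count 80)"
```

Folding the ::ffff: prefix matters on dual-stack listeners, where the same IPv4 client otherwise shows up under two different keys and each count looks smaller than it is.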

Once you find the IP attacking your server, you can easily block it. Fire the following command to block that IP or any other specific IP:

Check whether the IP is blocked by using the following command:

route -n |grep IPaddress

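You can also block an IP with iptables on the server by using the following command (use REJECT in place of DROP to send an error back to the sender instead of silently discarding the packets).

iptables -I INPUT 1 -s IPADDRESS -j DROP

Save the rule before restarting the service, otherwise the restart reloads the saved rule set and the new rule is lost:

service iptables save

service iptables restart

After running the above commands, kill all httpd connections and then restart the httpd service by using the following commands: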

killall -KILL httpd

service httpd startssl



Friday, May 27, 2016

Tracing the execution of processes using strace

 Anil Joshi     12:47 AM     Linux, Mysql, sql tricks, Strace     No comments   


Strace is quite simply a tool that traces the execution of system calls. It can trace the execution of a binary from start to end, and output a line of text with the name of the system call, the arguments and the return value for every system call over the lifetime of the process.

1. Find out which config files a program reads on startup
strace php 2>&1 | grep php.ini
open("/usr/local/bin/php.ini", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/php.ini", O_RDONLY) = 4
lstat64("/usr/local/lib/php.ini", {st_mode=S_IFLNK|0777, st_size=27, ...}) = 0
readlink("/usr/local/lib/php.ini", "/usr/local/Zend/etc/php.ini", 4096) = 27

lstat64("/usr/local/Zend/etc/php.ini", {st_mode=S_IFREG|0664, st_size=40971, ...}) = 0

2. What is that process doing RIGHT NOW?
Ever had a process suddenly eating lots of CPU? Or had a process seem to be hanging? Then you find the pid, and do this:
root@dev:~# strace -p 15427
Process 15427 attached - interrupt to quit
futex(0x402f4900, FUTEX_WAIT, 2, NULL
Process 15427 detached

3. MySQL with strace
Start the MySQL daemon
service mysqld start

Attach strace to mysqld
ps -elf | grep mysqld    # find the PID of mysqld, for example 1234

sudo strace -p 1234 -f   # -f also follows the threads and child processes of mysqld



Thursday, May 26, 2016

SELinux mechanism in linux environment.

 Anil Joshi     11:22 PM     Linux, Security, SELinux     No comments   




Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel. SELinux was first introduced in CentOS 4 and significantly enhanced in later CentOS releases. 

SELinux follows the model of least privilege more closely. By default, under a strict enforcing setting, everything is denied, and then a series of exception policies is written that gives each element of the system only the access it requires to function. If a service, program or user subsequently tries to access or modify a file or resource that it does not need in order to function, access is denied and the action is logged.

SELinux has three basic modes of operation discussed below:
  • Enforcing: The default mode which will enable and enforce the SELinux security policy on the system, denying access and logging actions
  • Permissive: In Permissive mode, SELinux is enabled but will not enforce the security policy, only warn and log actions. Permissive mode is useful for troubleshooting SELinux issues
  • Disabled: SELinux is turned off

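Some useful commands for working with SELinux:

1. Check SELinux status

sestatus

2. Check that the port is open

netstat -tlpn | grep 3306

3. Check which SELinux port type is assigned to the port

semanage port -l | grep 3306

4. Open a port in SELinux

semanage port -a -t mysqld_port_t -p tcp 3306

5. Drop a port in SELinux

semanage port -d -t mysqld_port_t -p tcp 3306

The type passed with -t must be the one that belongs to the service using the port, which for MySQL is mysqld_port_t rather than the web server's http_port_t. The default targeted policy already assigns 3306 to that type, so commands 4 and 5 are needed only when MySQL listens on a non-default port; substitute that port number for 3306.

6. Check the audit log for SELinux messages about MySQL

grep -i "mysql" /var/log/audit/audit.log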
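
An added example, not part of the original post: when SELinux blocks a service from listening on a port, the audit log records an AVC denial with the name_bind permission, and the function below summarises those records so that the port and the process domain to pass to semanage are visible at a glance. The log lines are constructed samples and the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Constructed sample of /var/log/audit/audit.log lines.
sample_audit() {
cat <<'EOF'
type=AVC msg=audit(1464286920.101:310): avc:  denied  { name_bind } for  pid=2101 comm="mysqld" src=3307 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1464286925.412:311): avc:  denied  { name_bind } for  pid=2140 comm="mysqld" src=3307 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1464286990.007:320): avc:  denied  { read } for  pid=2140 comm="mysqld" name="my.cnf" dev=dm-0 ino=1234 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1464287011.550:333): avc:  denied  { name_bind } for  pid=2301 comm="httpd" src=8899 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1464287011.550:333): arch=c000003e syscall=49 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
EOF
}

# Summarise denied port binds as: count process port source-domain port-type
# Only AVC records with the name_bind permission are counted; file denials
# and SYSCALL records are ignored.
denied_port_binds() {   # usage: denied_port_binds < /var/log/audit/audit.log
  awk '
    /type=AVC/ && /denied/ && /name_bind/ {
      comm = port = sdom = ttype = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; gsub(/comm=|"/, "", comm) }
        if ($i ~ /^src=/)      { port = substr($i, 5) }
        if ($i ~ /^scontext=/) { split($i, a, ":"); sdom = a[3] }
        if ($i ~ /^tcontext=/) { split($i, b, ":"); ttype = b[3] }
      }
      seen[comm " " port " " sdom " " ttype]++
    }
    END { for (k in seen) print seen[k], k }' | sort -k1,1nr -k2
}

# Demo on the constructed sample.
sample_audit | denied_port_binds
```

A line such as "2 mysqld 3307 mysqld_t port_t" says that mysqld, running in the mysqld_t domain, was refused a bind to port 3307 because that port carries the generic port_t label.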

Hope this brings some basic understanding of SELinux!
