# Detect if an attack is in progress…
netstat -plant
– Filtra per IP
netstat -plant |grep -c 185.11.147.63
– Filtra per utente hosting
ps faux |grep paganico
# Counts connections for IP [ottimo modo per contare le sessioni per IP]
netstat -anp |grep 'tcp|udp' | awk '{print $5}' | sed s/::ffff:// | cut -d: -f1 | sort | uniq -c | sort -n
# Sessions count for IP
netstat -nA inet |awk '/^[ut]/{split($5,a,":");print a[1]}'|sort |uniq -c |sort -n
#To view the total number of connections to a port, run the following command in ssh
netstat -tuna | awk -F':+| +' 'NR>2{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
#To view the total number of connections from a single ip, run the following command in ssh
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
#Show number of connections by state
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
#Show all IPs connected
netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq
#Show number of connections per IP
netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
#Per installare CSF su cPanel
To install CSF, run the following at the command line as the root user:
#wget http://configserver.com/free/csf.tgz
#tar -xzf csf.tgz
#cd csf & ./install.cpanel.sh
To configure CSF, use WHM's ConfigServer & Firewall interface (Home >> Plugins >> ConfigServer & Firewall).
SYNFLOOD = “1″
SYNFLOOD_RATE = “30/s”
SYNFLOOD_BURST = “10″
PORTFLOOD = 80;tcp;100;5,22;tcp;5;300
CT_LIMIT = 50 (25 forse è meglio)
CT_INTERVAL = 30
CT_PORTS = 80,443 (non mettere niente per tutte le porte)
Porte configurate attualmente sui server cPanel
TCP_IN = 20,21,22,25,26,53,80,110,143,443,465,587,783,990,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,30000:50000
TCP_OUT = 20,21,22,25,26,37,43,53,80,111,113,443,465,587,873,990,2049,2077,2078,2079,2080,2089,2195,2703,30000:50000
UDP_IN = 53,161,465,783
UDP_OUT = 53,111,123,161,465,873,2049,20048,30000,33434:33523
| Port | Service | TCP | UDP | Inbound | Outbound | Notes |
| 1 | CPAN | X | X | The Show Available Modules option in cPanel's Perl Modules interface (cPanel >> Home >> Software >> Perl Modules) uses this port to improve the speed in which it appears. | ||
| 20 | FTP | X | X | X | ||
| 21 | FTP | X | X | X | ||
| 22 | SSH | X | X | (X) | ||
| 25 | SMTP | X | X | X | ||
| 26 | SMTP | X | X | X | ||
| 37 | rdate | X | X | |||
| 43 | whois | X | X | |||
| 53 | bind | X | X | X | X | |
| 80 | http | X | X | X | ||
| 110 | POP3 | X | X | |||
| 111 | NFS Sun | X | X | X | ||
| 113 | ident | X | X | |||
| 143 | IMAP | X | X | |||
| 443 | https | X | X | X | ||
| 465 | STMP, SSL/TLS | X | X | X | X | |
| 579 | cPHulk | |||||
| 783 | Apache SpamAssassin | X | X | X | ||
| 873 | rsync | X | X | X | ||
| 993 | IMAP SSL | X | X | |||
| 995 | POP3 SSL | X | X | |||
| 2049 | NFS Sun | X | X | |||
| 2703 | Razor | X | X | |||
| 2077 | WebDAV | X | X | X | ||
| 2078 | WebDAV SSL | X | X | X | ||
| 2079 | CalDAV and CardDAV | X | X | X | ||
| 2080 | CadDAV and CardDAV SSL | X | X | X | ||
| 2082 | cPanel | X | X | |||
| 2083 | cPanel SSL | X | X | |||
| 2086 | WHM | X | X | |||
| 2087 | WHM SSL | X | X | |||
| 2089 | cPanel Licensing | X | X | |||
| 2095 | WebMail | X | X | |||
| 2096 | WebMail SSL | X | X | |||
| 2195 | APNs | X | X | |||
| 3306 | MySQL | X | (X) | |||
| 6277 | DCC | X | X | X | X | |
| 30000:50000 | FTP Passive mode pool | X | X | X | ||
| 33434:33523 | Traceroute pool | X | X | |||