I Install the lotrotate from ports
cd /usr/ports/sysutils/logrotate
make install clean
II Create a new logrotate.conf file.
vi /usr/local/etc/logrotate.conf
# Added the following to rotate Apache and Squid logs
# see “man logrotate” for details
# rotate log files weekly
#weekly
daily
# keep 4 weeks worth of backlogs
rotate 7
# send errors to root
#errors root
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
compress
# RPM packages drop log rotation information into this directory
include /usr/local/etc/logrotate.d
/var/log/lastlog {
monthly
rotate 12
}
# system-specific logs may be configured here
III Create a directory for specific logrotate files
mkdir -p /usr/local/etc/logrotate.d
VI. First, create a logrotate file for Squid to rotate it’s access.log files for 90 days and cache.log for 7 days.
cd /usr/local/etc/logrotate.d/
vi /usr/local/etc/logrotate.d/squid
#Copy and paste the following
/var/log/squid/access.log {
daily
rotate 90
copytruncate
compress
notifempty
missingok
}
/var/log/squid/cache.log {
daily
rotate 7
copytruncate
compress
notifempty
missingok
}
V. Create the necessary directories and files for logrotate and test and debug logrotate
mkdir /var/lib/
touch /var/lib/logrotate.status
/usr/local/sbin/logrotate -d /usr/local/etc/logrotate.conf
/usr/local/sbin/logrotate -f /usr/local/etc/logrotate.conf
VI. Next, we will rotate and manage Apache logs
vi /usr/local/etc/logrotate.d/apache
#Add the following to rotate and manage Apache access_log and error_log for 30 days.
#Note: If your Apache logs may be in a different directory, simply change the directory.
/var/log/apache/access_log {
daily
rotate 30
copytruncate
compress
notifempty
missingok
}
/var/log/apache/error_log {
daily
rotate 30
copytruncate
compress
notifempty
missingok
}
If all goes well, that’s it. Your Apache and Squid logs should be rotated.
The last thing is to add an entry into crontab and letting the cron daemon rotate your Apache and Squid logs automatically.
VII. Automating logrotate using crontab
vi /etc/crontab
#Add the following to rotate your logs at 1 AM in the morning
#Logrotate
0 1 * * * root /usr/local/sbin/logrotate /usr/local/etc/logrotate.conf > /dev/null 2>&1
That’s it. Your Apache and Squid logs will be rotating without manual intervention!!
Sunday, June 20, 2010
pf
Hammering those Hammers
If your server gets under attack what can be done and how we will be able to prevent server going down with hammering from the attackers
Few simeple steps with pf can do magic instead of some high fi pocket crashing firewalls
Say the server we want to protect is our web server
Add the following to the /etc/pf.conf
# Ok all the attackers goes to presistant mode with a file in /etc/pf.blocklist so
table persist file "/etc/pf.blocklist"
# block all incoming connections from attackers on FTPD
block in quick on $ext_if from
# Let us allow FTP with bruteforce protection
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 80 keep state (max-src-conn-rate 5/40, overload flush global)
So what the previous lines gona do
i.e if any ip produces more than 5 connections in 40 seconds time, that ip gona end up in pf table of hammers and who are in pf table of hammers are blocked with block in command bfore that
But this work as long as system doesnt restart or pf looses the table so lets make it permamnet by adding it to rc.shutdown
# echo '/sbin/pfctl -t ftp-attacks -T show > /etc/pf.blocklist' >> /etc/rc.shutdown
Woah next time even if the system reboots we have the list of those guys who tried to hammer our web server
See how easy and cool it is
Yes ofcoz I came across from the net and used it for my purpose
If your server gets under attack what can be done and how we will be able to prevent server going down with hammering from the attackers
Few simeple steps with pf can do magic instead of some high fi pocket crashing firewalls
Say the server we want to protect is our web server
Add the following to the /etc/pf.conf
# Ok all the attackers goes to presistant mode with a file in /etc/pf.blocklist so
table
# block all incoming connections from attackers on FTPD
block in quick on $ext_if from
# Let us allow FTP with bruteforce protection
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 80 keep state (max-src-conn-rate 5/40, overload
So what the previous lines gona do
i.e if any ip produces more than 5 connections in 40 seconds time, that ip gona end up in pf table of hammers and who are in pf table of hammers are blocked with block in command bfore that
But this work as long as system doesnt restart or pf looses the table so lets make it permamnet by adding it to rc.shutdown
# echo '/sbin/pfctl -t ftp-attacks -T show > /etc/pf.blocklist' >> /etc/rc.shutdown
Woah next time even if the system reboots we have the list of those guys who tried to hammer our web server
See how easy and cool it is
Yes ofcoz I came across from the net and used it for my purpose
Subscribe to:
Posts (Atom)
