How to find and kill Abusers on OpenVZ Linux hosted Virtual Machines (A few bash scripts to protect an OpenVZ CentOS server from script kiddies and ease the daily admin job)

Friday, 22nd July 2011

OpenVZ Logo - Anti Denial Of Service shell scripts

These days I'm managing a number of OpenVZ Virtual Machine host servers, so I'm constantly facing problems with users who run malicious scripts inside their Linux Virtual Machines.

Commonly the user Virtual Servers are used as a launchpad to attack other hosts, to carry out illegal hacking activities, or simply to DDoS a host.
The virtual machine users (whose containers run on top of CentOS OpenVZ Linux) launch Denial of Service tools like kaiten.pl, trinoo, shaft, tfn etc.

As a consequence of their malicious activities, the Data Centers which colocate the servers often either null-route our server IPs until we suspend the abusive users, or the servers simply go down because of overload or because a kernel bug is hit as a result of the heavy TCP/IP network traffic or CPU/memory overhead.

Therefore, to mitigate these abusive attacks, I've written a few bash shell scripts which save us a lot of manual check-ups and in most cases prevent abusers from running the common DoS and "hacking" scripts which are now in the wild.

The first script I've written is kill_abusers.sh. What the script does is automatically look for a number of listed process names, kill them, and log to /var/log/abusers.log the names of the abusive VM user processes it killed.

I've set this script to run 4 times an hour (every 15 minutes, from root's crontab on the hardware node) and it currently saves us a lot of nerves and useless ticket communication with the Data Centers (DCs), not to mention that reboot requests (about hung servers) have been reduced significantly.
So, despite the script's simplicity, in general it makes the servers run way more stable than before.

Here is the OpenVZ kill/suspend abusers procs script kill_abusers.sh, ready for download

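To show what a sweep like kill_abusers.sh has to get right, here is an added example written for this page; it is not the author's downloadable script. It takes the PROCS list the author posts in the comments, matches process names exactly instead of as substrings (a `pgrep -f exploit` would also kill a process called exploited-server, and a `ps | grep kaiten` matches the grep itself), records the OpenVZ container ID next to every kill, and only sweeps when started with a `run` argument, which is this example's own convention. It assumes an OpenVZ kernel, which reports a process's container as the `envID:` line of /proc/<pid>/status, and the /var/log/abusers.log path from the post.

```shell
#!/bin/sh
# Added example of a kill_abusers.sh-style process sweep for an OpenVZ
# hardware node. Illustration code, not the author's script.
# Assumed: OpenVZ kernels report the container ID of a process as the
# "envID:" line in /proc/<pid>/status (0 for the node itself); the log
# path is the one the post names.

PROCS='ircd kaiten dos.pl exploit msfconsole ddos tfn-child tfn-daemon trinoo slap.pl brute pscan2 SpyEyeCollector'
LOGFILE="${LOGFILE:-/var/log/abusers.log}"

# match_abusive_procs LIST
# Reads "PID COMM ARGS..." lines on stdin (the layout of `ps -eo pid,comm,args`)
# and prints "PID NAME" for each process whose command name, or the script
# it runs under an interpreter, is exactly one of the names in LIST.
# Exact basename matching is deliberate: a substring match such as
# `pgrep -f exploit` would also kill /opt/exploited-server, and
# `ps | grep kaiten` would match the grep (and this script) itself.
match_abusive_procs() {
    awk -v list="$1" '
    BEGIN {
        n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1
        n = split("perl python python2 php sh bash", b, " ")
        for (i = 1; i <= n; i++) interp[b[i]] = 1
    }
    NR == 1 && $1 == "PID" { next }              # tolerate a ps header line
    {
        pid = $1; comm = $2; cmd = $3; arg = $4
        sub(/.*\//, "", comm); sub(/.*\//, "", cmd); sub(/.*\//, "", arg)
        if (comm in want)                     { print pid, comm; next }
        if (cmd in want)                      { print pid, cmd;  next }
        if ((cmd in interp) && (arg in want)) print pid, arg    # "perl slap.pl ..."
    }'
}

# ctid_of PID: container the process belongs to, empty if unknown.
ctid_of() {
    awk '/^envID:/ { print $2 }' "/proc/$1/status" 2>/dev/null
}

# kill_abusers: sweep the whole node, log each hit with its CTID, then SIGKILL.
kill_abusers() {
    ps -eo pid=,comm=,args= | match_abusive_procs "$PROCS" |
    while read -r pid name; do
        [ "$pid" = "$$" ] && continue                 # never kill ourselves
        ctid=$(ctid_of "$pid"); : "${ctid:=unknown}"
        printf '%s killed pid=%s ctid=%s proc=%s\n' \
            "$(date '+%F %T')" "$pid" "$ctid" "$name" >> "$LOGFILE"
        kill -9 "$pid" 2>/dev/null
    done
}

# Only sweep when explicitly asked (e.g. from cron), so the functions can be
# sourced or tested without touching live processes. "run" is this example's own flag.
if [ "${1:-}" = "run" ]; then
    kill_abusers
fi
```

Run it from the hardware node's root crontab as `*/15 * * * * /root/kill_abusers.sh run` to get the four sweeps an hour described above. A name list only catches tools run under their well-known names; an abuser who renames kaiten.pl is invisible to it, so the CTID column in the log is the useful part: a container that keeps showing up is a candidate for `vzctl stop CTID` and a ticket rather than another round of kills.
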
Another script which I've written later on does something similar and still different: it scans the server hard disk using the locate and find commands and tries to identify users who have script-kiddie programs in their Virtual Machines and are therefore most probably crackers.
The script looks for abusive network scanners, DoS scripts, the Metasploit framework, IRCds etc.

After scanning the server HDD, it lists only files which are preset in the script as dangerous and whose execution inside a user VM should therefore not be allowed.

search_for_abusers.sh then logs its activity to a file, together with the OpenVZ virtual machine IDs (container IDs) which own the hack-related files. Right after that it uses the nail mailing command to send an email to a specified admin address, reporting the possible abusers whose VM accounts might need to be either deleted or suspended.

search_for_abusers.sh can be downloaded here

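An added example of the disk sweep, again written for this page rather than taken from search_for_abusers.sh: it walks the container private areas, reports every file whose name is on a blacklist together with the container (CTID) that owns it, logs the hits and mails a summary with nail only when there is something to report. Assumptions, not facts from the post: private areas live under /vz/private/<CTID> (OpenVZ's default), the FILES list is a starting point to extend, and the admin address is a placeholder.

```shell
#!/bin/sh
# Added example of a search_for_abusers.sh-style disk sweep for an OpenVZ
# node. Illustration code, not the author's script.
# Assumed: container private areas live under /vz/private/<CTID> (OpenVZ's
# default VE_PRIVATE), the filename list below is a starting point you extend,
# and the admin address is a placeholder.

FILES='kaiten.pl kaiten.c trinoo shaft tfn tfn2k slap.pl dos.pl lool pscan2 msfconsole unrealircd ircd'
VZ_PRIVATE="${VZ_PRIVATE:-/vz/private}"
LOGFILE="${LOGFILE:-/var/log/search_for_abusers.log}"
ADMIN_MAIL="${ADMIN_MAIL:-admin@example.com}"

# find_abuser_files ROOT
# Walks every container directory under ROOT with find (not locate, whose
# database is only as fresh as the last updatedb run) and prints "CTID PATH"
# for each regular file whose basename equals (case-insensitively) one of
# the names in $FILES. The first path component below ROOT is the CTID.
find_abuser_files() {
    root=${1%/}
    find "$root" -type f 2>/dev/null | awk -v root="$root" -v list="$FILES" '
    BEGIN { n = split(tolower(list), a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    {
        rel = substr($0, length(root) + 2)       # path relative to ROOT
        if (rel !~ /\//) next                    # not inside a container dir
        ctid = rel; sub(/\/.*/, "", ctid)
        base = $0; sub(/.*\//, "", base)
        if (tolower(base) in want) print ctid, $0
    }' | sort
}

# ctids_with_abuse_files ROOT: the distinct container IDs to review.
ctids_with_abuse_files() {
    find_abuser_files "$1" | awk '{ print $1 }' | sort -u
}

# report_abusers ROOT ADMIN: log every hit and mail the summary, only when
# something was found, so a clean run sends nothing.
report_abusers() {
    hits=$(find_abuser_files "$1")
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits" | while read -r ctid path; do
        printf '%s ctid=%s file=%s\n' "$(date '+%F %T')" "$ctid" "$path" >> "$LOGFILE"
    done
    printf 'Suspicious files on %s (CTID, path):\n\n%s\n\nCTIDs to review: %s\n' \
        "$(hostname)" "$hits" "$(ctids_with_abuse_files "$1" | tr '\n' ' ')" |
        nail -s "possible abusers on $(hostname)" "$2"
}

# "run" is this example's own flag, so the functions can be tested without a mail setup.
if [ "${1:-}" = "run" ]; then
    report_abusers "$VZ_PRIVATE" "$ADMIN_MAIL"
fi
```

find is used instead of locate because the locate database can be hours stale. Names only catch the lazy: a hit is a prompt to look inside the container (`vzctl enter CTID`) rather than proof, and a renamed kaiten.pl will not show up at all. Run it with nice/ionice from cron, since a find over every container's private area is a lot of I/O on a busy node.
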
Honestly, I truly liked my search_for_abusers.sh script, as it became quite nice and I coded it quite quickly.
I'm now intending to put the search for abusers script in a cronjob on the servers, to check periodically and report the IDs of OpenVZ VM users who are attempting illegal activities on the servers.

I guess now our beloved Virtual Machine user script kiddies are in real trouble ;P
 


29 Responses to “How to find and kill Abusers on OpenVZ Linux hosted Virtual Machines (A few bash scripts to protect an OpenVZ CentOS server from script kiddies and ease the daily admin job)”

  1. Josh says:

    Thank you for these scripts, I have installed them and run them to test, and they do what they are supposed to do!

    🙂
    • admin says:

      I’m glad it helped somebody out there 😉

      • admin says:

        Hope to see ya around

        • admin says:

          By the way, in kill_abusers.sh it’s nice to add to the list of PROCS

          PROCS='ircd kaiten dos.pl exploit msfconsole ddos tfn-child tfn-daemon trinoo slap.pl';

          The same goes for the search for abusers script.
          There are plenty of abusers which use this slap.pl shit
  2. Josh says:

    I ran them and it listed the clients that should be suspended. What is IRCd, isn't it a chat client?
    • admin says:

      Heya Josh,

      IRCd is a chat (IRC) server.
      You might not need it to be in the list of processes to be killed; in my case I thought it’s better if it’s there, since sometimes people who are devoted to IRC get into quarrels and their services might later become a target of DoS.
  3. Josh says:

    Thanks for the description.

    🙂

    • admin says:

      Two more processes which are good to enter in the script's list of abusive processes are:

      'pscan2 SpyEyeCollector'
      My current PROCS variable looks like so:

      PROCS='ircd kaiten dos.pl exploit msfconsole ddos tfn-child tfn-daemon trinoo slap.pl brute pscan2 SpyEyeCollector';

      Best!
      Georgi
      🙂
  4. jack says:

    Any way to make one for a cPanel server, for dos.php etc.?
    • admin says:

      Hi Jack,

      One can surely be written. If you're looking for someone to write you the script, I can offer you my services for some fee?

      Best!
      Georgi
  5. Josh says:

    I use these scripts quite often, so thanks again ^___^

    However, the kill_abusers.sh script doesn't seem to work for me, tried two nodes, it just goes blank :S
    • admin says:

      Hello Josh,

      The script works; I don't know what you're doing. Do you use the latest version of the script? Previously I by mistake put online a version of the script which echoes the processes to kill instead of killing them; open the script and check you're not using this old version.

      regards,
      Georgi
  6. Josh says:

    Hi there,

    I wget the latest one and it did the same :S

    Do you have teamviewer?

  7. Josh says:

    Care to take a look on my TV to see what could be the issue? :S

    • admin says:

      I can do that; you can mail me at my mail with the TeamViewer info.
    • admin says:

      Did you manage it? If not, drop me a mail or add me on Skype, my Skype is hipodilsky.
      I will not be online today but around the evening I will be online for a while.
  8. Josh says:

    Added 🙂

  9. Josh says:

    Oops, spoke too soon.

    Having issues with Skype, can you add my MSN/AIM/Yahoo?

    support [at] Dotvps.net
    • admin says:

      I was travelling; now I'm very tired and will probably soon go to sleep. I've added you on ICQ but you seem unavailable. Whenever I'm online you should add me as well. Then I'll quickly take a look.

      Best!
      Georgi
  10. QuentinM says:

    Hello

    Thanks for that.
    We also often have a DDoS script named lool.

    Cheers.

  11. Mark says:

    How would I install this on CentOS?
    • admin says:

      Hi Mark,

      Do you get some errors? If you explain thoroughly what you do, maybe I'll be able to help.
      By the way, I also offer pro-admin services for some fee, if you're interested 🙂
      best
      Georgi
  12. Java Tomcat Hosting India says:

    So far ….so good great experience !!! Thanks!!!

  13. Victor says:

    How do I install this script? I need help please.

    My e-mail ; Victor@SpetsnazHost.com

    • admin says:

      Hi, no need to install; download and run it.
      Or place it in a cron job with crontab -u root -e.
