
Set Unlimited Resources on OpenVZ for the Guest OS (Container)

# Apply the "unlimited" resource profile to container 100; --save persists
# it to the container's own config (/etc/vz/conf/100.conf, shown below).
# NOTE(review): an unlimited profile removes the host's per-container
# resource caps, so a runaway process inside the container can starve the
# host and any other containers — use it only on a host dedicated to it.
vzctl set 100 --applyconfig unlimited --save

This should now be reflected in /etc/vz/conf/100.conf:

cat /etc/vz/conf/100.conf

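# Configuration file generated by vzsplit for 1 containers
# on HN with total amount of physical mem 4037 Mb
# low memory 845 Mb, swap size 8189 Mb, Max threads 8000
# Resource commit level 0:
# Free resource distribution. Any parameters may be increased
#
# NOTE(review): this file is read as shell-style KEY="value" assignments,
# so the quotes must be plain ASCII double quotes. Nearly every bean
# counter below is "unlimited" (memory, processes, files, sockets), which
# means the host does not cap this container at all; only CPUUNITS and
# the disk quota keep a finite value.

# Primary parameters
NUMPROC="unlimited"
AVNUMPROC="unlimited"
NUMTCPSOCK="1801439850948198"
NUMOTHERSOCK="1801439850948198"
VMGUARPAGES="unlimited"

# Secondary parameters
KMEMSIZE="unlimited"
TCPSNDBUF="4611686018427387903:unlimited"
TCPRCVBUF="4611686018427387903:unlimited"
OTHERSOCKBUF="4611686018427387903:unlimited"
DGRAMRCVBUF="unlimited"
OOMGUARPAGES="unlimited"
PRIVVMPAGES="unlimited"

# Auxiliary parameters
LOCKEDPAGES="unlimited"
SHMPAGES="unlimited"
PHYSPAGES="0:unlimited"
NUMFILE="unlimited"
NUMFLOCK="unlimited"
NUMPTY="unlimited"
NUMSIGINFO="unlimited"
DCACHESIZE="unlimited"
NUMIPTENT="unlimited"
# Disk limits are "soft:hard" pairs and are the only finite resource caps here
DISKSPACE="440401920:440401920"
DISKINODES="440000000:440000000"
# CPU weight relative to other containers on the host (not unlimited)
CPUUNITS="239962"
# $VEID is expanded by vzctl to this container's ID when the config is read
VE_ROOT="/vz/root/$VEID"
VE_PRIVATE="/vz/private/$VEID"
OSTEMPLATE="centos-5-i386-default-5.2-20081210"
ORIGIN_SAMPLE="unlimited"
HOSTNAME="webserverpage.com"
IP_ADDRESS="192.168.x.x"
NAMESERVER="8.8.x.x"
ONBOOT="yes"
# DISK_QUOTA="no" means the DISKSPACE/DISKINODES values above are not enforced
DISK_QUOTA="no"
SWAPPAGES="0:2097152"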

Reformat HDD in CentOS

# List every disk and its partition table so the newly added drive can be
# identified by size and partition type before anything is written to it.
fdisk -l

Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/sda1 * 1 1044 8385898+ fd Linux raid autodetect
/dev/sda2 1045 60278 475797105 fd Linux raid autodetect
/dev/sda3 60279 60800 4192965 82 Linux swap / Solaris

Disk /dev/sdb: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/sdb1 * 1 1044 8385898+ fd Linux raid autodetect
/dev/sdb2 1045 60278 475797105 fd Linux raid autodetect
/dev/sdb3 60279 60800 4192965 82 Linux swap / Solaris

Disk /dev/sdc: 1000.2 GB, 1000204886016 bytes
255 heads, 63 sectors/track, 121601 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/sdc1 1 121601 976760001 83 Linux

Disk /dev/md0: 8587 MB, 8587051008 bytes
2 heads, 4 sectors/track, 2096448 cylinders
Units = cylinders of 8 * 512 = 4096 bytes

Disk /dev/md0 doesn't contain a valid partition table

Disk /dev/md1: 487.2 GB, 487216119808 bytes
2 heads, 4 sectors/track, 118949248 cylinders
Units = cylinders of 8 * 512 = 4096 bytes

Disk /dev/md1 doesn't contain a valid partition table

As we can see, `/dev/sdc1 1 121601 976760001 83 Linux` is the newly inserted HDD: it is the only disk whose partition is a plain Linux partition (type 83) rather than part of the existing RAID set (type fd on sda/sdb).

Now we can format the newly inserted HDD with the command below. Note that mkfs destroys any data already on the partition, so double-check the device name against the fdisk output before running it.
# DESTRUCTIVE: creates a new ext3 filesystem on /dev/sdc1, wiping whatever
# was on it. Confirm the device against the fdisk -l listing above first
# (sdc1 is the type-83 partition that is not part of the fd RAID set).
mkfs.ext3 /dev/sdc1
mke2fs 1.39 (29-May-2006)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
122109952 inodes, 244190000 blocks
12209500 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=0
7453 block groups
32768 blocks per group, 32768 fragments per group
16384 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
102400000, 214990848

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 29 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

It’s ready to mount.
# Mount the new filesystem at /mnt/mynewdisk.
cd /mnt
mkdir mynewdisk
# NOTE(review): a plain mount does not survive a reboot; add an /etc/fstab
# entry for a persistent mount (consider noexec/nodev if the disk only
# holds data).
mount /dev/sdc1 mynewdisk

Linux Malware Detect Installation

root@choi [~]# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
2010-05-15 23:34:05 (148 MB/s) - `maldetect-current.tar.gz' saved [268031/268031]

root@choi [~]# tar xfz maldetect-current.tar.gz
root@choi [~]# cd maldetect-*
root@choi [~]# ./install.sh
Linux Malware Detect v1.3.4
(C) 1999-2010, R-fx Networks (C) 2010, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
cron.daily: /etc/cron.daily/maldet

maldet(32517): {sigup} performing signature update check...
maldet(32517): {sigup} local signature set is version 2010051510029
maldet(32517): {sigup} latest signature set already installed

root@choi [~]# vi /usr/local/maldetect/conf.maldet

vi /usr/local/maldetect/conf.maldet
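#!/bin/bash
#
##
# Linux Malware Detect v1.4.2
# (C) 2002-2013, R-fx Networks # (C) 2013, Ryan MacDonald
# inotifywait (C) 2007, Rohan McGovern
# This program may be freely redistributed under the terms of the GNU GPL v2
##
#
# NOTE(review): this config is sourced as shell, so every setting is a
# shell assignment: quotes must be plain ASCII (") and any $(...) is
# expanded at the moment the file is read.

##
# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1

# The subject line for email alerts
# ($(hostname) is a command substitution evaluated when the config is read)
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="test@webserverpage.com"

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean=0

##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=1

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
# (cleaning rewrites the affected file in place; keep quar_hits=1 so the
# original is preserved in quarantine)
quar_clean=1

# The default suspend action for users with hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0
# minimum userid that can be suspended
quar_susp_minuid=500

##
# [ SCAN OPTIONS ]
##
# The maximum directory depth that the scanner will search
# [ changing this may have an impact on scan performance ]
maxdepth=15

# The minimum in bytes for a file to be included in a scan
# [ changing this may have an impact on scan performance ]
minfilesize=32

# The maximum file size for a file to be included in scan
# search results; use man find for accepted values
# [ changing this may have an impact on scan performance ]
maxfilesize="768k"

# The maximum byte depth that the scanner will search into
# a file's contents; default rules expect a 1024*60 depth
# [ changing this may have an impact on scan performance ]
hexdepth=61440

# Use named pipe (FIFO) for passing file contents hex data
# instead of stdin default; improved performance and greater
# scanning depth
# [ 0 = disabled, 1 = enabled; enabled by default ]
hex_fifo_scan=1

# The maximum byte depth that the scanner will search into
# a file's contents when the FIFO path is used
# (presumably applies instead of hexdepth while hex_fifo_scan=1 —
# confirm against the maldet documentation)
# [ changing this may have an impact on scan performance ]
hex_fifo_depth=524288

# Attempt to detect the presence of ClamAV clamscan binary
# and use as default scanner engine; up to four times faster
# scan performance and superior hex analysis. This option
# only uses ClamAV as the scanner engine, LMD signatures
# are still the basis for detecting threats.
# [ 0 = disabled, 1 = enabled; enabled by default ]
clamav_scan=1

# Allow non-root users to perform malware scans. This must be
# enabled when using mod_security2 upload scanning or if you
# want to allow users to perform scans. When enabled, this will
# populate the /usr/local/maldetect/pub/ path with user owned
# quarantine, session and temporary paths to facilitate scans.
# These paths are populated through cron every 10min with the
# /etc/cron.d/maldet_pub cronjob.
# (left disabled here: enabling widens who can drive the scanner)
public_scan=0

##
# [ STATISTICAL ANALYSIS ]
##
# The string length test is used to identify threats based on the
# length of the longest uninterrupted string within a file. This is
# useful as obfuscated code is often stored using encoding methods
# that produce very long strings without spaces (e.g: base64)
# [ string length in characters, default = 150000 ]
string_length_scan="0" # [ 0 = disabled, 1 = enabled ]

##
# [ MONITORING OPTIONS ]
##
# The base number of files that can be watched under a path
# [ maximum file watches = inotify_base_watches*users ]
inotify_base_watches=15360

# The sleep time in seconds between monitor runs to scan files
# that have been created/modified/moved
inotify_stime=30

# The minimum userid that will be added to path monitoring when
# the USERS option is specified
inotify_minuid=500

# This is the html/web root for users relative to homedir, when
# this option is set, users will only have the webdir monitored
# [ clear option to default monitor entire user homedir ]
# NOTE(review): the comment says "relative to homedir" but the value
# below is an absolute path — confirm which form maldet expects.
inotify_webdir=/var/www/vhosts/

# The priority that monitoring process will run as
# [ -19 = high prio , 19 = low prio, default = 10 ]
inotify_nice=10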

To start a scan, run the command below.

# -a (--scan-all): run a full scan; see `maldet --help` for the path
# argument that narrows the scan to one tree.
maldet -a