bmon for Fedora Core
If you want to monitor the bandwidth in/out of your Linux server, a tool like bmon is essential. Use the Fedora Core RPMs from dries rather than compiling from source; it's a lot easier. For some reason it refused to link to my ncurses, but once I installed the binary I got this beautiful graph:

You can run it with bmon -r .1 -R 30 to get a 30 second average, or with -o ascii to get "plain" terminal output for use with the standard Linux pipes, cut and other tools.
Iptables Bash Shell Cleanup Script
The following script removes duplicate entries from your iptables banlist: it first reads out all the entries, makes them unique (and sorted), flushes the chain, and then adds them to iptables again. You may want, as extra insurance, to add your server / home IP to the sed delete line to protect against … accidents:
#!/bin/bash
# Pull the source column out of the current ruleset, drop blank lines and any
# local/whitelisted addresses (add your own IPs to the list), then dedupe.
/sbin/iptables -L -n | cut -d " " -f 12 | sort | sed '/^\s*$/d' \
  | sed '/^\(127\|localhost\|loopback\|0\.\|192\.\|your_ips_here\).*$/d' \
  | uniq > /root/ips
# Flush every rule, then re-add exactly one DROP per unique address.
/sbin/iptables -F
for ip in $(cat /root/ips); do
    /sbin/iptables -I INPUT -s "$ip" -j DROP
done
/sbin/iptables -L -n
I accidentally hosed my server for the last, oh, 30m or so by screwing around with iptables as root. After it came up, I added the sed rules to make sure I didn’t accidentally do it again, and then scheduled the cleanup job to run every 8 hours:
crontab -l
0 */8 * * * /root/iptables-clean.sh
Hope this helps someone out there having trouble managing their server…
IPtables Permissions on Linux
If you want to, say, run iptables from a script to ban naughty users on your website, you’re going to quickly find yourself with an error:
Can't initialize iptables table 'some table': Permission denied (you must be root)
Since only root is allowed to run iptables, we need to let apache run it as root. Just edit /etc/sudoers and add the line apache ALL=(root) NOPASSWD: /sbin/iptables. This means that the user apache is allowed to run iptables as root on any host (ALL), so it is not particularly adverse to security. It certainly doesn't grant apache all of root's permissions, which would lead to instant disaster. After you make this change, you can run sudo iptables as apache:
sudo -u apache sudo iptables -I INPUT -s 127.0.0.1 -j DROP
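One thing to keep in mind with that sudoers line: it grants the web server the whole iptables command line, so a bug in the banning script (or a compromised apache process) could pass any arguments it likes, including flushing the ruleset. As an added example, not part of the post's setup, the following wrapper accepts exactly one argument, refuses anything that is not a dotted-quad IPv4 address, and runs a single hard-coded iptables action; the sudoers entry then names only the wrapper. The wrapper path (/usr/local/sbin/ban-ip), the IPTABLES override used for testing, and the sample addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example: a fixed-purpose wrapper for banning one IPv4 address.
# Assumed sudoers line (path is a placeholder):
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/ban-ip
# Web code then runs: sudo /usr/local/sbin/ban-ip 203.0.113.5
# IPTABLES may be pointed at a stub for testing; it defaults to the real binary.
IPTABLES=${IPTABLES:-/sbin/iptables}

# Return 0 only for a plain IPv4 address: four decimal octets, each 0-255.
# Anything else (spaces, dashes, extra flags, empty octets) is rejected.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Validate the single argument, then run the one permitted iptables action.
main() {
    [ $# -eq 1 ] || { echo "usage: $0 <ipv4-address>" >&2; return 2; }
    if ! valid_ipv4 "$1"; then
        echo "refusing to ban '$1': not an IPv4 address" >&2
        return 1
    fi
    "$IPTABLES" -I INPUT -s "$1" -j DROP
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Because sudo matches the command by full path, the wrapper should be root-owned and not writable by apache; otherwise the argument check can simply be edited away.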