Cron jobs

Cron jobs are perfect for executing a specific task or script at a scheduled time or different time periods.

Cron jobs can be run hourly, daily, weekly and monthly.

Cron configuration file is located:

/etc/crontab

This file should look like this:

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed

Execute a job every X minutes

*/5 * * * * /path/to/script/script.sh

Use */10 for every 10 minutes, */15 for every 15 minutes… and so forth..

Execute a job every X hours

0 */5 * * * /path/to/script/script.sh

Use */2 for every 2 hours, */3 for every 3 minutes… and so forth..

Execute a job every Xth day of the week

Lets assume you want to execute a cron job every Wednesday at midnight:

0 0 * * 3 /path/to/script/script.sh

or

0 0 * * Wed /path/to/script/script.sh

You can use the corresponding number or the three letters for each weekday:

0=Sun
1=Mon
2=Tue
3=Wed
4=Thu
5=Fri
6=Sat

Please note that numbers starts with 0 for Monday, and not 1.

Execute a job every X months

You need to specify the what specific month or months you want to job to be executed. Like January and September:

0 0 1 1,9 * /path/to/script/script.sh

or

0 0 1 Jan,Sep * /path/to/script/script.sh

If you only want January and September, you should use a comma. If you want the job to be executed starting January and ending September, you need to use this format: 1-9.

Advertisements

Linux Server under DDOS Attack

To find out what IP is causing the DDOS, we can run the next command:

tail -n 10000 logfile.log | cut -f 1 -d ' ' | sort | uniq -c | sort -nr | more

The top IP addresses would be the ones to block.

Another way is looking at what resources are being requested:

cut -f 2 -d '"' logfile.log | cut -f 2 -d ' ' | sort | uniq -c | sort -nr | more

It’s probably you will see that they are trying to request a specific resource know as a common attack. For example, a common attack to wordpress would be:

GET /index.php? HTTP/1.0

Block an IP address range using the .htaccess file

I detected an attack to one (compromised) server running Apache and PHP. A fair amount of request were being made to a hacked resource. So one of the steps to avoid so many request was to block the IP range of the attacker(s). This was made via .htaccess in the site configured in apache:

Order Allow,Deny
Deny from XXX.XXX.XXX.0/24

That would stop the attack (for a few moment at least!)