Useful commands to check if a server is getting ddos’d

Show IPs with more than 10 connections open:

# netstat -nat | grep ":80" | awk -F: '{print $8}' | sort | uniq -c | sort -n | awk '{ if ( $1 > 10) print $2 ; }'

Show # of connections open per IP

# netstat -nat | egrep ":80|:443" | awk -F: '{print $8}' | sort | uniq -c | sort -n 

Number of connections per IP

# netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Haynie’s version(better sorting):

# netstat -anp|awk '{print $5}'|awk -F: '{print $4}'|sort -n -t. -k1,1 -k2,2 -k3,3 -k4,4|uniq -c|sort -n

Drop ips with 100 or more connections:

# netstat -nat | egrep ":80|:443" | awk -F: '{print $8}' | sort | uniq -c | sort -n | awk '{ if ( $1 > 100) print $2 ; }' | xargs -n1 echo iptables -I INPUT -j DROP -s

Graphic netstat connections(# of connections open per host)

# netstat -an | grep ESTABLISHED | awk ‘{print $5}’ | awk -F: ‘{print $1}’ | sort | uniq -c | awk ‘{ printf(“%s\t%s\t”,$2,$1) ; for (i = 0; i < $1; i++) {printf("*")}; print "" }' [/bash]

Open the /etc/sysconfig/network file with your favorite text editor. Modify the HOSTNAME= value to match your FQDN host name.

# nano /etc/sysconfig/network

Change the host that is associated to your main IP address for your server, this is for internal networking (found at /etc/hosts):

nano /etc/hosts


The ‘hostname’ command will let you change the hostname on the server that the commandline remembers, but it will not actively update all programs that are running under the old hostname.

# hostname
# hostname

Restart Networking

At this point all the necessary changes that needed to be made have been made, you will want to restart networking on your server to make sure that changes will be persistent on reboot:

# /etc/init.d/network restart

* Hostname reports nothing

# hostname

Try this

$ stat /bin/hostname
File: `/bin/hostname'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 803h/2051d Inode: 40616045 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2015-03-13 05:10:01.000000000 -0700
Modify: 2014-12-15 15:33:57.000000000 -0700
Change: 2014-12-15 15:33:57.000000000 -0700

Notice the “empty file”
Reinstall the package – the package it’s included in (net-tools-1.60-110.el6_2.x86_64).

Now Check

# stat /bin/hostname
  File: `/bin/hostname'
  Size: 17848           Blocks: 40         IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 269246      Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2015-03-13 04:47:35.065993289 -0600
Modify: 2012-05-10 03:17:33.000000000 -0500
Change: 2015-01-30 03:29:41.959201490 -0600

To get the depth information of your network interfaces like IP Address, MAC Address information, use the following command as shown below.

# ip addr show

$ sudo ip addr show

]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:44:43:24 brd ff:ff:ff:ff:ff:ff
    inet 216.xx.xx.xx/24 brd 216.xx.xx.255 scope global eth0
    inet6 fe80::20c:29ff:fe44:4324/64 scope link
       valid_lft forever preferred_lft forever

# ip route show dev eth0  proto kernel  scope link  src dev eth0  scope link  metric 1002
default via dev eth0

#  ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:44:43:24 brd ff:ff:ff:ff:ff:ff


When installing Centos 7, You may not able to connect network in that machine. This will happen because Ethernet interfaces are not enabled by default and need additional configuration.

Type “nmcli d” command in your terminal

# nmcli d

Recommended for beginners
Step 1 » Type this command “nmtui” to open Network manager and press enter after choosing ” Edit a connection” ( Use TAB for choosing options ) .

Command Line

Network interface config files are located in /etc/sysconfig/network-scripts/ directory. Open ifcfg-en…

nano /etc/sysconfig/network-scripts/ifcfg-en



and replace with


And add the below lines at the end of the file.

DNS1= will look like below after changes.

# systemctl restart network

Additionally you can use /etc/sysconfig/network file for hostname and DNS.

Install tcpdump

$ sudo apt install tcpdump -y

List Network Interfaces

$ sudo tcpdump -D


1.eth0 [Up, Running]
2.eth1 [Up, Running]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.lo [Up, Running, Loopback]
5.nflog (Linux netfilter log (NFLOG) interface)
6.nfqueue (Linux netfilter queue (NFQUEUE) interface)

Capture packets from a particular ethernet interface using

$ sudo tcpdump -i eth0

You can use the -v option to increase the verbosity of the output, or -vv and -vvv to increase it even further.

$ sudo tcpdump -i eth0 -vv

If you don’t want tcpdump to endlessly output data to your terminal, you can use the -c option to specify how many packets you’d like the utility to capture. tcpdump will quit executing the command after the threshold has been reached, rather than waiting for you to interrupt. The following command will allow us to capture only the first 15 packets.

$ sudo tcpdump -c 15

If you don’t want tcpdump to perform DNS resolution on the network addresses in the output, you can use the -n option in your command. This will display all network addresses as IP addresses, rather than resolving them to domain names.

$ sudo tcpdump -n

If you would rather save the network traffic output to file, instead of having it listed on your screen, you can always redirect the tcpdump output with the usual > and >> operators.

$ sudo tcpdump > traffic.txt

Another option is to write the network capture to file. These files usually have the .pcap file extension, and can’t be read by an ordinary text editor.

$ sudo tcpdump -n -w traffic.pcap

To open the file for later analysis, use the -r option and the name of your file.

$ sudo tcpdump -r traffic.pcap

To read pcap files, you will need tcpick or tcpxtractor wireshark

Interpret tcpdump command output

Each packet that tcpdump captures is written as an individual line. One of those lines will look something like this:

23:36:59.581280 IP > Flags [P.], seq 448976:449152, ack 1761, win 501, length 176

Here’s how to interpret that line of data:

    23:36:59.581280 - Timestamp of when the packet was captured.
    IP - IP and port number of the source host. - IP and port number of the destination host.
    Flags [.] - TCP flags (SYN, ACK, PSH, etc). [.] means ACK.
    ack 2915 - The acknowledgment number.
    win 63000 - The window number (bytes in receiving buffer).
    length 0 - The length of the payload data.

Specific Port

$ sudo tcpdump -i eth0 port 80

Filter records with source and destination IP

To Capture packets from a source IP you can use the following command:

$ sudo tcpdump -i eth0 src

You can monitor packets from a destination IP as well with the command below:

$ tcpdump -i eth0 dst

Sometimes the resolvers in the server cannot find a server. You can update the DNS resolvers (/etc/resolv.conf) to rotate between a number of nameservers to try and resolve the issue. Add google nameservers to the mix with your Host resolvers.

# nano /etc/redolv.conf

nameserver 69.xx.xx.xx
nameserver 69.xx.xx.xx

Here is how to add additional IP’s to your Ubuntu server

Add it to the server just on a temporary basis. A reboot will erase the changes.

Using ifconfig

If you want to add a secondary IP address to a NIC already in use in Linux, and have that change only temporary. Enter this command:

# ifconfig [nic]:0 [IP-Address] netmask [mask] up


#ifconfig eth0:0 netmask up

If you prefer to use the ip command instead of ifconfig

# ip address add [ip]/[mask-digits] dev [nic]

IP command example

#ip address add dev eth0

With this command you can add more ip address to the same NIC, the second is considered as secondary.

Add a permanent IP address to the Server

For Ubuntu systems, edit the /etc/network/interfaces file

# nano /etc/network/interfaces


auto eth0:1
iface eth0:1 inet static

The restart networking for the changes to take effect

~# service networking restart
 * Reconfiguring network interfaces... 

Check to see if the IP’s re enabled

# ifconfig

You should see the additional IP’s here

You can add What you need. Just change eth0:1 for eth0:2, eth0:3 etc. This can also be done for any other network cards like eth1, eth2, etc.

If the network show this:

# nano /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

auto em1
iface em1 inet static
address 162.xx.xx.xx
gateway 162.xx.xx.1
broadcast 162.xx.xx.255

Add this

auto em2
iface em1 inet static

Edit the netowrk file

# nano /etc/sysconfig/network

You should see this:
# =============================================================
# Network Script generated by BareMetal
# =============================================================

Change the Gateway and save then restart networking

# service  network restart

ssh to the server.

#nano /etc/sysconfig/network-scripts/ifcfg-eth0

You will find…

# =============================================================
# Network Interface Script generated by BareMetal
# =============================================================

Change this line only to the new IP


Note: If you are changing to an IP on a different subnet and need to change your default gateway, this can be configured under /etc/sysconfig/network

Save the file and restart

# service network restart

Need to setup a VPN? Here’s how to download and install OpenVPN.


Download the installer from and run it on the server computer.

Open the installer file and start the installation.


  1. Remember to adjust the Windows firewall (open the 1194 UDP port).
  2. Assign a static IP to the new created TAP interface (like
  3. Install OpenVPN on each client. (This step can be skipped for now and done at any convenient time)
  4. Choose All check boxes for the install

Certificates and Keys

Preparatory Steps

Navigate to the C:\Program Files\OpenVPN\easy-rsa folder in the command prompt:

Press Windows Key + R
Type “cmd.exe” and press Enter.

Right click to run as administrator
Navigate to the correct folder:

cd "C:\Program Files\OpenVPN\easy-rsa"
<a href=""><img class="alignnone size-large wp-image-5187" src="" alt="" width="648" height="375" /></a>

Initialize the OpenVPN configuration:

<a href=""><img class="alignnone size-full wp-image-5188" src="" alt="" width="597" height="133" /></a>

NOTE: Only run init-config once, during installation.
Open the vars.bat file in a text editor:

notepad vars.bat

Edit the following lines in vars.bat, replacing “US”, “CA,” etc. with your company’s information:

set KEY_CITY=SanFrancisco
set KEY_EMAIL=mail@host.domain

Save the file and exit notepad.
Run the following commands:



Building Certificates and Keys

The certificate authority (CA) certificate and key:


When prompted, enter your country, etc. These will have default values, which appear in brackets. For your “Common Name,” a good choice is to pick a name to identify your company’s Certificate Authority. For example, “OpenVPN-CA”:

Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
Email Address [mail@host.domain]:

* This builds the ca key in C:\Program Files\OpenVPN\easy-rsa\keys

The server certificate and key:

build-key-server server

When prompted, enter the “Common Name” as “server”
When prompted to sign the certificate, enter “y”
When prompted to commit, enter “y”

Client certificates and keys:

For each client, choose a name to identify that computer, such as “mike-laptop” in this example.

build-key mike-laptop

When prompted, enter the “Common Name” as the name you have chosen (e.g. “mike-laptop”)
Repeat this step for each client computer that will connect to the VPN.
Generate Diffie Hellman parameters (This is necessary to set up the encryption)


Set up the ta.key file.
In command prompt as administrator, go to cd “C:\Program Files\OpenVPN\bin”

# openvpn --genkey --secret ta.key

copy the file to the C:\Program Files\OpenVPN\config directory and to your config directory on your local machine.

Configuration Files

Find the sample configuration files:
Start Menu > All Programs > OpenVPN > OpenVPN Sample Configuration Files

Server Config File

go to C:\Program Files\OpenVPN\sample-config

Open server.ovpn

Find the following lines:

ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

Edit them as follows:

ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key"

Find the following line for the Diffie hellman parameters:


And edit as follows:

"C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh2048.pem"

Save the file as C:\Program Files\OpenVPN\easy-rsa\server.ovpn

Set up the ta.key file.

In the server configuration, add:
Set the ta.key path to C:\Program Files\OpenVPN\config\ta.key

tls-auth “C:\\Program Files\\OpenVPN\\config\\ta.key” ta.key 0

Client Installation

Download the installer to the client Windows 10 Machine and run the intsaller. Leave the defaults selected.

Client Config Files

This is similar to the server configuration.

Open client.ovpn ON THE SERVER MACHINE located at C:\Program Files\OpenVPN\sample-config
Find the following lines:

ca ca.crt
cert client.crt
key client.key

Edit them as follows:

ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\mike-laptop.crt"
key "C:\\Program Files\\OpenVPN\\config\\mike-laptop.key"

Notice that the name of the client certificate and key files depends upon the Common Name of each client.
You can also include the ca, cert and key content in the client file. You have to copy the file content inside the tag .

Edit the following line, replacing “my-server-1” with your server’s public Internet IP Address or Domain Name. If you need help, see Static Internet IP below.

remote my-server-1 1194

Save the file as C:\Program Files\OpenVPN\easy-rsa\mike-laptop.ovpn (in this example. Each client will need a different, but similar, config file depending upon that client’s Common Name.)
Copying the Server and Client Files to Their Appropriate Directories
Copy these files from C:\Program Files\OpenVPN\easy-rsa\keys to C:\Program Files\OpenVPN\config\ on the server:


Copy this file from C:\Program Files\OpenVPN\easy-rsa\ to C:\Program Files\OpenVPN\config\ on the server:

Copy these files from C:\Program Files\OpenVPN\easy-rsa\keys on the server to C:\Program Files\OpenVPN\config\ on each client (mike-laptop, in this example):


Copy these files from C:\Program Files\OpenVPN\easy-rsa\ on the server to C:\Program Files\OpenVPN\config\ on each client (mike-laptop, in this example):


Copy this file from C:\Program Files\OpenVPN\config\ on the server to C:\Program Files\OpenVPN\config\ on each client (mike-laptop, in this example):


Also, instead of setting up the paths in the files, you can add them directly like follows. 


Starting OpenVPN

On both client and server, run OpenVPN from:
Start Menu -> All Programs -> OpenVPN -> OpenVPN GUI
Double click the icon which shows up in the system tray to initiate the connection. The resulting dialog should close upon a successful start.

Running OpenVPN as a Service

OpenVPN to be run from a non-administrator account.
OpenVPN to be started automatically on system startup. This is often preferred on the server machine, as well as any machines which will be constantly connected to the server.
Run the Windows Service administrative tool:
Press Windows Key + R
Type “services.msc” and press Enter.
Find the OpenVPN service, and set its Startup Type to “automatic.”
Optionally, start the service now.

Further Considerations / Troubleshooting

Firewall Configuration
If you have connection problems, make sure to set a rule on your server’s firewall allowing incoming traffic on UDP port 1194.

Port Forwarding
If your server is behind a firewall/router, you will need to forward the port chosen for OpenVPN (in this example UDP 1194) to the server. Consult your router’s documentation for details on this.

To set up port forwarding, you will likely need to set up the server with a static local IP address instead of the default dynamic (changing) IP. Make sure to choose a static IP address that is not in the range your router might assign as a dynamic IP, but is within the router’s subnet (usually , , or similar).

Security Tips

Transmit all needed files to the client computers using a secure means such as a USB drive (email is not always a secure means).
Choose a port other than UDP 1194, and replace the port number wherever this guide mentions UDP port 1194.

IP or DNS leak

OpenVPN Internet Proxy Windows

This has all internet traffic route to the server IP so your IP is not disclosed.

Generate a TA key and place it in the same folder as the other certificates/keys:

cd C:\Program Files\OpenVPN\bin
openvpn --genkey --secret ta.key

Copy the key to the C:\Program Files\OpenVPN\config directory
Append the following lines to your server.ovpn profile:

# Route all traffic through VPN
push "redirect-gateway def1"
# Push Google DNS to prevent leak
push "dhcp-option DNS"
tls-auth ta.key 0 # This file is secret

Set the serer.ovpn file to use the following network as the network sharing below will use this network for the adaptor.

# server

Append the following lines to your client.ovpn profile:

# Block DNS leak
tls-auth ta.key 1 # This file is secret

Service tweaks on the Windows server
Open the Services window
Find Routing and Remote Access and set it to: Startup type – Automatic
Start the service
Adapter tweaks
Open the network adapters window
Right-click your internet adapter (e.g. Ethernet) and then: Properties -> Sharing -> Allow other network users to connect through this computer’s Internet connection
(if applicable) From the drop-down list select your OpenVPN TAP adapter (e.g. Ethernet?)
Note: Only one adapter can be shared at a time, so if you don’t see the Sharing tab, make sure no other adapter is being shared.

Registry tweaks

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: IPEnableRouter
Data: 0x00000001 (1)

Optional: Configure a static route (if behind router)
You have to route all packets sent to the client’s virtual IP back to the VPN server.

Example using Cisco router: – virtual network subnet – virtual network subnet mask – VPN server internal IP (in the subnet of the router)

Hardening iformation;

Setting up new user certificates

Navigate to the C:\Program Files\OpenVPN\easy-rsa\ folder in the command prompt. NOTE: Make sure that the ca.crt and ca.key are located in the C:\Program Files\OpenVPN\easy-rsa\keys directory!

Press Windows Key + R
Type “cmd.exe” and press Enter.

Right click to run as administrator
Navigate to the correct folder:

cd "C:\Program Files\OpenVPN\easy-rsa\keys"

Run the following:


For each client, choose a name to identify that computer, such as “newuser-openvpn” in this example.

build-key newuser-openvpn

Open the C:\Program Files\OpenVPN\sample-config directory. Copy the client.ovpn to the name for the new user, ie, newuser-openvpn.ovpn.

Copy these files from C:\Program Files\OpenVPN\easy-rsa\keys and C:\Program Files\OpenVPN\easy-rsa\sample-config on the server to C:\Program Files\OpenVPN\config\ on each client (newuser-openvpn.ovpn, in this example):


Copy to the C:\Program Files\OpenVPN\config on the new user computer.


Other resources: