Linux Security

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be removed, generally divided into two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system is really the user with the account, while access control is responsible for controlling which resources each account has access to and what kind of access is permitted.


I am on an Amazon Linux 2 AMI running Apache 2 and I need a software solution for security. I have been told mod_security isn't a good choice. So does anyone have experience with the AWS WAF? If so, what rules are you using?

Or, do you have another idea altogether?

On my previous instance I used fail2ban but I found the bots could outsmart fail2ban so hopefully someone will have a better choice.

Let me clarify: my biggest problems are postfix issues, stopping DDoS, and bots running up and down my site stealing bandwidth, clicking on every link and causing numerous disk I/Os which I have to pay for.

By the way, I am not interested in using another AMI due to the complexity of my existing AMI.

Dear Experts

1. When we enable encryption on Windows 10 systems, it encrypts the documents we store. What exactly happens here? When we take the stored files from the encrypted system and transfer them via email, copy them to USB, or share them on a network drive, all the people on the other side who have access can open, read or modify them based on permissions. Does it mean it is not file-level encryption? I mean, whoever knows the system password can access the files; if someone wants to crack the hard disk, the file formats stored are not as per the document extension like .docs or .exls. Please help me understand this.

2. What does server-side encryption mean? For example, the Nextcloud deployment says we can enable server-side encryption. How is it different from enabling SSL, that is, the user accessing through HTTPS?
Please help me understand the above two. Thank you very much in advance.
We have a few Ubuntu 16.04/18.04 servers and some CentOS 6 and 7 servers at our site that we'd like to lock down to only allow logins from users on our Active Directory domain controller via LDAP. The domain controllers are both Windows Server 2016. We have multiple techs that need access to the servers, but only a few that should have full sudo abilities. Can someone share some step-by-step details on implementing this on these servers and how to make sure only certain AD accounts are allowed sudo abilities?

Thanks!
I am in the process of standing up an Ubuntu Linux server from a .vhd file.
The existing partitions are too small to handle the backup file, thus I need to add extra partition space to the system.
This is a Hyper-V hosted system.
I've never done this before. Can someone give me some guidance on what I will need to do?
Initially I was building a new server with 2 TB of disk space, but we decided to use an existing secured version of a .ova file which I converted over to a .vhd file.
Can anyone help me understand what I need to do?
We have more space available; the vhd was set to more than what the original image was configured for.
How can I expand the relevant partitions to take account of this extra available space?
Which partitions should get the extra space? /opt is where the backups are stored by the main application, so that one definitely needs to be expanded.
Filesystem                        Size  Used Avail Use% Mounted on
udev                               16G     0   16G   0% /dev
tmpfs                             3.1G  8.7M  3.1G   1% /run
/dev/mapper/vg00-root              19G  1.4G   17G   8% /
tmpfs                              16G  4.0K   16G   1% /dev/shm
tmpfs                             5.0M     0  5.0M   0% /run/lock
tmpfs                              16G     0   16G   0% /sys/fs/cgroup
/dev/sda1                         464M   58M  382M  14% /boot
/dev/mapper/vg00-opt               76G   76G     0 100% /opt
tmpfs                            …
Dear Experts

We are using Nextcloud on Ubuntu 16.04 with PHP, MySQL and Apache. Until now we were using it within the local network, but now there is a requirement to make it available to the external network, that is, from the internet. Hence we would like to procure an SSL certificate and install it.
1. Can you please suggest a good source to purchase SSL certificates?
2. At present users are using this solution; will installing the SSL certificates have any impact, such as it not functioning or the system breaking down? Please suggest.
3. Can you please help me with how to install the SSL certificate on this server instance?
How to import sessions from PuTTY or mPuTTY to SecureCRT.
https://www.vandyke.com/products/securecrt/

I recently installed SecureCRT and am not sure how to import all existing connections to different servers on different environments that are present in PuTTY to WinSCP.

Any tips on effective use of SecureCRT, as I am new to it?

Please advise
I'm looking for a commercial RADIUS solution that Linux Servers can authenticate against. Specifically:

1) Primary purpose is for Linux user authentication
2) Is there any RADIUS solution that can replicate to other RADIUS servers, just like Microsoft Active Directory Servers can replicate to each other? This can even be a one way replication.
3) Preferably this RADIUS solution runs on Linux and not windows.
4) Preferably is a supported RADIUS solution, i.e. paid for product that we can get support on as needed. Unless there is a simple to use free version that doesn't require extensive learning to use.

Thanks!
I need to create an ipset for IPv6; I have one for IPv4 already. I want to use ipdeny.com and insert specific country blocks into the ipset which is connected to iptables.
Individual log files on my server get zipped every hour and the individual log files get deleted.

Problems I am facing with zipped log files are:
1. Not able to grep them as easily as individual files

2. Not able to tail them to see any recent issues

If I copy them over to my local Windows laptop using WinSCP, unzip, and try to open an individual file using Notepad++, it says the file is too huge to open.

How do I extract the zip file on the Unix box itself and check the log files by doing grep and tail etc.?

Please advise
Dear Experts

Please suggest all the ways desktop/laptop users' Windows 10 and Ubuntu desktop systems can be encrypted, at the OS level and with any third-party tool. I read an article about BitLocker drive encryption; is it recommended? Please suggest similarly how it can be done for Ubuntu desktops.

We have set up OpenVAS in our infrastructure. We were able to run it to produce assessment reports on the VMs within our infrastructure. However, the results of the scans are very long and complete. We would like to filter that same report in order to only have the High severity results.

Any idea on what would be the most effective approach to filter the Greenbone scans?
tail -n5000 xyz.log

The above shows the last 5000 lines, right?

If I want to see all 15723 lines of xyz.log, what command do I have to give?

tail -n5000 xyz.log|grep 'ERROR WS'
How do I make the above a case-sensitive search, like
tail -n5000 xyz.log|grep 'error ws'
How do I make the above a whole-word search, so that I won't see results like ERROR aaa WS etc.?

Please advise
Hi

After I installed Nextcloud 13.0.1 on CentOS 7, most of the features work.

I am facing a strange issue with the calendar.

I cannot create or delete or do anything with the calendar in Nextcloud management. Please check the attached file.

Do you think I have to change something from the GUI or CLI, or install or do something?

Kindly advise
ccccccccc.jpg
Hello Experts,

Getting the following error while executing a command from SSH:

[root@200 ~]# separateBod
ENTER SERVER IP LAST 1 QUADRANT WHICH YOU WANT TO BOD:
119
Option "-t" is deprecated and might be removed in a later version of gnome-terminal.
Option "-t" is deprecated and might be removed in a later version of gnome-terminal.
Failed to parse arguments: Cannot open display:

separateBod code:
#!/bin/bash
printf "ENTER SERVER IP LAST 1 QUADRANT WHICH YOU WANT TO BOD"
read IPNAME
# one ssh session per entered last octet, each started in the background
for i in $IPNAME
do
  ssh user@192.168.1.$i BOD & pid=$!
done

BOD code:
#!/bin/bash
gnome-terminal \
        --tab -t "Exchange" -e " sh -c 'sleep 1s; ./startapp Exchange' " \
        --tab -t "Dragon" -e " sh -c 'sleep 10s; ./startapp Dragon' "

startapp code:
ulimit -c unlimited
export LD_LIBRARY_PATH=./:${LD_LIBRARY_PATH}
./$1 $2 $3 $4 $5

After running the command from the server over SSH, it should be displayed on the other server's VNC (user@192.168.1.119). It was working properly until last week; suddenly I got this error. We have the following versions of CentOS 64-bit (6.7, 6.8, 6.9, 7.4) and are getting the issue only with 7.4 64-bit.

please suggest.
What is PAM? What is LDAP? I know those two are for authentication but am still confused. Why do system administrators usually configure authentication via pam_ldap.conf? What is the advantage of this?

How do I configure pam_ldap on the client side to connect to a Solaris LDAP server?

Thanks,
bvm
I have had to disable SELinux to get an application installed. I was wondering if anyone has ever used audit2allow to re-tag the objects in SELinux and re-enable SELinux.

I have never worked with SELinux before and could use any advice you can give.
Log file: how to copy whole content

zgrep -C20 '1234' 1234.log.gz

The above gave a lot of results on the Unix screen.

How do I copy the whole page and paste it into a text file on the C drive of the Windows laptop from which I am connecting to the Unix box using PuTTY?

Also, I see all results like

0123456
9123488

etc.

which I do not want.

I want a complete-word search of 1234 only.
How do I achieve it?
Please advise
What AWStats format do I need for this type of log from the FTP server?
....
....
Feb 26 13:47:24 ftp sshd[1260]: Disconnected from 115.238.245.6 port 36575 [preauth]
Feb 26 13:47:24 ftp sshd[1260]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.238.245.6  user=root
...
....

I used all 1...4, then I used:
LogFormat= "%time3 %other %method %url %logname %host %code %other"
or
LogFormat= "%time3 %other %host %bytesd %url %other %other %method %other %logname %other %code %other %other"

All say:
found 401 dropped records
2000 corrupted records
...
How to check production logs

I logged in to the production server and went to the server log path.
I did
ls -ltr

I see a bunch of log files at different timestamps.

Let's say xyz.log at 1:30 AM is the one I am interested in seeing.

How do I open it and how do I view it?

When I logged in using WinSCP, it says login denied when copying over to the Windows laptop to check.
I want to zgrep or grep all "NullPointerErrors" between 12:30 AM and 2:30 AM; how do I check?
Also, how do I check how many times it was restarted?
Any good best practices on production logs?
Please advise any good links or resources on it.

I have SFTP installed on Ubuntu 16.04. How do I disable SSH login for a user so that the user has only SFTP login, not SSH login?
Hi, I'm trying to set up PAM authentication on Debian 9: on the first login at boot, I would like PAM to ask for both my password AND my YubiKey NEO. Once I'm logged in, I would like to only use my YubiKey for sudo, screen lock and so on. I would like this to happen for a specific user only, while still being able to log in as root with just my root password.
I successfully configured the PAM module for YubiKey (auth required pam_yubico.so mode=challenge-response) but this way I have to type my password AND have the YubiKey plugged in at EVERY sudo, login and screen lock.

I'm going crazy over this because I'm unable to find decent documentation about this on the web.

Can somebody please provide some help?

regards
Need help with a regex for fail2ban to stop wp-login attempts. Here is my jail.local. I am on a CentOS 6 server.

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/httpd/access_log*
action = iptables[name=WP,port=http,protocol=tcp]
port = http,https
maxretry = 3
findtime = 10
bantime = 2592000
ports = 80,443



This is the log file, and this is a known marauder trying to break in.
/var/log/httpd/access_log-20180218:195.22.127.169 - - [17/Feb/2018:08:05:22 -0500] "POST /wp-login.php HTTP/1.1" 503 2925 "http://thefrugallife.com/wp-login.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
/var/log/httpd/access_log-20180218:195.22.127.169 - - [17/Feb/2018:08:05:22 -0500] "POST /wp-login.php HTTP/1.1" 503 2925 "http://thefrugallife.com/wp-login.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
/var/log/httpd/access_log-20180218:195.22.127.169 - - [17/Feb/2018:08:05:22 -0500] "POST /wp-login.php HTTP/1.1" 503 2925 "http://thefrugallife.com/wp-login.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
/var/log/httpd/access_log-20180218:195.22.127.169 - - [17/Feb/2018:08:05:22 -0500] "POST /wp-login.php HTTP/1.1" 503 2925 "http://thefrugallife.com/wp-login.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; 

Hi to all of you,
I'm preparing new file audit rules in the /etc/audit/audit.rules file.
The syntax I'm using is: auditctl -w path_to_file -p permissions -k key_name
Example: -w /etc/libaudit.conf -p wa -k wlib.conf

My question is: if I use the following syntax without specifying the permission option (-p),
auditctl -w path_to_file -k key_name
what is the default permission value used?

Sounds like a strange question but this is what I've been asked.
Bye and thanks
Carlettus
Hi There,

I am getting the following issue with PostgreSQL in an AWS Ubuntu environment.

When I run python3 manage.py makemigrations, I get the following error:
File "/usr/local/lib/python3.5/dist-packages/psycopg2/init.py", line 164, in connect conn = _connect(dsn, connection_factory=connection_factory, async=async) django.db.utils.OperationalError: could not connect to server: Connection refused Is the server running on host "localhost" (127.0.0.1) and accepting TCP/IP connections on port 5432?

Hence I checked whether PostgreSQL is working fine.
I tried sudo su - postgres. It went into the postgres command prompt, so it became postgres@ip-10-254-3-58:~$

Now when I try psql I get the same error as when I run python3 manage.py makemigrations.

postgres@ip-10-254-3-58:~$psql psql: could not connect to server: No such file or directory Is the server running locally and accepting connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?

I tried uninstalling and reinstalling Postgres.

During the uninstall, I tried the following command

$sudo apt-get --purge autoremove postgresql*

I got many errors.

Then I tried
sudo apt-get clean
sudo apt-get update

I got the following errors.

Hit:1 https://deb.nodesource.com/node_8.x xenial InRelease
0% [1 InRelease gpgv 4,646 B] [Connecting to archive.ubuntu.com (91.189.88.161)] [Connecting to security.ubuntu.com (91.189.91.26)] [Connecting to …
Need help with Fail2Ban not catching the "SASL LOGIN authentication failed" in this maillog. I am running CentOS 6.4.

Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: warning: unknown[185.222.209.14]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: disconnect from unknown[185.222.209.14]
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: warning: unknown[80.211.189.134]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: disconnect from unknown[80.211.189.134]


Here is the filter for postfix:
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
# All patterns belong to the single failregex option below; a second
# "failregex =" line would replace the first definition instead of extending it.
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 450 4\.7\.1 : Helo command reject$
            warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

I know this doesn't work because I ran this test.
[root@ip-172-31-22-236 filter.d]# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/postfix.conf
Use single line: /var/log/mail.log


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.

Thanks,