Linux Security

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be removed, generally divided into two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system is really the user with the account, while access control is responsible for controlling which resources each account has access to and what kind of access is permitted.

Hi,

I have a folder called

home/system/xyz

Now xyz has many subdirectories like abc, def.
Now abc has directories like lms, pqr, etc.

xyz is currently owned by me. The problem is that others cannot see xyz and all its subdirectories for possible issues on the server settings.
Now I want to give ownership of the xyz directory to the ADMIN user, say crm, with password, say p@ssword, so that all the teammates who have ADMIN crm access can view and modify any directories and files within xyz no matter how deep they are.
How do I give access for this?
0
Experts - I’d like to create a Linux/Unix read-only-root role for Auditors, InfoSec and Tech Ops, so they can examine a system without risk of breaking anything.
-      Using sudo or Centrify, we can grant the privileges to run some commands as root, e.g. ls, cat, cksum and tail -f
-      I don’t want to allow root privileges for e.g. find, view or more/less, as they can be used to modify a system

Creating the role is easy; Making it easy to use is harder
-      `sudo cat filename |less` would work fine – the `cat` is run as root, the `less` as the unprivileged user. I can create a little script utility called something like “Auditors_less” to remove the need to remember the syntax.
-      `dzdo cat filename > ~/my_copy_of_filename` would work for the same reason, and give them a local copy to work with. Call it “Auditors_cp” or just “Acp”
(`dzdo` is the Centrify equivalent to sudo)

Replacing the functionality of `find` is the part I can’t figure out. The output of `find` gives the full path to a file. `find` also allows you to select on ownership, permissions etc., but that part could be replaced by
`dzdo ls -l |grep {pattern}`

So a scriptlet that takes a starting directory as input and produces output in the form
/path/to/file      : ls -l output of file
would be great, as grep can filter the output, e.g. for globally writeable files/directories

I’ve found similar questions on formatting `ls -lR` output on stackoverflow.com, but no usable answers – general opinion seems to be…
0
1. CentOS server 6.9 in AD = OK

2. Only access feathers for users of group_USER_AD, applying control via /etc/security/access.conf = OK
3. Blocked direct root access to the server. /etc/ssh/sshd_config (PermitRootLogin no) = OK

 4. To use local account, you will need to use "su -" and do not log in without server with local account = OK

----------------

I have an application that runs with a local account. How can I release the user's access to use the winscp tool and write the application's non /home? Attempts without success

1.) Add the network user's AD group within the application's local group.

2.) There are many network users AD. I can not add one by one in the local group.

How do I solve it?
0
Can I connect SUSE Linux to Red Hat Satellite and patch?
0
Hi,

How do I transfer site bookmarks to shared bookmarks in WinSCP?

Please advise.
0
Hi,

How do I teach WinSCP to remember the password? Entering the password every time is a pain for me. Please advise.
0
I'm having a small issue with a recently provisioned Debian 9.1 VM (from an online hosting company).

When deploying the VM I am provided with Key-Based Authentication for the machine. Those work fine (with the new "debian" super user, root not being anymore active by default) but I'd like to be able to use user / pass too (if nothing else for console access).

How do I set my password ? I tried
passwd debian

but I am prompted for the "old" password which I don't know...

Also - even if it is not best practice - can I activate the root user ?
0
Hello,

I have a problem with interfaces on a multihomed topology. My interfaces cannot ping each other and cannot ping themselves either.
The sysctl settings are given below.

But it is able to ping the interface IP when I directly write ping 37.123.98.142. If both interfaces are not able to ping this interface's IP, how does it ping it, or from where?

I have to let them have access to each other. How should I do it?

Note: loopback interface activated
Note2: em interfaces are all down

[root@spd network-scripts]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.p1p1.rp_filter = 2
net.ipv4.conf.p1p2.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 2
net.ipv4.conf.p1p1.accept_local = 1
net.ipv4.conf.p1p2.accept_local = 1
net.ipv4.conf.all.accept_local = 1
net.ipv4.conf.default.accept_local = 1
net.ipv4.conf.lo.accept_local = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.p1p2.arp_filter = 0
net.ipv4.conf.p1p1.arp_filter = 0
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.p1p1.arp_announce = 2
net.ipv4.conf.p1p2.arp_announce = 2

PING 37.123.98.142 (37.123.98.142) from 37.123.98.142 p1p1: 56(84) bytes of data.

^C
--- 37.123.98.142 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2055ms

[root@spd network-scripts]# ping -I p1p1 37.123.98.138
PING 37.123.98.138 (37.123.98.138) from 37.123.98.142 p1p1: 56(84) bytes of data.

^C
--- 37.123.98.138 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3064ms

[root@spd network-scripts]# ping -I p1p2 37.123.98.138
PING 37.123.98.138 (37.123.98.138) from 37.123.98.138 p1p2: 56(84) bytes of data.

^C
--- 37.123.98.138 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1038ms

[root@spd network-scripts]# ping -I p1p2 37.123.98.142
PING 37.123.98.142 (37.123.98.142) from 37.123.98.138 p1p2: 56(84) bytes of data.

^C
--- 37.123.98.142 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2060ms

[root@spd network-scripts]# ping 37.123.98.142
PING 37.123.98.142 (37.123.98.142) 56(84) bytes of data.
64 bytes from 37.123.98.142: icmp_seq=1 ttl=64 time=0.019 ms
64 bytes from 37.123.98.142: icmp_seq=2 ttl=64 time=0.022 ms
64 bytes from 37.123.98.142: icmp_seq=3 ttl=64 time=0.017 ms
64 bytes from 37.123.98.142: icmp_seq=4 ttl=64 time=0.015 ms

0
What is the meaning of root?
Why do I have to go to root? What can I do from root, what can I not do from root, and what can I do using my user?
How does Unix allow logging in as a different user, say John, when I am logged in as, say, xyz?

Are there any online links or free video tutorials explaining all these concepts, and how to practice? Please advise.
0
Hello,

Does anybody know what these numbers mean in the iptables config file:

*raw
:PREROUTING ACCEPT [1318098:74794423]
:OUTPUT ACCEPT [2065:1143634]

0
Hello,

When we add these rules for forwarded traffic, it drops all packets as invalid. There is no notrack rule on the server, so why does it see the forwarded traffic as invalid?


#-A FORWARD -p tcp -m conntrack --ctstate INVALID -j DROP
#-A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

0
Hello,

We are facing some kind of attack, as given below. I have also attached the pcap file.

The important things are:
  1. IP addresses are spoofed with our country's ISP IP addresses
  2. TTL has also been spoofed, and the TTL values are in the range of the IP address owners - you should find and edit the same DDoS on GitHub with the name VSE
  3. Data is a copy of a real packet used on this protocol for Counter-Strike
  4. Destination port is also Counter-Strike's port
  5. Checksums are correctly generated

How should I block this kind of attack without blocking the real users?



Protokol :17  Source IP :85.104.15.177  Source Port :58061  Destination IP :213.238.166.2  Destination Port :27015  TTL :108  Paket Boyutu :51  Checksum :9777  Data :FFFFFFFF71636F6E6E6563743078304135423333304500  
Protokol :17  Source IP :95.13.27.190  Source Port :55271  Destination IP :213.238.166.2  Destination Port :27015  TTL :111  Paket Boyutu :51  Checksum :64648  Data :FFFFFFFF71636F6E6E6563743078303044414236313000  
Protokol :17  Source IP :88.238.142.125  Source Port :55150  Destination IP :213.238.166.2  Destination Port :27015  TTL :105  Paket Boyutu :51  Checksum :37970  Data :FFFFFFFF71636F6E6E6563743078304138383935423800  
Protokol :17  Source IP :85.103.139.224  Source Port :52054  Destination IP :213.238.166.2  Destination Port :27015  TTL :108  Paket Boyutu :51  Checksum :49529  Data 

0
Hello,

Is there any possible way to drop bogus packets as seen below?

For these packets, the packet payload is smaller than the length of the packet.

 Screen-Shot-2017-08-23-at-22.22.46.png
0
Hi,

I have a user called xyz. Under that folder there is a folder called test, and under that there are folders called abc, def, hij, etc.

I want to search in all the above folders and subfolders for a particular keyword, say "nullpointerexception". How do I do that?
Please advise.
0
Hi,

I have now set up the first MySQL 5.7.19 and created a user to access it from a remote machine.

How can I grant the full rights on everything to this user by doing this:

GRANT usage  on *.* TO xyz@localhost;

What I got is:

ERROR 1133 (42000): Can't find any matching row in the user table


GRANT ALL PRIVILEGES on *.* TO xyz@localhost;

And I got:

ERROR 1133 (42000): Can't find any matching row in the user table


The same message.

How can I solve it?
0
Hi,

WinSCP: how do I sudo as admin?
I am currently logged in as my user, say xyz, but I am not able to delete a particular folder/directory. I have to log in or sudo as an admin user, say rrr, to do that. How do I sudo in WinSCP to the rrr user? Please advise.
0
Hi,

WinSCP: how do I compare 2 different Unix users, say xyz and abc, by opening xyz on the left-hand side and abc on the right-hand side? As of now, on the left-hand side I was able to open my Windows laptop folder structure, like the C drive etc., and on the right-hand side I am able to open one Unix user, like abc or xyz etc. Please advise.
0
I'll need a shell script that scans through the creation dates of all patches (ideally only the security ones, but
if this is not possible, then all patches) installed on an RHEL 7 server, gets the latest one, computes
the difference from today's date and gives the difference in number of days, and, if the difference is
more than 90 days, echoes out a message, "It has been more than 90 days since last patch".

The purpose is to check the last patch date and remind Linux admins. I believe RHEL releases patches
at least every 3 months?
0
Hi,

On the Unix box there are various users like xyz, abc, etc.

It looks like the server is running out of disk space and I need to clean up.

How do I know how much space user xyz is occupying and how much space user abc is occupying? Please advise.
0
I have a few questions about selecting the place where a drop policy is applied.

1. Which one applies the drop rule first?
2. iptables and nftables are user-space appliances, but I do not know them more deeply. Do they work in kernel space and pipe the requests from user space, or do they work completely after kernel space?
3. Is there any possibility to drop a packet before any kernel-space module? I tried with netfilter to drop an IP xx.xx.xx.xx, and I realized that tcpdump is still reading the traffic but iptables is not. So the traffic is still passing to kernel space on netfilter.
0
I am in a particular folder, say abc.

I did ls -ltr, where there are a bunch of files.

I want to search for all the files with names starting with xyz alone, ignoring others starting with pqr etc. (ignore pqr000.log.20170806.gz etc.).
My search should give results like

xyz123.log.20170806.gz
xyz456.log.20170806.gz
xyz789.log.20170806.gz etc

What is the command I have to use for that?

Is it grep or find or something else?

When I gave grep xyz.* it did not give any result.

How is searching inside a file's content different from searching on Unix file names?

Are there any good links on these commands? Please advise.
0
I haven't worked on SUSE for a long time. Can someone explain to me the process of patching in SUSE? I want to update the bash package.

I need some steps as well. I would appreciate it.

I want to cover this:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
0
Hi,

In Unix, using vi, how do I copy and paste from one file, say abc.ccfg, to xyz.ccfg?

In Windows I simply select all in abc.ccfg, then Control-C, then go to xyz.ccfg and Control-V.

That's all I have to do.

The vi editor is something I hate.

It is not at all user friendly.

Even moving the cursor is a big thing there.

Are there any good shortcuts, tips and links on using vi?
0
When I cannot stop the WebLogic server, my friend gave me the commands below:

ps -ef | grep ggg3rrr

What does the above command give as a result?
kill -9 43856
What are -9 and 43856 in the above kill command?

Please advise.
0
Hi,

I have xyz.ccfg under my WebLogic server.

I logged in to the Unix WebLogic server box.
How do I search on the above file name 'xyz.ccfg' to find its exact location, like

abc/home/user1/......

I am not sure exactly where it is.

Please advise.
0
