[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x

Linux Security

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be removed, generally divided into two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system is really the user with the account, while access control is responsible for controlling which resources each account has access to and what kind of access is permitted.

Share tech news, updates, or what's on your mind.

Sign up to Post

What's the best way to monitor for UDP syslog traffic coming in from a redhat 4 and redhat 5 syslog clients if it's not arriving at the syslog server. The syslog server is running on a Redhat 6 server. netstat -taulpe | grep syslog is showing that UDP is listening on all IP's on the server but I'd like to see if there is any other way apart from running  tcpdump -i <nic> port 514. Would watch lsof -a -i:514 show it?
0
Discover the Answer to Productive IT
Discover the Answer to Productive IT

Discover app within WatchGuard's Wi-Fi Cloud helps you optimize W-Fi user experience with the most complete set of visibility, troubleshooting, and network health features. Quickly pinpointing network problems will lead to more happy users and most importantly, productive IT.

I'll need to monitor several "privilege escalation related" Solaris 10 & RHEL6 files using
ACLs (Access Ctrl Lists) :

a) /etc/group, /etc/sudoers, /etc/cron.daily (or .weekly or any crons owned by root):
    ACL to send to syslog (so that we can pipe to SIEM) when permissions, ownership
    or contents of the above files are changed

b)visudo, sudo, usermod, useradd    command binary files :
   when these are being executed/run, ACL to send to syslog (who & when it's being
   executed)

Appreciate an exact  setacl (or the actual commands/settings in RHEL6 & Solaris 10
x86  samples
0
Need to harden a Solaris 10 that is connecting to Internet  from DMZ.

Anyone has a Solaris 10 hardening script that once run will harden for
a) Level 2 Profile
b) "Scored"

The attached which I got from GitHub doesn't seem quite fit to what's needed
& with all the "printf ...", it's more of listing out than actually doing hardening.


From CIS benchmark:

Scoring Information
================
A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:
Scored  <==
Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.
Not Scored
Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.



Profile
=====

 Level 1
Items in this profile intend to:
o be practical and prudent;
o provide a clear security benefit; and
o not inhibit the utility of the technology beyond acceptable means.
 Level 2  <==
This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics:
o are intended for environments or use cases where security is paramount
o acts as defense in depth measure
o may negatively inhibit the utility or performance of the …
0
xhost executing successfully for the user who has the direct login access to the OS.

when I swtich to the other user (su) and which doesn't have the direct login access to OS, could not run the xhost command.

Kindly advice, how to achieve the same.
0
http://www-01.ibm.com/support/docview.wss?uid=swg22005400

Security Bulletin: IBM MQ and IBM MQ Appliance MQOPEN call might succeed when it should have failed. (CVE-2017-1341 )


what does  IBM MQ and IBM MQ Appliance MQOPEN call means?
does it mean client side or server side?
0
0
CVE-2017-1283  - How to fix this?
0
If my rsyslog.conf is configured to write *.info *.warn *.kern and some others to /var/log/messages is there any way to identify the local6 *.info messages apart from the *kern and *.warn and others in  /var/log/messages? I've noticed sometimes that the messages contain kern and warn but not just sure what *.info are and if there's an easy way to identify them
I'd rather not have to configure /etc/rsyslog.conf to have another log file for just *.info if it can be avoided. If there's no other way then I might just have to do it but I'm curious what the local 6 information messages actually are.
0
I have several linux systems. Normally I login on them with my account, and after I login i execute sudo -s, so I can get admin privileges.
Sometimes I need to edit some files or copy some files out of the linux systems and in the past I ofter used the winscp program.
Unfortunately when I login with winscp with my account I don't have admin privileges, and thus I am not able to open and edit needed files, I am not able to copy files out of the system. Can you tell me how to login with winscp with admin privileges
0
I am sysadmin..I want to know

I want to reach the server, to check the connectivity thru specific port.
This is just to varify whether the required firewall rule defined properly or not.
0
Acronis Data Cloud 7.8 Enhances Cyber Protection
LVL 1
Acronis Data Cloud 7.8 Enhances Cyber Protection

A closer look at five essential enhancements that benefit end-users and help MSPs take their cloud data protection business further.

Consider the below scenario

userPC---- firewall --- Destination-server
                         10.1.1.1


I have installed some software on the server, the service  of that software is using port # 301.

1) Scenario...
      Firewall defined
      server#  service UP
        userPC# telnet 10.1.1.1 301  --> user get reply

2)Scenario...
      Firewall defined
      server# service DOWN

is there any command/3rdparty-tools available to just varify, pockets from userPC able to reach on the server through port#301

==
This I asked just to segregate if there any issue, problem from firewall side (or) destination server side.
0
awk query
 unzip -c  xyz.log.20180905.gz| awk '$0>= "2013-Sep-09 18:33" && $0 <="2013-Sep-09 23:15"'| grep '|[1-9][0-9][0-9][0-9][0-9]|0000'|wc -l
Zip file too big (greater than 4294959102 bytes)
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
how to learn awk any good video tutorials on it?
please advise
0
I need to upgrade fail2ban 0.8.14 to 0.10.3.  I am on a Linux 2 server which prevents me from loading any repositories or using Yum to install it.

So, I need to know the steps to get my fail2ban upgraded.  

Thanks,
0
Fail2ban stopped working.  I have scoured the log files and no errors.  It was working and it seems since my last Yum update for security it quit working.  I can do fail2ban-client status and it shows 7 jails.  I can look in the iptables and it shows the jails.  However, when I run fail2ban-regex it shows many hits but none are getting blocked by the iptables.  The iptables are on.

This is 0.8.14 and I am on a Linux 2 Amazon Ami with PHP 7 and Python 2.7.14.

When it was working  it had over 221 ips banned just in one jail.

Please help me get this going.  The bots overrun my system if it isn't in place.
0
We have implemented a new ERP system and are using seven Datalogic portable data terminals logging in to a Linux VM using telnet connections over WiFi. The problem I am facing is we only have seven licenses for our handheld units and at times a unit will lose connection and the user has to log back into their telnet session, however their old shell on the VM is orphaned and we cannot log in due to the license restrictions. I have set the units up so I can identify each unit by userid so I can kill the duplicate sessions but it happens enough that managing it this way is not practical as a long term solution.

I know just enough Linux to be dangerous but not enough to accomplish what I would like to do which is when a user HH1 or HH2 or HH3 logs in I would like to kill any existing shells for the user so each handheld is a one to one between the physical unit and the shell on the VM.

Any ideas on how to do this. We use TelNetCE on the units and just telnet and the users have a simple green screen, character based menu driven system.

Thanks
0
Hi I am looking to do Pester test around my powershell code...but not sure about it ...can some help.

Bascially I need to pull Azurekeyvaultkey information using powershell and then do a pester test to do it, I managed to do poweshell bit but not sure how to do pester part....please I need help urgently.
0
In ubuntu 16:
it's added a wrong file in /etc/sudores.d/ folder.
I can't do sudo form any user. I can't do any thing.
How can I remove this file from folder sudores.d.
can I remove file if I login in as recover mode?

HELP
0
Hi,

I'm running CentOS Linux release 7.4.1708 (Core), issue is i'm able to login using local users but not using ldap users, please help me on this.

I've tried restarting services using authconfig-tui command, but still i'm getting authentication failure error for ldap user.

please see the attached doc (ldap issue.docx), and below output commands and let me know if any other details are required.


[root@server01 log]# cat /etc/openldap/ldap.conf
#
SASL_NOCANON    on
URI ldap://<ldap servrer ip>:389/
BASE dc=prod,dc=hclpnp,dc=com
#
[root@server01 log]# getent passwd testuser
testuser:*:123456:7001:testuser:/home/testuser:/bin/bash
[root@server01 log]#


[hubba@servder01 ~]$ su - testuser
Password:
su: Authentication failure



[root@server01 log]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files              …
0
Hi,

Now our MySQL cluster test platform do not have internet connection and we need to setup local repository for it.

I check out a lot of googled page and it seems no one exactly match what I am going to install, let see what I go from latest MySQL cluster 7.6.6 binary:

rpm files list.
so for management node, which rpm I should install and what is the command for it? just yum --noplugin localinstall <rpm name> ?

For data node, which rpm I should install?

For SQL  node, which rpm I should install ?
0
OWASP: Avoiding Hacker Tricks
LVL 12
OWASP: Avoiding Hacker Tricks

Learn to build secure applications from the mindset of the hacker and avoid being exploited.

I have installed fail2ban on an Amazon Linux 2 instance running Apache 2.4.  I can't start it up because I am using postfix and the default mta is sendmail.  I don't have sendmail installed and I don't want it.

I use google apps for my smtp server.

How can I change over to postfix or use google apps for my fail2ban mail option?

Thanks,
0
I am on an Amazon Linux 2 AMI running Apache 2 and I need a software solution for security.  I have been told mod_security isn't a good choice.  So does anyone have experience with the AWS Waf?  If so, what rules are you using?

Or, do you have another idea altogether?

On my previous instance I used fail2ban but I found the bots could outsmart fail2ban so hopefully someone will have a better choice.

Let me clarify my biggest  problems are postfix issues, stopping ddos, bots running up and down my site stealing bandwidth, clicking on every link and having numerous disk i/o's which I have to pay for.

By the way, I am not interested in using another AMI due to the complexity of my existing AMI.
0
Dear Experts

When we enable encryption in windows 10 systems it encrypts when we store documents, what exactly happens here as we take the stored files from the encrypted  and transfer it via email or copy to USB or share it in network drive all those other side people who have access can open and read or modify based on permissions does it mean it is not file level encryption I mean whoever know the system password files are accessible if someone wants to crack the harddisk then the file formats stored is not as per the document extension like .docs, or .exls please help me to understand this.

2. what does it mean server side encryption like next cloud deployment says we can enable server side encryption how is it different from ssl enablement that is user accessing through https,
please help me understand above two , thank you very much in advance.
0
We have a few Ubuntu 16.04/18.04 servers and some CentOS 6 and 7 servers at our site that we'd like to lock down to only allow logins from users on our Active Directory domain controller via LDAP. The domain controllers are both Windows Server 2016. We have multiple techs that need access to the servers, but only a few that should have full sudo abilities. Can someone share some step by step details in implementing this on these servers and how to make sure only certain AD accounts are allowed sudo abilities?

Thanks!
0
I am in the process of standing up a Ubuntu Linux server from a .vhd file.
The existing partitions are too small to handle the backup file thus I need to add extra partition space to the system.
This is a hyper-V hosted system.
I've never done this before. Can someone give me some guidance on what I will need to do?
Initially I was building a new server with 2 Tb of disk space but we decided to use a existing secured version of a .ova file which I converted over to a .vhd file.
Can anyone help me understand what I need to do?
We have more space available, the vhd was set to more than what the original image was configured for.
How can I expand the relevant partitions to take account of this extra available space?
Which partitions should get the extra space?  Opt is where the backups are stored via the main application so that one definitely needs to be expanded.
Filesystem                        Size  Used Avail Use% Mounted on
udev                               16G     0   16G   0% /dev
tmpfs                             3.1G  8.7M  3.1G   1% /run
/dev/mapper/vg00-root              19G  1.4G   17G   8% /
tmpfs                              16G  4.0K   16G   1% /dev/shm
tmpfs                             5.0M     0  5.0M   0% /run/lock
tmpfs                              16G     0   16G   0% /sys/fs/cgroup
/dev/sda1                         464M   58M  382M  14% /boot
/dev/mapper/vg00-opt               76G   76G     0 100% /opt
tmpfs                            …
0
Dear Experts

We are using nextcloud which is on ubuntu 16.04 with php, mysql and apache until now we were using within the local network but now there is a requirement to enable this to external network that is from internet hence would like to procure ssl certificate and install the same,
1.  can you please suggest the good source to purchase the ssl certificates
2. at present users are using this solution  by installing the ssl certificates will it have any impact of not functioning or breaking down the system please suggest.
3. can you please help me how to install the ssl certificate in this server instance
0

Linux Security

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be removed, generally divided into two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system is really the user with the account, while access control is responsible for controlling which resources each account has access to and what kind of access is permitted.