Linux Security

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be mitigated, generally divided into two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system really is the owner of the account, while access control governs which resources each account may reach and what kind of access is permitted.


I need to create an ipset for IPv6; I already have one for IPv4. I want to use ipdeny.com and insert specific country blocks into the ipset that is connected to iptables.
Individual log files on my server get zipped every hour and the individual log files are then deleted.

The problems I am facing with zipped log files are:
1. Not able to grep them as easily as individual files.

2. Not able to tail them to see any recent issues.

If I copy them over to my local Windows laptop using WinSCP, unzip them and try to open an individual file with Notepad++, it says the file is too large to open.

How do I extract the zip file on the Unix box itself and check the log files with grep, tail, etc.?

Please advise.
Dear Experts,

Please suggest all the ways desktop/laptop users of Windows 10 and Ubuntu desktop systems can be encrypted at the OS level, and whether any third-party tool is needed. I read an article about BitLocker drive encryption; is it recommended? Please also suggest how the same can be done for Ubuntu desktops.
We have set up OpenVAS in our infrastructure. We were able to run it to scan and produce assessment reports for the VMs within our infrastructure. However, the scan results are very long and complete. We would like to filter the same report so that it only contains the High-severity results.

Any idea what would be the most effective approach to filter the Greenbone scans?
tail -n5000 xyz.log

The above shows the last 5000 lines, right?

If I want to see all 15723 lines of xyz.log, what command do I have to give?

tail -n5000 xyz.log|grep 'ERROR WS'
How do I make the above a case-sensitive search, like
tail -n5000 xyz.log|grep 'error ws'
How do I make the above a whole-word search, so that I won't see results like ERROR aaa WS, etc.?

Please advise.
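An added example for the two log questions above (hourly gzipped logs, and the tail|grep options); it is not code from either post. It builds a small constructed log, gzips it, and shows how to read and search the archive in place on the Unix host, so nothing has to be copied to a laptop and unpacked. The file name xyz.log and the log lines are invented.

```shell
#!/bin/sh
# Added example: reading and searching a gzipped log without extracting it.
# All input below is constructed for the demonstration.

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
LOG=$WORK/xyz.log

# Constructed log lines (invented timestamps and messages).
cat >"$LOG" <<'EOF'
2018-02-26 01:10:01 INFO  startup complete
2018-02-26 01:12:44 ERROR WS timeout calling backend
2018-02-26 01:13:02 ERROR WSX handler aborted
2018-02-26 01:15:30 error ws lowercase variant
2018-02-26 01:16:01 ERROR aaa WS unrelated
2018-02-26 01:20:00 INFO  request served
EOF
gzip -c "$LOG" >"$LOG.gz"        # what the hourly rotation leaves behind

# ztail <file.gz> <n>: last n lines of a gzipped log, nothing written to disk.
ztail() { gzip -dc "$1" | tail -n "$2"; }

# zcount <file.gz> [grep options] <pattern>: number of matching lines.
#   -i  ignore case        ('ERROR WS' also finds 'error ws')
#   -w  whole words only   ('ERROR WS' no longer matches 'ERROR WSX')
zcount() { f=$1; shift; gzip -dc "$f" | grep -c "$@"; }

# zlines <file.gz>: total line count, the equivalent of 'wc -l' on the archive.
zlines() { gzip -dc "$1" | wc -l | tr -d ' '; }

# Stand-alone run: the same searches a person would type at the prompt.
# Whole file: 'gzip -dc xyz.log.gz | less' (or 'zless xyz.log.gz'); for an
# uncompressed file 'less xyz.log' pages through all of it, no tail needed.
ztail "$LOG.gz" 2
zgrep -iw 'ERROR WS' "$LOG.gz"                          # zgrep = grep that reads .gz
gzip -dc "$LOG.gz" | tail -n 5000 | grep -iw 'ERROR WS'  # the posted pipeline, on .gz
```

zgrep, zcat and zless ship with gzip, so they are present wherever the hourly rotation runs; the archives never need to leave the server.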
Hi

After I installed Nextcloud 13.0.1 on CentOS 7, most of the features work.

I am facing a strange issue with the calendar.

I cannot create or delete or do anything with the calendar in the Nextcloud management; please check the attached file.

Do you think I have to change something from the GUI or CLI, or install or do something?

Kindly advise
Hello Experts,

I am getting the following error while executing a command over SSH:

[root@200 ~]# separateBod
ENTER SERVER IP LAST 1 QUADRANT WHICH YOU WANT TO BOD:
119
Option "-t" is deprecated and might be removed in a later version of gnome-terminal.
Option "-t" is deprecated and might be removed in a later version of gnome-terminal.
Failed to parse arguments: Cannot open display:

separateBod code:
#!/bin/bash
# Ask for the last octet of the target server's address and run BOD there over SSH.
printf "ENTER SERVER IP LAST 1 QUADRANT WHICH YOU WANT TO BOD:\n"
read IPNAME
for i in $IPNAME
do
  ssh user@192.168.1.$i BOD & pid=$!   # backgrounded so several servers can be started at once
done

BOD code:
#!/bin/bash
# Open one gnome-terminal tab per application, each starting after a short delay.
gnome-terminal \
        --tab -t "Exchange" -e " sh -c 'sleep 1s; ./startapp Exchange' " \
        --tab -t "Dragon" -e " sh -c 'sleep 10s; ./startapp Dragon' "

startapp code:
#!/bin/bash
# Allow core dumps, pick up libraries from the current directory, then launch the named binary.
ulimit -c unlimited
export LD_LIBRARY_PATH=./:${LD_LIBRARY_PATH}
./$1 $2 $3 $4 $5

After running the command from the server over SSH it should be displayed in the other server's VNC session (user@192.168.1.119). It was working properly until last week; suddenly I got this error. We have the following 64-bit CentOS versions (6.7, 6.8, 6.9, 7.4), and the issue only occurs with 7.4 64-bit.

Please suggest.
What is PAM? What is LDAP? I know those two are for authentication but I am still confused. Why do system administrators usually configure authentication via pam_ldap.conf? What is the advantage of this?

How do I configure pam_ldap on the client side to connect to a Solaris LDAP server?

Thanks,
bvm
I have had to disable SELinux to get an application installed. I was wondering if anyone has ever used audit2allow to re-tag the objects in SELinux and re-enable SELinux.

I have never worked with SELinux before and could use any advice you can give.
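An added example for the SELinux question above; it is not code from the post. Two points a practitioner would want before re-enabling: audit2allow does not re-tag anything, it writes allow rules from AVC denials (re-tagging is restorecon/fixfiles), and a module generated wholesale permits exactly what the application tried, including things that should stay denied. The workflow that keeps policy tight is: permissive mode, reproduce, read the denials, fix labels first, then turn only what is left into a small local module. The function below does the "read the denials" step offline; the AVC records are constructed, and the paths and booleans in the comments are illustrative.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials before deciding what to do
# about each one. Input records are constructed (real auditd format, invented values).

# avc_summary: read audit.log lines on stdin; print one line per distinct
# (source context -> target context, class, permissions) with a count.
avc_summary() {
  awk '/avc: *denied/ {
    perms = ""
    if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART, RLENGTH)
    s = t = c = ""
    for (i = 1; i <= NF; i++) {
      if      ($i ~ /^scontext=/) s = substr($i, 10)
      else if ($i ~ /^tcontext=/) t = substr($i, 10)
      else if ($i ~ /^tclass=/)   c = substr($i, 8)
    }
    print s " -> " t " " c " " perms
  }' | sort | uniq -c | sort -rn
}

# Constructed AVC records: httpd reading a file labelled as a home directory
# (a labelling problem) and httpd connecting to the PostgreSQL port (a boolean).
AVC_SAMPLE='type=AVC msg=audit(1519650001.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="app.conf" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1519650002.102:202): avc:  denied  { read } for  pid=2101 comm="httpd" name="app.conf" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1519650003.103:203): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1519650003.103:203): arch=c000003e syscall=42 success=yes exit=0'

# Stand-alone run on the constructed records.
printf '%s\n' "$AVC_SAMPLE" | avc_summary

# Real workflow on the host (root), with the example paths as placeholders:
#   setenforce 0                                  # permissive: log denials, block nothing
#   ...exercise the application...
#   ausearch -m avc -ts recent | avc_summary
#   # user_home_t on files httpd must read is a wrong label, not missing policy:
#   semanage fcontext -a -t httpd_sys_content_t '/srv/app(/.*)?'
#   restorecon -Rv /srv/app
#   # a shipped boolean may cover the rest (httpd talking to the database port):
#   setsebool -P httpd_can_network_connect_db on
#   # only what is still denied after that goes into a module; read local.te first:
#   ausearch -m avc -ts recent | audit2allow -M local && semodule -i local.pp
#   # set SELINUX=enforcing in /etc/selinux/config; files created while SELinux
#   # was disabled carry no labels, so schedule a full relabel before rebooting:
#   fixfiles onboot                               # or: touch /.autorelabel
```

`audit2allow -w` (why) explains each denial in words and often points at the boolean or label fix directly, which is cheaper and safer than a custom module.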
Log file: how to copy the whole content

zgrep -C20 '1234' 1234.log.gz

The above gave a lot of results on the Unix screen.

How do I copy the whole page and paste it into a text file on the C drive of the Windows laptop through which I am connecting to the Unix box using PuTTY?

Also

I see all results like

0123456
9123488

etc.

which I do not want.

I want a complete-word search of 1234 only.
How do I achieve it?
Please advise.
What AWStats LogFormat do I need for this type of log from the FTP server?
....
....
Feb 26 13:47:24 ftp sshd[1260]: Disconnected from 115.238.245.6 port 36575 [preauth]
Feb 26 13:47:24 ftp sshd[1260]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.238.245.6  user=root
...
....

I used all of 1 ... 4, then I used:
LogFormat= "%time3 %other %method %url %logname %host %code %other"
or
LogFormat= "%time3 %other %host %bytesd %url %other %other %method %other %logname %other %code %other %other"

All say:
found 401 dropped records
2000 corrupted records
...
How to check production logs

I logged in to the production server and went to the server log path.
I did
ls -ltr

I see a bunch of log files with different timestamps.

Let's say xyz.log is at 1:30 AM, which I am interested in seeing.

How do I open it and how do I see it?

When I logged in using WinSCP it says login denied when copying over to my Windows laptop to check.
Say I want to zgrep or grep all "NullPointerErrors" between 12:30 AM and 2:30 AM; how do I check?
Also, how do I check how many times it was restarted?
Any good best practices on production logs?
Please advise any good links or resources on it.
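An added example for the zgrep/copy question and the production-log question above; it is not code from either post. It works on a constructed application log and shows whole-word search with context lines, extracting a time window, counting restarts, and writing results to a file that WinSCP can then fetch. The 'Server startup' banner is an assumption (it is what Tomcat prints); substitute whatever your own server logs when it comes up.

```shell
#!/bin/sh
# Added example: whole-word search, time windows and restart counts on a
# rotated (gzipped) application log. All input below is constructed.

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
LOG=$WORK/xyz.log

# Constructed log (invented content; ISO timestamps sort correctly as text).
cat >"$LOG" <<'EOF'
2018-02-26 00:05:00 INFO  Server startup in 4213 ms
2018-02-26 00:45:12 ERROR java.lang.NullPointerException at OrderService.java:88
2018-02-26 01:02:30 INFO  order 1234 placed
2018-02-26 01:02:31 INFO  order 0123456 placed
2018-02-26 01:30:00 ERROR java.lang.NullPointerException at CartService.java:17
2018-02-26 02:10:05 INFO  Server startup in 3980 ms
2018-02-26 02:45:59 ERROR java.lang.NullPointerException at CartService.java:17
2018-02-26 03:00:00 INFO  order 9123488 shipped
EOF
gzip -c "$LOG" >"$LOG.gz"

# log_window <from> <to>: lines on stdin whose 'YYYY-MM-DD HH:MM:SS' prefix lies
# in the closed interval. Zero-padded timestamps compare as strings, no date parsing.
log_window() {
  awk -v from="$1" -v to="$2" '{ ts = $1 " " $2; if (ts >= from && ts <= to) print }'
}

# word_grep <file.gz> <word> <context>: whole-word match plus surrounding lines.
# -w stops '1234' from matching inside '0123456' or '9123488'.
word_grep() { zgrep -w -C "$3" "$2" "$1"; }

# word_count <file.gz> <word>: how many lines contain the word on its own.
word_count() { zgrep -wc "$2" "$1"; }

# npe_between <file.gz> <from> <to>: NullPointerExceptions inside a time window.
npe_between() { gzip -dc "$1" | log_window "$2" "$3" | grep -c 'NullPointerException'; }

# restarts <file.gz>: how often the server came up (assumed banner, see above).
restarts() { gzip -dc "$1" | grep -c 'Server startup'; }

# Stand-alone run. Redirecting to a file under your home directory is the
# reliable way to get a long result off the box: fetch that file with WinSCP
# instead of copying from the PuTTY window (or enable Session > Logging in PuTTY).
word_grep "$LOG.gz" 1234 1 | tee "$WORK/1234-context.txt"
npe_between "$LOG.gz" '2018-02-26 00:30:00' '2018-02-26 02:30:00'
restarts "$LOG.gz"
```

For the 12:30 AM to 2:30 AM question, `log_window` takes the literal timestamps and works on plain or gzipped files alike, since it reads stdin; `zgrep -c` without `-w` on the same file returns 3 for 1234, which is exactly the over-match the second post complains about.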
I have SFTP installed on Ubuntu 16.04. How do I disable SSH login for a user, so that the user has only SFTP login and not SSH login?
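An added example for the SFTP-only question above; it is not code from the post. OpenSSH does this with a Match block: members of one group are forced into the in-process SFTP server and chrooted, which removes the shell, port forwarding and agent forwarding in one place. The group name sftponly, the chroot parent /srv/sftp and the upload subdirectory are assumptions; the permission check mirrors the rule sshd itself enforces on ChrootDirectory.

```shell
#!/bin/sh
# Added example: sshd_config fragment and checks for SFTP-only accounts.
# Group, paths and directory layout are assumptions for the demonstration.

# sftp_only_match_block <group> <chroot-parent>: sshd_config text to append.
# Match blocks apply until the next Match or end of file, so this goes last.
sftp_only_match_block() {
  cat <<EOF
Match Group $1
    ChrootDirectory $2/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    AllowAgentForwarding no
EOF
}

# chroot_ok <dir>: sshd refuses a ChrootDirectory unless every path component is
# owned by root and not writable by group or others. Check the leaf that way.
chroot_ok() {
  dir=$1
  uid=$(stat -c '%u' "$dir") || return 1
  mode=$(stat -c '%a' "$dir" | sed 's/^0*\([0-9]\)/\1/')
  [ "$uid" = 0 ] || return 1
  [ $(( (mode / 10) % 10 & 2 )) -eq 0 ] && [ $(( mode % 10 & 2 )) -eq 0 ]
}

# provision_sftp_user <user> <group> <chroot-parent>: the root-only steps, kept
# as a function so the whole procedure is visible; not run in this example.
provision_sftp_user() {
  getent group "$2" >/dev/null || groupadd "$2"
  useradd -g "$2" -s /usr/sbin/nologin -d "$3/$1" -M "$1"
  mkdir -p "$3/$1/upload"
  chown root:root "$3/$1"; chmod 755 "$3/$1"   # the chroot itself: root-owned, read-only
  chown "$1:$2" "$3/$1/upload"                  # the user writes only below it
  chroot_ok "$3/$1" || { echo "chroot $3/$1 would be rejected by sshd" >&2; return 1; }
  sftp_only_match_block "$2" "$3" >>/etc/ssh/sshd_config
  sshd -t && systemctl reload ssh               # validate before reloading the daemon
}

# Stand-alone run: show the fragment that would be appended.
sftp_only_match_block sftponly /srv/sftp
```

For an existing account, `usermod -aG sftponly user` puts it under the Match block; `sshd -t` before every reload is the check that keeps a typo here from locking everyone out.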
Hi, I'm trying to set up PAM authentication on Debian 9. On the first login at boot, I would like PAM to ask for both my password AND my YubiKey NEO. Once I'm logged in, I would like to use only my YubiKey for sudo, screen lock and so on. I would like this to happen for a specific user only, while still being able to log in as root with just my root password.
I successfully configured the PAM module for the YubiKey (auth required pam_yubico.so mode=challenge-response), but this way I have to type my password AND have the YubiKey plugged in at EVERY sudo, login and screen lock.

I'm going crazy over this because I'm unable to find decent documentation about it on the web.

Can somebody please provide some help?

Regards
Need help with a regex for fail2ban to stop wp-login attempts. Here is my jail.local. I am on a CentOS 6 server.

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/httpd/access_log*
action = iptables[name=WP,port=http,protocol=tcp]
port = http,https
maxretry = 3
findtime = 10
bantime = 2592000
ports = 80,443

This is the log file, and this is a known marauder trying to break in.
/var/log/httpd/access_log-20180218:195.22.127.169 - - [17/Feb/2018:08:05:22 -0500] "POST /wp-login.php HTTP/1.1" 503 2925 "http://thefrugallife.com/wp-login.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
/var/log/httpd/access_log-20180218:195.22.127.169 - - [17/Feb/2018:08:05:22 -0500] "POST /wp-login.php HTTP/1.1" 503 2925 "http://thefrugallife.com/wp-login.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
/var/log/httpd/access_log-20180218:195.22.127.169 - - [17/Feb/2018:08:05:22 -0500] "POST /wp-login.php HTTP/1.1" 503 2925 "http://thefrugallife.com/wp-login.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
/var/log/httpd/access_log-20180218:195.22.127.169 - - [17/Feb/2018:08:05:22 -0500] "POST /wp-login.php HTTP/1.1" 503 2925 "http://thefrugallife.com/wp-login.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; 

Hi to all of you,
I'm preparing new file audit rules in the /etc/audit/audit.rules file.
The syntax I'm using is: auditctl -w path_to_file -p permissions -k key_name
Example: -w /etc/libaudit.conf -p wa -k wlib.conf

My question is: if I use the following syntax without specifying the permission option (-p):
auditctl -w path_to_file -k key_name
what is the default permission value used?

Sounds like a strange question, but this is what I've been asked.
Bye and thanks
Carlettus
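An added example for the audit.rules question above; it is not code from the post. auditctl treats a watch with no -p as `-p rwxa` (read, write, execute and attribute change), which is what `auditctl -l` prints back for such a rule once loaded. Leaving the default implicit means a reviewer cannot tell an intentional "everything" from a forgotten flag, so the functions below make it explicit and flag watches with no key, which are otherwise hard to pull out of the log with `ausearch -k`. The rules file is constructed and is not a recommended baseline.

```shell
#!/bin/sh
# Added example: normalise an audit.rules file so every watch states its
# permission set and carries a key. The sample rules are constructed.

# explicit_watch_perms <rule>: add '-p rwxa' (auditctl's default) to a -w rule
# that has no -p of its own; other rules pass through unchanged.
explicit_watch_perms() {
  case " $1 " in
    *" -w "*)
      case " $1 " in
        *" -p "*) printf '%s\n' "$1" ;;
        *) printf '%s\n' "$1" | sed 's/\(-w  *[^ ][^ ]*\)/\1 -p rwxa/' ;;
      esac ;;
    *) printf '%s\n' "$1" ;;
  esac
}

# rule_has_key <rule>: true if the rule carries a -k key name.
rule_has_key() { case " $1 " in *" -k "*) return 0 ;; *) return 1 ;; esac; }

# lint_rules: read audit.rules on stdin, write normalised rules on stdout and
# a warning on stderr for every watch or syscall rule without a key.
lint_rules() {
  while IFS= read -r line; do
    case $line in
      ''|'#'*|-D|'-b '*|'-f '*|'-e '*) printf '%s\n' "$line"; continue ;;
    esac
    rule_has_key "$line" || echo "warning: no -k key on rule: $line" >&2
    explicit_watch_perms "$line"
  done
}

# Constructed rules file (example paths only).
RULES='-D
-b 8192
-w /etc/libaudit.conf -p wa -k wlib.conf
-w /etc/sudoers -k sudoers
-w /etc/shadow -p wa
-a always,exit -F arch=b64 -S execve -k exec'

# Stand-alone run: '-w /etc/sudoers' gains '-p rwxa', '-w /etc/shadow' is flagged.
printf '%s\n' "$RULES" | lint_rules

# Loading on the host: 'auditctl -R /etc/audit/audit.rules' (or 'augenrules --load'
# where rules live in /etc/audit/rules.d), then 'auditctl -l' shows the rules as
# the kernel holds them, defaults filled in.
```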
Hi There,

I am getting the following issue with PostgreSQL in an AWS Ubuntu environment.

When I run python3 manage.py makemigrations, I get the following error:
File "/usr/local/lib/python3.5/dist-packages/psycopg2/init.py", line 164, in connect conn = _connect(dsn, connection_factory=connection_factory, async=async) django.db.utils.OperationalError: could not connect to server: Connection refused Is the server running on host "localhost" (127.0.0.1) and accepting TCP/IP connections on port 5432?

Hence I checked whether PostgreSQL is working fine.
I tried sudo su - postgres. It went into the postgres shell, so the prompt became postgres@ip-10-254-3-58:~$

Now when I try psql I get the same error as when I run python3 manage.py makemigrations.

postgres@ip-10-254-3-58:~$ psql
psql: could not connect to server: No such file or directory Is the server running locally and accepting connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?

I tried uninstalling and reinstalling postgres.

During the uninstall, I tried the following command:

$ sudo apt-get --purge autoremove postgresql*

I got many errors.

Then I tried
sudo apt-get clean
sudo apt-get update

I got the following errors:

Hit:1 https://deb.nodesource.com/node_8.x xenial InRelease
0% [1 InRelease gpgv 4,646 B] [Connecting to archive.ubuntu.com (91.189.88.161)] [Connecting to security.ubuntu.com (91.189.91.26)] [Connecting to …
Need help with Fail2Ban not catching the "SASL LOGIN authentication failed" lines in this maillog. I am running CentOS 6.4.

Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: warning: unknown[185.222.209.14]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: disconnect from unknown[185.222.209.14]
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: warning: unknown[80.211.189.134]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: disconnect from unknown[80.211.189.134]

Here is the filter for postfix:
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 450 4\.7\.1 : Helo command reject$
failregex = warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

I know this doesn't work because I ran this test:
[root@ip-172-31-22-236 filter.d]# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/postfix.conf
Use single line: /var/log/mail.log


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.

Thanks,
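An added example for the two fail2ban questions above (the wp-login jail and the SASL filter); it is not code from either post. It turns a fail2ban failregex into a POSIX ERE and runs it over constructed log lines, so a pattern can be checked offline before it goes into filter.d. Three things the posts show that are worth checking against it: the access_log lines as pasted carry a `/var/log/httpd/access_log-20180218:` prefix added by grep, which fail2ban never sees because it reads the file directly; `findtime = 10` is ten seconds, so only three POSTs within ten seconds trip the jail, and the `iptables[... port=http ...]` action bans port 80 only, whatever `port = http,https` says; and a filter section takes one `failregex` key with further patterns on indented continuation lines, as the first two patterns in the postfix filter already do. In the second post's output, "Use single line: /var/log/mail.log" is fail2ban-regex reporting that its first argument was not an existing file, so it tested the path string itself rather than the log. The IPv4-only stand-in for `<HOST>` below is an assumption made to keep the harness simple; fail2ban's real expansion also accepts hostnames and IPv6.

```shell
#!/bin/sh
# Added example: dry-run a fail2ban failregex against sample log lines with
# grep/awk. The log lines are constructed (attacker addresses taken from the
# posts, benign ones from RFC 5737 space).

# Stand-in for fail2ban's <HOST>: dotted IPv4 only (an assumption, see above).
HOST_ERE='[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+'

# f2b_match <failregex>: read log lines on stdin; print the <HOST> of each match.
# The regex is spliced around the host pattern and handed to grep -E; awk then
# pulls the leftmost address out of every matching line.
f2b_match() {
  pre=${1%%<HOST>*}; post=${1#*<HOST>}
  grep -E -- "${pre}${HOST_ERE}${post}" \
    | awk -v h="$HOST_ERE" 'match($0, h) { print substr($0, RSTART, RLENGTH) }'
}

# WordPress login attempts: two POSTs from the same source, two harmless GETs.
WP_REGEX='^<HOST> .*"POST /wp-login\.php'
WP_LOG='195.22.127.169 - - [17/Feb/2018:08:05:22 -0500] "POST /wp-login.php HTTP/1.1" 503 2925 "http://thefrugallife.com/wp-login.php" "Mozilla/4.0"
195.22.127.169 - - [17/Feb/2018:08:05:23 -0500] "POST /wp-login.php HTTP/1.1" 503 2925 "-" "Mozilla/4.0"
198.51.100.7 - - [17/Feb/2018:08:06:00 -0500] "GET /wp-login.php HTTP/1.1" 200 4122 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Feb/2018:08:06:10 -0500] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"'

# Postfix SASL failures: the pattern from the second post, unchanged.
SASL_REGEX='warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:'
SASL_LOG='Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: warning: unknown[185.222.209.14]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: disconnect from unknown[185.222.209.14]
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: warning: unknown[80.211.189.134]: SASL LOGIN authentication failed: authentication failure'

# Stand-alone run: the hosts each filter would hand to the ban action.
printf '%s\n' "$WP_LOG"   | f2b_match "$WP_REGEX"
printf '%s\n' "$SASL_LOG" | f2b_match "$SASL_REGEX"

# On the host, the authoritative check is fail2ban's own tester, with the log
# path that actually exists (CentOS writes postfix to /var/log/maillog):
#   fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.conf
#   fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/wordpress.conf
```

The SASL pattern itself matches the posted lines; what the dry run cannot reproduce is the tester being pointed at a path that is not there, which is what the "Use single line" output records.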
I had an attack on my site last night and I was looking in /var/log/messages and I see these entries happening every second:

Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=mara] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=tigers] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=tigers] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2716]:                 : auth failure: [user=josie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2715]:                 : auth failure: [user=josie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=stephanie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=stephanie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:11 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=amanda] [service=smtp] 

My mailbox was flooded through my contact form last night, so I need to block the country that caused the attack until I can upgrade my site to use the current reCAPTCHA from Google. Here is the script I need to work. I want to be ready if it happens again tonight.

for IP in $(wget -O - http://www.ipdeny.com/ipblocks/data/countries/{ua,kp}.zone) do

It won't execute; instead I get a greater-than symbol ">".

This is an example:
for IP in $(wget -O - http://www.ipdeny.com/ipblocks/data/countries/{ua,kp}.zone) do
>

This script used to work, but I had to retype it and now I get that > symbol.

Please help.

Randal
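An added example serving both ipdeny questions on this page (the IPv6 ipset earlier, and the country-block loop above); it is not code from either post. Two points first. The one-liner stalls at a `>` continuation prompt because the shell reads `do` as one more word of the `in` list; the list has to be closed with `;` or a newline before `do` (`for IP in $(...); do ...; done`). Second, a country zone file is thousands of prefixes, and one iptables rule per prefix is slow to load and slow to match; an `ipset` of type hash:net holds them in one rule, and an IPv6 set is the same thing with `family inet6` and an ip6tables rule. The functions below convert zone files into `ipset restore` input offline; the zone files are constructed (RFC 5737 and RFC 3849 documentation prefixes), the set names are assumptions, and the ipdeny IPv6 URL in the comments is given from memory of the site's layout and should be checked there. Country blocking is a stop-gap: the form needs its rate limit or CAPTCHA, because the next flood can come through any country.

```shell
#!/bin/sh
# Added example: build ipset restore input (IPv4 or IPv6) from ipdeny-style
# zone files. The zone files below are constructed, not real allocations.

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat >"$WORK/xx.zone" <<'EOF'
203.0.113.0/24
198.51.100.0/24
EOF
cat >"$WORK/xx6.zone" <<'EOF'
2001:db8::/32
2001:db8:1234::/48
EOF

# zone_family <zonefile>: inet or inet6, decided by the first non-empty line.
zone_family() {
  first=$(awk 'NF { print; exit }' "$1")
  case $first in *:*) echo inet6 ;; *) echo inet ;; esac
}

# zone_to_ipset_restore <setname> <zonefile>...: emit 'ipset restore' input.
# All files must share one address family; an ipset holds one family only.
zone_to_ipset_restore() {
  name=$1; shift
  fam=$(zone_family "$1")
  printf 'create %s hash:net family %s\n' "$name" "$fam"
  for f in "$@"; do
    [ "$(zone_family "$f")" = "$fam" ] || {
      echo "$f: address family differs from $fam; use a separate set" >&2; return 1; }
    grep -v '^[[:space:]]*$' "$f" | while IFS= read -r net; do
      printf 'add %s %s\n' "$name" "$net"
    done
  done
}

# Stand-alone run: the restore stream for the IPv6 set.
zone_to_ipset_restore geoblock6 "$WORK/xx6.zone"

# On the firewall host (root, network, ipset and ip6tables present), with the
# poster's country codes; '-exist' makes repeated loads idempotent:
#   for cc in ua kp; do
#     wget -qO "$WORK/$cc.zone"  http://www.ipdeny.com/ipblocks/data/countries/$cc.zone
#     wget -qO "$WORK/$cc-6.zone" http://www.ipdeny.com/ipv6/ipaddresses/blocks/$cc.zone
#   done
#   zone_to_ipset_restore geoblock  "$WORK"/*[!6].zone | ipset -exist restore
#   zone_to_ipset_restore geoblock6 "$WORK"/*-6.zone  | ipset -exist restore
#   iptables  -I INPUT -m set --match-set geoblock  src -j DROP
#   ip6tables -I INPUT -m set --match-set geoblock6 src -j DROP
```

Refreshing the set later is `ipset -exist restore` again with a new zone file; the iptables rule keeps pointing at the set name, so nothing in the ruleset changes.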
I was reading some material on netcat usage. There are a few references to using netcat as a relay using a FIFO (mknod backpipe p). Also mentioned was using the next_hop argument. I have never used that syntax and can't really find much information on it. So the command is:
nc -l -p 12345 0<pipe | nc next_hop 54321 1>pipe

I don't know what the next_hop is referring to.

I've always done it like this, where I specify where the client will connect (10.1.1.1 port 54321):
nc -l -p 12345 0<pipe | nc 10.1.1.1 54321 1>pipe

Any explanation of how the next_hop works would be appreciated.
We are looking to deploy Snort on a server in IDS mode. I am looking for a web GUI to go along with it so our admins can manage it easily. Can anyone recommend something that will allow us to update plugins and rules, view alerts, etc.? So far all of my research just pulls up old articles.
I am also willing to do a Gig Project if it is easier for someone to set it up.
I am running an Ubuntu 16.04 LTS server. I am unable to change the root password or add users to the sudoers file.
$ zgrep --version
grep through gzip files
usage: zgrep [grep_options] pattern [files]


When I typed the above command I did not see any version number. Please advise.
Jan 29 05:40:41 hklvadapp005 sshd[26279]: Received disconnect from 10.20.225.137: 11: disconnected by user
Jan 29 05:40:41 hklvadapp005 sshd[26275]: pam_unix(sshd:session): session closed for user distadm1
Jan 29 13:26:46 hklvadapp005 sshd[28345]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 64855 ssh2
Jan 29 13:26:48 hklvadapp005 sshd[28345]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 29 13:27:01 hklvadapp005 sshd[28383]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 64867 ssh2
Jan 29 13:27:02 hklvadapp005 sshd[28383]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 29 14:47:37 hklvadapp005 sshd[28383]: pam_unix(sshd:session): session closed for user npwebmadmn
Jan 29 15:09:01 hklvadapp005 sshd[16181]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 52237 ssh2
Jan 29 15:09:02 hklvadapp005 sshd[16181]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 29 15:14:35 hklvadapp005 sshd[17920]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 10, deny 9
Jan 29 15:32:10 hklvadapp005 sshd[16181]: pam_unix(sshd:session): session closed for user npwebmadmn
Jan 29 16:32:19 hklvadapp005 sshd[2323]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jan 29 16:32:25 hklvadapp005 sshd[2433]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 12, deny 9
Jan 29 16:32:32 hklvadapp005 sshd[2433]: 


