Linux Security

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be removed, generally divided into two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system is really the user with the account, while access control is responsible for controlling which resources each account has access to and what kind of access is permitted.

Share tech news, updates, or what's on your mind.

Sign up to Post

Hi There,

I am getting the following issue with postgresql in aws ubuntu environment.

When I  run python3 manage.py makemigrations, I get the following error.  
It throws the following error. File "/usr/local/lib/python3.5/dist-packages/psycopg2/init.py", line 164, in connect conn = _connect(dsn, connection_factory=connection_factory, async=async) django.db.utils.OperationalError: could not connect to server: Connection refused Is the server running on host "localhost" (127.0.0.1) and accepting TCP/IP connections on port 5432?

Hence I checked whether postgresql is working fine.
I had tried sudo su - postgres It went inside the postgres cmd prompt so it became postgres@ip-10-254-3-58:~$

now when I try psql I get the same error as when I run python3 manage.py makemigrations.

postgres@ip-10-254-3-58:~$psql psql: could not connect to server: No such file or directory Is the server running locally and accepting connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?

I had tried uninstall and reinstall postgres,

During uninstall , i had tried the following command

$sudo apt-get --purge autoremove postgresql*

I got many errors

Then I had tried
sudo apt-get clean
sudo apt-get update

I got the following errors.  

Hit:1 https://deb.nodesource.com/node_8.x xenial InRelease
0% [1 InRelease gpgv 4,646 B] [Connecting to archive.ubuntu.com (91.189.88.161)] [Connecting to security.ubuntu.com (91.189.91.26)] [Connecting to …
0
Need help with Fail2Ban not catching the "SASL LOGIN authentication failed" in this maillog.  I am running Centos 6.4

Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: warning: unknown[185.222.209.14]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: disconnect from unknown[185.222.209.14]
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: warning: unknown[80.211.189.134]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: disconnect from unknown[80.211.189.134]

Open in new window


Here is the filter for postfix
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 450 4\.7\.1 : Helo command reject$
failregex = warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Open in new window


I know this doesn't work because i ran this test.
[root@ip-172-31-22-236 filter.d]# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/postfix.conf
Use single line: /var/log/mail.log


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.

Open in new window


Thanks,
0
I had an attack on my site last night and I was looking in /varlog/messages and I see these entries happening every second

Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=mara] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=tigers] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=tigers] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2716]:                 : auth failure: [user=josie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2715]:                 : auth failure: [user=josie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=stephanie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=stephanie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:11 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=amanda] [service=smtp] 

Open in new window

0
I was mailbox flooded through my contact form last night so I need to block the country that caused the attack until I can upgrade my site to take the current recaptcha from Google.  Here is the script I need to work.  I want to be ready if it happens again tonight.

for IP in $(wget -O - http://www.ipdeny.com/ipblocks/data/countries/{ua,kp}.zone) do

Open in new window

and it won't execute.  instead I get a greater than symbol ">."

This is an example:
for IP in $(wget -O - http://www.ipdeny.com/ipblocks/data/countries/{ua,kp}.zone) do
>

Open in new window


This script used to work but I had to retype it and now I get that > symbol.

Please help.

Randal
0
I was reading some material on netcat usage.  There are a few references to using netcat for a relay using FIFO  (mknod backpipe p).  Also mentioned was using the next_hop argument.  I have never used that syntax and can't really find much information on it.  So the command is:
nc -l -p 12345 0<pipe | nc next_hop 54321 1>pipe

Open in new window

I don't know what the next_hop is referring to.  

I've always done it like this where I specify where the client will connect (10.1.1.1 port 54321):
nc -l -p 12345 0<pipe | nc 10.1.1.1 54321 1>pipe

Open in new window

Any explanation on how the next_hop works would be appreciated.
0
We are looking to deploy SNORT on a server in IDS mode.  I am looking for a webgui to go along with this for our admins to manage easily.  Can anyone recommend something that will allow us to update plugins, rules, view alerts, etc.. ?  So far all of my research just pulls up old articles.
I am also willing to do a Gig Project if that is easier for someone to set it up.
0
I am running Ubuntu 16.04 TLS server. I am unable to change the root password or add users to the sudoer file
0
$ zgrep --version
grep through gzip files
usage: zgrep [grep_options] pattern [files]


when i typed above command i do not see any version number? please advise
0
Jan 29 05:40:41 hklvadapp005 sshd[26279]: Received disconnect from 10.20.225.137: 11: disconnected by user
Jan 29 05:40:41 hklvadapp005 sshd[26275]: pam_unix(sshd:session): session closed for user distadm1
Jan 29 13:26:46 hklvadapp005 sshd[28345]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 64855 ssh2
Jan 29 13:26:48 hklvadapp005 sshd[28345]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 29 13:27:01 hklvadapp005 sshd[28383]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 64867 ssh2
Jan 29 13:27:02 hklvadapp005 sshd[28383]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 29 14:47:37 hklvadapp005 sshd[28383]: pam_unix(sshd:session): session closed for user npwebmadmn
Jan 29 15:09:01 hklvadapp005 sshd[16181]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 52237 ssh2
Jan 29 15:09:02 hklvadapp005 sshd[16181]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 29 15:14:35 hklvadapp005 sshd[17920]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 10, deny 9
Jan 29 15:32:10 hklvadapp005 sshd[16181]: pam_unix(sshd:session): session closed for user npwebmadmn
Jan 29 16:32:19 hklvadapp005 sshd[2323]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jan 29 16:32:25 hklvadapp005 sshd[2433]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 12, deny 9
Jan 29 16:32:32 hklvadapp005 sshd[2433]: 

Open in new window

0
We recently performed a yum update on the RHEL7 box, and much to our dismay, the ability to open the port now fails.

There are two scripts we have to run in order to open the port:
This one runs:
sudo iptables -A INPUT -p tcp --dport 1234 -j ACCEPT

This one fails:
sudo iptables -A IN_public_allow -p tcp -m tcp --dport 1234 -m conntrack --ctstate NEW -j ACCEPT

Gives the following error:
iptables: No chain/target/match by that name.

This always worked for years, now that latest update won't allow this to run

Any help would be greatly appreciated.

Thanks
0
I have a ubuntu server on wan. i can connect to it via ssh from windows on another ip rang.
my clint not ping it and i can't ping my client from server.
how to use X app from server i install xinit and x app on server .
firewall is disabled on ubuntu server.
0
Hey I am changing my SSH key.

How do I remove my old SSH key from my servers trusted keys.
0
I am working a plan to create a best practice schedule for patching my environments. I know everyone has a different opinion on this but I am looking for a Positive way to move forward on this topic. I have 3 environments Test, dev test and Prod. Just looking for a push start if anyone has went through this some example schedules would be appreciated. Thanks
0
Hi,
I'm comparing these two lines in the audit.rules files.

-a always,exit -F arch=b32 -S clock_settime -F a0=0 -k time-change

Open in new window

-a always,exit -F arch=b32 -S clock_settime -k time-change

Open in new window


Could you please tell me the what -F a0=0 stands for?
Thank you
Carlettus
0
i install ssh in ubuntu. i start services and it's  runnig. idisabled firewall. i add keygen in authorized_keys.
ssh <ip_host> says  Permission denied (publickey).
0
Hi There,

I had connected to Ubuntu machine in windows through putty's ssh client assume the IP address is

55.170.23.156

I want to clone bit bucket inside this putty

assume the bit bucket url

is http://bitbucket.librariesdsw.net:8080/

assume bit bucket user name is bharath and password is welcome

how to clone this bitbucket inside this putty

please help,  thanks in advance

Kind regards,

Bharath K
0
BACKGROUND:
A ways back, I'd set up nameservers on my VPS (let's call them 'ns1.mydomain.com' and 'ns2.mydomain.com').  I host a couple of dozens websites on that VPS.

For all of my domains, on the domain registrar's site, I'd set the Nameservers for that domain to Custom Nameservers:  'ns1.mydomain.com' and 'ns2.mydomain.com'.

Recently, I had to ask my VPS provider to create a new server for me (let's call it 'newVPS'), leaving my previous VPS (let's call it 'oldVPS') active so I could migrate or re-create accounts and contents from the oldVPS to the newVPS.

Both the oldVPS and newVPS use WHM/CPanel admin interfaces.  
The oldVPS is setup as (cut and pasted from the WHM panel banner): 'CENTOS 6.9 i686 virtuozzo – oldvps  WHM 56.0 (build 52)'
The newVPS is setup as (cut and pasted from the WHM panel banner): 'CENTOS 7.4 virtuozzo [newvps]  v68.0.21'

My understanding (which is limited in these areas) is that the nameservers I setup on my VPS have to be associated with one of the domains I own/host on that VPS.

The nameservers which I had previously setup on oldVPS were associated with 'mydomain.com' one of the domains/accounts hosted on oldVPS.  

For simplicity, I'm thinking of creating new nameservers on newVPS and associate them with 'myotherdomain.com', another domain/account to be hosted on newVPS.

QUESTION:
How do I create my new nameservers on newVPS, say 'ns1.myotherdomain.com' and 'ns2.myotherdomain.com', presumably from newVPS's WHM (I'm …
0
Hello Experts,

We have an application which is login on CentOS 6.8 64 bit (GUI Interface) & after login generate tcp port 50000 for make connection with user.
Behind that port there are many connection connected with different-different IP (192.168.207.11, 207.12, 207.13) & user name (user1, user2, user3):

Example Output:-
[root@CC ~]# lsof -i :50000
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
TCPServer 3647 rajat  245u  IPv4 156532      0t0  TCP 192.168.207.125:50000->192.168.207.15:49277 (ESTABLISHED)
TCPServer 3647 rajat  261u  IPv4  23354      0t0  TCP *:50000 (LISTEN)
TCPServer 3647 rajat  387u  IPv4  24955      0t0  TCP 192.168.207.125:50000->192.168.207.13:49271 (ESTABLISHED)

From this cmd i only check which IP is connected behind port 50000, but i want to check user name also. Please suggest.
0
Does anyone know how I can stop LFD from sending Failure emails for trusted processes? Do I need to 'whitelist' certain processes in CSF?
Mine is sending an email every minute or so, resulting in tens of thousands of useless emails (& using server time of course)

THE EMAIL MESSAGE:
Subject:  
lfd on server.myservername.com: Suspicious process running under user postfix
Body:  
Time:    Fri Dec  8 07:56:26 2017 -0800
PID:     23757 (Parent PID:12511)
Account: postfix
Uptime:  104 seconds

Executable:
/usr/libexec/postfix/smtpd

Command Line (often faked in exploits):
smtpd -n 25 -t inet -u -o stress=

Network connections by the process (if any):
tcp: 0.0.0.0:25 -> 0.0.0.0:0

Files open by the process (if any):
/dev/null
/dev/null
/dev/null
/var/spool/postfix/pid/inet.25
anon_inode:[eventpoll]
/etc/aliases.db
/etc/aliases.db
/var/spool/postfix/plesk/aliases.db
/var/spool/postfix/plesk/aliases.db
/var/spool/postfix/plesk/virtual.db
/var/spool/postfix/plesk/virtual.db
/var/spool/postfix/plesk/vmailbox.db
/var/spool/postfix/plesk/vmailbox.db
/var/spool/postfix/plesk/blacklists.db
/var/spool/postfix/plesk/blacklists.db

Memory maps by the process (if any):
7f3a55962000-7f3a55971000 r-xp 00000000 103:01 11846418                  /usr/lib64/libbz2.so.1.0.6
7f3a55971000-7f3a55b70000 ---p 0000f000 103:01 11846418                  /usr/lib64/libbz2.so.1.0.6
7f3a55b70000-7f3a55b71000 r--p 0000e000 103:
etc etc etc
0
hi,

we have about 3 users say user1, user2, user3 on the weblogic server. The application logs and server logs getting filled up every 3 weeks or so causing server to choke. How to write a script to clean automatically those application log and server log folder contents automatically say every week on friday midngiht at 11 PM

please advise
0
Hi experts
i need the command line for ubunt to copy file from my ubuntu desktop to windows pc
thanks
0
Hello,

I would like to know how to implement ssl-cert-check from ssl-cert-check

I do have a windows box at work. Can i create it through Cygwin ?

Or what Linux flavor can i use ? Thoughts ?

Thanks for your help.
0
bash-4.4$ mv -i dir2 dir3                                                                                                                          
bash-4.4$ ls -ltr                                                                                                                                  
total 12                                                                                                                                          
-rw-r--r-- 1 14392 14392  978 Nov 22 16:46 README.txt                                                                                              
-rw-r--r-- 1 14392 14392    7 Nov 22 16:47 456.txt                                                                                                
drwxr-xr-x 2 14392 14392 4096 Nov 22 16:49 dir3                                                                                                    


i tried as above but i did not get warning  like below

mv: overwrite `dir2'?


i tested with files also but no warning coming

bash-4.4$ touch a.txt                                                                                                                              
bash-4.4$ mv a.txt b.txt                                                                                                                          
bash-4.4$ ls -ltr                                                                                                                                  
total 12           …
0
I am getting this error message, when I was trying to run rpmbuild --rebuild lin_tape-3.0.23-1.src.rpm on Red Hat Linux 7.4 (Kernel version: 3.10.0-693.1.1.el7.x86_64). Can some one let me know what is problem and what should be the proper procedure to fix it. Here is the output mentioned below,

#rpmbuild --rebuild lin_tape-3.0.23-1.src.rpm
Installing lin_tape-3.0.23-1.src.rpm
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.sCvFVM
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd /root/rpmbuild/BUILD
+ rm -rf lin_tape-3.0.23
+ /usr/bin/gzip -dc /root/rpmbuild/SOURCES/lin_tape-3.0.23.tgz
+ /usr/bin/tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd lin_tape-3.0.23
+ /usr/bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.KGligF
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd lin_tape-3.0.23
++ echo x86_64-redhat-linux-gnu
++ cut -f 1 -d -
+ p=x86_64
+ '[' x86_64 == i386 ']'
+ '[' x86_64 == i586 ']'
+ '[' x86_64 == i686 ']'
+ '[' x86_64 == ppc64 ']'
+ '[' x86_64 == powerpc ']'
+ '[' x86_64 == powerpc64 ']'
+ '[' x86_64 == s390 ']'
+ '[' x86_64 == s390x ']'
+ '[' x86_64 == ia64 ']'
+ '[' x86_64 == x86_64 ']'
+ proc=AMD
+ make KERNEL=3.10.0-693.1.1.el7.x86_64 PROC=x86_64 SFMP=0 driver
make: Nothing to be done for `driver'.
+ exit 0
Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.hQeoFx
+ umask 022
+ cd /root/rpmbuild/BUILD
+ '[' /root/rpmbuild/BUILDROOT/lin_tape-3.0.23-1.x86_64 '!=' / ']'
+ rm -rf …
0
hi

How to Make The Text Cursor Automatically when i'm on console text ?
I use directly on boot the tty console and desactivate graphical mode.

Thanks for your reply,

someone talk me about : /etc/inittab, or /etc/fstab
But i don't think it's good idea to modify 2 by 5
0

Linux Security

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be removed, generally divided into two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system is really the user with the account, while access control is responsible for controlling which resources each account has access to and what kind of access is permitted.

Top Experts In
Linux Security
<
Monthly
>