Linux Security

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be removed, generally divided into two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system is really the user with the account, while access control is responsible for controlling which resources each account has access to and what kind of access is permitted.

Share tech news, updates, or what's on your mind.

Sign up to Post

I am a JDE software engineer that supports the JD Edwards EnterpriseOne Software. We currently have 2 Unix Linux Red Hat enterprise servers on our system.

But in about a week the business will be adding another Unix Linux JDE Server into the mix.

I am not a Unix admin or expert but I do know how to connect and get around on Unix to support the JDE software. But this is the first time I will have to configure everything from scracth.

The Unix admin will have the Unix OS installed for me. But after that I have to install and configure everything else to get JDE to work on the new Unix server. So I'm trying to make sure I have all the steps (high-level) required to install and configure it. I have most of the basic core steps to install JDE on Unix, but I also know there are some "Unix" related tasks I will have to do, such as setting up the .PROFILE which I'm not familair with, creating the user that will do the JDE install, etc.

Any techs out there who has JDE AND Unix expertise that could help me? Even if you don't have JDE expertise if you are a Unix expert you can still help me with the "Unix" related tasks.

Once I get a response from anyone, I can go into  more detail on what I need. Thanks in advance!

John
0
hello experts,
I just downloaded Black Track linux and wanted to add the host to my network. When I opened the host file, I see ip6 config:

::1      ip6-localhost ip6-loopback
fe00::0      ip6-localnet
ff00::0      ip6-mcastprefix
ff02::1      ip6-allnodes
ff02::2      ip6-allrouters
ff02::3      ip6-allhosts

the question: if I just wanted to add a host (most likely ipv4), do I just add it as I normally do?

192.168.0.0000      nameOfMyHost

thank you experts..

regards,
0
Ubunto Server V11

I am trying to replace an older cisco vpn concentrator that has become unreliable with an openVPN server. I have installed it and am in the process of configuring it. The ubuntu server is behind our firewall and I have an internal ip address assigned to it. Because it is already on our LAN, do I need a bridge interface to make openVPN work properly? I am following these tutorials.

https://help.ubuntu.com/10.10/serverguide/C/openvpn.html
and for the active directory piece I am referring to this article
http://craig.backfire.ca/pages/computers/openvpn-ad-auth
0
Say have fail2ban installed.
When restart firewall it forgets what its banned.
Any way to stop this?
Also what is rule to block an ip from access and in which table do I add it?
0
I am just trying to set up tomcat and I am stuck on trying to access it from port 80.

I am getting the following error:

[client ::1] client denied by server configuration: proxy:ajp://127.0.0.1:8009/favicon.ico

I have enabled the modules proxy, proxy_ajp and proxy_http.

Here is my /etc/apache2/mods-enabled/proxy.conf:
<IfModule mod_proxy.c>
        #turning ProxyRequests on and allowing proxying from all may allow
        #spammers to use your proxy to send email.

        ProxyRequests Off

        <Proxy *>
                AddDefaultCharset off
                Order deny,allow
                Deny from none # was all
                #Allow from .example.com
        </Proxy>

        # Enable/disable the handling of HTTP/1.1 "Via:" headers.
        # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
        # Set to one of: Off | On | Full | Block

        ProxyVia On
</IfModule>

Open in new window

0
Hello All,

Question:  When I apply a IP address to the whitelist on Spamd do I need to reboot the system for the changes to take affect?

Any help is appreciated.

-Alfred
0
hello,

how can i change root password linux without knowing it but being logged in as root?
what I did:

system# passwd root
Changing password for root.
Enter login(LDAP) password: "currentpassword"
New Password: "rootroot DELTE CTRL+C I don't know what I did"
Bad password: too short
Reenter New Password: CTRL+C ENTER
LDAP password information changed for root

Now the problem is I don't know the root password but I can connect as root on another server and then ssh to this.
A little help please!
Thank you!
0
From what I've read I think I know already that the answer to this is "nope, not really", but I'll ask anyways. I've got a bunch of Linux servers that have been running for years, and I have no plans of rebuilding them from scratch, and I'd like to add an IDS to them. The tripwire documentation says that there's no way to ensure that the system hasn't already been compromised and therefore adding it will only help with future breaches. Fair enough.

But, if you wanted to anyways, would it be sufficient to scan the system using for example unhide, rkhunter, chkrootkit, and tiger first and then add an IDS? Or, would it be possible to create a virtual machine with the same package selection, add an IDS, build a configuration and database, and then copy those over to the production server?

Thanks.
0
We have a CentOS server setup recently & it's running Apache.  If I ssh and log into the console, I can edit any /var/www/html docs that I need to if I use sudo to do the edits.

However, I would like to use Dreamweaver on my local system to do my edits, then ftp them over directly.  I'm able to successfully connect via Dreamweaver, and can do the edits, but since I don't have a way to "sudo" via Dreamweaver (unless there is a way???), I can't actually edit anything.

What do I need to change on the server to allow me to be able to make my edits remotely via Dreamweaver (over secure ftp)?

I do this routinely on a hosted web site that I have that runs on some flavor of linux, but I have no idea how the company sets this up on their end to allow such direct edits to the web files.
0
we were using an adaptation of this script on pre-centos6 version, but running it on v6 has made no difference.

shall I be looking to fix this script or am I better off generating a new one seeing that it was produced by Easy Firewall Generator?

#!/bin/sh
#
# Generated iptables firewall script for the Linux 2.4 kernel
# Script generated by Easy Firewall Generator for IPTables 1.15
# copyright 2002 Timothy Scott Morizot
# 
# Redhat chkconfig comments - firewall applied early,
#                             removed late
# chkconfig: 2345 08 92
# description: This script applies or removes iptables firewall rules
# 
# This generator is primarily designed for RedHat installations,
# although it should be adaptable for others.
#
# It can be executed with the typical start and stop arguments.
# If used with stop, it will stop after flushing the firewall.
# The save and restore arguments will save or restore the rules
# from the /etc/sysconfig/iptables file.  The save and restore
# arguments are included to preserve compatibility with
# Redhat's or Fedora's init.d script if you prefer to use it.

# Redhat/Fedora installation instructions
#
# 1. Have the system link the iptables init.d startup script into run states
#    2, 3, and 5.
#    chkconfig --level 235 iptables on
#
# 2. Save this script and execute it to load the ruleset from this file.
#    You may need to run the dos2unix command on it to remove carraige returns.
#
# 3. To have it applied at startup, copy this 

Open in new window

0
Hey guys.  I am needing to block all Public IP's on my Debian/Asterisk machine external interface and allow only my provider access.  I have tried the following commands and i can not get it working.  Can anyone help?  The reason i have a public interface is because we need an internal interface for our phones to register thru.  

iptables -A INPUT -s Provider's IP address -i eth1 -j ACCEPT
iptables -A INPUT -i eth1 -j DROP

When i enter this then nothing gets thru the interface.  can someone explain what i'm doing wrong?
0
Hi,
If one of the guy who was maintaining my server is leaving from me forever, what are the information i need to take from him and how can i secure my server from that guy who knows everything about my server. As I am new to Linux and I am the only one who can access that server. Please help me.

Thanks in advance.
0
I setup the windows 2008 server with cygwin and openssh installed on it. The problem is when I login as a domain user I can't seem to move forward and login. I checked /etc/passwd file and found my domain user there. Am I missing anything else?

C:>ssh nxtrend@serverrole
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to serverrole [10.111.21.3] port 22.
debug1: Connection established.
debug1: identity file /cygdrive/c/.ssh/identity type -1
debug1: identity file /cygdrive/c/.ssh/id_rsa type 1
debug1: identity file /cygdrive/c/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8
debug1: match: OpenSSH_5.8 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'serverrole' is known and matches the RSA host key.
debug1: Found key in /cygdrive/c/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: …
0
Have a weird situation.  Have some servers that are deployed that have sensitive (I.P.) data on them, as well as vpn keyfiles.  I do not have physical access to them, but I do have root login over ssh.  Is there a way to shred or wipe the mounted filesystems while the box is running?  Would shred blow up partway through and cause the filesystem to be recoverable?
They are running various versions of Ubuntu server 10.04 and up.

Please, no lectures on proper security protocols, etc.  Hindsight is 20/20 and new servers are properly secured.  However, we need a way to handle this situation, in the event of a compromise, until we can get these old servers replaced.
0
Hi,

I have an encoder that boots from a little CF card and the card has become corrupt, fortunately i copied it using clonezilla copying the contents to another CF card. when i boot up using the new card it doesnt like it and i am thinking the operating system on the cf card somehow ties in with serial number of bios.

Is there anyway of delving in to the image file and searching for the serial number so i can get back to the manufacturer?
0
Hi, experts.
I am having problem mounting my nfs mount on my sles11.
NFSSERVER IS RUNNING:
rcnfsserver status
Checking for kernel based NFS server: idmapd..running
 mountd..running
 statd..running
 nfsd..running
when I try to mount server:/xen  /client_files
mount.nfs: mount to NFS server 'server:/xen' failed: System Error: Connection refused
when I run rcnfsserver status on the server again
Checking for kernel based NFS server: idmapd..running
 mountd..unused
 statd..running
 nfsd..running
There are no
/etc/hosts.allow and /etc/hosts.deny
Can somebody help me.
Sorry my english.

0
Hi Guys

I have setup a basic squid 3 proxy server and I am struggling to get users to login to there MSN messenger accounts.

I have tried the various ACL's available but still no luck.

Please let me know what information you need from me to get started.
0
Hello,

I have a RHEL 5.4 server that has an autofs mount to a nfs share to store the audit logs. On this server when the logs do roll over it drops the nfs mount and then starts buffering the logs locally. The buffer fills and then the server locks up and is not accessible via ssh or local login.

Rebooting the machine requires the following actions to be completed before auditd can start again:
mount logserver:/loglocation /loglocation
service autofs restart
service autofs reload

Then we check to make sure that the loglocation is populated with the folder name of the server
cd /loglocation:
ls

Then we have to change the permissions of the audit.log file to allow for the machine to write to them again:
chmod u+w /loglocation/servername/audit/audit.log

That allows us to start the audit service:
service auditd start


All actions are done as root or sudo, this will allow the logs to work properly until the next roll over. We have not been able to find a solution that keeps the nfs mount active after a roll over.

Thank you for your time,
TLB
0
Hi,

I have a few projects in SVN to whichI want to add additional security. For example, some may have access to other projects but these projects above.

How can I set additional security on the projects?

Thanks
0
Hi,

I'm installing an app on linux. Not very good at it.
I managed to successfully install the program on the desktop and it worked, but then realized I had installed it in the wrong place.

I needed to install it in /opt
which is in the system files. it seemed to install ok, but when I go to launch the app
I get an error

dministrator@SVN:/opt/csvn$ bin/csvn console
Running CSVN Console...
wrapper  | ERROR: Could not write pid file /opt/csvn/bin/../data/run/csvn.pid: Permission denied

I assume this is a system level permissions issue. I messed with the folder perms, but no luck.

any advice appreciated
0
Hi,

1) I believe Python is a program language; some program use Phython to execute

2) My question: Is there any free (trial ) download of Python?

3) Thanks

tjie
0
Hi,

1) I have a linux Ubuntu 10.04.3 workstation in the production environment

2) I heard that Samba has been installed automatically during installation (or connecting to the repository)

3) Is it true?

4) If it is true, would you somebody show me "per command line" and " per GUI" to check that samba has been installed in the above linux workstation please

5) Thank you

tjie
0
Hi, I am attempting to upload a file into a specific folder using WinSCP..  I need to change a directory to give a specific user upload rights onto the Linux box.

How do I do this from the command line?  Thanks

0
Hello,

I am using scp on 'Server A'(UNIX) to copy a set of files to 'Server B'(LINUX).
This procedure takes about 5 hours (very large files), and I need to do it daily.
'Server B' (the receiving server) is hosting an important web application, and I want to know:
Does an extensive 'scp' operation such as this impede the performance of the receiving server? (NOTE: The scp operation is scheduled on 'Server A')

Basically, I do not want my web application to noticeably slow down during this procedure.

Any advice would be appreciated.
0
HI Experts,
I know how to write php script from the command line in ubuntu.I do nano test.php.

I have downloaded Bluefish editor successfully and wrote a test program.I tried to save it in /opt/lampp/htdocs.But it is not being saved on it.When I tried to run it on localhost ,it gives error.and when I try to run it from the bluefish editor,the url looks like this which is ofcorse not correct.
file:///opt/lampp/htdocs/test2.php   INstead of http://localhost/test2.php.

PLease help,
Thanks.
0

Linux Security

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be removed, generally divided into two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system is really the user with the account, while access control is responsible for controlling which resources each account has access to and what kind of access is permitted.