[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More


Linux Security

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be removed, generally divided into two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system is really the user with the account, while access control is responsible for controlling which resources each account has access to and what kind of access is permitted.

Share tech news, updates, or what's on your mind.

Sign up to Post

We have a CentOS server setup recently & it's running Apache.  If I ssh and log into the console, I can edit any /var/www/html docs that I need to if I use sudo to do the edits.

However, I would like to use Dreamweaver on my local system to do my edits, then ftp them over directly.  I'm able to successfully connect via Dreamweaver, and can do the edits, but since I don't have a way to "sudo" via Dreamweaver (unless there is a way???), I can't actually edit anything.

What do I need to change on the server to allow me to be able to make my edits remotely via Dreamweaver (over secure ftp)?

I do this routinely on a hosted web site that I have that runs on some flavor of linux, but I have no idea how the company sets this up on their end to allow such direct edits to the web files.
we were using an adaptation of this script on pre-centos6 version, but running it on v6 has made no difference.

shall I be looking to fix this script or am I better off generating a new one seeing that it was produced by Easy Firewall Generator?

# Generated iptables firewall script for the Linux 2.4 kernel
# Script generated by Easy Firewall Generator for IPTables 1.15
# copyright 2002 Timothy Scott Morizot
# Redhat chkconfig comments - firewall applied early,
#                             removed late
# chkconfig: 2345 08 92
# description: This script applies or removes iptables firewall rules
# This generator is primarily designed for RedHat installations,
# although it should be adaptable for others.
# It can be executed with the typical start and stop arguments.
# If used with stop, it will stop after flushing the firewall.
# The save and restore arguments will save or restore the rules
# from the /etc/sysconfig/iptables file.  The save and restore
# arguments are included to preserve compatibility with
# Redhat's or Fedora's init.d script if you prefer to use it.

# Redhat/Fedora installation instructions
# 1. Have the system link the iptables init.d startup script into run states
#    2, 3, and 5.
#    chkconfig --level 235 iptables on
# 2. Save this script and execute it to load the ruleset from this file.
#    You may need to run the dos2unix command on it to remove carraige returns.
# 3. To have it applied at startup, copy this 

Open in new window

Hey guys.  I am needing to block all Public IP's on my Debian/Asterisk machine external interface and allow only my provider access.  I have tried the following commands and i can not get it working.  Can anyone help?  The reason i have a public interface is because we need an internal interface for our phones to register thru.  

iptables -A INPUT -s Provider's IP address -i eth1 -j ACCEPT
iptables -A INPUT -i eth1 -j DROP

When i enter this then nothing gets thru the interface.  can someone explain what i'm doing wrong?
If one of the guy who was maintaining my server is leaving from me forever, what are the information i need to take from him and how can i secure my server from that guy who knows everything about my server. As I am new to Linux and I am the only one who can access that server. Please help me.

Thanks in advance.
I setup the windows 2008 server with cygwin and openssh installed on it. The problem is when I login as a domain user I can't seem to move forward and login. I checked /etc/passwd file and found my domain user there. Am I missing anything else?

C:>ssh nxtrend@serverrole
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to serverrole [] port 22.
debug1: Connection established.
debug1: identity file /cygdrive/c/.ssh/identity type -1
debug1: identity file /cygdrive/c/.ssh/id_rsa type 1
debug1: identity file /cygdrive/c/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8
debug1: match: OpenSSH_5.8 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'serverrole' is known and matches the RSA host key.
debug1: Found key in /cygdrive/c/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: …
Have a weird situation.  Have some servers that are deployed that have sensitive (I.P.) data on them, as well as vpn keyfiles.  I do not have physical access to them, but I do have root login over ssh.  Is there a way to shred or wipe the mounted filesystems while the box is running?  Would shred blow up partway through and cause the filesystem to be recoverable?
They are running various versions of Ubuntu server 10.04 and up.

Please, no lectures on proper security protocols, etc.  Hindsight is 20/20 and new servers are properly secured.  However, we need a way to handle this situation, in the event of a compromise, until we can get these old servers replaced.

I have an encoder that boots from a little CF card and the card has become corrupt, fortunately i copied it using clonezilla copying the contents to another CF card. when i boot up using the new card it doesnt like it and i am thinking the operating system on the cf card somehow ties in with serial number of bios.

Is there anyway of delving in to the image file and searching for the serial number so i can get back to the manufacturer?
Hi, experts.
I am having problem mounting my nfs mount on my sles11.
rcnfsserver status
Checking for kernel based NFS server: idmapd..running
when I try to mount server:/xen  /client_files
mount.nfs: mount to NFS server 'server:/xen' failed: System Error: Connection refused
when I run rcnfsserver status on the server again
Checking for kernel based NFS server: idmapd..running
There are no
/etc/hosts.allow and /etc/hosts.deny
Can somebody help me.
Sorry my english.

Hi Guys

I have setup a basic squid 3 proxy server and I am struggling to get users to login to there MSN messenger accounts.

I have tried the various ACL's available but still no luck.

Please let me know what information you need from me to get started.

I have a RHEL 5.4 server that has an autofs mount to a nfs share to store the audit logs. On this server when the logs do roll over it drops the nfs mount and then starts buffering the logs locally. The buffer fills and then the server locks up and is not accessible via ssh or local login.

Rebooting the machine requires the following actions to be completed before auditd can start again:
mount logserver:/loglocation /loglocation
service autofs restart
service autofs reload

Then we check to make sure that the loglocation is populated with the folder name of the server
cd /loglocation:

Then we have to change the permissions of the audit.log file to allow for the machine to write to them again:
chmod u+w /loglocation/servername/audit/audit.log

That allows us to start the audit service:
service auditd start

All actions are done as root or sudo, this will allow the logs to work properly until the next roll over. We have not been able to find a solution that keeps the nfs mount active after a roll over.

Thank you for your time,

I have a few projects in SVN to whichI want to add additional security. For example, some may have access to other projects but these projects above.

How can I set additional security on the projects?


I'm installing an app on linux. Not very good at it.
I managed to successfully install the program on the desktop and it worked, but then realized I had installed it in the wrong place.

I needed to install it in /opt
which is in the system files. it seemed to install ok, but when I go to launch the app
I get an error

dministrator@SVN:/opt/csvn$ bin/csvn console
Running CSVN Console...
wrapper  | ERROR: Could not write pid file /opt/csvn/bin/../data/run/csvn.pid: Permission denied

I assume this is a system level permissions issue. I messed with the folder perms, but no luck.

any advice appreciated

1) I believe Python is a program language; some program use Phython to execute

2) My question: Is there any free (trial ) download of Python?

3) Thanks


1) I have a linux Ubuntu 10.04.3 workstation in the production environment

2) I heard that Samba has been installed automatically during installation (or connecting to the repository)

3) Is it true?

4) If it is true, would you somebody show me "per command line" and " per GUI" to check that samba has been installed in the above linux workstation please

5) Thank you

Hi, I am attempting to upload a file into a specific folder using WinSCP..  I need to change a directory to give a specific user upload rights onto the Linux box.

How do I do this from the command line?  Thanks


I am using scp on 'Server A'(UNIX) to copy a set of files to 'Server B'(LINUX).
This procedure takes about 5 hours (very large files), and I need to do it daily.
'Server B' (the receiving server) is hosting an important web application, and I want to know:
Does an extensive 'scp' operation such as this impede the performance of the receiving server? (NOTE: The scp operation is scheduled on 'Server A')

Basically, I do not want my web application to noticeably slow down during this procedure.

Any advice would be appreciated.
HI Experts,
I know how to write php script from the command line in ubuntu.I do nano test.php.

I have downloaded Bluefish editor successfully and wrote a test program.I tried to save it in /opt/lampp/htdocs.But it is not being saved on it.When I tried to run it on localhost ,it gives error.and when I try to run it from the bluefish editor,the url looks like this which is ofcorse not correct.
file:///opt/lampp/htdocs/test2.php   INstead of http://localhost/test2.php.

PLease help,
I've been using vi -x forever to encrypt files.  I was reminded the encryption with this is not so hot.  It's just soo convenient.  What would be a more secure method of encrypting when using vi and just as easy?  Thanks.

1) I have a linux Ubuntu 10.04.3 workstation
2) It gets the IP address from DHCP server
3) I am installing a Lotus Notes' program; but this is nothing to do with the lotus notes
4) I am confused with one of the linux command as specified in step # 3
5) To install the above program, i follow this reference:

6) The summary is as the followings:
Step 1: First install the dependencies:
sudo aptitude install libgnomeprint2.2-0 libgnomeprintui2.2-0

Note: I follow this command; and it is executed successfully (I do not have error message)

Step2: After that install the DEBs with –force-architecture switch. No need to force everything.
sudo dpkg -i --force-architecture ibm-lotus-notes-8.5.2.i586.deb

Note: As I put the "ibm-lotus-notes-8.5.2.i586.deb in the Desktop; I modify a little bit the above command; It is executed like this:
sudo dpkg -i --force-architecture Desktop/ibm-lotus-notes-8.5.2.i586.deb
The Result: It is good; it is also executed successfully (I do not have error message)

Step3: That’s it, start the client running.

- This is the command that I get confused!!!
-What command is it?
- Is it Change Directory ("CD") or what?
- Is it a statement " /opt/ibm/lotus/notes/framework/../notes " or what?

- If I am at [root@localhost init.d]#, and i type in: ./network restart (I know that I ask the network…
how to install putty on ubuntu/Windows and connection thru ssh
Hi all
Im on RHEL Linux 2.6.18

how do you install Tomcat over top of Apache ?

isnt there some sort of connector or something ?
what all do I need for https ?

how do you tell if all thats working ? even though I have tomcat7, apache httpd many modules and things all installed, I still cannot get everything to work right .. I must be missing something since Im all by my lonesome on this. any insight is much appreciated.

If I do the JK connector when I try a ./configure I then get I first need apsx ??!?! whats that ? Im lost please help

1) I have a linux Ubuntu 10.04.3 workstation
2) I am now at terminal --> jwhite@Ubuntu-10:~$
3) I type in: cd AAA/BBB/CCC/DDD/PPP/RRR
-The outcome: I NOW be at jwhite@Ubuntu-10:~/AAA/BBB/CCC/DDD/PPP/RRR$
4) My goal: I want to be at jwhite@Ubuntu-10:~/AAA/BBB/CCC/DDD/PPP$

5) My question: What command or Tools should I use? (Note: I try to type in " cd ", but it brings me to jwhite@Ubuntu-10:~S)

6) Thank you

I'm looking for some suggestions on what a good software solution for logging all activities on my actual server. (Not the website, altho there may be some cross over).  Essentially I want to be able to more easily track what any one person is doing specifically on the server and become aware when someone accesses it.  (in real time preferably).  Is there any good software solution that will notify me of when someone is in the shell.   I'm not sure if I'm asking the question 100% correctly but I just want to improve the overall logging / security of my web server.
Hey Guys!

I need to keep ownership of new files or directories created by any user.

I have:
drwxr-xr-x 2 apache apache 1 Sep 19 11:17 /var/www/htdocs/website/

So, I need that when any user creates a new file or directory that inherit owner and group.

The group I resolved by setting sgid, so the group is inherit but the OWNER I dont know.

I do not like to create a shellscript and run it every 5 minutes thru crontad. It's a poor solution...

Some hint?

I use APF firewall and am able to add my forwarding rules to /etc/apf/preroute.rules and /etc/postroute.rules

My rules are set as follows:


$IPT -t nat -A PREROUTING -p tcp --dport 666 -i eth0:0 -j DNAT --to-destination x.x.x.x:port



If I change -i eth0:0 to -i eth0 this works. If I keep this as eth0:0, it fails. I want it to work for the virtual interface eth0:0 - is this because I need to add routing tables for the virtual interfaces? Or a more complex iptables expression?

Thanks for any help!


Linux Security

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be removed, generally divided into two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system is really the user with the account, while access control is responsible for controlling which resources each account has access to and what kind of access is permitted.

Top Experts In
Linux Security