Linux Security

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be removed, generally divided into two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system is really the user with the account, while access control is responsible for controlling which resources each account has access to and what kind of access is permitted.

Share tech news, updates, or what's on your mind.

Sign up to Post

I've added the following settings in /etc/sysctl.conf  as well as
issued 'sysctl -w ...'  to make it effective as part of hardening.

My apps colleague rebooted the RHEL 7 VMs & now
the docker gave the error '503 Service Unavailable'.

How should I reverse them back: just by removing
those lines from sysctl.conf & reboot (sysctl.conf was
quite empty initially)
OR
re-issue "sysctl -w ..." with the  alternate value (ie if
it's 0, set it to 1 & if it's 1, set it to 0)?  But this doesn't
seem right as we don't know what's the default
value initially.  So how do we know what's the
initial default value before the change??


sysctl -w fs.suid_dumpable=0
sysctl -w kernel.randomize_va_space=2
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.ip_forward=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.log_martians=1
sysctl -w net.ipv4.conf.default.log_martians=1
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w …
0
Introduction to R
LVL 19
Introduction to R

R is considered the predominant language for data scientist and statisticians. Learn how to use R for your own data science projects.

on my RHEL 7, /tmp  partition is shown as xfs :
$ mount |grep /tmp
/dev/mapper/rhel-tmp on /tmp type xfs (rw,nosuid,nodev,noexec,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/rhel-var_tmp on /var/tmp type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

So when doing CIS hardening, the benchmark doc suggests to remount as  tmpfs:
so should I remount as xfs  instead?

ie
>mount -o remount,nosuid,noexec,nodev tmpfs -t tmpfs
should above be
> mount -o remount,nosuid,noexec,nodev xfs -t xfs /tmp

and

in /etc/fstab
> /dev/mapper/rhel-tmp    /tmp                    tmpfs     defaults,nodev,nosuid,noexec        0 0
should above be
> /dev/mapper/rhel-tmp    /tmp                    xfs     defaults,nodev,nosuid,noexec        0 0

and

cat  /etc/systemd/system/local-fs.target.wants/tmp.mount
[Mount]
What=tmpfs  <== shd it be xfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,noexec,nodev,nosuid
0
To allow internet access to the internet I configured a gateway server on my small network of around 30 VMs. The gateway works well but I just want to make sure that this gateway server is as secure as possible since this gateway server is the only server in my network that has direct access to the internet. What security measures should I configure on this gateway server? Should I install a firewall? If so, how do I configure this firewall?
0
Hi,
What to adjust, due to the error below?

[smb01@28-218-217-172-on-nets samba]$ cp smb_c.conf /home/share
cp: cannot create regular file ‘/home/share/smb_c.conf’: Permission denied
[smb01@28-218-217-172-on-nets samba]$ 

Open in new window

0
i have an ubuntu 16.04. server is join to samba active directory. i can see all users via wbinfo -u.
User can't login to server. i can see on /var/log/auth :
 Failed to mount per-user tmpfs directory
pam_systemd(su:session): Failed to create session: Invalid argument

it's look like users can't create tmpfs directory under /run/user
i can create directory for each user on my /etc/fstab but this is not a solution.
i install libpam-tmpdir (via sudo install ...) but it's not working.
any idea how to solve this issue
0
unable to access web site. port 80 still blocked

[root@logserver log]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
0
I am thinking about pointing Ansible to my local repository for updates. How do I accomplish the task? And more importantly, is pointing Ansible to local repository the right way to design Ansible patching architect?
0
Here is my log rotation configuration file.

#
# Configuration file for logrotate of clear applicaion log files.
#
/tmp/user/logs/app*.log
{
    daily
    rotate 5
    missingok
    notifempty
    compress
    copytruncate
    create
    dateext
    sharedscripts
    olddir /tmp/app/archive

    postrotate
         example.sh
    endscript
}


logrotate -dv /tmp/user/test.conf


I have bunch of log files inside /tmp/user/logs.

these are dates for those log files

May 30
May 22
May 13
May 9
May 7


when i ran dry test, i don't see its working.  it does not even compress.
0
[root@localhost ~]#
[root@localhost ~]# yum update kernel-2.6.32-754.9.1
Loaded plugins: fastestmirror
Setting up Update Process
Loading mirror speeds from cached hostfile
 * base: mirror.its.dal.ca
 * extras: mirror.its.dal.ca
 * updates: centos.mirror.iweb.ca
No Match for argument: kernel-2.6.32-754.9.1
No package kernel-2.6.32-754.9.1 available.
No Packages marked for Update
[root@localhost ~]# yum list all | grep kernel
dracut-kernel.noarch                       004-411.el6                   @anaconda-CentOS-201806291108.x86_64/6.10
kernel.x86_64                              2.6.32-754.el6                @anaconda-CentOS-201806291108.x86_64/6.10
kernel-firmware.noarch                     2.6.32-754.el6                @anaconda-CentOS-201806291108.x86_64/6.10
abrt-addon-kerneloops.x86_64               2.0.8-44.el6.centos           base
kernel.x86_64                              2.6.32-754.14.2.el6           updates
kernel-abi-whitelists.noarch               2.6.32-754.14.2.el6           updates
kernel-debug.x86_64                        2.6.32-754.14.2.el6           updates
kernel-debug-devel.i686                    2.6.32-754.14.2.el6           updates
kernel-debug-devel.x86_64                  2.6.32-754.14.2.el6           updates
kernel-devel.x86_64                        2.6.32-754.14.2.el6           updates
kernel-doc.noarch                          2.6.32-754.14.2.el6           updates
kernel-firmware.noarch                     …
0
Hi Expert

I have issues using SSH to log into the Linux server (Distribution 7.5 RHEL). I am able to log into the server physically.

I have did some researched it was due to "PAM" , not sure is it related to the following article, How to Restrict root Access to SSH Service Via PAM

As an example, we will configure how to use PAM to disable root user access to a system via SSH and login programs. Here, we want to disable root user access to a system, by restricting access to login and sshd services.

We can use the /lib/security/pam_listfile.so module which offers great flexibility in limiting the privileges of specific accounts. Open and edit the file for the target service in the /etc/pam.d/ directory.

Reference link show in the following;

https://www.tecmint.com/configure-pam-in-centos-ubuntu-linux/
0
Microsoft Azure 2017
LVL 19
Microsoft Azure 2017

Azure has a changed a lot since it was originally introduce by adding new services and features. Do you know everything you need to about Azure? This course will teach you about the Azure App Service, monitoring and application insights, DevOps, and Team Services.

Hi team ,

My CentOS7.6 server is rebooted suddenly , we check the logs and not observed any abnormality .
Kindly help us to find the user or why server rebooted suddenly and help to find out same.

Kindly update me if any logs require.

Thanks
Pradeep
0
I need to grant a user SUDO rights to change OTHER people's passwords.  I know SUDOERS can be more specific, but I've not been able to decipher the syntax.

Can someone help out?  What would my line the sudoers file be to allow passwd to be run and ONLY passwd as root?

I'll accept other ideas but keep in mind, user MUST be able to do this from the console (putty shell) on a CentOS system.

Thanks!
0
i did migrate a Linux box to another datacenter and I had to re-ip the server. The hostname remains the same.  After migration i came to know there was another server which was communicating with the migrated server with ssh keys authentication.  I have ssh-agent running on serverB which should take care the passphrase. ServerA has been migrated and I did re-ip.  

I did remove serverA entry from known_hosts and did handshake again.

now ServerA has the authorized_keys which is exactly the rsa_id.pub key from ServerB.  

not sure what is the issue here and why I am getting prompt for passphrase ?  Please help


serverB:~/.ssh> ssh ServerA

Enter passphrase for key '/home/appid/.ssh/id_rsa':  


serverB:~/.ssh> ps aux | grep ssh-agent | grep -v grep
appid 9509  0.0  0.0  18540   556 ?        Ss   Mar10   0:00 /usr/bin/ssh-agent
0
I am trying to add 2 factor authentication on a linux host. It is sending a radius request to
a MS radius server which is somehow connected to MS authenticator app which I have
on my iPhone. I have it working to where if I ssh to the linux host with my AD UID and PW
a message goes to my Authenticator app on the I phone which I confirm. And then I'm in.

BUT - some of my colleagues have Authenticator setup so that they get a PIN rather than
just a confirmation number. Is there a way for SSH to work with this variant of 2factor
authentication with MS Authenticator app?
0
What's the best way to monitor for UDP syslog traffic coming in from a redhat 4 and redhat 5 syslog clients if it's not arriving at the syslog server. The syslog server is running on a Redhat 6 server. netstat -taulpe | grep syslog is showing that UDP is listening on all IP's on the server but I'd like to see if there is any other way apart from running  tcpdump -i <nic> port 514. Would watch lsof -a -i:514 show it?
0
http://www-01.ibm.com/support/docview.wss?uid=swg22005400

Security Bulletin: IBM MQ and IBM MQ Appliance MQOPEN call might succeed when it should have failed. (CVE-2017-1341 )


what does  IBM MQ and IBM MQ Appliance MQOPEN call means?
does it mean client side or server side?
0
0
We have implemented a new ERP system and are using seven Datalogic portable data terminals logging in to a Linux VM using telnet connections over WiFi. The problem I am facing is we only have seven licenses for our handheld units and at times a unit will lose connection and the user has to log back into their telnet session, however their old shell on the VM is orphaned and we cannot log in due to the license restrictions. I have set the units up so I can identify each unit by userid so I can kill the duplicate sessions but it happens enough that managing it this way is not practical as a long term solution.

I know just enough Linux to be dangerous but not enough to accomplish what I would like to do which is when a user HH1 or HH2 or HH3 logs in I would like to kill any existing shells for the user so each handheld is a one to one between the physical unit and the shell on the VM.

Any ideas on how to do this. We use TelNetCE on the units and just telnet and the users have a simple green screen, character based menu driven system.

Thanks
0
Hi,

I'm running CentOS Linux release 7.4.1708 (Core), issue is i'm able to login using local users but not using ldap users, please help me on this.

I've tried restarting services using authconfig-tui command, but still i'm getting authentication failure error for ldap user.

please see the attached doc (ldap issue.docx), and below output commands and let me know if any other details are required.


[root@server01 log]# cat /etc/openldap/ldap.conf
#
SASL_NOCANON    on
URI ldap://<ldap servrer ip>:389/
BASE dc=prod,dc=hclpnp,dc=com
#
[root@server01 log]# getent passwd testuser
testuser:*:123456:7001:testuser:/home/testuser:/bin/bash
[root@server01 log]#


[hubba@servder01 ~]$ su - testuser
Password:
su: Authentication failure



[root@server01 log]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files              …
0
CompTIA Security+
LVL 19
CompTIA Security+

Learn the essential functions of CompTIA Security+, which establishes the core knowledge required of any cybersecurity role and leads professionals into intermediate-level cybersecurity jobs.

I am in the process of standing up a Ubuntu Linux server from a .vhd file.
The existing partitions are too small to handle the backup file thus I need to add extra partition space to the system.
This is a hyper-V hosted system.
I've never done this before. Can someone give me some guidance on what I will need to do?
Initially I was building a new server with 2 Tb of disk space but we decided to use a existing secured version of a .ova file which I converted over to a .vhd file.
Can anyone help me understand what I need to do?
We have more space available, the vhd was set to more than what the original image was configured for.
How can I expand the relevant partitions to take account of this extra available space?
Which partitions should get the extra space?  Opt is where the backups are stored via the main application so that one definitely needs to be expanded.
Filesystem                        Size  Used Avail Use% Mounted on
udev                               16G     0   16G   0% /dev
tmpfs                             3.1G  8.7M  3.1G   1% /run
/dev/mapper/vg00-root              19G  1.4G   17G   8% /
tmpfs                              16G  4.0K   16G   1% /dev/shm
tmpfs                             5.0M     0  5.0M   0% /run/lock
tmpfs                              16G     0   16G   0% /sys/fs/cgroup
/dev/sda1                         464M   58M  382M  14% /boot
/dev/mapper/vg00-opt               76G   76G     0 100% /opt
tmpfs                            …
0
I'm looking for a commercial RADIUS solution that Linux Servers can authenticate against. Specifically:

1) Primary purpose is for Linux user authentication
2) Is there any RADIUS solution that can replicate to other RADIUS servers, just like Microsoft Active Directory Servers can replicate to each other? This can even be a one way replication.
3) Preferably this RADIUS solution runs on Linux and not windows.
4) Preferably is a supported RADIUS solution, i.e. paid for product that we can get support on as needed. Unless there is a simple to use free version that doesn't require extensive learning to use.

Thanks!
0
We have setup OpenVas in our infrastructure. We were able to run it in order to scan assessments reports on VM's within our infrastructure. However the results of the scans is very long and complete. We would like to filter that same report in order to only have results of the High severity reports.

Any idea on what would be the most effective approach to filter the Greenbone scans?
0
What is pam?  What is ldap?   I know those two are for authentication but still confused. Why system administrators usually configure authentication by pam_ldam.conf. What is the advantage with this.

how to configure pam_ldap in client side to connect solaris ldap server.

Thanks,
bvm
0
Hi, i'm trying to set up PAM Authentication on debian 9: On the first login at boot, i would like for PAM to ask both my password AND my yubikey neo. Once i'm logged in , i would like to only use my yubikey for sudo, screenlock and so on. I would like this to happen for a specific user only, while still being able to login via root with just my root password.
I successfully configured the PAM module for yubikey (auth required pam_yubico.so mode_challenge-response) but this way, i have to type my psw AND have the yubikey plugged in at EVERY sudo, login, screenlock.


I'm going crazy over this because i'm unable to find decent documentation about this on the web.

Can somebody please provide some help?

regards
0
I am getting this error message, when I was trying to run rpmbuild --rebuild lin_tape-3.0.23-1.src.rpm on Red Hat Linux 7.4 (Kernel version: 3.10.0-693.1.1.el7.x86_64). Can some one let me know what is problem and what should be the proper procedure to fix it. Here is the output mentioned below,

#rpmbuild --rebuild lin_tape-3.0.23-1.src.rpm
Installing lin_tape-3.0.23-1.src.rpm
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.sCvFVM
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd /root/rpmbuild/BUILD
+ rm -rf lin_tape-3.0.23
+ /usr/bin/gzip -dc /root/rpmbuild/SOURCES/lin_tape-3.0.23.tgz
+ /usr/bin/tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd lin_tape-3.0.23
+ /usr/bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.KGligF
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd lin_tape-3.0.23
++ echo x86_64-redhat-linux-gnu
++ cut -f 1 -d -
+ p=x86_64
+ '[' x86_64 == i386 ']'
+ '[' x86_64 == i586 ']'
+ '[' x86_64 == i686 ']'
+ '[' x86_64 == ppc64 ']'
+ '[' x86_64 == powerpc ']'
+ '[' x86_64 == powerpc64 ']'
+ '[' x86_64 == s390 ']'
+ '[' x86_64 == s390x ']'
+ '[' x86_64 == ia64 ']'
+ '[' x86_64 == x86_64 ']'
+ proc=AMD
+ make KERNEL=3.10.0-693.1.1.el7.x86_64 PROC=x86_64 SFMP=0 driver
make: Nothing to be done for `driver'.
+ exit 0
Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.hQeoFx
+ umask 022
+ cd /root/rpmbuild/BUILD
+ '[' /root/rpmbuild/BUILDROOT/lin_tape-3.0.23-1.x86_64 '!=' / ']'
+ rm -rf …
0

Linux Security

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be removed, generally divided into two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system is really the user with the account, while access control is responsible for controlling which resources each account has access to and what kind of access is permitted.

Top Experts In
Linux Security
<
Monthly
>