Linux Security

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be removed, generally divided into two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system is really the user with the account, while access control is responsible for controlling which resources each account has access to and what kind of access is permitted.

Share tech news, updates, or what's on your mind.

Sign up to Post

I need to grant a user SUDO rights to change OTHER people's passwords.  I know SUDOERS can be more specific, but I've not been able to decipher the syntax.

Can someone help out?  What would my line the sudoers file be to allow passwd to be run and ONLY passwd as root?

I'll accept other ideas but keep in mind, user MUST be able to do this from the console (putty shell) on a CentOS system.

CompTIA Cloud+
LVL 13
CompTIA Cloud+

The CompTIA Cloud+ Basic training course will teach you about cloud concepts and models, data storage, networking, and network infrastructure.

i did migrate a Linux box to another datacenter and I had to re-ip the server. The hostname remains the same.  After migration i came to know there was another server which was communicating with the migrated server with ssh keys authentication.  I have ssh-agent running on serverB which should take care the passphrase. ServerA has been migrated and I did re-ip.  

I did remove serverA entry from known_hosts and did handshake again.

now ServerA has the authorized_keys which is exactly the key from ServerB.  

not sure what is the issue here and why I am getting prompt for passphrase ?  Please help

serverB:~/.ssh> ssh ServerA

Enter passphrase for key '/home/appid/.ssh/id_rsa':  

serverB:~/.ssh> ps aux | grep ssh-agent | grep -v grep
appid 9509  0.0  0.0  18540   556 ?        Ss   Mar10   0:00 /usr/bin/ssh-agent
I am trying to add 2 factor authentication on a linux host. It is sending a radius request to
a MS radius server which is somehow connected to MS authenticator app which I have
on my iPhone. I have it working to where if I ssh to the linux host with my AD UID and PW
a message goes to my Authenticator app on the I phone which I confirm. And then I'm in.

BUT - some of my colleagues have Authenticator setup so that they get a PIN rather than
just a confirmation number. Is there a way for SSH to work with this variant of 2factor
authentication with MS Authenticator app?
What's the best way to monitor for UDP syslog traffic coming in from a redhat 4 and redhat 5 syslog clients if it's not arriving at the syslog server. The syslog server is running on a Redhat 6 server. netstat -taulpe | grep syslog is showing that UDP is listening on all IP's on the server but I'd like to see if there is any other way apart from running  tcpdump -i <nic> port 514. Would watch lsof -a -i:514 show it?

Security Bulletin: IBM MQ and IBM MQ Appliance MQOPEN call might succeed when it should have failed. (CVE-2017-1341 )

what does  IBM MQ and IBM MQ Appliance MQOPEN call means?
does it mean client side or server side?
We have implemented a new ERP system and are using seven Datalogic portable data terminals logging in to a Linux VM using telnet connections over WiFi. The problem I am facing is we only have seven licenses for our handheld units and at times a unit will lose connection and the user has to log back into their telnet session, however their old shell on the VM is orphaned and we cannot log in due to the license restrictions. I have set the units up so I can identify each unit by userid so I can kill the duplicate sessions but it happens enough that managing it this way is not practical as a long term solution.

I know just enough Linux to be dangerous but not enough to accomplish what I would like to do which is when a user HH1 or HH2 or HH3 logs in I would like to kill any existing shells for the user so each handheld is a one to one between the physical unit and the shell on the VM.

Any ideas on how to do this. We use TelNetCE on the units and just telnet and the users have a simple green screen, character based menu driven system.


I'm running CentOS Linux release 7.4.1708 (Core), issue is i'm able to login using local users but not using ldap users, please help me on this.

I've tried restarting services using authconfig-tui command, but still i'm getting authentication failure error for ldap user.

please see the attached doc (ldap issue.docx), and below output commands and let me know if any other details are required.

[root@server01 log]# cat /etc/openldap/ldap.conf
URI ldap://<ldap servrer ip>:389/
BASE dc=prod,dc=hclpnp,dc=com
[root@server01 log]# getent passwd testuser
[root@server01 log]#

[hubba@servder01 ~]$ su - testuser
su: Authentication failure

[root@server01 log]# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
# Valid entries include:
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files              …
I am in the process of standing up a Ubuntu Linux server from a .vhd file.
The existing partitions are too small to handle the backup file thus I need to add extra partition space to the system.
This is a hyper-V hosted system.
I've never done this before. Can someone give me some guidance on what I will need to do?
Initially I was building a new server with 2 Tb of disk space but we decided to use a existing secured version of a .ova file which I converted over to a .vhd file.
Can anyone help me understand what I need to do?
We have more space available, the vhd was set to more than what the original image was configured for.
How can I expand the relevant partitions to take account of this extra available space?
Which partitions should get the extra space?  Opt is where the backups are stored via the main application so that one definitely needs to be expanded.
Filesystem                        Size  Used Avail Use% Mounted on
udev                               16G     0   16G   0% /dev
tmpfs                             3.1G  8.7M  3.1G   1% /run
/dev/mapper/vg00-root              19G  1.4G   17G   8% /
tmpfs                              16G  4.0K   16G   1% /dev/shm
tmpfs                             5.0M     0  5.0M   0% /run/lock
tmpfs                              16G     0   16G   0% /sys/fs/cgroup
/dev/sda1                         464M   58M  382M  14% /boot
/dev/mapper/vg00-opt               76G   76G     0 100% /opt
tmpfs                            …
I'm looking for a commercial RADIUS solution that Linux Servers can authenticate against. Specifically:

1) Primary purpose is for Linux user authentication
2) Is there any RADIUS solution that can replicate to other RADIUS servers, just like Microsoft Active Directory Servers can replicate to each other? This can even be a one way replication.
3) Preferably this RADIUS solution runs on Linux and not windows.
4) Preferably is a supported RADIUS solution, i.e. paid for product that we can get support on as needed. Unless there is a simple to use free version that doesn't require extensive learning to use.

Become a CompTIA Certified Healthcare IT Tech
LVL 13
Become a CompTIA Certified Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

We have setup OpenVas in our infrastructure. We were able to run it in order to scan assessments reports on VM's within our infrastructure. However the results of the scans is very long and complete. We would like to filter that same report in order to only have results of the High severity reports.

Any idea on what would be the most effective approach to filter the Greenbone scans?
What is pam?  What is ldap?   I know those two are for authentication but still confused. Why system administrators usually configure authentication by pam_ldam.conf. What is the advantage with this.

how to configure pam_ldap in client side to connect solaris ldap server.

What awstat format i need for that type af log from ftp server
Feb 26 13:47:24 ftp sshd[1260]: Disconnected from port 36575 [preauth]
Feb 26 13:47:24 ftp sshd[1260]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=root

i used all 1 ...4 then i used :
LogFormat= "%time3 %other %method %url %logname %host %code %other"
LogFormat= "%time3 %other %host %bytesd %url %other %other %method %other %logname %other %code %other %other"

all says  
found 401 dropped records
2000 corrupted records
Hi, i'm trying to set up PAM Authentication on debian 9: On the first login at boot, i would like for PAM to ask both my password AND my yubikey neo. Once i'm logged in , i would like to only use my yubikey for sudo, screenlock and so on. I would like this to happen for a specific user only, while still being able to login via root with just my root password.
I successfully configured the PAM module for yubikey (auth required mode_challenge-response) but this way, i have to type my psw AND have the yubikey plugged in at EVERY sudo, login, screenlock.

I'm going crazy over this because i'm unable to find decent documentation about this on the web.

Can somebody please provide some help?

I have a ubuntu server on wan. i can connect to it via ssh from windows on another ip rang.
my clint not ping it and i can't ping my client from server.
how to use X app from server i install xinit and x app on server .
firewall is disabled on ubuntu server.
I am getting this error message, when I was trying to run rpmbuild --rebuild lin_tape-3.0.23-1.src.rpm on Red Hat Linux 7.4 (Kernel version: 3.10.0-693.1.1.el7.x86_64). Can some one let me know what is problem and what should be the proper procedure to fix it. Here is the output mentioned below,

#rpmbuild --rebuild lin_tape-3.0.23-1.src.rpm
Installing lin_tape-3.0.23-1.src.rpm
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.sCvFVM
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd /root/rpmbuild/BUILD
+ rm -rf lin_tape-3.0.23
+ /usr/bin/gzip -dc /root/rpmbuild/SOURCES/lin_tape-3.0.23.tgz
+ /usr/bin/tar -xf -
+ '[' 0 -ne 0 ']'
+ cd lin_tape-3.0.23
+ /usr/bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.KGligF
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd lin_tape-3.0.23
++ echo x86_64-redhat-linux-gnu
++ cut -f 1 -d -
+ p=x86_64
+ '[' x86_64 == i386 ']'
+ '[' x86_64 == i586 ']'
+ '[' x86_64 == i686 ']'
+ '[' x86_64 == ppc64 ']'
+ '[' x86_64 == powerpc ']'
+ '[' x86_64 == powerpc64 ']'
+ '[' x86_64 == s390 ']'
+ '[' x86_64 == s390x ']'
+ '[' x86_64 == ia64 ']'
+ '[' x86_64 == x86_64 ']'
+ proc=AMD
+ make KERNEL=3.10.0-693.1.1.el7.x86_64 PROC=x86_64 SFMP=0 driver
make: Nothing to be done for `driver'.
+ exit 0
Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.hQeoFx
+ umask 022
+ cd /root/rpmbuild/BUILD
+ '[' /root/rpmbuild/BUILDROOT/lin_tape-3.0.23-1.x86_64 '!=' / ']'
+ rm -rf …

How to Make The Text Cursor Automatically when i'm on console text ?
I use directly on boot the tty console and desactivate graphical mode.

Thanks for your reply,

someone talk me about : /etc/inittab, or /etc/fstab
But i don't think it's good idea to modify 2 by 5
I’m having trouble setting up LUKS on a Red Hat Test Server. I decided not to have a DEV prompt for a passphrase at boot but to use manual decryption instead. This is supposed to require execution of the cryptsetup commands and mounting. I attempt to set it up on a blank second disk I recently installed. Here’s the session…


sudo cryptsetup luksOpen /dev/sdb crypt-sdb
# enter /dev/sdb password

sudo cryptsetup luksClose /dev/sdb crypt-sdb


This then caused RHEL to freeze and force a cold reboot. I then used yum to run updates. I try again…


sudo cryptsetup luksOpen /dev/sdb crypt-sdb
# enter /dev/sdb password
#[<username>@localhost dev]$ sudo cryptsetup luksClose /dev/sdb crypt-sdb
Device sdb not found

# [<username>@localhost dev]$ sudo mount /dev/sdb
mount: can't find /dev/sdb in /etc/fstab


So I attempt to enter /dev/sdb in /etc/fstab but unsuccessful since it’s read-only. I try this.


[<username>@localhost etc]$ sudo cryptsetup luksFormat /dev/sdb
[sudo] password for <username>:

This will overwrite data on /dev/sdb irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Cannot format device /dev/sdb which is still in use.
[<username>@localhost etc]$ sudo umount /dev/sdb
umount: /dev/sdb: not mounted
[<username>@localhost …
1. Centos server 6.9 in AD = OK

2. Only access feathers for users of group_USER_AD, applying control via /etc/security/access.conf = OK
3. Blocked root access directly to no server. /etc/ssh/sshd_config (PermitRootLogin no) = OK

 4. To use local account, you will need to use "su -" and do not log in without server with local account = OK


I have an application that runs with a local account. How can I release the user's access to use the winscp tool and write the application's non /home? Attempts without success

1.) Add the network user's AD group within the application's local group.

2.) There are many network users AD. I can not add one by one in the local group.

How do I solve it?
CompTIA Security+
LVL 13
CompTIA Security+

Learn the essential functions of CompTIA Security+, which establishes the core knowledge required of any cybersecurity role and leads professionals into intermediate-level cybersecurity jobs.

Hello ,

I have a problem with interfaces on a multihomed topology. My interfaces can not ping each other and can not ping theirselves too
sysctl as given below.

But it is able to ping the interface ip when i directly write ping , if the both interface are not able to ping this interface's ip how does it ping it or from where ?

I have to let them have access each other how shoud i do it ?

Note: loopback interface activated
Note2: em interfaces are all down

[root@spd network-scripts]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.p1p1.rp_filter = 2
net.ipv4.conf.p1p2.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 2
net.ipv4.conf.p1p1.accept_local = 1
net.ipv4.conf.p1p2.accept_local = 1
net.ipv4.conf.all.accept_local = 1
net.ipv4.conf.default.accept_local = 1
net.ipv4.conf.lo.accept_local = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.p1p2.arp_filter = 0
net.ipv4.conf.p1p1.arp_filter = 0
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.p1p1.arp_announce = 2
net.ipv4.conf.p1p2.arp_announce = 2

Open in new window

PING ( from p1p1: 56(84) bytes of data.

--- ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2055ms

[root@spd network-scripts]# ping -I p1p1
PING ( from p1p1: 56(84) bytes of data.

--- ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3064ms

[root@spd network-scripts]# ping -I p1p2
PING ( from p1p2: 56(84) bytes of data.

--- ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1038ms

[root@spd network-scripts]# ping -I p1p2
PING ( from p1p2: 56(84) bytes of data.

--- ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2060ms

Open in new window

[root@spd network-scripts]# ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=0.019 ms
64 bytes from icmp_seq=2 ttl=64 time=0.022 ms
64 bytes from icmp_seq=3 ttl=64 time=0.017 ms
64 bytes from icmp_seq=4 ttl=64 time=0.015 ms

Open in new window

Open in new window

Hello ,

Is there any possible way to drop bogus packets as seem below .

for this packets ; packet payload is smaller then the length of the packet


I am working on a tenable nessus audit file for ibm aix.

What i am trying to achieve is 2 compliance check on the /etc/hosts.equiv file:

1. To find all UID less that 100 and UID not equals to the default system user ids (0,1,2,3,4,5)

2. To find all GID less that 100 and GID not equals to the default system group ids (0,1,2,3,4,5)

type: CMD_EXEC
description: "UID less than 100 and not system default UID"
cmd: ""
expect: ""

type: CMD_EXEC
description: "GID less than 100 and not system default GID"
cmd: ""
expect: ""

I am really new to working with tenable and also new to aix.

Really apperciate if anyone can help me out with what i should put for the cmd and expect statement on how to make the compliance check work.

Thanks really apperciate it!

Hello Folks,
I have a few users to create for centos, and I would like to set them with restrictions such "system tools, create shortcuts, folders...similar to a kiosk " is there any way to do that or is there a special profile that needs to be created?

thanks for looking
I need to connect a Virtual Machine hosted somewhere running CentOS 6 to a client which is allowing connection through VPN only. However I have almost no knowledge about VPNs. The client has given me following info for connection:

VPN Remote Endpoint: <IP Address given by the client>
VPN Hardware: NGX R75.45 (SPLAT)

IKE (Phase 1)
Authentication Method: Pre shared key (TBA)
DIffie-Hellman group: DH-2
Encryption Algorithm: AES-128
Hashing Algorithm: SHA-1
Renegotiate IKE: 14400 seconds

IPSEC (phase 2)
Encryption Algorithm: AES-128
Hashing Algorithm: SHA-1
Renegotiate IKE: 3600 seconds
PFS Enabled: Yes

I am not sure where to put all these info in CentOS to make it to connect to the client's network.

I will be much thankful for any help.
Dear All,

We have created a chrooted jail environment for our SFTP access. Using chrooted environment, we restrict users either to their home directory or to a specific directory. Now my question is if there's anyway we can an additional username to access the same home directory for other username? Or any other words, is there anyway I can assign different usernames to the same home-directory and have it chrooted jail?

Below is our current config if that helps:

group add sftponly

vi /etc/ssh/sshd_config

#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no

systemctl restart sshd.service

useradd USERNAME –g sftponly –s /bin/false
passwd  USERNAME

chown root /home/USERNAME
chmod 755 /home/USERNAME
chmod 755 /home/USERNAME/SFTPWRITE

setsebool –P ssh_chroot_rw_homedirs on

Linux Security

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be removed, generally divided into two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system is really the user with the account, while access control is responsible for controlling which resources each account has access to and what kind of access is permitted.