Linux Security

4K

Solutions

4

Articles & Videos

4K

Contributors

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be removed, generally divided into two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system is really the user with the account, while access control is responsible for controlling which resources each account has access to and what kind of access is permitted.


I have a Linux application account and would like to restrict the user from logging in directly. I want this account to be under sudoers, so users can log in and sudo into this account. How do I do that in Linux?
0

John experts,

I am running John on Kali.
I have NTLMv2 hashes in a file called hash.txt under /tmp.
I just want to use the default word list.

I know all my passwords are min 10 characters and max 14 characters.
I know there will only be one digit within 0-9.

Given the above, what do I edit within john.conf to reflect this?
0
How to disable any 96-bit HMAC algorithms in CentOS
0
Hi,

I am working on a Tenable Nessus audit file for IBM AIX.

What I am trying to achieve is two compliance checks on the /etc/hosts.equiv file:

1. To find all UIDs less than 100 and not equal to the default system user IDs (0,1,2,3,4,5)

2. To find all GIDs less than 100 and not equal to the default system group IDs (0,1,2,3,4,5)

<custom_item>
type: CMD_EXEC
description: "UID less than 100 and not system default UID"
cmd: ""
expect: ""
</custom_item>

<custom_item>
type: CMD_EXEC
description: "GID less than 100 and not system default GID"
cmd: ""
expect: ""
</custom_item>

I am really new to working with Tenable and also new to AIX.

I would really appreciate it if anyone could help me out with what I should put in the cmd and expect statements to make the compliance check work.

Thanks, I really appreciate it!

Link: https://www.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.security/passwords_etc_passwd_file.htm
0
We need to have a standalone IPS solution put in. We currently run two pfSense firewalls in an HA setup. I was looking around on eBay and saw a Tipping Point 210E (two of them). Are they still good with updates to definitions? Any other lower-cost recommendations?
pfSense HA works a little oddly too, so I'm not sure if this will even work.
Firewall 1 WAN IP x.x.x.1
Firewall 2 WAN IP x.x.x.2
Firewall Shared WAN IP x.x.x.3

Same setup with internal LAN IPs.  Each firewall has its own physical connection to the modem via ethernet for the WAN side and LAN side.
0
Short question that requires a lengthy answer... For security reasons, should we host our website on a Linux box or Windows? Ultimately it will have to share data with our MS SQL server. Also looking for a reasonably priced but excellent web developer... (do those go hand-in-hand?)

Mich
0
Hello Folks,
I have a few users to create for CentOS, and I would like to set them up with restrictions such as "system tools, create shortcuts, folders... similar to a kiosk". Is there any way to do that, or is there a special profile that needs to be created?

thanks for looking
0
I need to connect a virtual machine hosted somewhere running CentOS 6 to a client which allows connections through VPN only. However, I have almost no knowledge about VPNs. The client has given me the following info for the connection:

VPN Remote Endpoint: <IP Address given by the client>
VPN Hardware: NGX R75.45 (SPLAT)

IKE (Phase 1)
==================
Authentication Method: Pre shared key (TBA)
Diffie-Hellman group: DH-2
Encryption Algorithm: AES-128
Hashing Algorithm: SHA-1
Renegotiate IKE: 14400 seconds

IPSEC (phase 2)
======================
Encryption Algorithm: AES-128
Hashing Algorithm: SHA-1
Renegotiate IKE: 3600 seconds
PFS Enabled: Yes

I am not sure where to put all this info in CentOS to make it connect to the client's network.

I would be very thankful for any help.
0
Dear All,

We have created a chrooted jail environment for our SFTP access. Using the chrooted environment, we restrict users either to their home directory or to a specific directory. Now my question is whether there's any way we can allow an additional username to access the same home directory as another username. In other words, is there any way I can assign different usernames to the same home directory and have it chroot-jailed?

Below is our current config if that helps:

groupadd sftponly


vi /etc/ssh/sshd_config

#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no

systemctl restart sshd.service

useradd USERNAME -g sftponly -s /bin/false
passwd  USERNAME


mkdir /home/USERNAME/SFTPWRITE
chown root /home/USERNAME
chmod 755 /home/USERNAME
chown USERNAME /home/USERNAME/SFTPWRITE
chmod 755 /home/USERNAME/SFTPWRITE

setsebool -P ssh_chroot_rw_homedirs on
0
On RH 6 systems running rsyslog 5.8.10 we noticed that if we set up a
client system to use TCP to log to a remote server:
*.*       @@192.168.1.2

If the remote log server is not reachable for some reason, no logging takes place, not even local logging to the local system log files.
When the log server is available and rsyslog is restarted, both local logging and remote logging work. I would like to come up with a config that would ensure that local logging still occurs when the TCP remote server is down. I think I need to look at action queues, but was hoping someone could provide an example of how to get this to work.
0

I have a NAS disk mounted as an NFS mount point in Linux. How do I create a dd image of this? The mount point looks like this:
tor01-nas.llg:/export/shared/ps_oem   nfs     2G  9.9K  2G    1% /oem1
0
Having a hard time trying to add a machine running Arch Linux to the domain. Somehow I managed to sort of make the machine join the domain, but when it comes to the authentication part the computer won't recognize the credentials. Has anyone had luck doing this? If so, can someone please help with the proper commands to make this work? I've been dealing with this issue for a week now and I'm getting really frustrated. Bottom line: if there's an easier way to make this machine join the domain and authenticate properly, that would be fantastic.

Many thanks in advance to anyone with the answer out there!
0
I have just installed my first IPA server (using CentOS) and it is already set up as the LDAP server hosting the centralized credential control for many users logging on to many Ubuntu servers.

My problem is that I have tried to set up a new group created in the IPA server in order to assign sudo permissions to the users logging on to the Ubuntu servers using the LDAP accounts, but it is still not working.

Does any expert have experience configuring IPA-SERVER?
0
Hi all...

I need to integrate with Ubuntu and other Linux systems. Basically, I would like to pass AD credentials over the network to a Linux system. I hope my question makes sense; looking forward to any ideas out there.

Thanks
0
I have a user that needs to be able to copy new files into a specific directory, but only have read access to this directory's existing and new files.  What is a good way to set this up?
0
I have many subscription-form hackers putting in false emails and I want to stop them with fail2ban.

This isn't catching any from the log file. I ran

 fail2ban-regex /path/to/logfile /path/to/filter.d/http-post-dos.conf

All I get are continuous lines of
Matched time template Day/MONTH/Year:Hour:Minute:Second

# Fail2Ban configuration file
#
[Definition]

# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all vali$
# You should set up in the jail.conf file, the maxretry and findtime carefully $

failregex = ^<HOST> -.*"POST.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =



Here is an excerpt of my log file

1.1.1.1 - - [23/Jan/2016:07:04:06 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
1.1.1.1 - - [23/Jan/2016:07:04:14 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
1.1.1.1 - - [23/Jan/2016:07:04:18 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
1.1.1.1 - - [23/Jan/2016:07:04:23 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
1.1.1.1 - - [23/Jan/2016:07:04:27 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
1.1.1.1 - - [23/Jan/2016:07:04:32 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
1.1.1.1 - - [23/Jan/2016:07:04:36 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
1.1.1.1 - - [23/Jan/2016:07:04:41 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
1.1.1.1 - - [23/Jan/2016:07:04:45 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
1.1.1.1 - - [23/Jan/2016:07:04:50 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"



You can see how fast they are hitting my form.

I am on a CentOS 6.5 server.

Thanks,
0
Hi,

I'm getting this in my mail messages log in /var/log/mail/messages:


Sep 24 07:50:30 ip-184-168-116-73 named[1502]: unexpected RCODE (SERVFAIL) resolving 'ns1.internet-spb.ru/A/IN': 194.85.61.76#53
Sep 24 07:50:30 ip-184-168-116-73 named[1502]: unexpected RCODE (SERVFAIL) resolving 'ns1.internet-spb.ru/AAAA/IN': 194.85.61.76#53
Sep 24 07:50:30 ip-184-168-116-73 named[1502]: unexpected RCODE (SERVFAIL) resolving 'ns2.internet-spb.ru/A/IN': 194.85.61.76#53
Sep 24 07:50:30 ip-184-168-116-73 named[1502]: unexpected RCODE (SERVFAIL) resolving 'ns2.internet-spb.ru/AAAA/IN': 194.85.61.76#53
Sep 24 07:50:31 ip-184-168-116-73 named[1502]: unexpected RCODE (SERVFAIL) resolving 'ns1.internet-spb.ru/AAAA/IN': 109.70.26.37#53
Sep 24 07:50:31 ip-184-168-116-73 named[1502]: unexpected RCODE (SERVFAIL) resolving 'ns1.internet-spb.ru/A/IN': 109.70.26.37#53
Sep 24 07:50:31 ip-184-168-116-73 named[1502]: unexpected RCODE (SERVFAIL) resolving 'ns2.internet-spb.ru/A/IN': 109.70.26.37#53
Sep 24 07:50:31 ip-184-168-116-73 named[1502]: unexpected RCODE (SERVFAIL) resolving 'ns2.internet-spb.ru/AAAA/IN': 109.70.26.37#53
Sep 24 07:52:57 ip-184-168-116-73 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Sep 24 07:52:57 ip-184-168-116-73 pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__2cNLkM4Ieu_9JcBamIYwRn5tTvr8kcPpcGlK6Vo3a6NVytbn9eUpDry4cgWVFrsx is now logged in
Sep 24 07:52:57 ip-184-168-116-73 pure-ftpd: …
0
Hi,

Every time I add a user's SSH key on the server, they access the server with the username within the SSH key. But what seems strange to me is that they can use the command "sudo su" and change to root without any password prompt. I would like to know where I can disable that.

Thanks
Bunheng
0
I want to restrict a user to a particular directory in Wind River Linux for FTP/SFTP/SSH connections.
0

I want to run Apache as a non-root user on port 443. I cannot do this and was looking at port forwarding in iptables as an option to work around it. I'd like to forward intranet and internet traffic coming in on port 443 to 8080, since I'll have Apache running on this port instead.

Would this work for intranet and internet traffic coming in to the machine on port 443?
# enable forwarding in the kernel and save it
sysctl -w net.ipv4.ip_forward=1
sysctl -p /etc/sysctl.conf

#accept all input connections on port 443
#iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

# redirect traffic coming in on port 443 to port 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080

#allow the traffic back from port 8080 to port 443
iptables -t nat -I OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports 8080

Are any of these required?
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# check nat with iptables and save the rules if happy
iptables -L -t nat
service iptables save
0
I'm having a problem configuring Snort as an IDS on my VirtualBox VM.

This is my configuration:

# Setup the network addresses you are protecting
ipvar $HOME_NET 192.168.1.0/24 #this is my internal friendly network

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET

I followed the instruction from here:
http://sublimerobots.com/2014/12/installing-snort-part-2/

and this is the error output after running this command: "sudo snort -T -c /etc/snort/snort.conf"
-------------------------
Running in Test mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
ERROR: /etc/snort/snort.conf(45) Missing argument to HOME_NET
Fatal Error, Quitting..

I would really appreciate it if anyone could help me solve this problem!
0
Hello
Some people try to frighten me that it's too dangerous to run a production HTTP server from an Ubuntu 14.04 LTS desktop environment.
And also that the GUI is too demanding on a system for it to handle HTTP traffic on top of everything else.
A few words about my situation. I run a micro business. More like a freelance type of thing, though in LLC form. I expect maybe up to 10 visitors per day if I'm lucky. So 95% of the time the server will be in its idle state. Hardware-resource-wise, what I have is this:
Intel Core i5 3230M 2.6 up to 3.2 GHz CPU, 6 GB of DDR3 RAM and up to 50 Mb/s upstream (for uploading files) Internet speed.
Of course, I have a static IP as well.
I know that there are ways to harden Linux. There are plenty of tutorials and books on the subject. My question is... If, let's say, I follow all the steps to harden the server and take the necessary precautions, will it be safe enough in your opinion for me to run a web server in a GUI environment, or would you still not recommend it? If so, then why?
0
I have a user in a NIS environment and would like to move to an OpenLDAP environment.

Do NIS and OpenLDAP use the same hash?

What is the best way to move the users so they can use the same password they have used in NIS?
0
I have installed CentOS 6.4 64-bit on all machines in my office, and it's working fine. I want to enable remote desktop on all the machines. All the machines have local user accounts; there is no LDAP or any other directory service. If I enable remote desktop on a machine, the user will disable it, so how can I restrict the user from changing the remote desktop preferences?
0
Unable to start LDAP

ldap01:/openldap/openldap-2.4.40 # /openldap/openldap-install/libexec/slapd -d 16383
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /openldap/openldap-install/etc/openldap/ldap.conf
ldap_init: using /openldap/openldap-install/etc/openldap/ldap.conf
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
551f8a1c @(#) $OpenLDAP: slapd 2.4.40 (Apr  4 2015 02:36:12) $
        root@ldap01:/openldap/openldap-2.4.40/servers/slapd
ldap_pvt_gethostbyname_a: host=ldap01, r=0
551f8a1c daemon_init: <null>
551f8a1c daemon_init: listen on ldap:///
551f8a1c daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
551f8a1c daemon: listener initialized ldap:///
551f8a1c daemon_init: 2 listeners opened
551f8a1c slapd init: initiated server.
551f8a1c bdb_back_initialize: initialize BDB backend
551f8a1c bdb_back_initialize: Berkeley DB 4.8.30: (April  9, 2010)
551f8a1c hdb_back_initialize: initialize HDB backend
551f8a1c hdb_back_initialize: Berkeley DB 4.8.30: (April  9, 2010)
551f8a1c mdb_back_initialize: initialize MDB backend
551f8a1c mdb_back_initialize: LMDB 0.9.14: (September 15, 2014)
551f8a1c reading config file /openldap/openldap-install/etc/openldap/slapd.conf
551f8a1c line 6 (include        /openldap/openldap-install/etc/openldap/schema/collective.schema)
551f8a1c reading config file …
0