Linux Security

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be mitigated, generally divided into two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system really is the owner of the account, while access control governs which resources each account may reach and what kind of access is permitted.


I need to create an ipset for IPv6; I already have one for IPv4. I want to use ipdeny.com and insert specific country blocks into the ipset, which is connected to iptables.
0

Dear Experts

Please suggest all the ways desktop/laptop users of Windows 10 and Ubuntu desktop systems can be encrypted, at the OS level and with any third-party tool. I read an article about BitLocker drive encryption; is it recommended? Please suggest similarly how it can be done for Ubuntu desktops.
0
tail -n5000 xyz.log

The above shows the last 5000 lines, right?


If I want to see all the 15723 lines of xyz.log, what command do I have to give?

tail -n5000 xyz.log|grep 'ERROR WS'
How do I make the above a case-sensitive search, like
tail -n5000 xyz.log|grep 'error ws'
How do I make the above a whole-word search, so that I won't see results like "ERROR aaa WS" etc.?


Please advise.
0
Hi,

after I installed Nextcloud 13.0.1 on CentOS 7, most of the features work.

I am facing a strange issue with the calendar.

I cannot create or delete or do anything with the calendar in Nextcloud management. Please check the attached file.

Do you think I have to change something from the GUI or CLI, or install or do something?


Kindly advise.
0
Hello Experts,

I am getting the following error while executing a command over ssh:

[root@200 ~]# separateBod
ENTER SERVER IP LAST 1 QUADRANT WHICH YOU WANT TO BOD:
119
Option "-t" is deprecated and might be removed in a later version of gnome-terminal.
Option "-t" is deprecated and might be removed in a later version of gnome-terminal.
Failed to parse arguments: Cannot open display:

separateBod code:
#!/bin/bash
printf "ENTER SERVER IP LAST 1 QUADRANT WHICH YOU WANT TO BOD: "
read -r IPNAME
for i in $IPNAME; do
  # run BOD on each target in the background and remember its pid
  ssh "user@192.168.1.$i" BOD & pid=$!
done

BOD code:
#!/bin/bash
# gnome-terminal is an X client: DISPLAY must be set in the environment of
# this session (a plain ssh login without X forwarding does not set it)
gnome-terminal \
        --tab -t "Exchange" -e " sh -c 'sleep 1s; ./startapp Exchange' " \
        --tab -t "Dragon" -e " sh -c 'sleep 10s; ./startapp Dragon' "

startapp code:
#!/bin/bash
ulimit -c unlimited
# note: a relative LD_LIBRARY_PATH lets anyone who can write to the current
# directory inject libraries into the application
export LD_LIBRARY_PATH=./:${LD_LIBRARY_PATH}
# first argument is the program, the rest are passed through
./"$1" "${@:2}"

After giving the execution command from the server (ssh) it should be displayed on the other server's VNC (user@192.168.1.119). It was working properly until last week; suddenly I got this error. We have the following versions of CentOS 64-bit (6.7, 6.8, 6.9, 7.4), and I get the issue only with 7.4 64-bit.

Please suggest.
0
Log file: how to copy the whole content

zgrep -C20 '1234' 1234.log.gz

The above gave a lot of results on the Unix screen.

How do I copy the whole page and paste it into a text file on the C: drive of the Windows laptop through which I am connecting to the Unix box using PuTTY?


Also,

I see all results like

0123456
9123488

etc.,

which I do not want.

I want a complete-word search of 1234 only.
How do I achieve it?
Please advise.
0
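The two grep questions above (case-insensitive and whole-word matching on xyz.log, and whole-word matching inside a gzip-compressed log) come down to the same two grep flags, so here is one added example covering both. It is not code from either post: the log contents are constructed for the demo, and the output is written to a file rather than copied off the screen, so it can be fetched with pscp (ships with PuTTY) or WinSCP.

```shell
#!/bin/sh
# Added example (not from either post): case-insensitive and whole-word
# matching with grep/zgrep, and saving the hits to a file instead of copying
# the terminal. The log contents below are constructed for the demo.
set -u

write_sample_logs() {           # $1 = directory to populate
  cat > "$1/xyz.log" <<'EOF'
00:01 ERROR WS timeout talking to backend
00:02 error ws retry scheduled
00:03 ERROR aaa WS unrelated message
00:04 INFO  WS request ok
00:05 ERROR WS2 different component
EOF
  printf '%s\n' 'txn 1234 started' 'txn 0123456 started' 'txn 9123488 done' 'txn 1234 done' \
    | gzip -c > "$1/1234.log.gz"
}

# -i ignores case, -w requires the whole match to sit on word boundaries,
# so "ERROR WS2" and "ERROR aaa WS" are both left out.
error_ws_hits()  { grep -i -w 'ERROR WS' "$1"; }
count_error_ws() { error_ws_hits "$1" | grep -c .; }

# zgrep reads the gzip file directly; -w keeps 0123456 and 9123488 out.
# Add -C20 for 20 lines of context on each side, as in the post.
txn_hits()       { zgrep -w '1234' "$1"; }
count_txn()      { txn_hits "$1" | grep -c .; }

# Redirect to a file rather than copying the screen; fetch it afterwards
# with pscp (part of PuTTY) or WinSCP, e.g.
#   pscp user@unixbox:/tmp/hits.txt C:\hits.txt
save_hits()      { zgrep -w -C20 '1234' "$1" > "$2"; }

# To read the entire 15723-line file: cat xyz.log, or page it with less xyz.log
```

`-w` is what rules out `ERROR aaa WS` and `ERROR WS2`: the matched text itself must be bounded by non-word characters, so a trailing digit or an intervening word defeats the match.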
How to check production logs

I logged in to the production server and went to the server log path.
I did
ls -ltr

I see a bunch of log files at different timestamps.

Let's say xyz.log is at 1:30 AM, which I am interested to see.

How do I open it and how do I see it?

When I logged in using WinSCP it says login denied, so I cannot copy it over to the Windows laptop to check.
For example, I want to zgrep or grep all "NullPointerErrors" between 12:30 AM and 2:30 AM; how do I check that?
Also, how do I check how many times it was restarted?
Any good best practices on production logs?
Please advise any good links or resources on it.
0
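Filtering a pattern to a time window and counting restarts can both be done with awk and grep on the box itself, which also avoids copying production logs to a laptop. This is an added example, not from the post; it assumes each line starts with "YYYY-MM-DD HH:MM:SS" and that the application prints a recognisable start-up banner (both are assumptions, and the log below is constructed).

```shell
#!/bin/sh
# Added example (not from the post): pull entries for one pattern out of a
# time window, and count restarts by a start-up marker line. Assumes each
# line starts with "YYYY-MM-DD HH:MM:SS" (adjust the field number if your
# logger differs). The log below is constructed.
set -u

write_sample_log() {
  cat > "$1" <<'EOF'
2018-02-13 00:10:05 INFO  Server startup in 4120 ms
2018-02-13 00:31:12 ERROR java.lang.NullPointerException at OrderService.java:42
2018-02-13 01:15:40 WARN  slow query 2300 ms
2018-02-13 01:50:03 ERROR java.lang.NullPointerException at CartService.java:17
2018-02-13 02:29:59 ERROR java.lang.NullPointerException at CartService.java:17
2018-02-13 02:45:00 ERROR java.lang.NullPointerException at AuthFilter.java:88
2018-02-13 03:02:11 INFO  Server startup in 3980 ms
EOF
}

# Lines whose time of day lies in [start, end] and that match the pattern.
# Plain string comparison works because HH:MM:SS is fixed width.
grep_between() {                # file start end pattern
  awk -v s="$2" -v e="$3" -v p="$4" '$2 >= s && $2 <= e && $0 ~ p' "$1"
}
count_between() { grep_between "$@" | grep -c .; }

# Restarts: one start-up banner per (re)start of the service.
count_restarts() { grep -c 'Server startup' "$1"; }

# For rotated, gzip-compressed logs feed zcat output to awk instead of a
# file name; to keep a copy for later analysis redirect, e.g.
#   grep_between xyz.log 00:30:00 02:30:00 NullPointerException > /tmp/npe.txt
```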
I have SFTP installed on Ubuntu 16.04. How do I disable a user's SSH login? The user should have only SFTP login, not SSH login.
0
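OpenSSH can confine a user to file transfer on its own, without a third-party SFTP server: a Match block that forces the internal-sftp subsystem and chroots the session means the user never reaches a shell, and a nologin shell backs that up. The following is an added example, not from the post; the group name sftponly, the chroot layout under /home and the Ubuntu service name ssh are assumptions.

```shell
#!/bin/bash
# Added example (not from the post): confine a user to SFTP with OpenSSH's
# built-in subsystem instead of giving them a shell. Group name "sftponly"
# and the chroot layout are assumptions; adjust to taste.
set -u

# sshd_config stanza: Match blocks must come after all global settings.
sftp_only_match_block() {       # $1 = group name
  cat <<EOF
Match Group $1
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    AllowAgentForwarding no
EOF
}

# Requires root. The chroot target must be owned by root and not group/world
# writable, or sshd refuses the login; the user gets a writable subdirectory.
setup_sftp_only_user() {        # $1 = user, $2 = group
  user="$1"; group="$2"; home="/home/$user"
  getent group "$group" >/dev/null || groupadd "$group"
  if id -u "$user" >/dev/null 2>&1; then
    usermod -a -G "$group" -s /usr/sbin/nologin "$user"
  else
    useradd -m -d "$home" -s /usr/sbin/nologin -G "$group" "$user"
  fi
  chown root:root "$home"; chmod 755 "$home"
  mkdir -p "$home/upload"; chown "$user:$group" "$home/upload"
  grep -q "^Match Group $group\$" /etc/ssh/sshd_config \
    || sftp_only_match_block "$group" >> /etc/ssh/sshd_config
  /usr/sbin/sshd -t && systemctl reload ssh   # validate before reloading
}
```

The forwarding options matter as much as ForceCommand: without them an SFTP-only account can still be used as a TCP or agent-forwarding pivot into the network.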
Hi to all of you,
I'm preparing new file audit rules in the /etc/audit/audit.rules file.
The syntax I'm using is: auditctl -w path_to_file -p permissions -k key_name
example: -w /etc/libaudit.conf -p wa -k wlib.conf

My question is: if I use the following syntax without specifying the permission option (-p)
auditctl -w path_to_file -k key_name
what is the default permission value used?

Sounds like a strange question but this is what I've been asked.
Bye and thanks
Carlettus
0
Hi There,

I am getting the following issue with PostgreSQL in an AWS Ubuntu environment.

When I run python3 manage.py makemigrations, I get the following error.
File "/usr/local/lib/python3.5/dist-packages/psycopg2/init.py", line 164, in connect conn = _connect(dsn, connection_factory=connection_factory, async=async) django.db.utils.OperationalError: could not connect to server: Connection refused Is the server running on host "localhost" (127.0.0.1) and accepting TCP/IP connections on port 5432?

Hence I checked whether PostgreSQL is working fine.
I tried sudo su - postgres. It went inside the postgres command prompt, so it became postgres@ip-10-254-3-58:~$

Now when I try psql I get the same error as when I run python3 manage.py makemigrations.

postgres@ip-10-254-3-58:~$ psql
psql: could not connect to server: No such file or directory Is the server running locally and accepting connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?

I tried uninstalling and reinstalling postgres.

During uninstall, I tried the following command

$ sudo apt-get --purge autoremove postgresql*

I got many errors.

Then I tried
sudo apt-get clean
sudo apt-get update

I got the following errors.

Hit:1 https://deb.nodesource.com/node_8.x xenial InRelease
0% [1 InRelease gpgv 4,646 B] [Connecting to archive.ubuntu.com (91.189.88.161)] [Connecting to security.ubuntu.com (91.189.91.26)] [Connecting to …
0

Need help with Fail2Ban not catching the "SASL LOGIN authentication failed" in this maillog. I am running CentOS 6.4

Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: warning: unknown[185.222.209.14]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: disconnect from unknown[185.222.209.14]
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: warning: unknown[80.211.189.134]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: disconnect from unknown[80.211.189.134]

Here is the filter for postfix
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
# one failregex key; additional patterns go on continuation lines
# (a second "failregex =" key does not add a pattern to the first)
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 450 4\.7\.1 : Helo command reject$
            warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

I know this doesn't work because I ran this test.
[root@ip-172-31-22-236 filter.d]# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/postfix.conf
Use single line: /var/log/mail.log


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.

Thanks,
0
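Two things are worth checking before touching the regex. fail2ban-regex prints "Use log file :" when its first argument is a readable file and "Use single line:" otherwise, so the output above shows it never opened /var/log/mail.log; on CentOS, Postfix logs through rsyslog to /var/log/maillog by default. The other is that the SASL pattern itself does match the lines shown. The added example below (not from the post) applies the same pattern with sed and tallies failures per client, which is what fail2ban does with <HOST> before comparing against maxretry. The first three log lines are from the post; the fourth is constructed.

```shell
#!/bin/sh
# Added example (not from the post): apply the SASL failregex idea with
# sed and count failures per client, the way fail2ban tallies <HOST>.
# The first three lines come from the post; the fourth is constructed.
set -u

sample_maillog() {
  cat <<'EOF'
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: warning: unknown[185.222.209.14]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: disconnect from unknown[185.222.209.14]
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: warning: unknown[80.211.189.134]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:47 ip-172-31-22-236 postfix/smtpd[21240]: warning: unknown[185.222.209.14]: SASL LOGIN authentication failed: authentication failure
EOF
}

# Same shape as  warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:
# with <HOST> narrowed to an IPv4 literal; prints one host per failure.
sasl_failed_hosts() {
  sed -n 's/.*warning: [^[]*\[\([0-9][0-9.]*\)]: SASL LOGIN authentication failed:.*/\1/p'
}

# Failures per host, most frequent first: the count fail2ban compares
# against maxretry within findtime.
sasl_failure_table() { sasl_failed_hosts | sort | uniq -c | sort -rn; }

failures_for() {                 # $1 = host; reads the log on stdin
  sasl_failed_hosts | grep -c "^$1\$"
}

# Typical use on the real log:
#   sasl_failure_table < /var/log/maillog
```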
I had an attack on my site last night and I was looking in /var/log/messages and I see these entries happening every second

Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=mara] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=tigers] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=tigers] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2716]:                 : auth failure: [user=josie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2715]:                 : auth failure: [user=josie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=stephanie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=stephanie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:11 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=amanda] [service=smtp] 


0
My mailbox was flooded through my contact form last night, so I need to block the country that caused the attack until I can upgrade my site to take the current reCAPTCHA from Google. Here is the script I need to work. I want to be ready if it happens again tonight.

# a ';' (or a newline) is required between the word list and 'do'
for IP in $(wget -O - http://www.ipdeny.com/ipblocks/data/countries/{ua,kp}.zone); do

and it won't execute. Instead I get a greater-than symbol ">".

This is an example:
for IP in $(wget -O - http://www.ipdeny.com/ipblocks/data/countries/{ua,kp}.zone) do
>

This script used to work, but I had to retype it and now I get that > symbol.

Please help.

Randal
0
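Both the IPv6 ipset question at the top of the page and the ipdeny loop above end up at the same place: a country zone file is a list of CIDRs, and a hash:net ipset referenced by one iptables rule handles thousands of them with a single lookup, where a per-IP loop produces thousands of rules. The following is an added example that serves both posts and is not from either; the IPv4 zone URL is the one in the posts, while the IPv6 URL layout and the set names are assumptions to verify against ipdeny.com.

```shell
#!/bin/bash
# Added example (serves the ipset/IPv6 post and the ipdeny loop post; not
# from either): load ipdeny country zones into ipset sets, IPv4 and IPv6,
# and drop matching sources with one iptables/ip6tables rule each.
# The IPv6 zone URL layout and the set names are assumptions.
set -u
IPDENY4='http://www.ipdeny.com/ipblocks/data/countries'      # from the posts
IPDENY6='http://www.ipdeny.com/ipv6/ipaddresses/blocks'      # assumption

# Turn zone text (one CIDR per line) into "ipset restore" input.
# Blank and comment lines are dropped; anything not CIDR-shaped is rejected,
# so a tampered or truncated download cannot inject arbitrary entries.
zone_to_restore() {             # set-name family(inet|inet6)  < zone text
  printf 'create %s hash:net family %s -exist\n' "$1" "$2"
  grep -E '^[0-9a-fA-F:.]+/[0-9]{1,3}$' | sed "s/^/add $1 /; s/\$/ -exist/"
}

load_country_set() {            # set-name family base-url cc [cc...]
  set_name="$1"; family="$2"; base="$3"; shift 3
  for cc in "$@"; do wget -q -O - "$base/$cc.zone"; done \
    | zone_to_restore "$set_name" "$family" | ipset restore
}

# Reference the set from the firewall once; refreshing the set later needs
# no iptables change. -C avoids duplicate rules, -I puts the drop first.
hook_set() {                    # set-name iptables-binary
  "$2" -C INPUT -m set --match-set "$1" src -j DROP 2>/dev/null \
    || "$2" -I INPUT -m set --match-set "$1" src -j DROP
}

# Usage (root): block ua and kp on both address families.
#   load_country_set blocked4 inet  "$IPDENY4" ua kp; hook_set blocked4 iptables
#   load_country_set blocked6 inet6 "$IPDENY6" ua kp; hook_set blocked6 ip6tables
```

Re-running load_country_set replaces nothing and only adds; to drop entries that ipdeny has since removed, create the new set under a temporary name and use `ipset swap`.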
I was reading some material on netcat usage. There are a few references to using netcat for a relay using a FIFO (mknod backpipe p). Also mentioned was using the next_hop argument. I have never used that syntax and can't really find much information on it. So the command is:
nc -l -p 12345 0<pipe | nc next_hop 54321 1>pipe

I don't know what the next_hop is referring to.

I've always done it like this, where I specify where the client will connect (10.1.1.1 port 54321):
nc -l -p 12345 0<pipe | nc 10.1.1.1 54321 1>pipe

Any explanation of how the next_hop works would be appreciated.
0
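In the material quoted, next_hop is only a placeholder for the host the relay forwards to; the second command with 10.1.1.1 is the same relay with the placeholder filled in. The added example below (not from the post) wraps that relay in a function with the destination as a parameter, creates the back pipe with mkfifo in a private directory with mode 600, and removes it on exit, so another local user cannot attach to a stale pipe. It uses the traditional `nc -l -p` syntax from the post; no hosts are contacted by the demo.

```shell
#!/bin/bash
# Added example (not from the post): a two-way TCP relay with netcat and a
# named pipe. "next_hop" is a placeholder for the forward destination; here
# it is a parameter. Uses mkfifo (portable) rather than mknod p, keeps the
# pipe private (mode 600) and removes it on exit.
set -u

make_backpipe() {               # prints the path of a fresh, private fifo
  dir=$(mktemp -d) || return 1
  mkfifo -m 600 "$dir/backpipe" && printf '%s\n' "$dir/backpipe"
}

# Listen on $1, forward to $2:$3. Bytes from the client flow through the
# first nc's stdout into the second nc; replies come back through the fifo
# into the first nc's stdin. Traditional netcat syntax (-l -p).
relay() {                       # listen-port next-hop next-hop-port
  pipe=$(make_backpipe) || return 1
  trap 'rm -rf "$(dirname "$pipe")"' EXIT
  nc -l -p "$1" 0<"$pipe" | nc "$2" "$3" 1>"$pipe"
}

# Example: relay 12345 10.1.1.1 54321
```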
We are looking to deploy Snort on a server in IDS mode. I am looking for a web GUI to go along with this so our admins can manage it easily. Can anyone recommend something that will allow us to update plugins and rules, view alerts, etc.? So far all of my research just pulls up old articles.
I am also willing to do a gig project if that is easier for someone to set it up.
0
I am running an Ubuntu 16.04 LTS server. I am unable to change the root password or add users to the sudoers file.
0
Jan 29 05:40:41 hklvadapp005 sshd[26279]: Received disconnect from 10.20.225.137: 11: disconnected by user
Jan 29 05:40:41 hklvadapp005 sshd[26275]: pam_unix(sshd:session): session closed for user distadm1
Jan 29 13:26:46 hklvadapp005 sshd[28345]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 64855 ssh2
Jan 29 13:26:48 hklvadapp005 sshd[28345]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 29 13:27:01 hklvadapp005 sshd[28383]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 64867 ssh2
Jan 29 13:27:02 hklvadapp005 sshd[28383]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 29 14:47:37 hklvadapp005 sshd[28383]: pam_unix(sshd:session): session closed for user npwebmadmn
Jan 29 15:09:01 hklvadapp005 sshd[16181]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 52237 ssh2
Jan 29 15:09:02 hklvadapp005 sshd[16181]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 29 15:14:35 hklvadapp005 sshd[17920]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 10, deny 9
Jan 29 15:32:10 hklvadapp005 sshd[16181]: pam_unix(sshd:session): session closed for user npwebmadmn
Jan 29 16:32:19 hklvadapp005 sshd[2323]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jan 29 16:32:25 hklvadapp005 sshd[2433]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 12, deny 9
Jan 29 16:32:32 hklvadapp005 sshd[2433]: 


0
We recently performed a yum update on the RHEL 7 box, and much to our dismay, the ability to open the port now fails.

There are two scripts we have to run in order to open the port.
This one runs:
sudo iptables -A INPUT -p tcp --dport 1234 -j ACCEPT

This one fails:
sudo iptables -A IN_public_allow -p tcp -m tcp --dport 1234 -m conntrack --ctstate NEW -j ACCEPT

It gives the following error:
iptables: No chain/target/match by that name.

This always worked for years; now the latest update won't allow this to run.

Any help would be greatly appreciated.

Thanks
0
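On RHEL 7 the IN_public_allow chain is not a stock iptables chain: firewalld creates and owns it, so it exists only while firewalld is running, and rules appended to it by hand do not survive a firewalld reload or restart. The added example below (not from the post) opens the port through whichever component is in charge and refuses to append to a chain that is not there; the IPT variable is overridable only so the decision logic can be exercised without root.

```shell
#!/bin/bash
# Added example (not from the post). IN_public_allow belongs to firewalld
# and exists only while firewalld runs; hand-added rules in it are lost on
# a firewalld reload. Use firewall-cmd when firewalld is active, otherwise
# iptables, and check the chain before appending to it.
set -u
IPT="${IPT:-iptables}"          # overridable so the logic can be tested without root

chain_exists() { "$IPT" -S "$1" >/dev/null 2>&1; }

firewalld_running() {
  command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet firewalld
}

open_tcp_port() {               # $1 = port
  if firewalld_running; then
    firewall-cmd --permanent --add-port="$1/tcp" && firewall-cmd --reload
  elif chain_exists IN_public_allow; then
    "$IPT" -A IN_public_allow -p tcp -m tcp --dport "$1" -m conntrack --ctstate NEW -j ACCEPT
  else
    "$IPT" -A INPUT -p tcp -m tcp --dport "$1" -m conntrack --ctstate NEW -j ACCEPT
  fi
}

# Usage (root): open_tcp_port 1234
```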
Hey, I am changing my SSH key.

How do I remove my old SSH key from my server's trusted keys?
0
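The server-side list of trusted keys is ~/.ssh/authorized_keys, one public key per line. Deleting by the key material (the base64 field) is more reliable than deleting by the trailing comment, which is free text and is often shared between keys. The following is an added example, not from the post; the key strings in its test are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the post): remove one public key from
# ~/.ssh/authorized_keys by its key material rather than by comment.
# Handles lines that carry options before the key type, rewrites the file
# atomically and keeps mode 600.
set -u

key_blob() { awk '{print $2}' "$1"; }        # $1 = old public key file (type blob comment)

# $1 = authorized_keys path, $2 = old public key file
remove_authorized_key() {
  blob=$(key_blob "$2") || return 1
  [ -n "$blob" ] || return 1
  tmp="$1.tmp.$$"
  # drop every line in which any field equals the old key material
  awk -v blob="$blob" '{keep=1; for (i=1; i<=NF; i++) if ($i==blob) keep=0} keep' "$1" > "$tmp" \
    && chmod 600 "$tmp" && mv "$tmp" "$1"
}

count_keys() { grep -c '^ssh-' "$1"; }

# Typical use: remove_authorized_key ~/.ssh/authorized_keys ~/old_id_ed25519.pub
# then verify what remains with: ssh-keygen -l -f ~/.ssh/authorized_keys
```

Keep the new key's line in place and test a fresh login with it before removing the old one, and do the removal from a session that is already open so a mistake does not lock you out.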

I am working on a plan to create a best-practice schedule for patching my environments. I know everyone has a different opinion on this, but I am looking for a positive way to move forward on this topic. I have 3 environments: test, dev test and prod. Just looking for a push start; if anyone has gone through this, some example schedules would be appreciated. Thanks
0
Hi,
I'm comparing these two lines in the audit.rules file.

-a always,exit -F arch=b32 -S clock_settime -F a0=0 -k time-change

-a always,exit -F arch=b32 -S clock_settime -k time-change

Could you please tell me what -F a0=0 stands for?
Thank you
Carlettus
0
I installed SSH on Ubuntu. I started the service and it's running. I disabled the firewall. I added the generated key to authorized_keys.
ssh <ip_host> says Permission denied (publickey).
0
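When the key is in authorized_keys and the daemon still answers "Permission denied (publickey)", the usual cause is permissions: with StrictModes (the default) sshd ignores the file when the home directory, ~/.ssh or authorized_keys itself is writable by group or others, and it says so only in the server's auth log, not to the client. The added example below (not from the post) runs those checks and prints each violation; the directory layout in its test is created in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the post): sshd ignores authorized_keys when the
# home directory, ~/.ssh or the file itself is group/other writable
# (StrictModes, on by default). Report each violation and offer the fix.
set -u

# $1 = home directory; prints one line per problem, returns 1 if any
check_ssh_perms() {
  bad=0
  for path in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
    [ -e "$path" ] || { printf 'missing: %s\n' "$path"; bad=1; continue; }
    mode=$(ls -ld "$path" | cut -c1-10)      # e.g. drwxrwxr-x
    case "$mode" in
      # 6th char = group write bit, 9th char = other write bit
      ?????w????|????????w?) printf 'writable by group/other: %s (%s)\n' "$path" "$mode"; bad=1 ;;
    esac
  done
  return "$bad"
}

fix_ssh_perms() {               # $1 = home directory
  chmod go-w "$1" && chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys"
}

# Typical use: check_ssh_perms "$HOME" || fix_ssh_perms "$HOME"
# Confirm from the server side with: journalctl -u ssh | grep -i 'authentication refused'
```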
Hi There,

I have connected to an Ubuntu machine from Windows through PuTTY's SSH client; assume the IP address is

55.170.23.156

I want to clone a Bitbucket repository inside this PuTTY session.

Assume the Bitbucket URL

is http://bitbucket.librariesdsw.net:8080/

Assume the Bitbucket user name is bharath and the password is welcome.

How do I clone this Bitbucket repository inside this PuTTY session?

Please help, thanks in advance.

Kind regards,

Bharath K
0
BACKGROUND:
A while back, I'd set up nameservers on my VPS (let's call them 'ns1.mydomain.com' and 'ns2.mydomain.com'). I host a couple of dozen websites on that VPS.

For all of my domains, on the domain registrar's site, I'd set the nameservers for that domain to custom nameservers: 'ns1.mydomain.com' and 'ns2.mydomain.com'.

Recently, I had to ask my VPS provider to create a new server for me (let's call it 'newVPS'), leaving my previous VPS (let's call it 'oldVPS') active so I could migrate or re-create accounts and contents from the oldVPS to the newVPS.

Both the oldVPS and newVPS use WHM/cPanel admin interfaces.
The oldVPS is set up as (cut and pasted from the WHM panel banner): 'CENTOS 6.9 i686 virtuozzo – oldvps  WHM 56.0 (build 52)'
The newVPS is set up as (cut and pasted from the WHM panel banner): 'CENTOS 7.4 virtuozzo [newvps]  v68.0.21'

My understanding (which is limited in these areas) is that the nameservers I set up on my VPS have to be associated with one of the domains I own/host on that VPS.

The nameservers which I had previously set up on oldVPS were associated with 'mydomain.com', one of the domains/accounts hosted on oldVPS.

For simplicity, I'm thinking of creating new nameservers on newVPS and associating them with 'myotherdomain.com', another domain/account to be hosted on newVPS.

QUESTION:
How do I create my new nameservers on newVPS, say 'ns1.myotherdomain.com' and 'ns2.myotherdomain.com', presumably from newVPS's WHM (I'm …
0
Hello Experts,

We have an application which logs in on CentOS 6.8 64-bit (GUI interface) and, after login, opens TCP port 50000 to make connections with users.
Behind that port there are many connections from different IPs (192.168.207.11, 207.12, 207.13) and user names (user1, user2, user3):

Example output:
[root@CC ~]# lsof -i :50000
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
TCPServer 3647 rajat  245u  IPv4 156532      0t0  TCP 192.168.207.125:50000->192.168.207.15:49277 (ESTABLISHED)
TCPServer 3647 rajat  261u  IPv4  23354      0t0  TCP *:50000 (LISTEN)
TCPServer 3647 rajat  387u  IPv4  24955      0t0  TCP 192.168.207.125:50000->192.168.207.13:49271 (ESTABLISHED)

From this command I can only check which IP is connected behind port 50000, but I want to check the user name also. Please suggest.
0
