Linux Security

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be removed, generally divided into two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system is really the user with the account, while access control is responsible for controlling which resources each account has access to and what kind of access is permitted.


No internet, no GUI after installing Oracle Linux
lnxusr43unx
0
Are CentOS 7's hardenings the same as CentOS 8's?

Currently CIS only releases a benchmark & script for CentOS 7, but we prefer to use CentOS 8 so that it'll last longer before end-of-life.
0
I have an Ubuntu 18.04 LTS (64-bit) laptop. Did I set up my root account properly? When I log in to my 'root' account, I cannot view the contents of my home directory? I cannot access the /root directory?
su root
0
I've added the following settings in /etc/sysctl.conf as well as issued 'sysctl -w ...' to make them effective as part of hardening.

My apps colleague rebooted the RHEL 7 VMs & now Docker gives the error '503 Service Unavailable'.

How should I reverse them: just by removing those lines from sysctl.conf & rebooting (sysctl.conf was quite empty initially),
OR
by re-issuing "sysctl -w ..." with the alternate value (i.e. if it's 0, set it to 1 & if it's 1, set it to 0)? But this doesn't seem right, as we don't know what the default value was initially. So how do we know the initial default value before the change??


sysctl -w fs.suid_dumpable=0
sysctl -w kernel.randomize_va_space=2
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.ip_forward=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.log_martians=1
sysctl -w net.ipv4.conf.default.log_martians=1
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w …
0
On my RHEL 7, the /tmp partition is shown as xfs:
$ mount |grep /tmp
/dev/mapper/rhel-tmp on /tmp type xfs (rw,nosuid,nodev,noexec,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/rhel-var_tmp on /var/tmp type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

So when doing CIS hardening, the benchmark doc suggests remounting as tmpfs:
so should I remount as xfs instead?

i.e.
>mount -o remount,nosuid,noexec,nodev tmpfs -t tmpfs
should above be
> mount -o remount,nosuid,noexec,nodev xfs -t xfs /tmp

and

in /etc/fstab
> /dev/mapper/rhel-tmp    /tmp                    tmpfs     defaults,nodev,nosuid,noexec        0 0
should above be
> /dev/mapper/rhel-tmp    /tmp                    xfs     defaults,nodev,nosuid,noexec        0 0

and

cat  /etc/systemd/system/local-fs.target.wants/tmp.mount
[Mount]
What=tmpfs  <== should it be xfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,noexec,nodev,nosuid
0
To allow internet access to the internet I configured a gateway server on my small network of around 30 VMs. The gateway works well but I just want to make sure that this gateway server is as secure as possible since this gateway server is the only server in my network that has direct access to the internet. What security measures should I configure on this gateway server? Should I install a firewall? If so, how do I configure this firewall?
0
I am seeing a strange issue with sssd on Ubuntu 16.04. I am using sssd to authenticate to AD. The logins work great and are almost instantaneous as long as you have recently logged in (within the last minute or two). If you wait longer between logins, then it will log you in, but you do not get a prompt for up to 30 seconds.

Note that these systems are in Azure and our AD is also in Azure.

I am using offline caching and setting the site.  I am stumped as to how to correct this issue.

Below are my conf files (sanitized for security).

-----------------------------------------------------------------------------------------
/etc/sssd/sssd.conf

[sssd]
services = pam, nss
config_file_version = 2
domains = XXXX.COM
sbusTimeout = 30
#debug_level = 7

[domain/XXXX.COM]
id_provider = ad
krb5_realm = XXXX.COM
access_provider = ad
#debug_level = 7
default_shell = /bin/bash
ldap_id_mapping = True
ad_site = XXXXXXX
min_id = 50000
cache_credentials = true

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME.  Use with pam_mkhomedir.so
override_homedir = /home/XXXX/%u

# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = mymachine.myubuntu.example.com

# Uncomment if DNS SRV resolution is not working
# ad_server = _srv_

# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = MYUBUNTU.EXAMPLE.COM

# …
0
Hi,

Need help...
I have two servers, a web reverse proxy and a Tomcat application server.

1. The Tomcat application server is 120.121.25.16; the default port number was changed in the server.xml file, the port number is 28056. I checked the Tomcat application server; it works after the port change and I verified the application.

2. RH7.7 reverse proxy server 10.38.11.26
I installed httpd.
/etc/httpd/conf/httpd.conf was edited and the default port 80 changed to 29081 in the listener.
Restarting httpd, it is failing.

After the port change the httpd service is not coming up...

Error below...
Oct 18 23:04:34 webpxy1httpd[19252]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.250.245.6. Set the 'ServerNa
Oct 18 23:04:34 webpxy1 httpd[19252]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:8011
Oct 18 23:04:34 webpxy1 httpd[19252]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:8011
Oct 18 23:04:34 webpxy1 httpd[19252]: no listening sockets available, shutting down
Oct 18 23:04:34 webpxy1 httpd[19252]: no listening sockets available, shutting down
Oct 18 23:04:34 webpxy1 httpd[19252]: AH00015: Unable to open logs
Oct 18 23:04:34 webpxy1 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Oct 18 23:04:34 webpxy1 kill[19253]: kill: cannot find process ""
Oct 18 23:04:34 webpxy1 systemd[1]: httpd.service: control process exited, code=exited status=1
Oct 18 23:04:34 …
0
How to best prep a new machine for running LXD containers?
0
Hi,
1. How do I resolve the issue below?

[code][root@28-218-217-172-on-nets home]# chown -R smb01 ~/home/share
chown: cannot access ‘/root/home/share’: No such file or directory
[root@28-218-217-172-on-nets home]#
[/code]
I want to grant write permission to user smb01.

2. Is "ls -l" enough to list out all rights of user smb01 on folder /home/share? Is there any other command?
0
Hello EE,

I need to document all installed FOSS (Free and Open Source) software installed on RHEL systems for the legal team. Is there a way to show the licensing info for all packages and OS info easily with a script or via the command line?
0
Hi

I've built a MediaWiki server using Debian (Linux).

How would I block internet access from the server? What's the best way to secure it?
0
I have Active Directory on Ubuntu. I try to change the password from Ubuntu.
It failed: passwd: Authentication token manipulation error
passwd: password unchanged
I tried to reboot, still the same. I tried
sudo mount -o remount,rw /  same problem.
My shadow file under /etc has 0640 as permission.
A rewrite of pam-auth-update did not help much.
0
I want to stop scrapers and crawlers with fail2ban, but I am having trouble getting the regex to match. Here is my access_log

47.89.184.126 - - [13/Jun/2019:11:53:30 -0400] "GET /12all/lt/t_go.php?i=currentmesg&e=subscriberid&l=-http--www.theherbsplacenews.com/2009/11/usda-allows-ecoli-meat-to-be-sold.html HTTP/1.1" 404 43077 "http://www.theherbsplacenews.com/2009/12/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/52.0.2743.116 Chrome/52.0.2743.116 Safari/537.36"
47.89.184.126 - - [13/Jun/2019:11:53:39 -0400] "GET /12all/lt/t_go.php?i=currentmesg&e=subscriberid&l=-http--www.theherbsplacenews.com/2009/12/depression-and-mental-health.html HTTP/1.1" 404 43072 "http://www.theherbsplacenews.com/2009/12/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/52.0.2743.116 Chrome/52.0.2743.116 Safari/537.36"
47.89.184.126 - - [13/Jun/2019:11:54:10 -0400] "GET /12all/lt/t_go.php?i=currentmesg&e=subscriberid&l=-http--www.theherbsplacenews.com/2009/12/cocaine-heroin-spices-more-in-our-water.html HTTP/1.1" 404 43083 "http://www.theherbsplacenews.com/2009/12/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/52.0.2743.116 Chrome/52.0.2743.116 Safari/537.36"
47.89.184.126 - - [13/Jun/2019:11:54:13 -0400] "GET /12all/lt/t_go.php?i=currentmesg&e=subscriberid&l=-http--www.theherbsplacenews.com/2009/11/gingko-protects-cells-from-radiation.html HTTP/1.1" 404 
0
PuTTY agent setup.

I have created public/private keys using the ssh-keygen command on my Linux box.

I got the following files.

id_rsa
id_rsa.pub

I set up my PuTTY configuration to allow agent forwarding. I launched the pageant.exe file and tried to import my id_rsa.pub key, and it is expecting a key in the ppk format.

- Do we add the public key or the private key?
- How do I convert the ssh keys to ppk format?
0
Attached is a list of *strut* files that are present on our UNIX servers.
We were told by our app staff that we are on a very old (& likely vulnerable) Struts.

Which lines mean we have Struts on our server, & which are the files that we can remove
to fix our vulnerability? We were told by app staff that he doesn't need the Struts but
will need to identify which specific Struts files to remove.
Tv06_Struts.txt
0
Can anyone provide step-by-step instructions on how to compile & 'make'
a fully usable ClamAV on Solaris 10 (x86)?

A minor update engine was released for Linux with source code, but the package
is only available for Linux, no Solaris.
0
https://github.com/sveeke/harden_linux

Referring to the above URL, I only see the harden_CentOS7 script but
not the two Debian & Alpine Linux ones: did I miss something, or can
anyone point me to the right URLs to get the scripts?
0
Hello Experts

For our Security Operations Center (SOC), we are searching for a tool that can collect “Threat Artifacts”. When I worked with McAfee in the past, they used GetSusp to collect information about undetected malware on their computers.

We are searching for a similar tool that we can use in the network to collect information remotely. What would you recommend to us? It would be nice if the tool worked on Windows & Linux, albeit this is not a must.

Thanks a lot
1
Refer to the attached TrendMicro Interscan proxy VM (a custom Linux)
that shows spurious memory shortage.

We have allocated 32GB to the VM & with only 2 users accessing, we are already
getting these memory messages; we plan to roll out to 500 users.

What can be done to address this? Increase swap space or RAM?
Or is there something to tune? Hopefully we don't have to switch to
another type of proxy.

As this is a bundled free product, it is quite difficult to get support.

Btw, what's the default root password when it's first set up?
TMproxyoutofMem.png
0
We prefer not to do application whitelisting on our RHEL and Solaris due to fears of service disruption.

What alternative mitigations can we implement?
0
Good afternoon Experts.

I have a client who is basically a Kibbutz (think of a settlement, but in a real social way of life).
Basically, they have a CentOS 6.10 server that was deployed by the previous sysadmin, who is no longer available, and said sysadmin enabled SMB v1 on that server and activated shares for people to be able to view various pictures and such from various events. All was well until Microsoft decided to disable SMB v1 out of the box and to require a certain procedure to allow it. Now, since I can't remotely control all the computers (it's not a domain environment, not actually a business at all), I need to allow SMB v2. My question is: can I, and if I can, how do I enable support for SMB 1 and SMB 2 on the same shares at the same time?!
0
Not sure how to explain this...

I'm not trying to do a directory traversal attack; I could do that in multiple lines with a script.

I want to go back a directory "cd .."
then forward in the parent directory "cd .. cd johndoe"

.
..
/home/johnsmith
/home/johndoe
/home
/bin
/var
/etc

I want to do it in one line please


thanks

-dave.j
0
Has anyone used Colortokens https://colortokens.com/
What do they do exactly, and what do they do for data center and endpoint security?
0
I am trying to add 2-factor authentication on a Linux host. It sends a RADIUS request to
a MS RADIUS server which is somehow connected to the MS Authenticator app which I have
on my iPhone. I have it working to where, if I ssh to the Linux host with my AD UID and PW,
a message goes to my Authenticator app on the iPhone which I confirm. And then I'm in.

BUT - some of my colleagues have Authenticator set up so that they get a PIN rather than
just a confirmation number. Is there a way for SSH to work with this variant of 2-factor
authentication with the MS Authenticator app?
0