Linux Security

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be removed, generally divided into two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system is really the user with the account, while access control is responsible for controlling which resources each account has access to and what kind of access is permitted.


Dear Experts

When we enable encryption on Windows 10 systems, it encrypts the documents we store. What exactly happens here? When we take the stored files from the encrypted system and transfer them via email, copy them to USB or share them on a network drive, all the people on the other side who have access can open, read or modify them based on permissions. Does it mean it is not file-level encryption? I mean, whoever knows the system password can access the files; if someone wants to crack the hard disk, are the stored file formats not as per the document extension like .docs or .exls? Please help me to understand this.

2. What does server-side encryption mean? For example, a Nextcloud deployment says we can enable server-side encryption; how is it different from SSL enablement, that is, users accessing through HTTPS?
Please help me understand the above two. Thank you very much in advance.

We have a few Ubuntu 16.04/18.04 servers and some CentOS 6 and 7 servers at our site that we'd like to lock down to only allow logins from users on our Active Directory domain controller via LDAP. The domain controllers are both Windows Server 2016. We have multiple techs that need access to the servers, but only a few that should have full sudo abilities. Can someone share some step by step details in implementing this on these servers and how to make sure only certain AD accounts are allowed sudo abilities?

Thanks!

Dear Experts

We are using Nextcloud on Ubuntu 16.04 with PHP, MySQL and Apache. Until now we were using it within the local network, but now there is a requirement to enable it for the external network, that is, from the internet, hence we would like to procure an SSL certificate and install it.
1. Can you please suggest a good source to purchase SSL certificates?
2. At present users are using this solution; by installing the SSL certificates, will there be any impact such as the system not functioning or breaking down? Please suggest.
3. Can you please help me with how to install the SSL certificate on this server instance?

I need to create an ipset for IPv6; I have it for IPv4 already. I want to use ipdeny.com and insert specific country blocks into the ipset which is connected to iptables.

Individual log files on my server are getting zipped every hour and the individual log files are getting deleted.

Problems I am facing with zipped log files are:
1. not able to grep them as easily as individual files

2. not able to tail them to see any recent issues

If I copy them over to my local Windows laptop using WinSCP, unzip them and try to open an individual file using Notepad++, it says the file is too huge to open.

How to extract the zip file on the Unix box itself and check the log files by doing grep and tail etc.?

Please advise.

Dear Experts

Please suggest all the ways desktop/laptop users of Windows 10 and Ubuntu desktop systems can be encrypted, at OS level and with any third-party tool. I read an article about BitLocker drive encryption; is it recommended? Please suggest similarly how it can be done for Ubuntu desktops.

tail -n5000 xyz.log

The above shows the last 5000 lines, right?

If I want to see all 15723 lines of xyz.log, what command do I have to give?

tail -n5000 xyz.log|grep 'ERROR WS'
How to make the above a case sensitive search like
tail -n5000 xyz.log|grep 'error ws'
How to make the above a whole-word search, so that I won't see results like "ERROR aaa WS" etc.?

Please advise.

Hi

After I installed Nextcloud 13.0.1 on CentOS 7, most of the features work.

I am facing a strange issue with the calendar.

I cannot create or delete or do anything with the calendar in Nextcloud management; please check the attached file.

Do you think I have to change something from the GUI or CLI, or install or do something?

Kindly advise.

Hello Experts,

Getting the following error while executing a command from SSH:

[root@200 ~]# separateBod
ENTER SERVER IP LAST 1 QUADRANT WHICH YOU WANT TO BOD:
119
Option "-t" is deprecated and might be removed in a later version of gnome-terminal.
Option "-t" is deprecated and might be removed in a later version of gnome-terminal.
Failed to parse arguments: Cannot open display:

separateBod code:
#!/bin/bash
printf "ENTER SERVER IP LAST 1 QUADRANT WHICH YOU WANT TO BOD"
read IPNAME
for i in $IPNAME
do
    ssh user@192.168.1.$i BOD & pid=$!
done

BOD code:
#!/bin/bash
gnome-terminal \
        --tab -t "Exchange" -e " sh -c 'sleep 1s; ./startapp Exchange' "\
        --tab -t "Dragon" -e " sh -c 'sleep 10s; ./startapp Dragon' "\

startapp code:
ulimit -c unlimited
export LD_LIBRARY_PATH=./:${LD_LIBRARY_PATH}
./$1 $2 $3 $4 $5

After giving the execution command from the server (SSH), it should be displayed on the other server's VNC (user@192.168.1.119). It was working properly until last week; suddenly I got this error. We have the following versions of CentOS 64-bit (6.7, 6.8, 6.9, 7.4); I am getting the issue only with 7.4 64-bit.

Please suggest.

I have had to disable SELinux to get an application installed. I was wondering if anyone has ever used audit2allow to re-tag the objects in SELinux and re-enable SELinux.

I have never worked with SELinux before and could use any advice you can give.


Log file: how to copy the whole content?

zgrep -C20 '1234' 1234.log.gz

The above gave a lot of results on the Unix screen.

How to copy the whole page and paste it into a text file on the C drive of the Windows laptop through which I am connecting to the Unix box using PuTTY?

Also, I see results like

0123456
9123488

etc.

which I do not want.

I want a complete-word search of 1234 only.
How to achieve it?
Please advise.

How to check production logs?

I logged in to the production server and went to the server log path.
I did
ls -ltr

I see a bunch of log files at different timestamps.

Let's say xyz.log is at 1:30 AM, which I am interested in seeing.

How to open it and how to see it?

When I logged in using WinSCP it says login denied, so I cannot copy it over to the Windows laptop to check.
I want to zgrep or grep all "NullPointerErrors" between 12:30 AM and 2:30 AM; how do I check?
Also, how to check how many times it was restarted?
Any good best practices on production logs?
Please advise any good links or resources on it.

I have SFTP installed on Ubuntu 16.04. How to disable SSH login for a user? The user should have only SFTP login, not SSH login.

Hi to all of you,
I'm preparing new file audit rules in the /etc/audit/audit.rules file.
The syntax I'm using is: auditctl -w path_to_file -p permissions -k key_name
Example: -w /etc/libaudit.conf -p wa -k wlib.conf

My question is: if I use the following syntax without specifying the permission option (-p),
auditctl -w path_to_file -k key_name, what is the default permission value used?

Sounds like a strange question, but this is what I've been asked.
Bye and thanks,
Carlettus

Hi There,

I am getting the following issue with PostgreSQL in an AWS Ubuntu environment.

When I run python3 manage.py makemigrations, I get the following error:

File "/usr/local/lib/python3.5/dist-packages/psycopg2/__init__.py", line 164, in connect
    conn = _connect(dsn, connection_factory=connection_factory, async=async)
django.db.utils.OperationalError: could not connect to server: Connection refused
    Is the server running on host "localhost" (127.0.0.1) and accepting TCP/IP connections on port 5432?

Hence I checked whether PostgreSQL is working fine.
I tried sudo su - postgres. It went into the postgres command prompt, so it became postgres@ip-10-254-3-58:~$

Now when I try psql I get the same error as when I run python3 manage.py makemigrations.

postgres@ip-10-254-3-58:~$ psql
psql: could not connect to server: No such file or directory
    Is the server running locally and accepting connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?

I tried uninstalling and reinstalling PostgreSQL.

During the uninstall, I tried the following command:

$ sudo apt-get --purge autoremove postgresql*

I got many errors.

Then I tried
sudo apt-get clean
sudo apt-get update

I got the following errors.

Hit:1 https://deb.nodesource.com/node_8.x xenial InRelease
0% [1 InRelease gpgv 4,646 B] [Connecting to archive.ubuntu.com (91.189.88.161)] [Connecting to security.ubuntu.com (91.189.91.26)] [Connecting to …

Need help with Fail2Ban not catching the "SASL LOGIN authentication failed" lines in this maillog. I am running CentOS 6.4.

Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: warning: unknown[185.222.209.14]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: disconnect from unknown[185.222.209.14]
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: warning: unknown[80.211.189.134]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: disconnect from unknown[80.211.189.134]



Here is the filter for Postfix:
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 450 4\.7\.1 : Helo command reject$
failregex = warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =



I know this doesn't work because I ran this test:
[root@ip-172-31-22-236 filter.d]# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/postfix.conf
Use single line: /var/log/mail.log


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.



Thanks,

I had an attack on my site last night. I was looking in /var/log/messages and I see these entries happening every second:

Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=mara] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=tigers] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=tigers] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2716]:                 : auth failure: [user=josie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2715]:                 : auth failure: [user=josie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=stephanie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=stephanie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:11 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=amanda] [service=smtp] 

My mailbox was flooded through my contact form last night, so I need to block the country that caused the attack until I can upgrade my site to take the current reCAPTCHA from Google. Here is the script I need to work. I want to be ready if it happens again tonight.

for IP in $(wget -O - http://www.ipdeny.com/ipblocks/data/countries/{ua,kp}.zone) do


and it won't execute. Instead I get a greater-than symbol ">".

This is an example:
for IP in $(wget -O - http://www.ipdeny.com/ipblocks/data/countries/{ua,kp}.zone) do
>



This script used to work, but I had to retype it and now I get that > symbol.

Please help.

Randal

I was reading some material on netcat usage. There are a few references to using netcat as a relay using a FIFO (mknod backpipe p). Also mentioned was using the next_hop argument. I have never used that syntax and can't really find much information on it. So the command is:
nc -l -p 12345 0<pipe | nc next_hop 54321 1>pipe


I don't know what the next_hop is referring to.  

I've always done it like this where I specify where the client will connect (10.1.1.1 port 54321):
nc -l -p 12345 0<pipe | nc 10.1.1.1 54321 1>pipe


Any explanation of how next_hop works would be appreciated.


We are looking to deploy Snort on a server in IDS mode. I am looking for a web GUI to go along with this so our admins can manage it easily. Can anyone recommend something that will allow us to update plugins and rules, view alerts, etc.? So far all of my research just pulls up old articles.
I am also willing to do a Gig Project if that is easier for someone to set it up.

I am running an Ubuntu 16.04 LTS server. I am unable to change the root password or add users to the sudoers file.

$ zgrep --version
grep through gzip files
usage: zgrep [grep_options] pattern [files]


When I typed the above command I do not see any version number. Please advise.

Jan 29 05:40:41 hklvadapp005 sshd[26279]: Received disconnect from 10.20.225.137: 11: disconnected by user
Jan 29 05:40:41 hklvadapp005 sshd[26275]: pam_unix(sshd:session): session closed for user distadm1
Jan 29 13:26:46 hklvadapp005 sshd[28345]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 64855 ssh2
Jan 29 13:26:48 hklvadapp005 sshd[28345]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 29 13:27:01 hklvadapp005 sshd[28383]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 64867 ssh2
Jan 29 13:27:02 hklvadapp005 sshd[28383]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 29 14:47:37 hklvadapp005 sshd[28383]: pam_unix(sshd:session): session closed for user npwebmadmn
Jan 29 15:09:01 hklvadapp005 sshd[16181]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 52237 ssh2
Jan 29 15:09:02 hklvadapp005 sshd[16181]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 29 15:14:35 hklvadapp005 sshd[17920]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 10, deny 9
Jan 29 15:32:10 hklvadapp005 sshd[16181]: pam_unix(sshd:session): session closed for user npwebmadmn
Jan 29 16:32:19 hklvadapp005 sshd[2323]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jan 29 16:32:25 hklvadapp005 sshd[2433]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 12, deny 9
Jan 29 16:32:32 hklvadapp005 sshd[2433]: 

We recently performed a yum update on the RHEL7 box, and much to our dismay, the ability to open the port now fails.

There are two scripts we have to run in order to open the port:
This one runs:
sudo iptables -A INPUT -p tcp --dport 1234 -j ACCEPT

This one fails:
sudo iptables -A IN_public_allow -p tcp -m tcp --dport 1234 -m conntrack --ctstate NEW -j ACCEPT

Gives the following error:
iptables: No chain/target/match by that name.

This always worked for years; now the latest update won't allow this to run.

Any help would be greatly appreciated.

Thanks

Hey, I am changing my SSH key.

How do I remove my old SSH key from my servers' trusted keys?
