Stay Ahead With Linux Security Features
threat detection scalability Building a SIEM is easier than scaling one. Most open-source deployments start as a simple "all-in-one" server. It is easy to set up, but that design rarely survives the transition from a lab to a production workload. . A SIEM watching 20 endpoints is not doing the same job as one watching 500. More endpoints mean more logs; more logs require more storage; more storage makes search heavier. Eventually, the very architecture that made your lab easy to deploy becomes the reason your production...
Jun 04, 2026
security advisory apache A newly disclosed attack technique called HTTP/2 Bomb is drawing attention because it targets the software that sits at the front of much of the Linux internet. Apache HTTP Server, NGINX, Envoy, and the ingress layers that many Kubernetes environments depend on can be forced into consuming disproportionate amounts of memory using relatively small amounts of attacker traffic. . For Linux administrators, the concern is not the HTTP/2 protocol itself. It is the possibility that a single...
Jun 04, 2026
security advisory important The compromise of Nx Console shows how much infrastructure now sits behind a single developer account. GitHub repositories, CI/CD pipelines, container build systems, Terraform projects, Kubernetes deployments. None of those systems was the initial target. The workstation was. . Attackers did not need a Linux privilege escalation bug or a remote code execution chain. They needed developers to trust a tool they were already using. For many organizations, that was enough. What Happened? Federal...
Jun 03, 2026
security advisory open-source You remove the malware. You rotate the compromised credentials. You patch the original vulnerability and close the ticket. Two weeks later, the attacker is back. . What happened? You didn't lose the battle at the exploit; you lost it at the cleanup. In many modern Linux intrusions, the malware you found wasn't the main problem—it was the fallback mechanisms left behind. These hooks quietly restore attacker access the moment you look away. If you clean a host but miss these persistence layers,...
Jun 02, 2026
security advisory Red Hat Researchers investigating a campaign now tracked as Miasma found that more than 30 packages in Red Hat's @redhat-cloud-services npm namespace had been altered to deliver credential-stealing malware. . The packages weren't being used to deploy ransomware or sabotage systems. From what has been reported so far, the objective appears to have been much simpler: collect credentials from developer environments and use that access elsewhere. GitHub tokens, cloud credentials, SSH keys, and other...
Jun 02, 2026
Refine features
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security features
We found -2 articles for you...
102
security advisoryopen sourcesecurity solutionCrowdSec Bouncer for WordPress: Effective Protection Against Attacks
The CrowdSec team is expanding the capabilities of their open-source and free security solution by finalizing the release of its brand new application bouncer on the WordPress marketplace . This new bouncer is compatible for versions 1.0.x and beyond. Given that the vast majority of websites in the world are hosted on WordPress, this addition will improve CrowdSec's defense arsenal in its mission to defend the greatest number. . First steps This bouncer has been designed to protect WordPress-hosted websites from all kinds of attacks. To be able to use this blocker, the first step is to install CrowdSec v.1.0.x. Release v1.0.4 · crowdsecurity/crowdsec · GitHub The installation and configuration of the plugin can be done in a few clicks from the WordPress marketplace. Please note that first and foremost CrowdSec must be installed on a server that is accessible via the WordPress site. Remember: CrowdSec detects, bouncers deter. A step that is fortunately greatly facilitated by the solution's intuitive wizard. Within ten minutes your WordPress site will be protected from attacks by the user community, now spanning more than 70 countries and 400 cities. The “Flex mode” - a bulwark against false positives Thanks to the "Flex mode", it is impossible to accidentally block access to your site to people who don't deserve it. This mode makes it possible to never ban an IP but only to offer a Captcha, in the worst-case scenario. CrowdSec blends into your design When a user is suspected to be malevolent, CrowdSec will either send him/her a Captcha to resolve or simply a page notifying that access is denied. Please note that it is possible to customize all the colors of these pages in a few clicks so that they integrate best with your design. On the other hand, all texts are also fully customizable. This will allow you, for example, to present translated pages in your users’ language. The standard "Captcha wall" looks like this: Youwill be able to customize it as you feel like. Below is an example after having played a little with colors and texts: The right balance between performance and security By default, the "live mode" is enabled. The first time a stranger connects to your website, this mode means that the IP will be checked directly by the CrowdSec API. The rest of your user's browsing will be even more transparent thanks to the fully customizable cache system. But you can also activate the "Stream mode". This mode allows you to constantly feed the bouncer with the malicious IP list via a background task (CRON), making it to be even faster when checking the IP of your visitors. Besides, if your site has a lot of unique visitors at the same time, this will not influence the traffic to the API of your CrowdSec instance. If you've ever been confronted with high traffic, you are probably familiar with Redis or Memcached technologies. You have the capability to activate these caching technologies in the CrowdSec bouncer settings to guarantee invisible IP control on your site. CDN-friendly without forgetting other load balancers If you use a CDN, a reverse proxy or a load balancer, it is now possible to indicate in the bouncer settings the IP ranges of these devices in order to be able to check the IP of your users. For other IPs, the bouncer will not trust the X-Forwarded-For header. Coming up next Soon, the plugin will have a dashboard allowing you to visualize the activity of your bouncer in live. It will also be possible to connect directly to CrowdSec's global reputation database, without having to install an agent on your machine if you don't wish to. Widely tested, 100% open source This plugin has been tested on the vast majority of WordPress versions installed in the world (90%+), according to WordPress real-time statistics. It has also been tested on a very wide range of PHP versions (7.2, 7.3, 7.4 and 8), the language in which WordPress is coded. This plugin is released under MIT, themost permissive and free license in the world. Its source code is fully available on GitHub . Fortify your WordPress site with the latest CrowdSec bouncer to guard against a range of threats and ensure your online presence remains secure.. CrowdSec Bouncer, Open Source Security, Website Protection, Attack Prevention, WordPress Security. . Brittany Day
Apr 26, 2021
•
102
denial of serviceprocess managementattack preventionUnderstanding Fork Bombing Attacks: Mechanisms And Prevention
Thanks to Anand Jahagirdar for this feature! As the variety of attacks and threats grow, you need to be prepared. In this HOWTO, get a feeling for the Fork Bombing Attack, what it is, how it works, where it comes from, how to deal with it and more. . Fork Bombing: Eckie S. Fork bombing means invoking fork system call infinite times by one or more processes. It is also defined as Spawning nearly infinite processes by one or more user processes. E.g. Simple C Loop *: - while (1) fork (); It spawns infinite processes which in turn lead to fork bombing. Fork bombing attack is usually done by a non root user. For example, a non root user, as an attacker, sends infinite requests to the server for denial of service. Another example of fork bombing attack is a simple loop *: - main () {fork() main () ;} In this case main function calls itself recursively. This loop can make the system crawl. (* warning: - execute both the loop at your own risk). It . Fork bombing targets system resources by rapidly generating processes, causing severe performance issues and potentially crashing systems, disrupting user access. Fork Bombing, Denial of Service, Process Management. . Anthony Pell
Jun 08, 2010
•
102
network securitysecurity measuresattack preventionDDoS Protection Strategies: Effective Measures for Network Security
In this article I am trying to explain what DDOS is and how it can be prevented. DDOS happens due to lack of security awareness of the network/server owners. On a daily basis we hear that a particular machine is under DDOS attack or NOC has unplugged the machine due to DDOS attack . So DDOS has become one of the common issues in this electronics world. DDOS is like a disease which doesn't have an anti-viral developed. So we should be carefull while dealing with it . Never take it lightly. In this article i am trying to explain the steps/measures which will help us defend from DDOS attack ,up to a certain extend . . What is a DDOS attack? Simply said, DDOS is an advanced version of DOS attack . Like DOS , DDOS also tries to deny the important services running on a server by broadcasting packets to the destination server in a way that the Destination server cannot handle it. The speciality of the DDOS is that, it relays attacks not from a single network/host like DOS. The DDOS attack will be launched from different dynamic networks which has already been compromised. Normally, DDOS consists of 3 parts . One is the Master ,Other the slave and atlast the victim. The master is the attack launcher ie the person/machine behind all this,sound's COOL right . The slave is the network which is being compromised by the Master and Victim is the target site/server . Master informs the compromised machines, so called slaves to launch attack on the victim's site/machine. Hence its also called co-ordinated attack. In my term, Master is said to be the Master Brain, Slave is said to be the launch pad for the attack and Victim is the target. How do they Do it? DDOS is done in 2 phases. In the first phase they try to compromise weak machines in different networks around the world. This phase is called Intrusion Phase. Its in the next phase that they install DDOS tools and starts attacking the victims machines/site. This Phase is called Distributed DoS attacks phase. What Allowed them to do it? The reasons are given below :- 1) Vulnerable softwares/Applications running on a machine or network. 2) Open network setup. 3) Network/ machine setup without taking security into account. 4) No monitoring or DataAnalysis are being conducted. 5) No regular Audit / Software upgrades being conducted. What should we do if we are under attack? First Identify if you are really under attack. If yes, follow the below steps : Check if your machines load is high and you have large number of HTTP process running. To find the load just use the command w or uptime - --- Eg: Blessen@work > w 12:00:36 up 1 day, 20:27, 5 users, load average: 0.70, 0.70, 0.57 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT --- To find if there is large number of HTTP process running use the command " ps -aux|grep HTTP|wc -l " Eg: -- [root@blessen root]# ps -aux|grep HTTP|wc -l 23 -- In a heavy server , the number of connection will go above 100. But during DDOS attack, the number will go even higher and thats when we need to find out from which all networks are these attacks coming. In DDOS the host machine doesn't have much importance. Its the network which is of importance here because, an attacker will use any machine on the compromised network or even will use all the machines in the network. Hence network address is of importance while fighting with the attack. If you have high load (say 5 or more ) and you have large number of HTTP process then i would request you to do the following 1) At command prompt execute the below command bash#netstat -lpn|grep :80 |awk '{print $5}'|sort 2) Check each block of ips. Like let me say , that you have more than 30 connection from a single ip. Under normal cases there is no need for that many number of connection requests from a single IP. Try to identify suchips/networks from the list you get 3) If more than 5 host/ip connects from the same network then its a clear sign of DDOS . 4) Block that ips/networks using iptables /Apf iptables -A INPUT -s -j DROP If you have apf then just add the ips which you want to block in the file /etc/apf/deny_hosts.rules 5) Keep on continuing this process untill the attack on the machine gets reduced. There is no complete or perfect solution to DDOS . The logic is simple, NO softwares or measures could handle attacks from multiple servers say from 50 - 100 servers all at a time . All that can be done is to take preventive measures . How can we prevent or defend ourselves from these attacks? Like said, Prevention is better than cure. Its very much true in the case of DDOS . In my Introduction, I had mentioned that DDOS happens because of vulnerable softwares/applications running on a machines in a particular network. Attackers use those security holes to compromise the servers in different network and install the DDOS tools (eg trinoo -DDOS tool ) To prevent DDOS in future, follow the below steps which has 12 major steps Setup machine / network keeping security in mind (Implement Good Security policy) Setup a firewall which does Ingress and Egress Filtering at Gateway Eg: Steps to Install AFP ---- bash# wget https://rfxn.com/downloads/apf-current.tar.gz bash# tar -zxf apf-current.tar.gz bash# cd apf- bash# ./install.sh Notes: Go through the Document in the Apf and configure it for your needs. All configuration is set at conf.apf which is normally located at /etc/apf/conf.apf Enable Anit-DOS mode in Apf (ie in conf.apf) . Also make sure that your root's cron has an entry like the one below */8 * * * * root /etc/apf/ad/antidos -a > > /dev/null 2> &1 ----- Install IDS on your gateway/hosts to alert you when someone tries to sniff In. Eg:AIDE ---------- (a) Wget (b) Untar it tar -zxvf aide-0.7.tar.gz (c) cd aide-0.7 (d) Then execute ./configure -with-gnu-regexp (e) Final steps to install make;make install (f) Now the main step..To configure AIDE.AIDE stores all its rule sets in the file called aide.conf. Lets populate it get more details of how to configure and all from man aide.conf (g) Here I am taking an example .See below Here is a sample short aide.conf: Rule = p+i+u+g+n+s+md5 /etc p+i+u+g /sbin Rule /usr/local/apache/conf Rule /var Rule !/var/spool/.* !/var/log/.* In the above configuration listed , a rule called "Rule" is set to check permissions (p), inode (i), user (u), group (g), number of links (n), size (s), and md5 checksum (md5). This rules are applied to all files in /bin, /sbin, /var, and /usr/local/apache/conf because they should rarely if ever change. Files in /etc are checked for changes in only permissions, inode, user, and group because their size may change, but other things shouldn't. Files and directories in /var/spool and /var/log are not checked because those are folders where maximum updation takes place. (h) After configuring AIDE should be initiated with all these rules. For that execute aide -init ---------- Conduct regular Audits on each host on the network to find installation of DDOS tools / Vulnerable applications. Use tools like RKDET(vancouver-webpages.com/rkdet),RKHUNTER() and CHKROOTKIT(www.chkrootkit.org) to find if any rootkit has been already installed and to locate the effected binaries in the machine, if any. Please find a simple Audit check List below to be done on a Hosts Eg: Audit Check List --- A quick checklist: * Software Vulnerabilities. * Kernel Upgrades and vulnerabilities. * Check for any Trojans. * Run chkrootkit. * Check ports. * Check forany hidden processes. * Use audittools to check system. * Check logs. * Check binaries and RPMS. * Check for open email relays. * Check for malicious cron entries. * Check /dev /tmp /var directories. * Check whether backups are maintained. * Check for unwanted users, groups, etc. on the system. * Check for and disable any unneeded services. * Locate malicious scripts. * Querylog in DNS. * Check for the suid scripts and nouser scripts. * Check valid scripts in /tmp. * Use intrusion detection tools. * Check the system performance. * Check memory performance (run memtest). --- Enforce and Implement Security Measures on all hosts in the network. Machines new or old should only be allowed to run on your network, if your Security Admin or DSE (Dedicated Security Expert) member approves it with status ``OK-to go live' after auditing the box. All Host in the network should be checked on a regular basis by your DSE team to make sure that all hosts are uptodate and can fight any attacks. Audit network on a regular basis to see if your network is vulnerable to attacks Use Open Source Tools like NESSUS(https://www.tenable.com/ ,NMAP(www.insecure.org/nmap),SAINT( (www-arc.com/sara/sara.html)for auditing a network to find its vulnerabilities. Create a DSE (Dedicated Security Expert ) Team for your company. Collect your networks and hosts data . Analysis them and study them to see from where and what kind of attacks are coming into the network. This step will help us to understand what kind of attacks we are facing and will help us to strengthen the preventive measures. Let me tell you this move is worth the money you spend,for sure. Implement Sysctl protection against DDOS Eg: ---------- bash# vi /etc/sysctl.conf add the below code: # Enable IP spoofing protection, turn on Source Address Verification net.ipv4.conf.all.rp_filter = 1 # Enable TCP SYN Cookie Protection net.ipv4.tcp_syncookies = 1 Add the below code in /etc/rc.local and restart network for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > done echo 1 > /proc/sys/net/ipv4/tcp_syncookies ---------- Install Mod_dosevasive to your apache. Mod_dosevasive is module for Apache to perform evasive action in the event of an HTTP DDoS attack or brute force attack. Please find the installation step of mod_dosevasive in DSO mode below Eg: Install Mod_dosevasive ------ bash# wget bash# tar -zxvf mod_evasive_1.10.1.tar.gz bash# cd mod_evasive_1.10.1 bash# $APACHE_ROOT/bin/apxs -iac mod_evasive.c Dont get scared by the variable ``$APACHE_ROOT' . Its nothing, but a simple variable which stores the location of the apache installation (eg $APACHE_ROOT =/usr/local/apache) bash# vi /usr/loca/apache/conf/httpd.conf After this add the below code in httpd.conf DOSHashTableSize 3097 DOSPageCount 2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 10 bash# /usr/loca/apache/bin/apachectl restart ------ Install Mod_security . Since DDOS normally targets http. Its always good to have a filtering system for apache . So that the request gets analyzed before web server handles it. Please find the installation step of mod_security in DSO mode below Eg: Installation Steps ------ bash# https://github.com/owasp-modsecurity/ModSecurity bash# tar -zxvf modsecurity-apache-1.9.2.tar.gz bash# cd modsecurity-apache-1.9.2 bash# /usr/local/apache/bin/apxs -cia mod_security.c Create a file named mod_security.conf under the folder /usr/local/apache/conf bash# vi /usr/local/apache/conf/mod_security.conf Create the rule with reference to the linkhttps://github.com/owasp-modsecurity/ModSecurity and add it in the mod_security.conf file. Add the location of mod_security.conf to httpd.conf bash# vi /usr/local/apache/conf/httpd.conf Add the string below Include /usr/local/apache/conf/mod_security.conf bash# /usr/local/apache/bin/apachectl stop bash# /usr/local/apache/bin/apachectl start ------- Best solution to fight DDOS to a certain extend will be to setup load balancer for your services. Creating awareness on Security This is the most important part. People should be Security conscious. Then only they will understand the importance of Security measures . Server owner's and users should be made aware of the issues which can rise due to bad security measures . Conclusion DDOS can be prevented to a certain extend, if hosts and network are secure. So I advice each server owners and network owners to implement security measures on their network ,if they want to fight against DDOS. About this document ... Preventing DDOS attacks Written By Blessen Cherian Sr.Executive Team Member of Bobcares.com [ Head Of Installation,Security and Networking Department ] Poornam Info Vision Pvt Ltd . To protect your network from DDoS attacks, implement diverse strategies like traffic analysis, rate limiting, and using a CDN for enhanced security.. DDoS Protection, Network Defense, Security Guidelines. . Blessen Cherian
Mar 16, 2006
•
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!
Discover faster search, smarter navigation, and deeper Linux security insights. Read More