Stay Ahead With Linux Security Features

Enhancing Security Posture With Effective Password Strength Testing Tools

Simple passwords can be incredibly weak, whether they match the username, are blank, or use keyboard combinations ("qwerty"). These passwords may be easier to remember, but they do nothing to stop cybercriminals interested in stealing your information and threatening your data and network security. A 2019 Google study showed that seventy-five percent of Americans were frustrated with keeping track of their passwords. This statistic supports the finding of OWASP's SecLists project that the five most common weak passwords are "123456," "Password," "12345678," "qwerty," and "123456789." As a result, breaking into systems by brute-forcing weak passwords has become routine for cybercriminals. Weak passwords allow unauthorized access to a server, leading to catastrophic consequences like data loss and long-term downtime. Understanding how to store passwords and prevent attacks is crucial to maintaining data and network security. This article discusses password cracking and testing tools that sysadmins can use to improve their security posture.

What is Password Cracking?

Password cracking is a technique in which cybercriminals recover passwords from encrypted data stored on a computer or transmitted to a server. System administrators can use the same password-cracking tools as part of their network security toolkit to see how crackable company passwords are, then have employees change weak passwords so the related vulnerabilities stop being a risk. The best tools can handle multiple targets simultaneously, so you can see how well different protocols and platforms hold up against a network security threat.

What Types of Password Cracking Attacks Exist?
There are three common types of password-cracking attacks that businesses must keep in mind while testing their servers for weaknesses that need patching:

Dictionary attack: The attacker starts by collecting a list of previously leaked data containing words, phrases, and likely passwords. A dictionary attack then tries every entry in the list until it finds the right one and breaks into the system.

Brute-force attack: Password-cracking tools try every possible combination within a range and set of criteria the user specifies. This process is effective but slow; a nine-character password with upper- and lowercase letters and special characters can take up to nine years to crack.

Rainbow tables: The attacker compares an existing dump of password hashes against a precomputed table of hashes to recover the plaintext passwords. Security-oriented applications usually store passwords as fixed-length hashes to make them harder to crack, and rainbow tables work through those hashes much faster than brute force. However, rainbow tables fail when the hashes have been salted and the salt values are large enough, because cracking then becomes a far more complex task.

What Tools Can I Use to Test Password Cracking?

An effective password-cracking tool is essential for a business to determine whether passwords are a source of vulnerabilities within the company. Here are a few options to choose from when deciding how to test password cracking on your server.

John the Ripper

Released in 1996, John the Ripper is an open-source password cracker that was originally written for UNIX-based systems.
Today the tool runs on many operating systems, including Android, Linux, macOS, and Windows. Designed to test password strength, brute-force encrypted passwords, and crack passwords via dictionary attacks, it quickly grew in popularity and is now one of the most recognizable password crackers. Some of its key features include multiple cracking modes, automatic detection of the hash algorithm used by the stored passwords, and easy configuration and operation. The tool comes in a GNU-licensed version and a proprietary version, the latter designed for professional penetration testers.

John the Ripper Modes and a Use Case

John the Ripper uses modes to meet the needs of its users. Three modes ship with the tool:

Single crack mode: Recommended to run first because it is the quickest. It uses information from the GECOS fields of UNIX passwd or shadow files to guess passwords. This catches accounts whose password is based on readily available account information or on the username itself, such as root:root or radha:radha456.

Wordlist mode: Similar to a dictionary attack, this mode relies on the user supplying a text file listing passwords, ideally one per line with no duplicates. The application ships with default wordlists, and the proprietary version offers more choice.

Incremental mode: The equivalent of a brute-force attack, this mode is only effective against weak passwords. If a password is long or complex enough, the mode may never finish in a reasonable amount of time; when the number of combinations is too large, the user has to interrupt it.
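The defensive counterpart of the weaknesses described above (username-based passwords that single crack mode recovers from GECOS data, keyboard combinations, and the SecLists top entries) is to reject such passwords at the point where they are set. The following is an added example written for this page, not code from John the Ripper or any other tool named here; the tiny wordlist, the passwd lines and the minimum length are constructed assumptions.

```python
import re

# Constructed sample: a five-entry stand-in for a leaked-password wordlist such
# as OWASP SecLists.  Kept lowercase because the check is case-insensitive.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "123456789", "letmein"}

# US keyboard rows plus the digit row.  MIN_WALK consecutive characters that run
# along one row, in either direction, count as a "keyboard combination".
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_WALK = 4
MIN_LENGTH = 8  # assumption for this example; the article sets no length

# Constructed /etc/passwd lines used for the demonstration below.
JAMES = "james:x:1000:1000:James Smith,,,:/home/james:/bin/bash"
RADHA = "radha:x:1001:1001:Radha Sharma,,,:/home/radha:/bin/bash"


def account_tokens(passwd_line: str) -> set:
    """Words readable straight out of /etc/passwd for this user: the username,
    the GECOS comment fields and the home directory name.  John the Ripper's
    single crack mode derives its candidates from exactly this data."""
    fields = passwd_line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("expected a 7-field passwd line")
    user, gecos, home = fields[0], fields[4], fields[5]
    words = [user, home.rstrip("/").rsplit("/", 1)[-1]]
    words += re.split(r"[,\s]+", gecos)
    return {w.lower() for w in words if len(w) >= 3}


def has_keyboard_walk(password: str) -> bool:
    """True if any MIN_WALK-character window of the password lies along a keyboard row."""
    p = password.lower()
    for i in range(len(p) - MIN_WALK + 1):
        window = p[i:i + MIN_WALK]
        for row in KEYBOARD_ROWS:
            if window in row or window in row[::-1]:
                return True
    return False


def check_password(password: str, passwd_line: str) -> list:
    """Return the reasons a password fails; an empty list means it is accepted."""
    if not password:
        return ["blank"]
    reasons = []
    p = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter-than-{MIN_LENGTH}")
    if p in COMMON_PASSWORDS:
        reasons.append("common-password")
    if has_keyboard_walk(password):
        reasons.append("keyboard-walk")
    # Substring match catches root:root as well as radha:radha456.
    if any(token in p for token in account_tokens(passwd_line)):
        reasons.append("derived-from-account-info")
    return reasons


if __name__ == "__main__":
    for candidate, line in (("radha456", RADHA), ("qwerty", JAMES), ("correct-horse-battery-9", JAMES)):
        print(f"{candidate!r}: {check_password(candidate, line) or 'accepted'}")
```

In a real deployment the wordlist would be loaded from a full SecLists or rockyou-style file and the passwd line taken from the account being changed; the checks themselves stay the same.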
Here are some examples of use cases for John the Ripper:

Cracking a user account password in Kali Linux: This scenario shows how simply John the Ripper cracks a user account password on Kali Linux. Say the user creates an account using the command:

Say the user then sets the password for this account:

To crack the password for the account with the username 'James', run the following command:

Not only will John the Ripper identify the hash method and display it in the terminal, it will also recover the plaintext password from the hash and display that as well.

Hashcat

Hashcat is a popular, effective open-source password cracking tool widely used by penetration testers and system administrators. Hashcat describes itself as having the world's first and only in-kernel rule engine, and it supports Linux, macOS, and Windows on the desktop as well as Android, iOS, and Windows on mobile. One limitation is that Hashcat is narrower in the kinds of passwords it can recover: unlike John the Ripper, which can recover passwords for databases and operating systems, this tool is mostly limited to documents such as PDF files and WiFi passwords. Still, Hashcat is very much an effective password cracker to consider.

Hashcat's Attack Arsenal and a Use Case

At the most basic level, Hashcat guesses a password, hashes it, and compares the resulting hash to the one it is trying to crack. Beyond these brute-force attempts, Hashcat also supports dictionary attacks, combinator attacks, mask attacks, and rule-based attacks.

Dictionary attack: Hashcat can use a wordlist text file to perform a dictionary attack. Users can start with the wordlist rockyou.txt, which contains more than 14 million passwords sorted by frequency of use and makes for a very effective password-cracking test.
Combinator attack: These attacks work best against passwords made of two words joined without a space, such as 'yellowcar' or 'blackbike'. Hashcat performs a combinator attack by taking a dictionary and building a new wordlist of every word combined with every other word. It can also insert punctuation such as hyphens, exclamation points, and other special characters, producing candidates like 'yellow-car!' and 'black-bike!'.

Mask attack: A mask attack looks for passwords that share a common shape. For instance, one uppercase letter followed by six letters and a digit at the end is a common pattern in older passwords, and Hashcat can search for passwords of that shape with a mask. Mask attacks are often orders of magnitude faster than brute force; a brute-force run that would take four years can take 40 minutes as a mask attack.

Rule-based attack: Hashcat offers a programming-language-like syntax for rule-based attacks in which users specify what kinds of passwords to try. This is useful when the user has a sense of how the target constructs passwords. The most complex of Hashcat's attacks, the rule-based attack provides functions to modify, cut, or extend words and supports conditional operators, making it the most flexible, accurate, and efficient kind of attack.

Here is an example of a use case for Hashcat:

Wordlist attack on a list of passwords stored in a hash file: The user has two files, a wordlist and a hash digest. The digest is a bcrypt-md5 hash. Since Hashcat does not accept the hash type by name, the user needs to provide its numeric id when launching the attack; these values can be found in the Hashcat help output or on the example page on AttackDefense.
Now that the user has everything required to crack the password, they can launch the attack by executing the following command:

Once the kernel is initialized and the comparison starts, the password is recovered and shown to the user in the format HASH:PlainText.

CrackStation

What differentiates CrackStation from John the Ripper and Hashcat is that it is not a standalone program installed on the computer. Instead, it is a free web-based password cracker that uses the dictionary-attack technique to crack hashes, so it can be used from any operating system, desktop or mobile. It supports multiple hash types, including LM, NTLM, md2, md4, md5, md5(md5_hex), md5-half, MySQL 4.1+ (sha1(sha1_bin)), sha1, sha224, sha256, sha384, sha512, ripeMD160, whirlpool, and QubesV3.1BackupDefaults. The one downside is that only unsalted hashes, with no random string mixed in, can be cracked.

How Does CrackStation Work and What Is a Use Case?

CrackStation uses large precomputed lookup tables to crack password hashes. The tables store a mapping from the hash of a password to the password itself, and CrackStation indexes the hash values so that a given hash can be located quickly. If the hash is in the database, the password is recovered in under a second. This only works for unsalted hashes; CrackStation also offers a hashing-security page describing password hashing schemes that are not vulnerable to precomputed lookup tables.

Here is an example of a use case for CrackStation:

Cracking MD5 hashes: In one of the simplest CrackStation use cases, the MD5 hash of a password is translated straight back to plaintext. Take the password 'P@ssw0rd' and its MD5 hash. Plugging that hash into CrackStation returns 'P@ssw0rd'.
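The lookup-table mechanics behind CrackStation, and the two defenses the article names (salting, and a hashing scheme not vulnerable to precomputed tables), can be shown in a few lines. This is an added example written for this page, not CrackStation's code; the five-entry wordlist is a constructed stand-in for a real table, and the storage format string is this example's own convention rather than a standard one.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a five-entry wordlist standing in for the millions of
# leaked passwords behind a lookup service.
WORDLIST = ["123456", "password", "qwerty", "P@ssw0rd", "letmein"]

# OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup_table(words):
    """The precomputation step: hash every candidate once and index it by digest.
    The dict is the index; afterwards an unsalted MD5 lookup is a single probe
    rather than a fresh cracking run, which is why the result arrives in under a second."""
    return {md5_hex(w): w for w in words}


def lookup(table, digest: str) -> Optional[str]:
    """Plaintext for an unsalted digest, or None when it is not in the table."""
    return table.get(digest.lower())


def salted_md5(password: str, salt: bytes) -> str:
    """With a per-user salt the same password yields a different digest for every
    user, so a table built from md5(password) alone never matches."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store passwords with a random salt and a deliberately slow KDF.
    Record format (this example's own): pbkdf2_sha256$<iterations>$<salt hex>$<key hex>."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted md5 ->", lookup(table, md5_hex("P@ssw0rd")))
    print("salted md5   ->", lookup(table, salted_md5("P@ssw0rd", os.urandom(8))))
    record = hash_password("P@ssw0rd")
    print("pbkdf2 verify ->", verify_password("P@ssw0rd", record))
```

The iteration count is what makes the third form resistant even when the salt is known: each guess costs the attacker the same 600,000 HMAC computations it costs the server, where a plain MD5 guess costs one.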
Final Thoughts on Password Cracking

Password-cracking tests belong in every network security toolkit, so that sysadmins know how to create strong passwords and prevent problems before they arise. Sysadmins should implement measures that safeguard passwords appropriately and keep all credentials in secure locations. Consider changing passwords every ninety days and defining password requirements so domain administrators can be confident that passwords are secure. Make sure employees understand never to send passwords or login credentials through electronic communications, whether email or text message, so a cybercriminal cannot pick them up during a breach. Storing passwords safely is crucial to mitigating password-cracking attacks before they occur. Use a trustworthy password manager to create and oversee complex, unique passwords and to generate new ones that protect and improve your security posture.

Dec 07, 2023 | Hithesh Sathian, Anthony Pell

Comprehensive DDoS Protection Strategies for Linux Servers

Since the beginning of the modern internet, Distributed Denial of Service (DDoS) attacks have been a scourge. The first known major DDoS attack happened in 1996, when the prominent New York commercial internet provider Panix suffered an attack that knocked its servers offline for several days. In the years since, DDoS attacks have grown in size, scope, and frequency. At the same time, the share of public-facing servers running one of the many versions of Linux has exploded: ZDNet reports that 96.3% of all major web servers now run a Linux variant. DDoS attacks are therefore a massive network security threat that every administrator needs to understand in order to mitigate and prevent the vulnerabilities that allow an attack to succeed. DDoS does not have easy solutions, but that does not mean server admins should give up.

To give Linux admins the knowledge and basic skills they need, here is a comprehensive guide to preventing Linux DDoS attacks that assumes minimal cybersecurity background. We'll discuss exactly what DDoS attacks are, how they work, and why they happen. We'll cover the OSI layers attackers target and the typical defensive and mitigation strategies admins can use with stand-alone and cloud-based Linux servers. Finally, we'll address common misconceptions about DDoS attacks and give a quick overview of the top open-source DDoS mitigation tools for Linux available today. By the end, you'll know what it takes to mount a competent defense of your Linux infrastructure. If you're ready, let's get started!

Understanding DDoS Attacks

Before you can defend your infrastructure from DDoS attacks, you need to understand what they are and how they work. Put simply, a DDoS attack is a deliberate attempt to overwhelm a server or servers by directing a large volume of traffic at them simultaneously.
During a DDoS attack, the target is effectively knocked offline because legitimate traffic can't reach it. According to cybersecurity expert Hari Ravichandran, DDoS attacks have become a preferred tool for ransom-seeking hackers, joining purpose-built ransomware as the most prevalent criminal network security threat online today. He also notes that the rise of DDoS attacks coincides with a growth in botnet-for-hire schemes that make launching them both cheap and easy. This environment has made DDoS one of the most significant recent cybersecurity trends.

In most instances, DDoS attacks rely on botnets, masses of compromised devices and computers, to generate the required traffic. Lately, compromised IoT hardware has supercharged the size and ferocity of DDoS attacks. Perpetrators may have a variety of motivations, including business leverage, extortion, state-sponsored cyber warfare, ideology, and attention-seeking.

Worse still, there are multiple subtypes of DDoS attack that Linux admins have to know. Here are the main ones and the OSI layers they target:

UDP Flood

A UDP (User Datagram Protocol) flood is a layer-3 attack in which the attacker floods random ports on the target with meaningless packets. This forces the server to check for applications listening on those ports, which consumes precious computing resources. Eventually the target loses the ability to respond to legitimate requests for the duration of the attack, and possibly longer if the server can't recover on its own.

Ping Flood

A ping flood is another layer-3 attack. It abuses a troubleshooting protocol meant to let admins test whether a server is reachable remotely: a ping is an Internet Control Message Protocol (ICMP) echo request carrying a data packet of up to 64 bytes.
Under ordinary circumstances, a pinged server answers by sending a packet of the same size back to the origin. Attackers abuse this by sending huge floods of ping requests, which rapidly consume both the inbound and outbound bandwidth of the server for the duration of the attack.

Ping of Death

A ping of death is a layer-3 attack similar to a ping flood, except that it uses malformed ping requests. By manipulating the size and content of the request, the attacker causes a memory buffer overflow on the target, which eats up resources and prevents the server from responding to legitimate traffic.

SYN Flood

A SYN flood is a layer-4 attack that abuses the TCP handshake, in which the machine initiating a connection sends a SYN to the target, the target replies with a SYN-ACK, and then waits for the initiator's ACK. In a SYN flood, the attacker generates large numbers of SYN requests but never answers the target's SYN-ACK responses, leaving the target waiting on an ever-growing number of half-open connections. Eventually the server runs out of available connections and stops responding to further incoming requests, legitimate or otherwise.

HTTP Flood

An HTTP flood is a layer-7 attack in which the attacker directs large volumes of HTTP GET or POST requests at a web server. The idea is to tie up the web server's resources with meaningless requests so that it cannot answer real users. This is a particularly pernicious form of attack because it requires no special infrastructure and does not depend on massive bandwidth.

Slowloris

A slowloris attack is a server-to-server layer-7 attack in which an attacking server opens many concurrent connections to the target server and holds them open.
It does this by sending endless HTTP headers without ever completing a request, and continues until the target can no longer respond to other HTTP requests.

NTP Amplification

An NTP amplification attack is another layer-7 attack, in which the attacker bounces traffic off public Network Time Protocol (NTP) servers toward a target. Since a request to a pool of NTP servers can produce as many as 200 responses, it is possible to generate a huge volume of traffic this way. In effect, an NTP amplification attack is a UDP flood that does not require a botnet to execute.

Understanding the variety of threats DDoS attacks pose is vital to staying on top of every vulnerability in your Linux systems that could be exposed if you do not protect them.

Historical Examples of Linux DDoS Attacks

Unfortunately, it is not hard to cite examples of DDoS attacks aimed at Linux-powered sites, services, or infrastructure. With so much of the internet relying on Linux, such incidents are almost a given.

Perhaps the best-known recent example was the DDoS attack on Amazon's massive AWS infrastructure in February 2020. It was, at the time, the largest DDoS attack in history, sending a flood of data at 2.3 Tbps toward Amazon's servers. The attacker used a reflection attack, similar to NTP amplification but abusing the Connectionless Lightweight Directory Access Protocol (CLDAP) instead.

Another example happened in July 2022, leveraging a botnet known as Mantis. It was an HTTP flood aimed at over 1,000 customers of Cloudflare, a major internet infrastructure company. The attack was most notable for its ferocity, peaking at an astonishing 26 million requests per second.
In both cases, the attacks did untold financial damage to their targets and prevented legitimate users from reaching hundreds of sites and services for significant periods. For administrators, they also created major headaches: in the aftermath of attacks like these, admins have to review servers from top to bottom and often need to conduct cleanups to get everything running again.

How Can I Mitigate Linux DDoS Attacks?

There are several ways to mitigate the effects of DDoS attacks on a Linux server. The simplest, of course, is to engage a network service provider such as Cloudflare, Akamai, or Imperva to act as a shield in front of your servers. These services have advanced, built-in DDoS detection that can spot and halt attacks before connections ever reach you.

There are also a few things you can do on the Linux servers themselves to blunt the effects of an attack. First, a number of additions to the server's sysctl.conf will help it withstand the most common DDoS attacks. Second, a few simple iptables rules will drop or reject most kinds of malicious traffic, such as:

Block invalid packets:
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

Block non-SYN packets on new connections:
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

Block unusual maximum segment sizes:
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

The three rules above are a good start, but there are plenty of other rules that can help too. The good news is that these settings work just as well on cloud-based Linux deployments, and combined with the protection services mentioned above, you can be reasonably confident that your cloud deployment will weather a DDoS storm.
Major cloud providers like Amazon and Google also offer built-in DDoS mitigation services you can use.

Top Misunderstandings and Misconceptions about DDoS Attacks

Unfortunately, the tech media treats DDoS attacks as a monolithic threat and spreads a good deal of unintentional misinformation about them, which is a big reason so many Linux admins misunderstand the issues they face. The biggest misconception is that DDoS attacks only befall large organizations, because most articles on the subject only discuss service-provider-level victims. In the two attacks described earlier, for example, only Cloudflare and AWS were named as direct targets, yet in both cases hundreds or thousands of their customers were the real targets. Every Linux admin, no matter how small the site or service they run, needs to remain vigilant.

Another major misconception is that deploying an anti-DDoS product is a viable set-it-and-forget-it solution. In most cases, admins still need to know how to deal with a DDoS attack to use such products effectively: while many of them offer automated mitigation, there will always be a need for admins to take direct control and guide the response to an attack.

Open-Source DDoS Mitigation Tools for Defense

Although plenty of commercial DDoS mitigation solutions are available, it is a safe bet that most Linux admins would prefer to keep their stack as open-source as possible. To help, here are three excellent open-source DDoS mitigation tools for Linux:

Switchblade

Formerly known as the OWASP HTTP POST tool, Switchblade is an open-source utility that lets Linux admins simulate various DDoS attack types against their own systems.
It is an excellent way to see whether your defensive measures work and, if not, to gain insight into the remaining gaps.

NGINX

Although primarily known as a web server and reverse proxy, NGINX also works well as an open-source DDoS defense, and there is voluminous documentation on configuring it for that purpose.

DDoS Deflate

DDoS Deflate is a suite of shell scripts that gives Linux admins the ability to halt in-progress DDoS attacks. Its features include whitelisting or blacklisting IP ranges, rate-limiting addresses with too many open connections, and more.

Final Thoughts on Preventing Linux DDoS Attacks

The bottom line is that DDoS attacks are an ever-present threat to Linux servers and other connected infrastructure. They are common enough that no server, no matter how insignificant, should go without protection. Fortunately, basic anti-DDoS measures are not hard to implement, and you do not need to be a security professional to safeguard your systems against this threat. Linux admins should not simply set them up and walk away, though; they should stay up to date on emerging attack patterns and types. Combined with the basic preventative measures above, that awareness helps admins avoid future problems and ride out current ones. With care and vigilance, keeping Linux servers safe from DDoS disruption is possible.
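The rate-limiting idea behind DDoS Deflate (flag addresses with too many requests, leave whitelisted ones alone, then block) and the iptables DROP rules from the mitigation section can be combined into a small detector that runs over web-server access logs. This is an added example written for this page, not DDoS Deflate's scripts; the log lines are constructed from documentation address ranges, and the threshold and window are illustrative assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format as written by Apache and nginx: client, identity, user,
# [timestamp], "request", status, size.  Only the client and timestamp are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (client_ip, timestamp) or None for a line that is not in CLF."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FORMAT)


def detect_floods(lines, threshold=20, window_seconds=10, allowlist=frozenset()):
    """Sliding-window rate check per client.  Returns {ip: peak requests seen
    inside any one window} for clients that exceeded the threshold.  Allowlisted
    addresses (monitoring, load balancers) are never flagged."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        if ip in allowlist:
            continue
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that fell out of the window for this client.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def drop_rule(ip: str) -> str:
    """Block rule in the style of the article's iptables examples.  Returned as
    text for an operator to review; this code never executes it."""
    return f"iptables -A INPUT -s {ip} -j DROP"


def sample_log():
    """Constructed access-log lines; 198.51.100.0/24, 203.0.113.0/24 and
    192.0.2.0/24 are documentation ranges, not real hosts."""
    base = datetime(2023, 8, 14, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = [line("198.51.100.2", 30 * i, "/index.html") for i in range(5)]   # normal visitor
    lines += [line("203.0.113.7", i // 5, "/search?q=x") for i in range(30)]  # 30 hits in 6 s
    lines += [line("192.0.2.1", 0, "/healthz") for _ in range(25)]            # monitoring probe
    return lines


if __name__ == "__main__":
    for ip, peak in detect_floods(sample_log(), allowlist={"192.0.2.1"}).items():
        print(f"{ip}: {peak} requests in one window -> {drop_rule(ip)}")
```

Without the allowlist the monitoring probe would be blocked alongside the flood source, which is exactly the kind of mistake the article warns against when it says anti-DDoS tooling still needs an admin guiding it.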

Aug 14, 2023 | Brittany Day