Cyber threats never clock out, and neither do the challenges of staying ahead. For me, OSINT isn't just about gathering data; it's about cutting through the noise to find what truly matters. Searching various sources, dealing with different platforms, and manually cross-referencing information is time-consuming and inefficient. So, I'm constantly on the lookout for tools that simplify the process and put actionable intelligence front and center. ClatScope is one of these. It is a powerful OSINT research tool that efficiently processes large volumes of unstructured data, transforming it into a streamlined and well-organized workflow. Let us explain how ClatScope is changing OSINT and why every security professional needs to have it.

Challenges of Traditional OSINT Research

Traditional Open Source Intelligence (OSINT) research presents numerous unique challenges. The sheer volume of online data available can be daunting; with new information being created at an alarming rate, finding relevant and reliable information may seem impossible. Compounding this issue is its ever-increasing pace: keeping up with it all while remaining accurate over time becomes impossible.

The accuracy and reliability of online sources are also often a top concern. The internet provides both credible and dubious sources, so researchers need to develop skills for distinguishing credible data from disinformation, propaganda, or deliberately deceptive content. Verifying data's authenticity often involves gathering information from multiple independent sources, which may take considerable time and energy. Security researchers like Dancho Danchev have spent years analyzing how OSINT can be used effectively to separate reliable intelligence from misinformation.

How ClatScope Simplifies OSINT Research

Before ClatScope, keeping track of data from various services like Shodan and HaveIBeenPwned meant handling numerous websites separately.
You would have to open several tabs, log in to each service, and then pull the information you need out by hand. It was time-consuming, and scripts or custom tools were often needed to make it all work. For a Linux administrator who was short on time, having to go back and forth to make sure nothing got missed was a pain. This is where ClatScope revolutionizes the process.

ClatScope is a game-changer because it unites all those services through APIs. No more hopping between sites; you can do everything in one interface. With this tool, obtaining the data you need is as easy as setting up some API keys. Then you have one place to extract, process, and visualize your data. Easy, and a massive time-saver. You don't need to write complex scripts or handle unnecessary complications. The tool provides simple, easy-to-follow documentation to walk you through incorporating API keys, and before you know it, you're pulling in data from all manner of sources with ease. It streamlines the whole process, enabling you to focus on what's important: interpreting and acting on the data itself. In short, ClatScope makes what used to be a headache a simple, streamlined process. Give it a try, and see how much simpler your workflow can be.

ClatScope Tool Features

ClatScope is a comprehensive OSINT (Open-Source Intelligence) tool designed for retrieving geolocation, DNS, WHOIS data, phone and email information, data breaches, and more. It now includes 60 powerful OSINT features, making it a versatile tool perfect for investigators, pentesters, or anyone conducting reconnaissance activities. Here are some of its standout features:

IP Address Lookups: Retrieves IP geolocation details, ISP, and region. Performs DNSBL checks to see if an IP is blacklisted.
Phone Number Lookups: Fetches basic phone number details, such as region and carrier, and conducts reverse phone lookups via the Perplexity API.
Email Lookups and Analysis: Checks email validity and the existence of mail exchanger (MX) records, performs data breach checks against Have I Been Pwned (HIBP), and analyzes raw email headers.
Username Searches: Searches across multiple platforms like Facebook, Twitter, Instagram, etc., to see if a username exists.
Domain/Website Lookups: Conducts DNS record queries, WHOIS details retrieval, SSL certificate analysis, and more.
Hudson Rock Lookups: Checks if an infostealer has compromised an email, username, or IP.
Fact Check & Relationship Search: Verifies data accuracy and maps connections between individuals and entities.
Travel Risk Analysis: Evaluates potential security risks based on 40 parameters.
Additional Features: Password strength checking, reverse DNS lookups, person name searches, a settings menu for color scheme customization, and more.

Simplicity and Efficiency

Linux administrators understand the value of simplicity without compromising functionality, and ClatScope excels at exactly that. Its easy interface enables swift navigation through its various features, while its central role as an OSINT hub enables seamless information gathering using API integrations.

API Integrations and Their OSINT Contributions

When you're working with a lot of data, using ClatScope's APIs can make all the difference. You might want to connect to services that can get the data, work with it, and show it without you having to do all the hard work. The documentation is good, so even someone who has never used APIs before can get it up and running quickly.

ClatScope API Integrations for OSINT

Shodan: Allows the search and analysis of internet-connected devices, unveiling potential vulnerabilities and exposed services.
HaveIBeenPwned (HIBP): Checks for compromised email accounts and usernames in data breaches, detailing the nature of each breach.
VirusTotal: Offers malware scanning for files and URLs, with comprehensive reports on detected threats.
Censys: Provides insights into network and system exposure by delivering detailed security and configuration analyses.
Hunter.io: Identifies email addresses linked to specific domains, including source and authority information.
BinaryEdge: Conducts extensive data collection on exposed devices globally, identifying potential cyber threats.
Pulsedive: Delivers threat intelligence by aggregating data from diverse sources to provide in-depth threat context and analysis.
Hudson Rock: Identifies email, username, domain, and IP infections linked to infostealers.
Botometer: Evaluates Twitter/X accounts for automated bot activity.

ClatScope brings together diverse OSINT data sources, making it easier for Linux admins to conduct thorough investigations, identify potential risks, and ensure better network security.

Setting Up API Keys

First, obtain an API key from the service you intend to connect to. Shodan or HaveIBeenPwned will issue you one after you register with them, and ClatScope provides instructions for plugging it into the tool.

Benefits of API Integration

With the help of these APIs, ClatScope facilitates the scanning of vulnerable devices, the detection of compromised accounts, and the proper visualization of data. It conserves time and effort by bringing all these activities under the umbrella of one solution.

Ease of Use and Data Aggregation

The greatest advantage of this approach is its ease of use. There is no need for difficult coding: simply follow the steps outlined in the documentation and insert your API key when prompted. This will not only save you time but also allow you to explore data more deeply without the usual drawbacks inherent in its procurement and processing. It excels at data aggregation from multiple sources, giving an overall picture of the information you're investigating.
From email breaches and social media activity to IP address details and IP address location details, ClatScope gathers this information in an organized, digestible manner. This makes analysis accessible for ethical hackers and pentesters who require extensive reconnaissance work.

ClatScope Is Great for Novices and Experts

One of ClatScope's greatest strengths lies in its ability to benefit both beginners and experts alike. For beginners looking to get involved with pentesting or OSINT, it provides an accessible setup process and clear documentation, helping lower the entry barrier into this field while providing ample guidance that makes complex tasks manageable. It also provides depth and flexibility to advanced users such as ethical hackers and security advocates, offering depth in its analyses while being easy to integrate with various data sources and tailor to complex investigations.

Steps for getting started with ClatScope include the following:

Install ClatScope: Download and install it from its GitHub repository. Installation procedures should be similar to those of other Linux apps and should be well documented on the GitHub page.
Set Up API Keys: The tool guides you through configuring API keys for each service you plan to integrate, so you can easily connect to the data sources that meet your criteria.
Starting Your Investigation: To start your investigation efficiently, ClatScope features an intuitive GUI. Simply input all necessary parameters, select data sources, and let it gather and analyze the collected information, leaving you with an organized format suitable for further analysis or reporting.

Subscription Program

ClatScope's Subscription Program offers ongoing support and updates that include technical assistance, exclusive features, and security patches, ensuring ClatScope remains an effective OSINT tool in your arsenal.
Subscribers gain access to premium features, enhanced customer support, and regular software upgrades that keep the tool aligned with rapidly changing cyber threats.

Engaging with the ClatScope community offers numerous ways to learn and develop while contributing significantly to its advancement. Start by joining official forums or websites such as Reddit or Stack Overflow, where you can join discussions, exchange knowledge, and provide solutions (or request them). Attending meetups, webinars, and online hackathons announced via social media and mailing lists is likewise beneficial. Creating tutorials or guides and contributing to shared knowledge repositories are highly appreciated as a way to expand the documentation.

ClatScope also offers a subscription service for users who prefer not to configure API keys manually. Subscribers receive a pre-configured version of ClatScope with API keys included, eliminating the need to set up third-party integrations. This version ensures full functionality, with built-in security measures to prevent unauthorized access. Subscription tiers provide different levels of API access, and new keys are issued monthly.

Other than documentation, ClatScope community members can contribute by suggesting new features to make the tool more functional and user-friendly, translating the application and its documentation for wider release, or reporting bugs with detailed descriptions to assist in fixing problems.

ClatScope: The Future and Its Lasting Impact

The tool is still in development, with constant improvements being made to make it even more efficient. Trend analysis with machine learning, more extensive API support, and automated report generation are some of the features being considered to improve its functionality. These will continue to make intelligence gathering easier, saving security experts time and effort.
ClatScope is a super-effective and user-friendly OSINT tool that simplifies data collection and analysis through an intuitive interface, seamless API integration, and comprehensive data aggregation. Whether you're a Linux administrator, open-source security professional, pentester, or ethical hacker, it provides the tools you need for efficient and detailed intelligence gathering, making it a valuable asset.

Thanks so much to Joshua Clatney for his help and review of this article!

MaK Ulac
As a Linux administrator or security practitioner, you understand DNS's essential role in network security. Attacks and unauthorized access pose threats to DNS connections, so robust security protocols must be implemented to safeguard them. Zero-Trust DNS provides greater security, control, and flexibility over DNS traffic.

Security experts like Bruce Schneier have covered Microsoft's plans to secure Windows DNS with Zero Trust, currently in private preview. However, if you're a Linux user like me, you can still learn and benefit from Microsoft's work. While you're not planning to switch to Windows anytime soon (I would hope!), let's explore what you can learn from this initiative and the practical measures you can take to improve DNS security.

Understanding DNS & Its Importance

The Domain Name System (DNS) is an integral component of internet infrastructure that links domain names (such as example.com) with their associated IP addresses. Operating like a "phone book," DNS converts domain names into the numerical IP addresses that network devices use for communication.

DNS is also a key component of network security, since it helps to detect potential threats or suspicious network activity. DNS logs and queries can aid in the identification of possible security risks, such as DNS spoofing or malware infections. Furthermore, DNS filtering services offer another layer of defense by blocking access to known malicious domains and protecting against known phishing websites.

Why Is DNS Vulnerable to Compromise?

Despite its critical importance, DNS is vulnerable to compromise for the following reasons:

DNS Cache Poisoning: Attackers can manipulate the DNS cache by exploiting vulnerabilities and injecting false information. By poisoning the DNS cache, attackers can redirect users to malicious sites or intercept communications. This can lead to phishing attacks or other cybercrime.
DDoS Attacks: DNS servers are susceptible to Distributed Denial-of-Service (DDoS) attacks, which overwhelm them with massive traffic. This can cause service disruptions and make DNS unavailable, preventing users from accessing websites.
DNS Hijacking: Malicious actors may hijack DNS settings or compromise DNS servers to redirect users to malicious sites. This can be achieved through techniques such as DNS spoofing or tampering with resolver settings. The goal is to trick users into giving up sensitive information or to spread malicious software.
Lack of Encryption: DNS queries and answers are sent in plaintext, which makes them vulnerable to interception and eavesdropping. Attackers can monitor DNS traffic to gather information on the websites users access, compromising their privacy and security.

What Is ZTDNS & How Will Microsoft Use It to Improve DNS Security?

Microsoft plans to enhance the security of Windows DNS with Zero Trust DNS (ZTDNS), a recent initiative addressing long-standing security vulnerabilities associated with DNS. DNS provides translation between human-readable domain names and numerical IP addresses but has long been vulnerable due to a lack of end-to-end encryption and the potential for malicious DNS servers.

Until this point, prioritizing DNS security has typically forced admins to sacrifice visibility into network traffic. Admins have had to choose between unencrypted (and unprotected) DNS with monitoring capabilities, or encrypted DNS that impedes monitoring and control. By integrating the Windows DNS engine and Windows Firewall directly on client devices, Microsoft's ZTDNS seeks to help admins overcome this problem and achieve security, visibility, and control simultaneously.

How Does ZTDNS Work?

ZTDNS blocks all outbound connections from a client device to IP addresses except those of protected DNS servers and necessary network services like DHCP and NDP.
Any IP address resolved through the protected DNS servers triggers an exception in the firewall to allow outbound connections, effectively tying domain name resolutions to permitted IP addresses. Optionally, administrators can use client certificates to enforce DNS resolution policies, enhancing security for remote or mobile device management.

ZTDNS operates under the Zero-Trust principle, which assumes all traffic is forbidden unless explicitly allowed. By default, it blocks outbound connections to any DNS server other than the approved protective ones. ZTDNS doesn't introduce new network protocols but works seamlessly with either DNS over HTTPS (DoH) or DNS over TLS (DoT), offering significant network security advantages while remaining compatible with both protocols.

ZTDNS offers encrypted and authenticated connections between end-user clients and DNS servers, allowing administrators to securely limit the domains these servers can resolve. By integrating the Windows DNS engine with its filtering platform, ZTDNS provides organizations with an effective means to control and secure DNS traffic in Windows networks.

Challenges & Considerations

Although ZTDNS offers significant protection benefits, successful implementation may require extensive testing and organizational changes for optimal use. It is crucial to remember that ZTDNS is a DNS query encryption solution that reduces the visibility of DNS queries; this is compensated for by providing endpoints with policy-enforced DNS resolution. Organizations must test their ZTDNS network configurations to ensure compatibility, functionality, and security. They will also need to adapt their operational and security practices.

How Can Linux Users Improve DNS Security?

While Linux users cannot directly benefit from Microsoft's ZTDNS initiative, Microsoft's recent efforts to lock down Windows DNS with ZTDNS underscore the importance of prioritizing robust DNS security regardless of the OS you use.
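Before turning to Linux-specific measures, the default-deny behaviour of ZTDNS described above can be made concrete with a small model. This is an added illustration written for this article, not Microsoft's code: the class name ZtdnsPolicy, the resolver and service addresses, and the TTLs are all constructed, and it assumes PHP 8.0 or later.

```php
<?php
// Added example (not Microsoft's code, not from the article): a model of the
// ZTDNS policy. Outbound traffic is denied by default; the only standing
// exceptions are the protective DNS servers and essential network services
// (DHCP, NDP), and any other IP becomes reachable only after a protective
// resolver returned it, for as long as that answer's TTL lasts.
// All addresses and TTLs below are constructed sample data.
declare(strict_types=1);

final class ZtdnsPolicy
{
    /** @var array<string, int> resolved IP => expiry timestamp */
    private array $allowedUntil = [];

    /**
     * @param string[] $protectiveResolvers IPs of the approved DNS servers
     * @param string[] $essentialServices   IPs the client always needs (DHCP, NDP, ...)
     */
    public function __construct(
        private array $protectiveResolvers,
        private array $essentialServices = [],
    ) {}

    /**
     * Record an answer from a resolver. Answers from anything other than a
     * protective resolver are ignored, so a rogue or unsanctioned DNS server
     * can never open a firewall exception.
     */
    public function recordAnswer(string $resolverIp, string $answerIp, int $ttl, int $now): bool
    {
        if (!in_array($resolverIp, $this->protectiveResolvers, true)) {
            return false;
        }
        $this->allowedUntil[$answerIp] = max($this->allowedUntil[$answerIp] ?? 0, $now + $ttl);
        return true;
    }

    /** Default deny: only resolvers, essential services and live DNS answers pass. */
    public function isAllowed(string $destIp, int $now): bool
    {
        if (in_array($destIp, $this->protectiveResolvers, true)
            || in_array($destIp, $this->essentialServices, true)) {
            return true;
        }
        $expiry = $this->allowedUntil[$destIp] ?? null;
        if ($expiry === null) {
            return false;
        }
        if ($expiry <= $now) {
            unset($this->allowedUntil[$destIp]);   // the answer expired with its TTL
            return false;
        }
        return true;
    }
}

// Constructed scenario: one protective resolver, one DHCP server, two answers.
$policy = new ZtdnsPolicy(['192.0.2.53'], ['192.0.2.1']);
$now = 1_700_000_000;

$policy->recordAnswer('192.0.2.53', '198.51.100.10', 300, $now);   // sanctioned answer
$policy->recordAnswer('203.0.113.99', '198.51.100.66', 300, $now); // rogue resolver: ignored

$checks = [
    'protective resolver reachable' => $policy->isAllowed('192.0.2.53', $now),
    'DHCP server reachable'         => $policy->isAllowed('192.0.2.1', $now),
    'resolved host reachable'       => $policy->isAllowed('198.51.100.10', $now),
    'rogue-resolved host reachable' => $policy->isAllowed('198.51.100.66', $now),
    'unresolved host reachable'     => $policy->isAllowed('198.51.100.20', $now),
    'resolved host after TTL'       => $policy->isAllowed('198.51.100.10', $now + 301),
];
foreach ($checks as $label => $allowed) {
    printf("%-32s %s\n", $label . ':', $allowed ? 'ALLOW' : 'DENY');
}
```

Only the first three checks print ALLOW; the rogue answer, the never-resolved host, and the expired answer are all denied, which is the property that makes the resolver the single point of policy.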
To maximize DNS security in Linux environments, administrators can implement several best practices and practical measures:

Implement DNSSEC (Domain Name System Security Extensions): DNSSEC adds cryptographic signatures to DNS data to verify its authenticity and integrity, thus decreasing the risks of DNS spoofing and cache poisoning attacks.
Use DNS Filtering: Deploy a DNS firewall or filtering solution to block access to malicious domains, block communication with known malicious IP addresses, and filter out any unauthorized DNS queries.
Regular Patching and Updates: Ensure the DNS software and server remain up to date with the latest security patches to address vulnerabilities that attackers could exploit.
Restrict Zone Transfers: Limit zone transfers to authorized DNS servers and networks to prevent attackers from obtaining DNS data they could use for reconnaissance.
Utilize DNS Logging and Monitoring: Enable DNS query logging and monitoring to detect abnormal or suspicious DNS activity, such as high volumes of failed or unusual queries that could signal an attack.
Implement a Split DNS Architecture: A split DNS architecture ensures internal DNS records do not appear on external networks, reducing the attack surface.
Enable Response Rate Limiting (RRL): To prevent DNS amplification and DDoS attacks, configure RRL on DNS servers to limit how often they answer identical queries.
Strengthen Access Control and Authentication: Employ robust access control and authentication mechanisms to restrict access to DNS servers and ensure that only authorized personnel can modify DNS records or configurations.
Regular Security Audits and Testing: Conduct regular security audits and vulnerability assessments on your DNS infrastructure to detect weaknesses or misconfigurations that attackers could exploit.
Back-Up and Recovery Planning: Establish comprehensive backup and recovery procedures to safeguard DNS data in case of compromise or data loss.

By implementing these best practices, Linux admins can significantly strengthen DNS security and reduce the risks related to DNS-based attacks.

Our Final Thoughts on the Importance of Linux DNS Security

The critical importance of DNS security cannot be overlooked on any OS, and Microsoft's efforts to secure Windows DNS with Zero-Trust DNS (ZTDNS) demonstrate the tech giant's recognition of this. Although Linux users cannot directly benefit from this initiative, there are practical measures and best practices they should adopt to strengthen DNS security in Linux environments, such as implementing DNSSEC, using DNS filtering, regular patching and updates, and conducting security audits. By prioritizing DNS security and following these practices, Linux admins can mitigate the risks associated with DNS-based attacks and fortify their network infrastructure.

Brittany Day
Running PHP on a Linux web server is a prerequisite for many popular applications such as WordPress, Joomla and Drupal. Linux administrators and web developers must approach PHP with caution, as new vulnerabilities in poorly written and implemented PHP code are abundant and dangerous.

In a recent security incident, hackers were able to add a backdoor to the PHP source code. Although the backdoor mechanism was discovered before it made it into production, the incident serves as the latest reminder of the importance of prioritizing PHP security.

PHP security is inextricably tied to web server security. Because the popular open-source server-side scripting language is often paired with MySQL, a PHP compromise can mean a compromise of the accompanying MySQL database, as well as any web applications running on the web server. This article will examine how you can configure and run PHP securely to mitigate the risk of attacks and compromise, secure web applications, protect user privacy and maintain a secure and properly functioning Linux web server.

PHP Vulnerabilities Carry Great Risk for Admins

Vulnerabilities in PHP code are a prevalent and serious threat to web server administrators and web application developers. These flaws are often introduced when developers are writing code, either through a mistake or an inability to anticipate malicious hackers' ever-evolving techniques. A plethora of vulnerabilities exist in the PHP core, with new security bugs being discovered each month.

On March 28, 2021, hackers breached the internal PHP Git repository and inserted a backdoor into the PHP source code. Luckily, the malicious code was discovered by Michael Voříšek before it made it into production, and the hack led the PHP team to move source code management operations from its internal Git server to its official GitHub account, which will serve as PHP's official Git repository going forward.
In another PHP security incident that occurred less than three years ago and has yet to be explained today, hackers compromised the official PHP PEAR extensions website and hosted a backdoored version of the PHP PEAR package manager for almost six months.

PHP vulnerabilities can be exploited by attackers to spread malware and take control of hundreds of thousands of web servers in botnets. In one such instance this past year, the infamous hackers-for-hire group DarkCrewFriends resurfaced with a dangerous botnet strategy exploiting an unrestricted file upload vulnerability to compromise PHP servers running websites. In another malicious campaign a year prior, the Neutrino botnet was discovered hijacking servers by taking over other hackers' PHP and Java web shells to install cryptocurrency-mining malware.

To help you better understand the threats that your web servers and web applications face, let's take a look at some of the most notorious types of PHP vulnerabilities.

A Quick Look at the Most Common & Dangerous Types of PHP Vulnerabilities Threatening Your Web Servers

Remote Code Execution (RCE)

In this type of vulnerability, a bug in a PHP application accepts user input and evaluates it as PHP code, enabling an attacker to upload code to a website and execute it. This could, for example, allow a malicious actor to tell the website to create a new file containing code that gives him or her full access to the compromised website. RCE vulnerabilities are very serious because they are easy to exploit and grant an attacker full access when exploited.

SQL Injection (SQLi)

SQL injection (SQLi) occurs when a hacker is able to send instructions to a database and the database executes those instructions. This type of vulnerability occurs when a PHP developer takes input from a website visitor and passes it to the database without checking it for malicious content.
SQLi vulnerabilities are very serious because they are easy to exploit and often grant full access immediately.

Cross-Site Scripting (XSS)

Cross-site scripting (XSS) takes place when an attacker causes malicious code to load and execute in a website visitor's browser. This code often steals user cookies to grant the attacker administrative-level access, or performs functions as the user to grant additional access.

Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) describes a scenario in which a user is tricked into issuing a request that is not in his or her best interest. For instance, an attacker may create a link and trick an administrator into clicking on it, causing the site to take a certain action such as creating a new 'admin' user with a known password. A critical WordPress vulnerability fixed in November 2020 left servers vulnerable to a variety of attacks, including cross-site request forgery and cross-site scripting.

Authentication Bypass

This type of vulnerability is introduced through incorrect validation that a site visitor has the access level required to take a certain action. For example, a developer may wrongly use a function called is_admin(), which is designed to indicate whether someone is viewing an admin page, to try to validate that someone is an administrator, mistakenly granting non-admin users access to features that only administrators should have.

PHP Object Injection

PHP object injection is a complex attack that occurs when a PHP application takes user input and passes it to the unserialize() function, which takes a stored object and turns it into an object in memory. This type of vulnerability occurs when a developer allows user input to be used in an unsafe way within a PHP application. The unserialize() function must be approached with extreme caution, as it is commonly exploited by attackers.
PHP 7 includes a filtered unserialize feature designed to mitigate the impact of code injection vulnerabilities by requiring that developers specify the classes that are safe to unserialize. However, it is critical to keep in mind that even with this improvement, passing untrusted input to unserialize() is never safe.

Remote File Inclusion (RFI) & Local File Inclusion (LFI)

Remote file inclusion (RFI) and local file inclusion (LFI) take place when a PHP application takes user input and passes it to a function designed to load a file. The inclusion of a remote file via a URL is known as Remote File Inclusion (RFI), while the inclusion of a local file via a URL is known as Local File Inclusion (LFI). LFI is often the method an attacker employs to gain access to a WordPress website's wp-config.php file.

Source Code Revelation

This type of vulnerability has to do with people being able to see the names and contents of files that they shouldn't be able to view, due to a breakdown of the web server's configuration. The code revealed in this type of vulnerability may list accessible configuration files or contain sensitive information such as database credentials.

Session Hijacking

Session hijacking occurs when a malicious actor steals a user's session ID. When a session is set up between a client and a web server, PHP stores the session ID in a cookie on the client side. Anyone who can send that ID with a page request gains access to the session, potentially resulting in session hijacking. Session IDs are commonly stolen via XSS attacks, and can also be vulnerable server-side through the use of hosting services that store session information in globally accessible directories. Vulnerabilities in Apache versions 2.4.33-1 and prior, which have since been fixed upstream, left web servers susceptible to session hijacking and an array of other dangerous exploits.
Directory Traversal

Directory traversal targets vulnerable websites and causes files to be accessed that the owner did not plan on making publicly accessible. It is also referred to as the ../ (dot, dot, slash) attack, the climbing attack, or the backtracking attack.

Tracking advisories is critical in preventing all of these prevalent and serious types of PHP vulnerabilities. Subscribing to our weekly Linux Advisory Watch newsletter is an easy, convenient way to stay up to date on the latest advisories and updates issued by your Linux distro. In addition to tracking advisories, we recommend that web server administrators implement the ModSecurity web application firewall (WAF), which can provide another line of defense against the attacks listed above. The open-source, cross-platform WAF has a robust event-based programming language and allows for HTTP traffic monitoring, logging and real-time analysis.

Best Practices for Improving PHP Security

The majority of attacks on Linux web servers can be attributed to misconfigurations and poor administration. Thus, it is essential that administrators configure their web servers to be as secure as is practical within the constraints of their environment. The Open Web Application Security Project (OWASP), a nonprofit foundation we trust and admire that works to improve the security of software through community-led open-source projects, suggests that administrators and developers implement its secure PHP configuration recommendations to protect their web servers against dangerous PHP vulnerabilities and prevent attacks. LinuxSecurity.com PHP security experts Brittany Day and Dave Wreski have additional tips and advice for improving PHP security, which we will explore in this section.

Our Top PHP Security Tips & Advice

Update Your PHP Version and Modules Regularly

It is critically important that administrators and developers update their PHP version and modules regularly.
With the support of the open-source community behind PHP, patches and bug fixes for vulnerabilities are released frequently, and newer versions of PHP and its modules often contain mitigations for known security issues that malicious hackers could exploit. As of January 2022, the stable release of PHP is version 8.1.1, from December 2021. It should be noted that when PHP is being used in a hosting environment, users may not be able to update their PHP version. In such scenarios, users must be especially careful and vigilant. They should also explore potential workarounds and demand that their hosting provider update PHP at the earliest opportunity.

Restrict PHP Information Leakage

The unfortunate reality is that it is common for platforms to leak sensitive information, and PHP is no exception. For example, PHP reveals its version, and the fact that it is installed on a server at all, through the expose_php directive. To prevent the leakage of this sensitive data, administrators should set this directive to Off in /etc/php.d/security.ini:

expose_php=Off

Control File System Access

By default, PHP can open files anywhere on the file system using functions like fopen(); the open_basedir directive restricts the directories it may access. To control file access and prevent security issues, open_basedir should always be set to the /var/www/html directory:

open_basedir="/var/www/html/"

Disable Remote Code Execution (RCE)

In PHP, remote code execution is enabled by default. The allow_url_fopen directive allows functions including require, include, and the URL-aware fopen wrappers to obtain direct access to remote PHP files. Remote access can be obtained using the HTTP and FTP protocols, leaving the system defenseless against code injection vulnerabilities. To protect against these types of exploits, administrators should disable remote code execution by setting the allow_url_fopen directive to Off.
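As an added example (not from the article), the following PHP script audits the running configuration against the directives recommended in this section, plus the disable_functions list from the next one. The expected open_basedir value and the function list are assumptions taken from this article's recommendations; run it under the same SAPI you want to check, since the CLI and web SAPIs can load different ini files.

```php
<?php
// Added example (not from the article): audit the running PHP configuration
// against the hardening directives this article recommends. The expected
// open_basedir and the list of functions to disable are assumptions taken
// from the article's own recommendations; adjust them for your deployment.
declare(strict_types=1);

/** Interpret the textual forms PHP accepts for a boolean ini value. */
function iniIsOn(string $value): bool
{
    $normalized = strtolower(trim($value));
    return in_array($normalized, ['1', 'on', 'true', 'yes'], true);
}

/**
 * Return one finding per recommendation that is not met.
 * An empty array means every checked directive is in its hardened state.
 */
function auditPhpHardening(
    string $expectedBaseDir = '/var/www/html/',
    array $mustBeDisabled = [
        'exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen',
        'curl_exec', 'curl_multi_exec', 'parse_ini_file', 'show_source',
    ]
): array {
    $findings = [];

    // expose_php=Off stops PHP from advertising its presence and version.
    if (iniIsOn((string) ini_get('expose_php'))) {
        $findings[] = 'expose_php is On; set expose_php=Off to stop version leakage';
    }

    // open_basedir restricts which directories PHP may open files from.
    $baseDir = (string) ini_get('open_basedir');
    if ($baseDir === '') {
        $findings[] = 'open_basedir is unset; PHP may read files anywhere on the system';
    } elseif (rtrim($baseDir, '/') !== rtrim($expectedBaseDir, '/')) {
        $findings[] = "open_basedir is '$baseDir', expected '$expectedBaseDir'";
    }

    // allow_url_fopen=Off blocks include/require/fopen of remote URLs.
    if (iniIsOn((string) ini_get('allow_url_fopen'))) {
        $findings[] = 'allow_url_fopen is On; set allow_url_fopen=Off to block remote file access';
    }

    // disable_functions is a comma-separated list; tolerate whitespace around names.
    $disabled = array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions'))));
    $missing = array_diff($mustBeDisabled, $disabled);
    if ($missing !== []) {
        $findings[] = 'disable_functions is missing: ' . implode(', ', $missing);
    }

    return $findings;
}

$findings = auditPhpHardening();
if ($findings === []) {
    echo "All checked PHP hardening directives are in place.\n";
    exit(0);
}
foreach ($findings as $finding) {
    echo "[!] $finding\n";
}
exit(1);   // non-zero exit so the check can gate a deployment pipeline
```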
Disable Dangerous PHP Functions & Get Rid of Unnecessary Modules

PHP comes with a selection of useful functions, but it is also plagued with functions that can be exploited by attackers and should be disabled. To disable these dangerous functions, administrators must edit the php.ini file. In this file, they should find the disable_functions directive and list the dangerous functions in it:

disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

PHP also comes with an array of excellent modules; however, not all modules are required for every project. In PHP, all the extension modules found in the /etc/php.d/ directory are loaded by default. Administrators should get rid of all modules that are not currently required, as doing so will improve both security and performance. To view available PHP modules, use the command:

php -m

Once you have this list, you will be able to get rid of all unnecessary modules. To enable or disable a particular module, simply find its configuration file in the /etc/php.d/ directory and comment out the module name.

Scan PHP Scripts & Audit PHP Code for Security Vulnerabilities

Scanning PHP scripts and auditing PHP code is essential in identifying and fixing potential security vulnerabilities before they are exploited by attackers. There is a plethora of excellent free and open-source tools and utilities available to assist Linux users in this process. Here are some of our favorites:

Phpcs-security-audit is a set of customizable PHP_CodeSniffer rules that identifies security vulnerabilities and weaknesses in PHP code. The tool checks for CVE issues and security advisories related to the CMS/framework, enabling administrators to follow the versioning of components during static code analysis.
SensioLabs Security Checker is a command line tool that checks if an application uses dependencies with known security vulnerabilities using the Security Check Web service and the Security Advisories Database.

Suhosin is an advanced security system for PHP installations designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core.

PHP Malware Finder (PMF) is a self-hosted solution designed to help administrators and developers identify potentially malicious code in files. Detection is performed by crawling the filesystem and testing files against a set of YARA rules.

RIPS is a PHP static code analysis tool that is integrated throughout the development lifecycle to identify security issues in real time. The tool supports 15 different types of vulnerabilities and is able to scan PHP applications very rapidly for PHP-specific vulnerabilities.

SonarPHP is a static code analyzer that uses pattern matching and data flow techniques to identify vulnerabilities in PHP code. It is used as an extension for the SonarQube platform and features over 200 rules, along with support for custom rules.

Dependency-check-cli is a great tool from OWASP that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the scanned project dependencies. The tool will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerabilities and Exposures (CVE) entries.

PHP Secure Configuration Checker is a single file that checks a current PHP configuration for potential security flaws. It is user-friendly and has almost no dependencies.

The Bottom Line

PHP offers web server administrators and web application developers an array of valuable functions and modules paired with robust security inside and out, a characteristic that can largely be attributed to the support that PHP receives from the vibrant, global open-source community.
However, PHP security is ultimately in the hands of the administrator. He or she must make sure code is written properly, the proper configurations have been made and that the best practices covered in this article are being implemented. PHP security should be a primary concern for administrators and developers, as it is inextricably tied to the security of a web server as a whole. Sound PHP security can help mitigate the risk of attacks and compromise, secure web applications, protect user privacy and maintain a secure and properly functioning Linux web server.
Hi, and welcome back to another edition of Hacks From Pax. Today we'll discuss hardening Linux servers by scanning for unnecessarily open network ports, and we'll show you how to automate port scanning so you can easily monitor your network for vulnerabilities.

Portscanning, for the uninitiated, involves sending connection requests to a remote host to determine what ports are open for connections and possibly what services they are exporting. Portscanning is the first step a hacker will take when attempting to penetrate your system, so you should be preemptively scanning your own servers and networks to discover vulnerabilities before someone unfriendly gets there first. Any open ports that are unnecessary for proper system operation should be closed. Every open port is a possible access point for an unauthorized user, and every service accepting connections from the world could have a vulnerability. Even if you are diligent about applying patches, any unnecessarily running service is still a window an attacker could possibly climb through.

One way of viewing open ports on your Linux system is with the netstat command. Issue the command netstat --inet -a to view both your established connections and open listening network ports. This command reads from your /etc/services file to determine the service name for a given port number, so seeing *:www under the Local Address heading indicates your server's port 80 is open and listening, not that there is necessarily a webserver running on that port. You should check the list and ensure that the servers listening are indeed desired, and if they are not, they should be disabled. For example, this output shows me that my system is accepting connections on the ports for www, ssh, smtp and https.
[root@frylock /root]# netstat --inet -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 *:https                 *:*                     LISTEN

The best way of viewing open ports on a remote server is to use the nmap network scanning tool. It's recommended to use nmap from a system that is outside any firewall protecting your network, since the goal is to determine what network ports are visible and listening from a hypothetical attacker's point of view. Running the command nmap -vv -sS 192.168.1.1 would perform a SYN scan of only the common ports on the given IP address.

[root@frylock ~]# nmap -vv -sS 192.168.1.65

Starting nmap 3.81 ( https://nmap.org/ ) at 2005-07-02 13:17 EDT
Initiating SYN Stealth Scan against meatwad.linuxsecurity.com (192.168.1.65) [1663 ports] at 13:17
Discovered open port 22/tcp on 192.168.1.65
Discovered open port 25/tcp on 192.168.1.65
Discovered open port 443/tcp on 192.168.1.65
Discovered open port 80/tcp on 192.168.1.65
Discovered open port 1022/tcp on 192.168.1.65
Discovered open port 8080/tcp on 192.168.1.65
The SYN Stealth Scan took 0.24s to scan 1663 total ports.
Host meatwad.linuxsecurity.com (192.168.1.65) appears to be up ... good.
Interesting ports on meatwad.linuxsecurity.com (192.168.1.65):
(The 1657 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
1022/tcp open  unknown
8080/tcp open  http-proxy
MAC Address: 00:03:47:EF:42:42 (Intel)

Nmap finished: 1 IP address (1 host up) scanned in 0.514 seconds
               Raw packets sent: 1665 (66.6KB) | Rcvd: 1670 (76.9KB)

We can see that ports 22, 25, 80, 443, 1022 and 8080 are open and accepting connections. If we aren't using one or more of these services, the unused ones should be disabled to lessen our security liabilities.
This scan operates by sending a single SYN packet to each port and listening for a returned SYN|ACK, which indicates an open port. Consult the nmap website for further information on the particulars of nmap usage. Nmap is an indispensable security tool that you should make a place for in your sysadmin toolbox.

Nmap can be very useful for determining the outward-facing open ports on your network when you remember to check, but with a little perl magic it can be useful for keeping an ongoing eye on your network as well. I've written a perl utility called NetDiff that scans a given network or multiple networks with nmap, stores the results in a database and then invokes diff on the result set to find newly opened and closed ports on a daily basis. NetDiff will also detect any systems newly added to or removed from the network, which can be useful for spotting, for example, that rogue wireless access point surreptitiously plugged into your network by the marketing department. NetDiff packages and documentation can be found on ftp.engardelinux.org. For those running EnGarde Secure Linux, I've written a WebTool module and packaged NetDiff rpm packages so you can simply install the packages and their required prerequisites and then configure your networks and later view the reports from within the EnGarde WebTool environment.

NetDiff reports will display any network changes in a diff-style format, prepending newly added lines with a '+' and removed lines with a '-'. For example, in the following NetDiff report we can see that the host at 192.168.42.64 was disconnected since the last scan, a host at 192.168.42.127 was connected, and a telnet service was started on 192.168.42.1. Investigating these results against preplanned administration work is an exercise for the sysadmin reading the report. Perhaps the telnet port was opened for a reason, but perhaps a hacker has penetrated that system and opened the port for nefarious purposes.
#
# NetDiff Report
#
# Networks scanned :
# 192.168.42.0/24
#
# Last scan completed : 2005-07-03 02:05:43
# Scan started        : 2005-07-04 01:00:01
# Scan completed      : 2005-07-04 02:06:31
# Hosts Scanned/Found : 35/35
#
192.168.42.64 ** MISSING **
192.168.42.64 ** CHANGED **
-192.168.42.64 Status up
-192.168.42.64 Extra Ports filtered 1662
-192.168.42.64 Port 80 http closed table 3
----------------------------------------------------------------------------
192.168.42.127 ** NEW HOST **
192.168.42.127 ** CHANGED **
+192.168.42.127 Status up
+192.168.42.127 Extra Ports filtered 1662
+192.168.42.127 Port 80 http closed table 3
----------------------------------------------------------------------------
192.168.42.1 ** CHANGED **
-192.168.42.1 Extra Ports closed 1663
+192.168.42.1 Extra Ports closed 1662
+192.168.42.1 Port 23 telnet open table 3
----------------------------------------------------------------------------

Setting up NetDiff to run daily will allow you a quick and easy way to view your recent network changes. Discovering a newly opened port on your network can be a telltale sign of a hacker's penetration or simply another sysadmin's mistake, but you'll know about it immediately and can take action to investigate the offending port and server. No scanning or reporting tool can replace a competent sysadmin, but a good reporting tool can guide a sysadmin towards anomalies on his or her network that require further sleuthing.

Until next time, stay secure, and know your network like the back of your hand. I'll see you again soon, in the next episode of Hacks From Pax.

--

Pax Dickinson has over ten years of experience in systems administration and software development on a wide variety of hardware and software platforms. He is currently employed by Guardian Digital as a systems programmer where he develops and implements security solutions using EnGarde Secure Linux.
His experience includes UNIX and Windows systems engineering and support at Prudential Insurance, Guardian Life Insurance, Philips Electronics and a wide variety of small business consulting roles.
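The core of what NetDiff does, comparing two nightly nmap runs and flagging hosts that appeared or vanished and ports that opened or closed, is small enough to show in full. The following is an added example written for this article in Python rather than Pax's perl; it is not NetDiff itself, it keeps no database, and its report lines are a simplified version of the format above. It assumes the verbose output format of the nmap 3.x run shown earlier ("Discovered open port ..." and "Host ... appears to be up" lines); the two scan transcripts are constructed to reproduce the changes in the report above.

```python
"""Diff two nmap scans NetDiff-style: new and missing hosts, opened and closed ports.

Added example for this article, written in Python rather than Pax's perl; it is
not NetDiff itself and uses a simplified report format. It assumes the verbose
output format of the nmap 3.x run shown above ("Discovered open port ..." and
"Host ... appears to be up" lines); newer nmap releases print different lines.
"""
import re

OPEN_PORT_RE = re.compile(r"Discovered open port (\d+)/(tcp|udp) on (\d+\.\d+\.\d+\.\d+)")
HOST_UP_RE = re.compile(r"Host (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)? appears to be up")


def parse_nmap_verbose(text):
    """Return {ip: {'port/proto', ...}} for every host nmap reported up.

    A host that is up with no open ports still appears, with an empty set,
    so that it is not mistaken for a missing host in the diff.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_UP_RE.search(line)
        if m:
            hosts.setdefault(m.group(1), set())
            continue
        m = OPEN_PORT_RE.search(line)
        if m:
            hosts.setdefault(m.group(3), set()).add(f"{m.group(1)}/{m.group(2)}")
    return hosts


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def _port_key(port):
    return int(port.split("/")[0])


def netdiff(previous, current):
    """Compare two parsed scans; return report lines in the '+' / '-' style of
    NetDiff: hosts that vanished or appeared, then per-host port changes."""
    report = []
    for ip in sorted(set(previous) | set(current), key=_ip_key):
        before, after = previous.get(ip), current.get(ip)
        if after is None:
            report.append(f"{ip} ** MISSING **")
            report += [f"-{ip} Port {p} open" for p in sorted(before, key=_port_key)]
        elif before is None:
            report.append(f"{ip} ** NEW HOST **")
            report += [f"+{ip} Port {p} open" for p in sorted(after, key=_port_key)]
        elif before != after:
            report.append(f"{ip} ** CHANGED **")
            report += [f"-{ip} Port {p} open" for p in sorted(before - after, key=_port_key)]
            report += [f"+{ip} Port {p} open" for p in sorted(after - before, key=_port_key)]
    return report


# Constructed scan output for two consecutive nights, mirroring the changes in
# the NetDiff report above: .64 disappears, .127 appears, telnet opens on .1.
YESTERDAY = """\
Discovered open port 22/tcp on 192.168.42.1
Host 192.168.42.1 appears to be up ... good.
Discovered open port 80/tcp on 192.168.42.64
Host 192.168.42.64 appears to be up ... good.
"""

TODAY = """\
Discovered open port 22/tcp on 192.168.42.1
Discovered open port 23/tcp on 192.168.42.1
Host 192.168.42.1 appears to be up ... good.
Discovered open port 80/tcp on 192.168.42.127
Host 192.168.42.127 appears to be up ... good.
"""


def daily_report(previous_text=YESTERDAY, current_text=TODAY):
    """Parse both scans and produce the diff report."""
    return netdiff(parse_nmap_verbose(previous_text), parse_nmap_verbose(current_text))


if __name__ == "__main__":
    print("\n".join(daily_report()))
```

Run nightly from cron with each scan's output saved to a dated file, feed the last two files to daily_report(), and mail the result only when it is non-empty; an empty report means nothing on the network changed, which is the quiet you want most days.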
This article outlines the importance of monitoring vendor advisories and applying appropriate software patches when necessary. It uses the Ramen epidemic as an example showing the possible effects of poor system administration.

Whether you're a security professional, system administrator, or average Linux user, you've probably already heard many of the stories surrounding the recent outbreak of the Ramen worm. If you haven't heard the details, or would like an overview of the specifics, you may want to skip down to the middle of this paper. I have answered some of the most common questions and provided specific information on how to prevent and disable the worm as well as how it works. Ramen does not only exploit vulnerabilities in wu-ftpd, nfs, and LPRng; it takes advantage of lazy/inattentive/irresponsible/naive system administrators. In this paper I answer many questions. What actually enabled the Ramen worm to be so successful? Who's responsible? What knowledge can we take from this situation?

Maintaining a secure network can be broken up into 4 abstract parts:

1. Know your system
2. Be proactive
3. Update when necessary
4. Educate yourself

Know your system - One of the most important factors of maintaining a system is knowing what you have. This often means reading documentation completely before installing, understanding all configuration options, and being aware of any risk that a particular package may incur. If you do not have a specific need for a package or service, then by all means remove it. Packages just lying around should be considered a threat and removed immediately. An administrator should be aware of all executables, configuration files, processes, users, and normal system operation. Know your system intimately! The Ramen worm is a great example showing how package negligence can lead to vulnerabilities. This particular worm attacks nfs, wu-ftpd, and LPRng, but it might as well have been a samba exploit in the general case.
The specific vulnerable packages do not matter; it is the attitude of the administrator. I would be willing to bet that in most cases where there was a compromise, the vulnerable services were not in use. Most users install Linux using an "out-of-the-box" configuration, leaving the door wide open to compromise. Most distributions require a small bit of configuration before actually being ready for the Internet. Too often, unskilled users put boxes up not knowing what kind of significant effect it can have. This is a problem that will continue until vendors put more emphasis on a secure default configuration. Many times users will ignore warnings given simply because they do not maintain a high-profile server or have a connection faster than dialup, cable, or DSL. Proper precautions should still be taken because privately owned systems are often used as stepping stones to attack larger servers. By not updating regularly, you are contributing to the problem.

Be proactive - Having a cut-down Linux box is a good first step, but that does not eliminate the problem. It is necessary to monitor vendor advisories from the packages and distributions that you are using. Again, knowing your system is helpful. What packages do you have installed? Many system administrators have trouble managing advisories, keeping up with the lists, and following through. We have tried to make this process easier for you. For those of you who are not aware, we release a weekly vulnerability newsletter, "Linux Advisory Watch." Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

Update when necessary - If no steps are taken to fix known problems, then the system is still vulnerable. Often, administrators will read new vendor advisories, but then get distracted performing other tasks.
The system then sits idle and remains vulnerable until a new release of the distribution is installed. The process repeats itself. Advisories are often numerous and annoying. This is why it is necessary to have the minimum amount of packages installed. It should be your sole purpose in life to make sure that vulnerable packages are patched as soon as an advisory is released. If you are/were vulnerable to the Ramen worm, a general updating scheme could have eliminated that risk. Advisories dating back to June 2000 provided fixes to today's Ramen worm problem. Whose fault is that? If not this time, it will be the next. Staying current is extremely important.

At times there may be situations when a patch is not available and you want to limit the impact of a vulnerability that may arise. Something as simple as:

ipchains -A input -i eth0 -p tcp -s 0/0 -d 192.168.1.1 21 -j DENY
ipchains -A input -i eth0 -p tcp -s 0/0 -d 192.168.1.1 23 -j DENY

can be used to restrict access to telnet and ftp from the external interface. Although beyond the scope of this paper, ipchains should play an important role in your configuration.

Educate yourself - When you have time on your hands, it can be best spent reading articles and white papers that describe how to build and maintain secure networks. Where can you find good papers? Each week, in the "Linux Security Week" newsletter, LinuxSecurity.com outlines the best two or three articles/papers released. An archive of releases can be found here: LinuxSecurity News. Education will help you avoid falling into problems that other people have faced. Security requires experience and often a bit of creativity.

What else can be done? Testing your system often reveals vulnerabilities that you may not have been aware of. Here is an excellent paper on NMAP that can get you started. Red Hat users may want to consider using up2date (Red Hat Update Agent), a program that initiates an interactive process to easily apply the appropriate RPMs to a system.
The Ramen worm was successful because of a few factors.

Lack of system knowledge - Systems are installed using all default values, not giving the configuration any thought.
Passive administrators - Advisories are not monitored and taken into consideration.
Failure to see significance - Vendor advisories should be held in high regard and taken seriously.
Education - Security requires constant learning. How can you prepare for new vulnerabilities?

What is the Ramen Worm?

The 'Ramen worm' is a set of scripts written to propagate by compromising vulnerable systems, downloading itself, and then using the compromised host to search for other systems to attack. After the system is compromised, the script replaces all files named 'index.html' with the text "Hackers looooooooooove noodles" and a picture touting their favorite snack, "Top Ramen." After the damage has taken place, the scripts seemingly close the vulnerabilities (they only disable FTP) to prevent the server from future Ramen attacks or looting script kiddies.

What systems are vulnerable?

Red Hat 6.2 systems not patched for the wu-ftpd or nfs vulnerabilities and Red Hat 7.0 systems not patched for LPRng are vulnerable. Although Red Hat is the only distribution specifically mentioned, other distributions (especially those based on Red Hat) that distribute these packages are also at risk.

What exactly does the Ramen Worm do?

do {
    Initially, after a system has been compromised, the Ramen worm starts scanning for systems with port 21 (the common port used for FTP) open. The scripts then grab the FTP banner and use the version and date information to determine which vulnerability would most likely exist. After a system is exploited, it creates a directory "/usr/src/.poop" and requests a copy of itself (ramen.tgz) for download through its own port 27374. It then changes every instance of "index.html" found on the system.
} while (NETWORK_CONNECTION);

How can it be prevented?
After reading the text above, you should probably already know the answer to this question. In short, get to know your system, remove what you don't use, and update what you do use. Currently the Ramen worm targets Red Hat systems running LPRng, wu-ftp, and nfs.

Red Hat 6.2 - wu-ftpd
6/23/2000 23:14 : Red Hat: wu-ftpd update (Red Hat Advisories)
rpm -Uvh

Red Hat 6.2 - nfs-utils
7/17/2000 23:19 : Red Hat: Updated package for nfs-utils available (Red Hat Advisories)
rpm -Uvh
7/21/2000 13:32 : Red Hat: UPDATE: nfs-utils vulnerability (Red Hat Advisories)

Red Hat 7.0 - LPRng
09/26/2000 13:28 : Red Hat: 'LPRng' vulnerability (Red Hat Advisories)
rpm -Uvh

How do I detect and remove the worm?

Max Vision has written an excellent paper that describes the makeup of the Ramen Worm in great detail. It is titled "Ramen Internet Worm Analysis" and is located here:
He offers a detailed section on removal and incident recovery. Here is the method that he outlines for removal. If you have any questions or have the curiosity to want to know how the scripts actually work, I would highly recommend reading his paper.

1. If you want to allow anonymous FTP, then remove "ftp" and "anonymous" from /etc/ftpusers
2. If you use wu-ftpd, then upgrade to the latest version from the Red Hat errata web site
3. If you use NFS, then upgrade to the latest version from the Red Hat errata web site
4. If you use LPRng, then upgrade to the latest version from the Red Hat errata web site
5. Remove "/usr/src/.poop/start*.sh" from /etc/rc.d/rc.sysinit
6. Delete the /usr/src/.poop directory containing worm files
7. Delete /tmp/ramen.tgz
8. Delete /sbin/asp
9. Change /etc/xinetd.conf or /etc/inetd.conf to not include /sbin/asp
   Red Hat 6.2: Remove "asp stream tcp nowait root" from /etc/inetd.conf
   Red Hat 7.0: Remove the asp entry from /etc/xinetd.conf
10. Restore /etc/hosts.deny unless you didn't use tcp wrappers
11. Restore any replaced index.html files with originals from backup
12. Reboot the system to kill active worm daemons
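The removal steps above double as a checklist of indicators, and checking for them is quicker than reading through rc.sysinit and inetd.conf by eye on every box. The following is an added example written for this article (it is not code from Max Vision's paper or from the article's author) that looks for the Ramen artifacts named in the list: the /usr/src/.poop directory, /tmp/ramen.tgz, /sbin/asp, the start script hooked into /etc/rc.d/rc.sysinit, the asp entry in /etc/inetd.conf or /etc/xinetd.conf, and index.html files carrying the defacement text. Every path is resolved relative to a root argument so the same checks run against a mounted disk image of a suspect host, or against the constructed sample tree the block builds for the demonstration, not only the live system.

```python
"""Check a filesystem tree for the Ramen artifacts listed in the removal steps above.

Added example for this article (not from Max Vision's paper or the article's
author). Every path is resolved relative to `root`, so the checks can run
against a mounted disk image or the constructed sample tree built below.
"""
import os
import tempfile

# Files and directories the worm leaves behind (from the removal list).
WORM_PATHS = ["usr/src/.poop", "tmp/ramen.tgz", "sbin/asp"]
# Text the worm writes into every index.html it replaces.
DEFACEMENT_MARKER = "Hackers looooooooooove noodles"


def _file_contains(path, needle):
    """True if the text file at path exists and any line contains needle."""
    try:
        with open(path, errors="replace") as fh:
            return any(needle in line for line in fh)
    except OSError:
        return False


def check_ramen_indicators(root="/"):
    """Return a list of indicator descriptions found under root (empty = clean)."""
    hits = []
    for rel in WORM_PATHS:
        if os.path.lexists(os.path.join(root, rel)):
            hits.append(f"worm file present: /{rel}")
    if _file_contains(os.path.join(root, "etc/rc.d/rc.sysinit"), "/usr/src/.poop/start"):
        hits.append("rc.sysinit runs the worm start script")
    # Red Hat 6.2 registers the asp backdoor in inetd.conf, Red Hat 7.0 in xinetd.conf
    for conf in ("etc/inetd.conf", "etc/xinetd.conf"):
        if _file_contains(os.path.join(root, conf), "/sbin/asp"):
            hits.append(f"backdoor service entry for /sbin/asp in /{conf}")
    return hits


def find_defaced_pages(root="/", web_dirs=("var/www",)):
    """Return the index.html files under the web directories that carry the
    worm's defacement text, as paths relative to root."""
    defaced = []
    for web in web_dirs:
        for dirpath, _, files in os.walk(os.path.join(root, web)):
            if "index.html" in files:
                page = os.path.join(dirpath, "index.html")
                if _file_contains(page, DEFACEMENT_MARKER):
                    defaced.append(os.path.relpath(page, root))
    return sorted(defaced)


def build_sample_tree(root, compromised=True):
    """Write a constructed Red Hat-style tree under root; with compromised=True it
    carries every artifact from the removal list, otherwise it is clean."""
    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

    write("etc/rc.d/rc.sysinit", "#!/bin/sh\n. /etc/init.d/functions\n")
    write("etc/inetd.conf", "ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a\n")
    write("var/www/html/index.html", "<html><body>Welcome</body></html>\n")
    if compromised:
        write("usr/src/.poop/start.sh", "#!/bin/sh\n")
        write("tmp/ramen.tgz", "")
        write("sbin/asp", "")
        write("etc/rc.d/rc.sysinit", "#!/bin/sh\n. /etc/init.d/functions\n/usr/src/.poop/start.sh\n")
        write("etc/inetd.conf", "ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a\n"
                                "asp stream tcp nowait root /sbin/asp /sbin/asp\n")
        write("var/www/html/index.html", f"<html><body>{DEFACEMENT_MARKER}</body></html>\n")


def demo(compromised=True):
    """Build the sample tree in a temporary directory, scan it, and return
    (indicator hits, defaced pages)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, compromised)
        return check_ramen_indicators(root), find_defaced_pages(root)


if __name__ == "__main__":
    hits, pages = demo()
    print("\n".join(hits + [f"defaced page: /{p}" for p in pages]) or "no Ramen indicators found")
```

A hit from check_ramen_indicators() is a reason to take the host offline and restore from backup rather than only delete the listed files: the worm has already run as root by the time these artifacts exist, so the removal list is the floor of the cleanup, not the ceiling.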