Stay Ahead With Linux Security Features
threat detection scalability Building a SIEM is easier than scaling one. Most open-source deployments start as a simple "all-in-one" server. It is easy to set up, but that design rarely survives the transition from a lab to a production workload. . A SIEM watching 20 endpoints is not doing the same job as one watching 500. More endpoints mean more logs; more logs require more storage; more storage makes search heavier. Eventually, the very architecture that made your lab easy to deploy becomes the reason your production...
Jun 04, 2026
security advisory apache A newly disclosed attack technique called HTTP/2 Bomb is drawing attention because it targets the software that sits at the front of much of the Linux internet. Apache HTTP Server, NGINX, Envoy, and the ingress layers that many Kubernetes environments depend on can be forced into consuming disproportionate amounts of memory using relatively small amounts of attacker traffic. . For Linux administrators, the concern is not the HTTP/2 protocol itself. It is the possibility that a single...
Jun 04, 2026
security advisory important The compromise of Nx Console shows how much infrastructure now sits behind a single developer account. GitHub repositories, CI/CD pipelines, container build systems, Terraform projects, Kubernetes deployments. None of those systems was the initial target. The workstation was. . Attackers did not need a Linux privilege escalation bug or a remote code execution chain. They needed developers to trust a tool they were already using. For many organizations, that was enough. What Happened? Federal...
Jun 03, 2026
security advisory open-source You remove the malware. You rotate the compromised credentials. You patch the original vulnerability and close the ticket. Two weeks later, the attacker is back. . What happened? You didn't lose the battle at the exploit; you lost it at the cleanup. In many modern Linux intrusions, the malware you found wasn't the main problem—it was the fallback mechanisms left behind. These hooks quietly restore attacker access the moment you look away. If you clean a host but miss these persistence layers,...
Jun 02, 2026
security advisory Red Hat Researchers investigating a campaign now tracked as Miasma found that more than 30 packages in Red Hat's @redhat-cloud-services npm namespace had been altered to deliver credential-stealing malware. . The packages weren't being used to deploy ransomware or sabotage systems. From what has been reported so far, the objective appears to have been much simpler: collect credentials from developer environments and use that access elsewhere. GitHub tokens, cloud credentials, SSH keys, and other...
Jun 02, 2026
Refine features
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security features
We found -2 articles for you...
102
data protectioncybersecuritysecurity techniquesExploring Nmap Techniques for Better Network Protection
Cybercriminals implement scanning into their attacks to find network machines with open ports that they can utilize to bypass security and harm businesses and employees. Before launching an attack, threat actors run cloud security scanners like Linux Nmap that can sweep servers and find cybersecurity vulnerabilities to exploit. Once they identify a target, an intruder can use TCP stack fingerprinting to determine the type of machine they are breaching. . Organizations must work with the same tools that threat actors implement so employees can see what network security issues permit cybercriminals into a system. This article will discuss Nmap, how to utilize it in various privacy sandboxes, and how to prevent cloud security breaches from entering your server so you can improve your security posture. What is Nmap? Nmap is a free-to-download service under the GNU General Public License (GPL) that can analyze collected data regarding hosts and services within a network. We will focus on how to work with Nmap on the command line as we move forward. Let’s start with a few basic explanations and steps that can help with your understanding of this cloud security framework: Within the "nmap" command line, scans have an -s flag specifying their type. Select one of the scanner options and what host or network you want to target. You can scan one host or an entire network with the correct configurations. Providing a network address with "/mask" appended to it can help you learn more about your targets. Once you understand how Nmap functions, you can run root commands and custom packets that prove effective in your analysis. Specify networks with wildcards such as 192.168.7.*, 192.168.7.0/24, or 192.168.7.1,4,8-12 to scan selected hosts on a subnet. What Techniques Can I Use on Nmap to Find Cybersecurity Vulnerabilities on My Server? You must learn the various methods you can implement for testing your server so you can integrate security patching as best as possible tokeep your organization and employees secure. Here are some configurations you can utilize to strengthen data and network security: Ping Sweeping Intruders can sweep entire networks looking for targets with Nmap. This is usually done with a ping scan using the "-sP" flag. By default, Nmap will send an ICMP echo and a TCP ACK to each host it scans. Nmap will consider hosts that respond to either to be up. In this example, scan all hosts on the 192.168.7.0 network: # nmap -sP 192.168.7.0/24 Starting nmap V. 2.12 by Fyodor (
Nov 27, 2023
•
102
security practicesnetwork monitoringautomationPort Scanning and Securing Linux Servers With Nmap Utility
Hi, and welcome back to another edition of Hacks From Pax. Today we'll discuss hardening Linux servers by scanning for unnecessarily open network ports, and we'll show you how to automate port scanning so you can easily monitor your network for vulnerabilities. . Portscanning, for the uninitiated, involves sending connection requests to a remote host to determine what ports are open for connections and possibly what services they are exporting. Portscanning is the first step a hacker will take when attempting to penetrate your system, so you should be preemptively scanning your own servers and networks to discover vulnerabilities before someone unfriendly gets there first. Any open ports that are unnecessary for proper system operation should be closed. Every open port is a possible access point for an unauthorized user, and every service accepting connections from the world could have a vulnerability. Even if you are diligent about applying patches, any unnecessarily running service is still a window an attacker could possibly climb through. One way of viewing open ports on your Linux system is with the netstat command. Issue the command netstat --inet -a to view both your established connections and open listening network ports. This command reads from your /etc/services file to determine the service name for a given port number, so seeing *:www under the Local Address heading indicates your server's port 80 is open and listening, not that there is necessarily a webserver running on that port. You should check the list and ensure that the servers listening are indeed desired, and if they are not, they should be disabled. For example, this output shows me that my system is accepting connections on the ports for www, ssh, smtp and https. [root@frylock /root]# netstat --inet -a Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 *:www *:* LISTEN tcp 0 0 *:ssh *:* LISTEN tcp 0 0 *:smtp *:* LISTEN tcp 0 0 *:https *:* LISTEN The best way of viewing open ports on a remote server is to use the nmap network scanning tool. It's recommended to use nmap from a system that is outside any firewall protecting your network, since the goal is to determine what network ports are visible and listening from a hypothetical attacker's point of view. Running the command nmap -vv -sS 192.168.1.1 would perform a SYN scan of only the common ports on the given ip address. [root@frylock ~]# nmap -vv -sS 192.168.1.65 Starting nmap 3.81 ( https://nmap.org/ ) at 2005-07-02 13:17 EDT Initiating SYN Stealth Scan against meatwad.linuxsecurity.com (192.168.1.65) [1663 ports] at 13:17 Discovered open port 22/tcp on 192.168.1.65 Discovered open port 25/tcp on 192.168.1.65 Discovered open port 443/tcp on 192.168.1.65 Discovered open port 80/tcp on 192.168.1.65 Discovered open port 1022/tcp on 192.168.1.65 Discovered open port 8080/tcp on 192.168.1.65 The SYN Stealth Scan took 0.24s to scan 1663 total ports. Host meatwad.linuxsecurity.com (192.168.1.65) appears to be up ... good. Interesting ports on meatwad.linuxsecurity.com (192.168.1.65): (The 1657 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 443/tcp open https 1022/tcp open unknown 8080/tcp open http-proxy MAC Address: 00:03:47:EF:42:42 (Intel) Nmap finished: 1 IP address (1 host up) scanned in 0.514 seconds Raw packets sent: 1665 (66.6KB) | Rcvd: 1670 (76.9KB) We can see that ports 22, 25, 80, 443, 1022 and 8080 are open and accepting connections. If we aren't using one or more of these services the unused ones should be disabled to lessen our security liabilities. This scan operates by sending a single SYN packet to each port, and listening for a returned SYN|ACK which indicates anopen port. Consult the nmap website for further information on the particulars of nmap usage. Nmap is an indispensable security tool that you should make a place for in your sysadmin toolbox. Nmap can be very useful for determining the outward facing open ports on your network when you remember to check, but with a little perl magic it can be useful for keeping an ongoing eye on your network as well. I've written a perl utility called NetDiff that scans a given network or multiple networks with nmap, stores the results in a database and then invokes diff on the result set to find newly opened and closed ports on a daily basis. NetDiff also will detect any systems newly added to or removed from the network, which can be useful for spotting, for example, that rogue wireless access point surreptitiously plugged into your network by the marketing department. NetDiff packages and documentation can be found on ftp.engardelinux.org. For those running EnGarde Secure Linux, I've written a WebTool module and packaged NetDiff rpm packages so you can simply install the packages and their required prerequisites and then configure your networks and later view the reports from within the EnGarde WebTool environment. NetDiff reports will display any network changes in a diff style format, prepending newly added lines with a '+' and removed lines with a '-'. For example, in the following NetDiff report we can see that the host at 192.168.42.64 was disconnected since the last scan, a host at 192.168.42.127 was connected, and a telnet service was started on 192.168.42.1 . Investigating these results against preplanned administration work is an exercise for the sysadmin reading the report. Perhaps the telnet port was opened for a reason, but perhaps a hacker has penetrated that system and opened the port for nefarious purposes. # # NetDiff Report # # Networks scanned : # 192.168.42.0/24 # # Last scan completed : 2005-07-03 02:05:43 # Scan started : 2005-07-04 01:00:01 # Scancompleted : 2005-07-04 02:06:31 # Hosts Scanned/Found : 35/35 # 192.168.42.64 ** MISSING ** 192.168.42.64 ** CHANGED ** -192.168.42.64 Status up -192.168.42.64 Extra Ports filtered 1662 -192.168.42.64 Port 80 http closed table 3 ----------------------------------------------------------------------------192.168.42.127 ** NEW HOST ** 192.168.42.127 ** CHANGED ** +192.168.42.127 Status up +192.168.42.127 Extra Ports filtered 1662 +192.168.42.127 Port 80 http closed table 3 ----------------------------------------------------------------------------192.168.42.1 ** CHANGED ** -192.168.42.1 Extra Ports closed 1663 +192.168.42.1 Extra Ports closed 1662 +192.168.42.1 Port 23 telnet open table 3 ---------------------------------------------------------------------------- Setting up netdiff to run daily will allow you a quick and easy way to view your recent network changes. Discovering an newly opened port on your network can be a telltale sign of a hacker's penetration or simply another sysadmin's mistake, but you'll know about it immediately and can take action to investigate the offending port and server. No scanning or reporting tool can replace a competent sysadmin, but a good reporting tool can guide a sysadmin towards anomalies on his or her network that require further sleuthing. Until next time, stay secure, and know your network like the back of your hand. I'll see you again soon, in the next episode of Hacks From Pax. -- Pax Dickinson has over ten years of experience in systems administration and software development on a wide variety of hardware and software platforms. He is currently employed by Guardian Digital as a systems programmer where he develops and implements security solutions using EnGarde Secure Linux. His experience includes UNIX and Windows systems engineering and support at Prudential Insurance, Guardian LifeInsurance, Philips Electronics and a wide variety of small business consulting roles. . Portscanning, for the uninitiated, involves sending connection requests to a remote host to determin. welcome, another, edition, hacks, today, we', discuss, hardening, linux, serve. . Anthony Pell
Feb 04, 2010
•
102
intrusion detectionsecurity toolnetwork scannerExploring Essential Network Scanners and Security Tools for Linux Admins
"A scanner is a program that automatically detects security weaknesses in a remote or localhost.". Scanners are important to Internet security because they reveal weaknesses in the network. . System administrators can strengthen the security of networks by scanning their own networks. The primary attributes of a scanner should be: The capability to find a machine or network. The capability to find out what services are being run on the host ( once having found the machine). The capability to test those services for known holes. There are various tools available for Linux system scanning and intrusion detection. I will explain some of the very famous tools available. I have divided the scanners into three categories: Host Scanners, Network Scanners, and Intrusion Scanners. Host Scanners Host scanners are software you run locally on the system to probe for problems. Cops COPS is a collection of security tools that are designed specifically to aid the typical UNIX systems administrator, programmer, operator, or consultant in the oft neglected area of computer security. COPS is available at: Tiger Tiger is a UNIX Security Checker. Tiger is a package consisting of Bourne Shell scripts, C code and data files which is used for checking for security problems on a UNIX system. It scans system configuration files, file systems, and user configuration files for possible security problems and reports them. You can get it from: check.pl Check.pl a perl script that looks through your entire filesystem, (or just the directory you tell it to) for suid, sgid, sticky, and writeable files. You should run it as a regular user maybe once a week to check for permission problems. It will output a list of questionable files to stdout which you can redirect wherever. It's available at: . Network Scanners Network scanners are run from a host and pound away on other machines, looking for open services. If you can find them, chances are anattacker can too. These are generally very useful for ensuring your firewall works. NSS (Network Security Scanner) NSS is a perl script that scans either individual remote hosts or entire subnets of hosts for various simple network security problems. It is extremely fast. Routine checks that it can perform include the following: sendmail Anon FTP NFS Exports TFTP Hosts.equiv Xhost NSS can be found at: SATAN (Security Administrator's Tool for Analyzing Networks) SATAN is an automated network vulnerability search and report tool that provides an excellent framework for expansion.Satan scans remote hosts for most known holes: FTPD vulnerabilities and writable FTP directories NFS vulnerabilities NIS vulnerabilities RSH vulnerability sendmail X server vulnerabilities SATAN performs these probes automatically and provides this information in an extremely easy to use package. You can obtain SATAN from: Network Scanners (cont.) Strobe Strobe is Super optimised TCP port surveyor. It is a network/security tool that locates and describes all listening tcp ports on a (remote) host or on many hosts in a bandwidth utilisation maximising, and pro- cess resource minimising manner. It is simple to use and very fast, but doesn't have any of the features newer port scanners have. Strobe is available at: . Nmap Nmap is a newer and much more fully-featured host scanning tool. Specifically, nmap supports: Vanilla TCP connect() scanning TCP SYN (half open) scanning TCP FIN, Xmas, or NULL (stealth) scanning TCP ftp proxy (bounce attack) scanning SYN/FIN scanning using IP fragments (bypasses some packet filters) TCP ACK and Window scanning UDP raw ICMP port unreachable scanning ICMP scanning (ping-sweep) TCP Ping scanning Direct (non portmapper) RPC scanning Remote OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning. Nmap isavailable at: Nmap: the Network Mapper - Free Security Scanner . Portscanner PortScanner is a Network Utility especially designed to "scan" for listening TCP ports. It uses a simple method to achieve its goal, and it is extremely compact taking in account all of the options available. It's opensource and free to use, you can get it at: . Queso Queso is a tool to detect what OS a remote host is running with a pretty good degree of accuracy . Using a variety of valid and invalid tcp packets to probe the remote host it checks the response against a list of known responses for various operating systems, and will tell you which OS the remote end is running. You can get Queso from: . Intrusion Scanners Intrusion scanners are software packages that will actually identify vulnerabilities, and in some cases allow you to actively try and exploit them. Nessus Nessus is very fast, reliable and has a modular architecture that allows you to fit it to your needs.Nessus is one of the best intrusion scanning tools. It has a client/server architecture, the server currently runs on Linux, FreeBSD, NetBSD and Solaris, clients are available for Linux, Windows and there is a Java client. Nessus supports port scanning, and attacking, based on IP addresses or host name(s). It can also search through network DNS information and attack related hosts at your request. Nessus is available from Tenable® - The Exposure Management Company . Saint SAINT is the Security Administrator's Integrated Network Tool. Saint also uses a client/server architecture, but uses a www interface instead of a client program. In its simplest mode, it gathers as much information about remote hosts and networks as possible by examining such network services as finger, NFS, NIS, ftp and tftp, rexd, statd, and other services. Saint produces very easy to read and understand output, with security problems graded by priority (although not always correctly) and also supports add-in scanning modules making it veryflexible. Saint is available from: Products - Trusted Cybersecurity and Risk Management . Cheops Cheops is useful for detecting a hosts OS and dealing with a large number of hosts quickly. Cheops is a "network neighborhood" on steroids, it builds a picture of a domain, or IP block, what hosts are running and so on. It is extremely useful for preparing an initial scan as you can locate interesting items (HP printers, Ascend routers, etc) quickly. Cheops is available at: Marko.net - Get some help using the Wayback Machine . Ftpcheck / Relaycheck Ftpcheck and Relaycheck are two simple utilities that scan for ftp servers and mail servers that allow relaying. These are available from: . BASS BASS is the "Bulk Auditing Security Scanner" allows you to scan the Internet for a variety of well known exploits. You can get it from: Firewall Scanners There are also a number of programs now that scan firewalls and execute other penetration tests in order to find out how a firewall is configured. Firewalk Firewalking is a tool that employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. Firewalk the tool employs the technique to determine the filter rules in place on a packet forwarding device. System administrators should utilize this tool against their systems to tighten up security. Firewalk is available from: . Conclusion "Security is not a solution, it's a way of life." System Administrators must continuously scan their systems for security holes and fix the hole on detection. This will tighten the security of system and reduce the chance of security breaches. This process is a continuous process. The security vulnerabilities will keep on arising and process of fixing the security holes will never end! After all, "Precaution is better than cure." This article is Copyright (c) 2000 by Kapil Sharma. This material may be distributed only subject to the terms and conditions setforth in the Open Publication License, v1.0 or later (the latest version is presently available at opencontent). Written by: Kapil Sharma Email:
Sep 13, 2000
•
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!
Discover faster search, smarter navigation, and deeper Linux security insights. Read More