Stay Ahead With Linux Security Features

Port Scanning Explained: Tools, Techniques, and Best Open-Source Port Scanners for Linux

Most Linux admins assume they know which TCP/IP ports their servers expose, until a scan reveals something unexpected. A database port listening on all interfaces, a forgotten development service, or a management interface that was meant to stay internal can easily appear once you look from the network side. In this article, we’ll focus on how port scanning works in practice and how Linux administrators can use common tools and techniques to identify open ports and verify network exposure.

Port Scanning Techniques and How They Work

Once you understand what port scanning is, the next question is how scanners discover those ports. The technique used determines how visible the scan is and how accurate the results might be, with different methods affecting both speed and detection.

SYN Scan

The SYN scan is one of the most common techniques used in network port scanning. It begins the normal TCP handshake by sending a SYN packet to a target port. If the port is open, the system replies with a SYN-ACK. Instead of completing the connection, the scanner immediately resets it. That small interruption is the key detail. The connection never fully establishes, which makes the scan faster and slightly less visible in application logs. Tools like Nmap use SYN scanning by default when they have the permissions needed to craft raw packets.

TCP Connect Scan

A TCP connect scan takes the more straightforward approach. It performs a full TCP handshake with each port and establishes a normal connection before closing it. Because this process uses the operating system’s standard networking functions, it works even when the scanning tool does not have elevated privileges. The tradeoff is visibility. Every completed connection is easier to log and detect on the target system.

UDP Port Scan

Scanning UDP ports works differently because UDP does not rely on a handshake. Instead, the scanner sends a packet and waits to see if the system responds. If the port is closed, the host often returns an ICMP message indicating that the destination port is unreachable. If the port is open, there may be no response at all unless the service sends one. That silence makes UDP port scanning slower and sometimes less precise than TCP scanning. Despite the challenges, UDP scans remain useful because many important services rely on the protocol.

FIN, NULL, and Xmas Scans

Some scanning methods experiment with less conventional packet flags. FIN scans, NULL scans, and Xmas scans fall into this category. Each sends packets with unusual combinations of TCP flags and observes how the system reacts. These techniques were originally designed to slip past simple firewall rules that only expected normal connection attempts.

The important takeaway is that no single technique reveals everything. Different scanning methods interact with systems in different ways, and that interaction shapes the results you see. When administrators compare scan outputs from different tools or techniques, those subtle differences in network behavior often explain why the results do not always match.

Best Port Scanning Tools for Linux Admins

The best tool choice becomes less about features and more about how each scanner behaves on the network. Some focus on depth. Others prioritize speed or large-scale discovery. Most Linux admins settle on two or three tools that fit their workflow: one for detailed analysis, another for rapid discovery, and sometimes a simple utility for quick checks.

Nmap

Nmap is still the tool most administrators reach for first, and there is a reason for that. It sits between speed and detail, capable of scanning thousands of hosts or slowing down to understand exactly what is running on a single system.

- Identifies open ports and running services
- Performs service discovery and version detection
- Often estimates the operating system behind the host
- Uses response analysis and fingerprinting to map services
- Supports a scripting engine for extended checks, from basic vulnerability detection to configuration gathering

Nmap often identifies the application behind a port, and sometimes even the exact version running. It is rarely the fastest scanner available, but it is often the most informative.

Masscan

Masscan sends packets as quickly as the network allows and records which hosts respond. The design allows it to scan enormous address ranges very quickly. In large environments, that speed is useful:

- Scans entire subnets or organization-wide address space in a short time
- Quickly identifies which hosts respond on which ports

That speed comes with tradeoffs:

- Limited service identification
- Minimal analysis of application responses
- Focused on discovery, not what software is behind the port

As a result, administrators often pair it with another scanner. Masscan finds open ports quickly across a large network, and then a deeper tool like Nmap analyzes the interesting hosts.

RustScan

RustScan appeared more recently and fills a niche between speed and analysis. Its role is straightforward:

- Fast port discovery across a host
- Automatically hands results to Nmap for deeper inspection
- Preserves speed without losing service detection and fingerprinting

The workflow reflects how many admins already operate. Find the open ports first. Investigate them second.

ZMap

ZMap was designed for large-scale network research and prioritizes speed at scale:

- Scans extremely large portions of the internet quickly
- Uses highly optimized probe packets for large address spaces
- Built for distribution analysis across massive networks

Because of that design:

- Not ideal for day-to-day system administration
- Better suited for researchers and large network operators

For typical Linux environments, deeper tools like Nmap tend to be more practical.

Naabu

Naabu is a lightweight scanner built for speed and automation:

- Quickly discovers open ports across many hosts
- Integrates easily into reconnaissance and asset discovery workflows
- Works well in automated security pipelines

Its design allows repeated scans without placing a heavy load on the network, which makes it useful in environments where exposure needs to be tracked continuously.

Angry IP Scanner

Angry IP Scanner takes a different approach by focusing on visibility:

- Provides a graphical interface for scanning IP ranges
- Quickly identifies responsive hosts on a network
- Useful for fast, visual discovery in smaller environments

Admins often use it to scan a subnet and immediately see which devices respond, then follow up with deeper tools as needed.

Netcat

Netcat is not a dedicated scanner, but it shows up often because of how simple it is:

- Tests connectivity to specific ports
- Confirms whether a service is reachable and responding
- Works as a quick diagnostic tool rather than a full scan solution

When you already know which port to check, it gives a fast answer without running a full scan.

Over time, you begin to see how these tools complement one another. Some specialize in speed, others in depth, and a few provide quick visibility when you just need to check a single service. The choice depends less on which tool is considered the best port scanner and more on what question you are trying to answer at that moment.

How Do These Port Scanning Tools Compare?

Once you start working with several scanning tools, the differences become easier to see. They all perform the same basic task, but the details are where they separate. Some prioritize accuracy and service detection. Others focus almost entirely on speed. A few are designed for very large network studies rather than everyday system administration.

Tool     | Scan Speed     | Service Detection | OS Fingerprinting | Scale                        | Best Use Case
---------|----------------|-------------------|-------------------|------------------------------|----------------------------------------------
Nmap     | Moderate       | Yes               | Yes               | Small to medium networks     | Detailed audits and service identification
Masscan  | Extremely fast | Limited           | No                | Very large networks          | Rapid discovery of open ports
RustScan | Fast           | Through Nmap      | Through Nmap      | Medium networks              | Fast discovery followed by deeper analysis
ZMap     | Extremely fast | No                | No                | Internet-scale               | Research and large-scale network measurement
Naabu    | Very fast      | Limited           | No                | Medium to large environments | Automation and continuous scanning

The main difference is how much information each tool gathers. Nmap spends time analyzing responses, identifying services, and sometimes operating systems. It’s slower, but far more informative. Masscan and ZMap focus on speed. They send packets quickly and record which hosts respond, making them useful for large environments. RustScan and Naabu sit in between. They handle fast discovery, then pass results to deeper tools for analysis. You start to see why administrators rarely rely on just one scanner. One finds open ports quickly. Another explains what’s running behind them. Together, they give a clearer view than either alone.

Practical Port Scanning Workflows for Linux Admins

Most administrators use network port scanning in a few repeatable ways.

Find All Open Ports on a Server

One of the most common checks is scanning a server across the full TCP port range. This shows every port that responds, not just the common ones.

    nmap -p- server_ip

The -p- option tells Nmap to scan all 65,535 TCP ports. The interesting moments happen when extra ports appear. A Redis service on 6379. A database on 3306. Occasionally, something more obscure, like a development service that was installed during troubleshooting and never removed. You start to notice this after scanning enough systems. The scan often reveals services no one remembers enabling.

Verify Firewall Exposure

Another common workflow is comparing scan results with what the system itself reports. A server may believe it is listening on certain ports, but that does not always mean the network can reach them. On the host, administrators often check active listening services like this:

    ss -tulnp

This command shows which processes are bound to network sockets. When you compare that list with the results of a network port scanning tool, the differences become meaningful. If a service appears in ss -tulnp but not in a scan, the firewall may be blocking it. If a port appears in a scan that you did not expect, the service might be bound to an interface that exposes it externally.

Detect Unnecessary Services

It’s also a simple way to audit server roles. A typical web server might intentionally expose only a few ports: SSH for administration, and HTTP or HTTPS for the application itself. If a scan reveals additional services, that usually deserves a closer look. For example, a scan might return results like:

    22/tcp   open  ssh
    80/tcp   open  http
    443/tcp  open  https
    3306/tcp open  mysql
    6379/tcp open  redis

A port scan makes that exposure visible very quickly.

Discover Devices on a Network

It’s also useful for discovering systems across an entire subnet. Instead of targeting a single host, the scan probes every address in the range to see which machines respond.

    nmap -sn 192.168.1.0/24

This type of scan does not focus on ports. It simply identifies which hosts appear active on the network. Administrators often use it when building network inventories or trying to locate devices that have appeared unexpectedly. You start to see a clearer picture of the environment once you run scans like this. Servers show up first, but so do routers, embedded devices, and various pieces of equipment that quietly joined the network.

Find All Printers on the Network

Certain devices expose very recognizable ports. Network printers are a common example. Many models respond on port 9100 for raw printing. Scanning for that port across a subnet can quickly identify printers that exist on the network.

    nmap -p 9100 192.168.1.0/24

The results often include devices that were never added to asset inventories. These small discoveries are where port scanning becomes genuinely practical. It is not just about identifying open ports. Over time, it becomes a way to understand what systems actually exist on a network and which services they expose.

Final Thoughts on Using Port Scanning to Understand What Your Systems Actually Expose

Port scanning is often described as a form of network reconnaissance, and that description is technically correct. In everyday administration, though, its role is simpler. It helps confirm which TCP/IP ports are exposed, which services respond to the network, and how large the attack surface of a system really is. Over time, administrators start using port scanning in predictable ways: checking open ports after configuration changes, verifying firewall behavior, and scanning subnets to see which devices actually exist on the network. Tools like Nmap, Masscan, and RustScan approach this task from different angles, but the goal stays the same: understand how systems appear from the network side and ensure that only the services meant to be visible are the ones that respond.
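The following is an added example, not code from the article above and not part of Nmap or any tool it names. It ties together the TCP connect scan from the techniques section and the "Verify Firewall Exposure" and "Detect Unnecessary Services" workflows: it runs a connect scan against a throwaway listener on 127.0.0.1 (showing why the service logs every probe), then compares constructed `ss -tulnp` and `nmap` output against a web-server role allowlist. The sample output, the process names and the allowlist `{22, 80, 443}` are constructed for the example.

```python
"""Added example, not code from the LinuxSecurity article or from Nmap:
a TCP connect scan against a listener started on 127.0.0.1, then the
"compare the scan with ss -tulnp" and "check against the server role"
workflows described above. The ss and nmap output below is constructed."""
import re
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor


def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan: a full handshake through the normal socket API,
    so no raw packets and no root, but every hit is seen by the service."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                return port if s.connect_ex((host, port)) == 0 else None
            except OSError:
                return None
    with ThreadPoolExecutor(max_workers=32) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


class LoggingListener:
    """Stand-in for a real daemon: accepts connections and logs each peer,
    which is why a connect scan shows up in application logs."""
    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))        # ephemeral port
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.log = []
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:
                return                            # socket closed, stop serving
            self.log.append(f"accepted connection from {peer[0]}:{peer[1]}")
            conn.close()


def demo_scan():
    """Scan a few ports around the local listener; returns (open ports,
    listener log, listener port) so the connect-scan footprint is visible."""
    svc = LoggingListener()
    try:
        found = connect_scan("127.0.0.1", range(svc.port - 3, svc.port + 4))
        time.sleep(0.2)                          # let the accept thread log
        return found, list(svc.log), svc.port
    finally:
        svc.sock.close()


# Constructed `ss -tulnp` and `nmap` output for a web server (not real hosts).
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=901,fd=6))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=901,fd=7))
tcp   LISTEN 0      80           0.0.0.0:3306      0.0.0.0:*     users:(("mysqld",pid=1203,fd=21))
tcp   LISTEN 0      511        127.0.0.1:6379      0.0.0.0:*     users:(("redis-server",pid=1310,fd=6))
tcp   LISTEN 0      128          0.0.0.0:8000      0.0.0.0:*     users:(("python3",pid=1402,fd=4))
"""
NMAP_SAMPLE = """\
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql
"""
SS_LINE = re.compile(r'^tcp\s+LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_ss(text):
    """Map TCP port -> (bind address, process name) from ss -tulnp output."""
    out = {}
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if m:
            out[int(m.group(2))] = (m.group(1), m.group(3))
    return out


def parse_nmap(text):
    """Set of ports reported open in nmap's normal output."""
    return {int(m.group(1)) for m in re.finditer(r'^(\d+)/tcp\s+open', text, re.M)}


def compare_exposure(listening, scanned, allowed):
    """Classify each port the way the workflows above do: reachable and
    expected, reachable but outside the role's allowlist, loopback-only,
    or listening on all interfaces yet not reachable (firewall in the way)."""
    findings = {}
    for port, (addr, proc) in listening.items():
        if port in scanned:
            status = "reachable" if port in allowed else "reachable, not in role allowlist"
        elif addr in ("127.0.0.1", "::1"):
            status = "loopback only"
        else:
            status = "listening on all interfaces but not reachable (firewall?)"
        findings[port] = (proc, status)
    for port in scanned - listening.keys():       # open from outside, no local socket
        findings[port] = ("?", "reachable but no local listener")
    return findings


if __name__ == "__main__":
    open_ports, log, port = demo_scan()
    print(f"listener on {port}, connect scan found {open_ports}, service logged {log}")
    report = compare_exposure(parse_ss(SS_SAMPLE), parse_nmap(NMAP_SAMPLE), {22, 80, 443})
    for p, (proc, status) in sorted(report.items()):
        print(f"{p:>5}/tcp {proc:<13} {status}")
```

In the constructed data, 3306 is reachable but outside the web-server allowlist (the "closer look" case), 6379 is bound to loopback and correctly absent from the scan, and 8000 is bound to all interfaces but missing from the scan, which is the "firewall may be blocking it" case the article describes.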

Brittany Day, Mar 20, 2026

Proven Strategies to Assess the Security of Your Linux Server Setup

Linux is a widespread OS known for its robust data and network security. That being said, cybersecurity vulnerabilities are inevitable in any OS. Therefore, Linux system administrators must be vigilant about monitoring and verifying the safety of their servers on an ongoing basis in order to protect sensitive data and prevent attacks on network security. After all, the majority of exploits in cybersecurity on Linux systems resulted from poor administration.

The only way to be sure your server is as well protected as needed is to test it and verify it is working as you expect. This article will introduce LinuxSecurity’s top methods and tools for checking that your Linux server security is safe. We will cover port scanning, intrusion detection, penetration testing, reverse engineering, and auditing, and we will guide you in the direction of other valuable resources to help you get started on your journey to stronger security.

What Are the Top Methods for Verifying Linux Server Security?

Port Scanning

Port scanning, or the process of evaluating ports on a server to identify cybersecurity vulnerabilities, is one method that administrators should employ when looking to evaluate the overall security of a Linux server. Port scanning Linux servers reveals what ports are open to receiving information and what security devices exist between the sender and the target. This information can be used to identify potential network security issues that could be exploited by attackers. Linux users have an array of excellent port scanners to choose from. In this section, we’ll introduce our three favorite open-source port scanners and direct you to some helpful tutorials demonstrating how to perform a port scan on your Linux servers. Let’s take a look at three great port scanners available to Linux users:

Nmap

Nmap, which stands for “Network Mapper,” is by far the most popular and versatile port scanner available, for good reason. The free and open-source port scanner offers an array of options for performing quick, effective scans on both local and remote networks. Nmap can be used for active port scanning to discover open ports on specific networks/hosts, as well as for host discovery to identify potential hosts that are responding to network requests. Nmap’s capabilities extend beyond port scanning, as it can also be used for penetration testing, fingerprinting operating systems, vulnerability scanning, OS detection, and application version detection. Nmap has both CLI and GUI interfaces (the GUI is called Zenmap) and can also be run from the classic command line terminal. You can learn how to install Nmap on Linux here. Learn how to perform a ping scan, a host scan, and an OS and services scan with Nmap.

Unicornscan

Unicornscan is the second most popular open-source port scanner after Nmap. It features renowned asynchronous TCP and UDP scanning capabilities as well as non-common network discovery patterns that provide alternative ways to find out important details about remote operating systems and services. Unicornscan can be used for both active and passive remote OS, application, and component identification. The fast, comprehensive port scanner offers custom module support, customized data-set views, and PCAP file logging and filtering. You can download Unicornscan here.

Angry IP Scanner

Thanks to its multi-thread approach that separates each scan, Angry IP Scanner is known for its impressive scanning speed. The free multi-platform scanner searches for open ports on any remote network and then exports scanned results into either TXT, XML, or CSV files. Angry IP Scanner has other notable features, including its web server and NetBIOS information detection capabilities and its easy, seamless plugin integration with Java. Angry IP Scanner for Linux can be downloaded here.

Intrusion Detection

Intrusion detection, or monitoring a network or system for malicious activity or policy violations, is a critical part of maintaining a secure Linux server. The information gathered through intrusion detection provides administrators with valuable insight into the attacks in network security that could potentially threaten their servers. This is valuable information to be aware of when setting up preventative defenses. In this section, we’ll examine a few great open-source Linux Intrusion Detection System (IDS) tools and honeypots that can help server administrators proactively identify and respond to network security threats to their systems, thus preventing data theft and system compromise. We’ll then explore the importance of monitoring logs.

Snort

Snort is the leader in free and open-source Network Intrusion Detection Systems (NIDS). The popular network security toolkit has various modes that can be used to analyze real-time traffic. The intrusion detection mode is based on a set of rules that the user can either create or download from the Snort community. Snort can also be used for port scanning, OS fingerprinting, and detecting attacks in network security using signature-based and anomaly-based techniques. Snort is easy to install and supported by a large, vibrant community, which makes this cloud security scanner and detection service all the more reassuring. Snort can be downloaded here. Learn how to install and use Snort for intrusion detection in this LinuxHint tutorial.

OSSEC

In the realm of Host-based Intrusion Detection Systems (HIDS), OSSEC dominates. This full-featured open-source IDS tool is highly effective and extensible. OSSEC’s client/server-based management and logging architecture secures sensitive information against exploits in cybersecurity like tampering and theft by delivering alerts and logs to a centralized server. This server can analyze and notify regarding network security threats even if the host system is compromised or offline. A convenient benefit of this client/server design is one’s ability to centrally manage agents from a single server. OSSEC is very lightweight and is backed by a strong, supportive community. OSSEC can be downloaded here. Learn how to install and use OSSEC for intrusion detection in this LinuxHint tutorial.

Suricata

Suricata is a modern NIDS that employs signature-based, anomaly-based, and policy-driven intrusion detection methods. It features multi-threading capabilities, GPU acceleration, and multiple-model statistical anomaly detection. Suricata can examine HTTP requests, TLS/SSL certificates, and DNS transactions. Suricata is compatible with Snort's data structure, enabling users to implement Snort policies in Suricata. Suricata can be downloaded here.

Cowrie

Cowrie is a medium interaction SSH and telnet honeypot that logs brute force attacks in network security and shell interaction. The open-source honeypot emulates a Unix system in Python and functions as a proxy to log malicious activity. Cowrie features JSON logging for easy processing in log management solutions.

Monitoring Logs

Monitoring logs is an essential part of verifying the data and network security of a server. It must be done on a regular basis to ensure that your systems remain secure. Critical Linux log monitoring categories include application, event, service, and system logs. Many Linux distributions offer network security toolkits for automating this ongoing task. The Logwatch application, for instance, sends a daily email report of all of the logs on a server, providing administrators with valuable information, including potential malicious activity, SSH attempts, IPs causing errors, and the number of emails sent from the server. In a large corporate environment, it is a common practice to send Logwatch emails (along with other mail directed to the root user) to a single company email list. Administrators in the company then subscribe to this email list to stay informed of any notifications regarding suspicious activity detected in any of the company’s server logs. Logwatch can be downloaded here.

Fail2ban is another excellent application for monitoring logs and detecting intrusion attempts. This intrusion prevention software and cloud security framework keeps servers safe against brute-force attacks in network security by reacting to intrusion attempts. These reactions could be either installing firewall rules to reject potentially malicious IP addresses for a certain amount of time or blocking access to a specific port. Fail2ban can be downloaded here.

Penetration Testing

Penetration testing (commonly referred to as pen testing or ethical hacking) is the practice of testing a computer system, network, or application to identify cybersecurity vulnerabilities that could be exploited by malicious actors. As you can imagine, information gathered in pen tests is invaluable in verifying the data and network security of a Linux server and preventing attacks. There is an array of excellent pentesting network security toolkits available to Linux users, and there is a certain group of Linux distros built for penetration testing. In this section, we’ll introduce our top two distros for Linux penetration testing: Kali Linux and ParrotOS.

Kali Linux

Kali Linux is one of the most popular Linux distros among pentesters, ethical hackers, and security researchers. The flexible, full-featured distro contains hundreds of pentesting tools, protects sensitive pentesting data with LUKS full-disk encryption, and offers high customization levels. Kali Linux also offers training and support through the Kali Linux Dojo training suite.

Key Features & Benefits:

- Kali Linux uses LUKS full-disk encryption to secure sensitive pentesting data against loss, tampering, and theft.
- “Forensics” mode makes this distro perfect for investigative work.
- Users can automate and customize their Kali Linux installations over the network.
- This flexible distro offers full customization with live-build.
- On the training suite, Kali Linux Dojo users can learn how to customize their own Kali ISO and learn the basics of pentesting.

All of these resources are available on Kali’s website, free of charge. Kali Linux also offers a paid-for pentesting course that can be taken online with a 24-hour certification exam. Once you pass this exam, you’re a qualified pentester!

ParrotOS

Parrot OS is a fully-portable laboratory for pentesting, reverse engineering, and digital forensics. The fast, lightweight distro is frequently updated and offers a wide array of hardening and privacy sandboxing options. ParrotOS tools and features are designed to be compatible with the majority of devices via containerization technologies such as Docker or Podman.

Key Features & Benefits:

- ParrotOS provides pentesters and digital forensics experts with a state-of-the-art “laboratory” featuring a full suite of tools accompanied by standard privacy and security features.
- Applications that run on Parrot OS are fully sandboxed and protected.
- Parrot OS is fast, lightweight, and compatible with most devices.

Reverse Engineering & Malware Scanning

Reverse engineering, or the process of deconstructing an artificial environment to gain insight into its design, architecture, and code, can be extremely helpful in securing or verifying the data and network security of a Linux server. This process plays a central role in malware detection and analysis, as it can help administrators identify network security threats like malware on their systems, which they can then study, eliminate, and learn from so they can apply the knowledge to prevent future attacks in network security. In this section, we will profile six malware scanning and reverse engineering tools favored on Linux, as well as some toolkits and utilities.

REMnux

REMnux is a free, community-powered toolkit for reverse engineering and malware analysis. The toolkit conveniently enables analysts to investigate malware without having to find, install, and configure the tools needed to do so. REMnux offers a distro that can be downloaded as a VM in the OVA format and then imported into your hypervisor, installed from scratch on a dedicated host, added to an existing system running a compatible version of Ubuntu, or run as a Docker container.

Chkrootkit

Chkrootkit is a free and open-source rootkit detector that locally scans for signs of a rootkit and hidden security holes on Unix/Linux systems. The scanner consists of a shell script that checks system binaries for rootkit modification along with a selection of programs designed to scan systems for different network security issues. Chkrootkit can be downloaded here.

Rkhunter

Rkhunter is a powerful and user-friendly open-source tool designed to scan Linux systems for rootkits, backdoors, and local exploits in cybersecurity. The comprehensive scanner inspects and analyzes a system to detect hidden security holes. Rkhunter can be downloaded here.

Lynis

Lynis is a powerful and popular malware and vulnerability scanning and auditing tool for Unix/Linux operating systems. The free and open-source scanner detects network security issues and configuration errors, performs firewall auditing, checks file/directory permissions, and verifies file integrity and installed software. Lynis can be downloaded here. Learn how to scan your Linux system with Lynis in this Opensource.com tutorial.

LMD

Linux Malware Detect (LMD) is a full-featured, open-source malware scanner designed specifically for hosted environments; however, this tool can be used to detect network security threats on any Linux system. LMD includes a full reporting system, where administrators can view both current and past scan results accompanied by email alerts after every scan and an array of other useful features. The scanner can be integrated with the ClamAV scanner engine for stronger performance and improved security posture.

Project Freta

Microsoft recently announced Project Freta, a free cloud-based malware scanning tool for Linux. The tool uses snapshot-based memory forensics, comparing thousands of images of Linux VMs to identify previously undetected malware.

Auditing

Conducting frequent security audits is an essential part of establishing the data and network security of your Linux servers. System auditing on Linux enables administrators to discover security bugs, breaches, or policy violations on their systems. In this section, we’ll take a look at the Linux Auditing System (AuditD) and the insight that this valuable feature can provide administrators into the security, stability, and functionality of their systems.

What is the Linux Auditing System?

The Linux Auditing System (AuditD) is a native feature of the Linux kernel that collects information on system activity to facilitate the investigation of potential network security issues. AuditD works at the kernel level, where it can oversee all system processes and activities, and uses the AuditD daemon to log what it finds. In most Linux distributions, AuditD is installed by default and runs automatically with the system. It logs information according to auditing and added rules. AuditD monitors three categories of events: system calls, file access, and select, pre-configured auditable events within the kernel. It enables administrators to audit activity using these categories of events, including authentications, failed cryptographic operations, abnormal terminations, SELinux modification, and program execution. When any one of the audit rules in place is triggered, AuditD outputs a comprehensive record that can be used to investigate the incident.

When implementing the Linux Auditing System, you will likely need to create some of your own rules. There are two types of rules that administrators can write: file system and system call rules. System activities like specific scripts executed, userland events, and internal kernel behaviors cannot be triggered using AuditD. When writing rules, it is critical to remember that audit rules work on a “first match wins” basis. In other words, once audited activity matches a rule, no further rules will be evaluated. Thus, the order in which rules are written is of utmost importance. To view the audit records generated by a triggered rule, administrators can use the native ausearch and aureport utilities. Ausearch lets you search your audit log files for specific criteria, and aureport creates summary reports from the audit log files.

It is crucial for administrators to ensure that AuditD is properly configured and hardened to provide genuine, reliable information. Begin by checking that AuditD’s configuration is immutable using the control option “-e 2”. Then, confirm that logs are stored in a centralized, secure location, ideally a server dedicated to accepting remote syslog events. AuditD is a very useful and free feature for facilitating investigations, especially historical investigations, in response to an incident. That being said, AuditD does have some serious weaknesses that should be taken into consideration, namely bugginess, excessive overhead, lack of granularity, missing container support, and onerous output.

Final Thoughts on Verifying Linux Server Security

Regardless of the OS you’re running, securing your servers is an ongoing process that requires vigilant monitoring, testing, verification, and maintenance. In recent years, Linux has become an increasingly popular target among cybercriminals due to its growing popularity. However, the good news is that the majority of attacks in network security on Linux systems can be attributed to poor administration and can thus be prevented with greater attention to security and system hardening. Frequently verifying the data and network security of your Linux servers using methods such as port scanning, intrusion detection, penetration testing, reverse engineering, and auditing is the only way to confirm that your servers are indeed as secure as you need them to be.
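The rules file below is an added example, not part of the article and not a distribution's shipped rule set. It applies the two points just made: rule order under "first match wins", and locking the configuration with "-e 2" as the final line. The file path, the "exec", "identity" and "auditconfig" keys and the excluded audit UID 1500 are assumptions chosen for illustration.

```text
## Added example (assumed path /etc/audit/rules.d/example.rules), not the article's own.
## Clear any loaded rules and size the kernel backlog before adding new ones.
-D
-b 8192

## First match wins: the "never" rule for the backup account (auid 1500, assumed)
## must come BEFORE the broad execve rule, or its program executions are still logged.
-a never,exit -F arch=b64 -S execve -F auid=1500
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k exec
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k exec

## File system (watch) rules: identity files and the audit configuration itself.
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/audit/ -p wa -k auditconfig

## Make the configuration immutable. This must be the last line; once loaded,
## rules cannot be changed again until the system is rebooted.
-e 2
```

After loading the rules, `auditctl -s` should report `enabled 2`, and `ausearch -k exec` lists the records produced by the execve rule; swapping the first two `-a` lines would make the exclusion for auid 1500 unreachable, which is the ordering mistake the text warns about.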
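The following is an added example, not Fail2ban's own code and not part of the article, showing the detection logic behind the Fail2ban description in the Monitoring Logs section: count failed SSH logins per source address inside a sliding window, ban an address once it crosses the threshold, and express the ban as the kind of reject rule the text mentions. The auth log lines, the hostname web1, the addresses and the thresholds (maxretry 5, findtime 600 s, bantime 3600 s) are all constructed; the rule is returned as a command list and never executed.

```python
"""Added example (not Fail2ban's code): the log-driven detection Fail2ban
applies to sshd failures, run over constructed sample auth log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth log excerpt: five failures from one address within seconds,
# a single typo from a legitimate user, and a later retry from the banned host.
AUTH_LOG = """\
Mar 20 10:15:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar 20 10:15:03 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Mar 20 10:15:04 web1 sshd[2213]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar 20 10:15:06 web1 sshd[2215]: Failed password for root from 203.0.113.9 port 51031 ssh2
Mar 20 10:15:09 web1 sshd[2216]: Failed password for root from 203.0.113.9 port 51032 ssh2
Mar 20 10:16:40 web1 sshd[2230]: Failed password for alice from 198.51.100.7 port 40111 ssh2
Mar 20 10:16:55 web1 sshd[2231]: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2
Mar 20 10:40:00 web1 sshd[2302]: Failed password for root from 203.0.113.9 port 51100 ssh2
"""

# Matches the syslog timestamp and the source address of an sshd failure.
FAILED = re.compile(
    r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for '
    r'(?:invalid user )?\S+ from (\S+) port'
)


def parse_time(stamp, year=2026):
    """Syslog timestamps carry no year; the year is assumed for the sample."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_bans(log, maxretry=5, findtime=600, bantime=3600):
    """Return {ip: (ban start, ban expiry)} for every address that fails
    maxretry times within findtime seconds, using a sliding window per IP."""
    recent = defaultdict(deque)
    bans = {}
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts, ip = parse_time(m.group(1)), m.group(2)
        if ip in bans and ts < bans[ip][1]:
            continue                      # still banned; the firewall rule handles it
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()              # drop failures older than findtime
        if len(window) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
            window.clear()
    return bans


def reject_rule(ip):
    """The "install a firewall rule to reject the address" reaction from the
    text, built as an iptables argument list (returned, not executed)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "REJECT",
            "--reject-with", "icmp-port-unreachable"]


if __name__ == "__main__":
    for ip, (start, expiry) in find_bans(AUTH_LOG).items():
        print(f"ban {ip} from {start:%H:%M:%S} until {expiry:%H:%M:%S}: {' '.join(reject_rule(ip))}")
```

With the sample data, 203.0.113.9 is banned at 10:15:09 for an hour and its 10:40:00 retry is ignored, while 198.51.100.7's single mistake never reaches the threshold; unbanning when the expiry passes is the matching reverse rule (`-D` instead of `-I`), which the example leaves to the reader.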

Mar 27, 2023, Brittany Day

Valentina's Nmap Journey: Insights on TryHackMe and Cybersecurity

Thank you to Oyelakin Timilehin Valentina for contributing this article. Our newest member, Valentina, an up-and-coming cybersecurity professional in Nigeria who is studying cybersecurity and showing stellar skills in learning and applying her knowledge, recently went through the TryHackMe online learning platform and shared her experiences, as well as a few quick tips on using Nmap.

TryHackMe is an online platform with courses available for beginners, intermediates and professionals in cybersecurity. There are real-world labs and challenges to give you an on-the-job challenge and experience. Nmap is one of the courses on this platform and an important tool in cybersecurity that is used for port scanning. This article explains the following:

- How and why I got into tech, and my tech background
- My experience with a mentor
- How I discovered the online platform TryHackMe
- My experience getting through the Nmap lab

Getting Into Tech

In my high school days, I wanted to be referred to as Engr. Val, although I was clueless as to what part of engineering I would like to venture into. Because I loved the title Engr., I made sure I worked towards getting into an engineering department in college, where I obtained a degree in Electronics and Computer Engineering at the University of Port Harcourt, Nigeria. I must tell you, I was still as clueless as I was in my high school days about what path to follow. Then came a seminar in my second year that structured and shaped my vision in the department and also connected me to my first mentor. I realized then that I found telecommunications interesting, so I started doing some research on it and took my telecommunication courses more seriously; it was indeed interesting. I got my first 6-month internship with Nokia Solutions and Networks, Nigeria in my fourth year, and the experience was priceless, but I still wasn’t satisfied; I just kept telling myself that there is more in tech.

After graduation, I decided to do more research on areas of technology, and I discovered cyber security. Wow, I bonded so much with this aspect of technology that I was convinced this is it. Before then, I didn’t find any programming language interesting, but discovering that knowledge of one is needed made me go into learning Python programming, which I find very interesting now. You would ask what my major drive is; I just want to make my country a safer place, I want to reduce criminal activity in my country, and discovering cybersecurity became the answer to my thirst in technology. I did a lot of research, and I am still doing it; I discovered a lot of areas in cyber security, and I took 3 certification exams: Introduction to Cyber Security and IT Essentials, both with Cisco, and HCIA (Routing and Switching). In all of these, I was still uncertain about the path to take in cyber security. This led to the next point in this article.

Getting a Mentor

This aspect of my life helped and guided me to where I am today; my first mentor gave me an insight into technology. My second mentor guided me into taking the Routing and Switching course with Huawei. My third mentor guided me all through my training in IT Essentials with Cisco. But I still needed someone in the cyber security field; I had lots of questions in my mind to clear the uncertainty in my head as to what to do to start my career in cybersecurity. There are numerous fields in cybersecurity that I discovered during my research, so I needed to know which aligns with my passion. On Monday, December 7, 2020, I saw a post on Twitter with the tag #cybermentoringmonday; I went through it and indicated that I needed a mentor, and there I met one. I told him about the areas of cybersecurity that I am interested in and why I am interested in them; I also told him what I was doing at the moment to gain more knowledge in tech.

He demystified the areas of cybersecurity I was interested in and told me, in his words, “you sound more blue team oriented”. He went further to explain the blue team and also the red team, and this cleared the uncertainty in my head to a large extent. He introduced me to the Mosse Cyber Security Institute, where I did research on my own, and it helped me to gain more knowledge.

Getting to Know the Amazing TryHackMe

On New Year's Day, he introduced me to TryHackMe and sponsored me for a membership for 2 months, with the instruction that I would update him on my progress and most likely get an extension of my membership for a year. This was my first big gift of 2021, and I was excited. He said, “let me know if you have questions or get stuck, and I think you will learn a lot”. He is always there to answer my questions.

Getting Through the Nmap Lab

You know that excitement that comes after completing a task, that excitement you get after crossing a hurdle when you earn the right to say “I am proud of myself”? That was me after getting through the Nmap lab. The first learning path I started in TryHackMe was Cyber Defense. You would ask why this was my first; it was the first captivating topic, but little did I know that I needed the knowledge of some fundamentals, including Nmap. The first room in Cyber Defense, Introductory Networking, is an introduction to the basic principles of networking. It gave me a detailed and easy understanding of the OSI model and also the TCP/IP model, where I got a better understanding of the “three-way handshake”. I was also introduced to the Wireshark tool, which is used to capture and analyze packets of data going across a network. This room also explained some networking tools, like ping, which is used to test the possibility of a connection to a remote network, and traceroute, which is used to show all the routes your request took as it gets to you. Whois lets you query who a domain name is registered to, and dig lets you query any DNS server to get information about a domain. This room was very interesting and easy, and I was eager to go to the next room, Network Services.

In the Network Services room, I got to know about the SMB (Server Message Block) protocol, which is used to share access to files, printers, serial ports and some other resources on a network. Also, I got an understanding of Telnet, an application protocol that works with a Telnet client and aids in connecting to and executing commands on a remote machine that is hosting the Telnet server. Finally, FTP (File Transfer Protocol), as its name implies, lets you transfer files remotely over a network. This particular room was more difficult than the previous one, but I kept moving to the next room, Network Services 2. A good knowledge of Linux would have made this room much easier to walk through. In the Network Services 2 room, I got to know about NFS (Network File System), which allows a system to share files/directories with others over a network. I was finding it all interesting until I got to task 3, Enumerating NFS, and got stuck; I couldn’t provide answers to the quiz. At this point, I had to tell my mentor. The first thing he said was that I should make sure that I am always connected to the OpenVPN server. This helped me get through the task, but I got stuck again in task 4, Exploiting NFS, and at this stage I realized I needed a good understanding of Nmap. So, I diverted to the Nmap room. You may be thinking, how did I know that I needed to divert to the Nmap room? In task 3 of Network Services 2, one of the topics mentioned was port scanning, which was covered but not in detail. Then my first quiz question for task 3 was about scanning for open ports, and this can only be answered by understanding how to scan for open ports, which can be learnt in the Nmap lab.

Diverting to the Nmap room helped me answer the quiz. In the Nmap room, I made sure that I was connected to the OpenVPN server, and then I deployed my machine. Nmap means network mapper, and I learnt about the Nmap switches and the scan types. TCP connect scans (-sT) take into consideration the TCP three-way handshake. Here, Nmap connects to each TCP port and determines if the port is open or closed: if a port is open, a TCP packet with the SYN/ACK flag is sent; if a port is closed, a RST (reset) flag is sent back; if a port is filtered, it is because it is protected by a firewall, in which case, when Nmap sends a TCP SYN request, it receives nothing back. Another scan type, the SYN scan (-sS), is referred to as a half-open scan or stealth scan and is used by Nmap if it is run with sudo permissions. The only difference between the TCP scan and the SYN scan is in the case of an open port: in SYN scans, when a port is open, an RST packet is received. In the next scan type, the UDP scan (-sU), a port is considered open|filtered when no response is sent back, but when a response is received (which is rarely possible), then the port is open; a port is closed when the target responds with an ICMP ping packet message indicating that the port is unreachable. The less commonly used TCP port scans, Null (-sN), FIN (-sF) and Xmas (-sX) scans, were also taught, and the response expected is similar to that of the UDP port scan. The next task talks about ICMP network scanning, where I was taught how to perform a ping sweep; a ping sweep is used to see IP addresses with an active host and those without. When I got to task 10, NSE (Nmap Scripting Engine) scripts, I got stuck again; I couldn’t give correct answers to the quiz, and I decided to watch videos on Nmap and noticed that Nmap is being performed on Kali Linux.

Also, I applied for an internship position sometime last month, and lack of experience in Linux couldn’t let me get it. This made me divert to the Linux Fundamentals rooms; after completing parts 1 and 2 of Linux Fundamentals, I was able to successfully complete the Nmap lab.

Conclusion

From my experience so far, it is first about your passion, then the effort you put into gaining more knowledge and experience. If you enjoy what you do, you will thirst for more knowledge and experience. To become a pro or an expert in something, you have to start from today, put in effort, then more effort; you just can’t stop putting in effort, and you have to be up to date to remain relevant in the field. Most importantly, get a mentor that will guide you, and when you do, give him/her every reason to be happy and proud to be your mentor, through the effort you put into gaining more knowledge and showing positive results.

Feb 16, 2021, Brittany Day

Port Scanning and Securing Linux Servers With Nmap Utility

Hi, and welcome back to another edition of Hacks From Pax. Today we'll discuss hardening Linux servers by scanning for unnecessarily open network ports, and we'll show you how to automate port scanning so you can easily monitor your network for vulnerabilities.

Portscanning, for the uninitiated, involves sending connection requests to a remote host to determine what ports are open for connections and possibly what services they are exporting. Portscanning is the first step a hacker will take when attempting to penetrate your system, so you should be preemptively scanning your own servers and networks to discover vulnerabilities before someone unfriendly gets there first. Any open ports that are unnecessary for proper system operation should be closed. Every open port is a possible access point for an unauthorized user, and every service accepting connections from the world could have a vulnerability. Even if you are diligent about applying patches, any unnecessarily running service is still a window an attacker could possibly climb through.

One way of viewing open ports on your Linux system is with the netstat command. Issue the command netstat --inet -a to view both your established connections and open listening network ports. This command reads from your /etc/services file to determine the service name for a given port number, so seeing *:www under the Local Address heading indicates your server's port 80 is open and listening, not that there is necessarily a webserver running on that port. You should check the list and ensure that the servers listening are indeed desired, and if they are not, they should be disabled. For example, this output shows me that my system is accepting connections on the ports for www, ssh, smtp and https.
    [root@frylock /root]# netstat --inet -a
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 *:www                   *:*                     LISTEN
    tcp        0      0 *:ssh                   *:*                     LISTEN
    tcp        0      0 *:smtp                  *:*                     LISTEN
    tcp        0      0 *:https                 *:*                     LISTEN

The best way of viewing open ports on a remote server is to use the nmap network scanning tool. It's recommended to use nmap from a system that is outside any firewall protecting your network, since the goal is to determine what network ports are visible and listening from a hypothetical attacker's point of view. Running the command nmap -vv -sS 192.168.1.1 would perform a SYN scan of only the common ports on the given IP address.

    [root@frylock ~]# nmap -vv -sS 192.168.1.65

    Starting nmap 3.81 ( https://nmap.org/ ) at 2005-07-02 13:17 EDT
    Initiating SYN Stealth Scan against meatwad.linuxsecurity.com (192.168.1.65) [1663 ports] at 13:17
    Discovered open port 22/tcp on 192.168.1.65
    Discovered open port 25/tcp on 192.168.1.65
    Discovered open port 443/tcp on 192.168.1.65
    Discovered open port 80/tcp on 192.168.1.65
    Discovered open port 1022/tcp on 192.168.1.65
    Discovered open port 8080/tcp on 192.168.1.65
    The SYN Stealth Scan took 0.24s to scan 1663 total ports.
    Host meatwad.linuxsecurity.com (192.168.1.65) appears to be up ... good.
    Interesting ports on meatwad.linuxsecurity.com (192.168.1.65):
    (The 1657 ports scanned but not shown below are in state: closed)
    PORT     STATE SERVICE
    22/tcp   open  ssh
    25/tcp   open  smtp
    80/tcp   open  http
    443/tcp  open  https
    1022/tcp open  unknown
    8080/tcp open  http-proxy
    MAC Address: 00:03:47:EF:42:42 (Intel)

    Nmap finished: 1 IP address (1 host up) scanned in 0.514 seconds
                   Raw packets sent: 1665 (66.6KB) | Rcvd: 1670 (76.9KB)

We can see that ports 22, 25, 80, 443, 1022 and 8080 are open and accepting connections. If we aren't using one or more of these services, the unused ones should be disabled to lessen our security liabilities.
This scan operates by sending a single SYN packet to each port and listening for a returned SYN|ACK, which indicates an open port. Consult the nmap website for further information on the particulars of nmap usage. Nmap is an indispensable security tool that you should make a place for in your sysadmin toolbox.

Nmap can be very useful for determining the outward-facing open ports on your network when you remember to check, but with a little perl magic it can be useful for keeping an ongoing eye on your network as well. I've written a perl utility called NetDiff that scans a given network or multiple networks with nmap, stores the results in a database and then invokes diff on the result set to find newly opened and closed ports on a daily basis. NetDiff will also detect any systems newly added to or removed from the network, which can be useful for spotting, for example, that rogue wireless access point surreptitiously plugged into your network by the marketing department. NetDiff packages and documentation can be found on ftp.engardelinux.org. For those running EnGarde Secure Linux, I've written a WebTool module and packaged NetDiff rpm packages, so you can simply install the packages and their required prerequisites, then configure your networks and later view the reports from within the EnGarde WebTool environment.

NetDiff reports display any network changes in a diff-style format, prepending newly added lines with a '+' and removed lines with a '-'. For example, in the following NetDiff report we can see that the host at 192.168.42.64 was disconnected since the last scan, a host at 192.168.42.127 was connected, and a telnet service was started on 192.168.42.1. Investigating these results against preplanned administration work is an exercise for the sysadmin reading the report. Perhaps the telnet port was opened for a reason, but perhaps a hacker has penetrated that system and opened the port for nefarious purposes.
    #
    # NetDiff Report
    #
    # Networks scanned :
    #   192.168.42.0/24
    #
    # Last scan completed : 2005-07-03 02:05:43
    # Scan started        : 2005-07-04 01:00:01
    # Scan completed      : 2005-07-04 02:06:31
    # Hosts Scanned/Found : 35/35
    #
    192.168.42.64 ** MISSING **
    192.168.42.64 ** CHANGED **
    -192.168.42.64 Status up
    -192.168.42.64 Extra Ports filtered 1662
    -192.168.42.64 Port 80 http closed table 3
    ----------------------------------------------------------------------------
    192.168.42.127 ** NEW HOST **
    192.168.42.127 ** CHANGED **
    +192.168.42.127 Status up
    +192.168.42.127 Extra Ports filtered 1662
    +192.168.42.127 Port 80 http closed table 3
    ----------------------------------------------------------------------------
    192.168.42.1 ** CHANGED **
    -192.168.42.1 Extra Ports closed 1663
    +192.168.42.1 Extra Ports closed 1662
    +192.168.42.1 Port 23 telnet open table 3
    ----------------------------------------------------------------------------

Setting up netdiff to run daily will give you a quick and easy way to view your recent network changes. Discovering a newly opened port on your network can be a telltale sign of a hacker's penetration or simply another sysadmin's mistake, but you'll know about it immediately and can take action to investigate the offending port and server. No scanning or reporting tool can replace a competent sysadmin, but a good reporting tool can guide a sysadmin towards anomalies on his or her network that require further sleuthing.

Until next time, stay secure, and know your network like the back of your hand. I'll see you again soon, in the next episode of Hacks From Pax.

-- Pax Dickinson has over ten years of experience in systems administration and software development on a wide variety of hardware and software platforms. He is currently employed by Guardian Digital as a systems programmer where he develops and implements security solutions using EnGarde Secure Linux.
His experience includes UNIX and Windows systems engineering and support at Prudential Insurance, Guardian Life Insurance, Philips Electronics and a wide variety of small business consulting roles.
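The scan-to-scan comparison that NetDiff performs can be reproduced from nmap's grepable output; the following Python script is an added example for this article, not NetDiff's Perl code, and assumes both scans were saved with nmap -oG. The two inputs are constructed samples mirroring the report above (a missing host, a new host, and a telnet service appearing on 192.168.42.1).

```python
"""Added example (not NetDiff's own Perl): diff two nmap scans and flag
new/missing hosts and changed ports in NetDiff's +/- report style.
Assumes each scan was saved with nmap's grepable output (nmap -oG file)."""

YESTERDAY = """\
Host: 192.168.42.1 ()\tStatus: Up
Host: 192.168.42.1 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (1662)
Host: 192.168.42.64 ()\tStatus: Up
Host: 192.168.42.64 ()\tPorts: 80/open/tcp//http///\tIgnored State: filtered (1662)
"""  # constructed sample, not captured output

TODAY = """\
Host: 192.168.42.1 ()\tStatus: Up
Host: 192.168.42.1 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///\tIgnored State: closed (1661)
Host: 192.168.42.127 ()\tStatus: Up
Host: 192.168.42.127 ()\tPorts: 80/open/tcp//http///\tIgnored State: filtered (1662)
"""  # constructed sample, not captured output


def parse_grepable(text):
    """Return {ip: {(port, proto): (state, service)}} for every host reported Up."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if field.startswith("Status:") and field.split()[1] == "Up":
                hosts.setdefault(ip, {})
            elif field.startswith("Ports:"):
                ports = hosts.setdefault(ip, {})
                for entry in field[len("Ports:"):].split(","):
                    # grepable entry: port/state/proto/owner/service/rpc info/version
                    port, state, proto, _owner, service = entry.strip().split("/")[:5]
                    ports[(int(port), proto)] = (state, service)
    return hosts


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def netdiff(old, new):
    """NetDiff-style lines: '-' for what disappeared, '+' for what appeared."""
    report = []
    for ip in sorted(set(old) | set(new), key=_ip_key):
        before, after = old.get(ip, {}), new.get(ip, {})
        if ip not in old:
            report.append(f"{ip} ** NEW HOST **")
        elif ip not in new:
            report.append(f"{ip} ** MISSING **")
        changes = []
        for port, proto in sorted(set(before) | set(after)):
            if before.get((port, proto)) == after.get((port, proto)):
                continue  # unchanged port: nothing for the admin to look at
            if (port, proto) in before:
                state, service = before[(port, proto)]
                changes.append(f"-{ip} Port {port}/{proto} {service} {state}")
            if (port, proto) in after:
                state, service = after[(port, proto)]
                changes.append(f"+{ip} Port {port}/{proto} {service} {state}")
        if changes and ip in old and ip in new:
            report.append(f"{ip} ** CHANGED **")
        report.extend(changes)
    return report


REPORT = netdiff(parse_grepable(YESTERDAY), parse_grepable(TODAY))

if __name__ == "__main__":
    print("\n".join(REPORT))
```

Run daily from cron against saved -oG files, an empty report means nothing changed; any '+' line on a host you did not touch is the anomaly worth chasing.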

Feb 04, 2010, Anthony Pell
