
Stay Ahead With Linux Security Features


Explore Latest Linux Security features


Master Shell Scripting: A Step-by-Step Tutorial for New Users

Blessen Cherian, CTO and Executive Team Member of bobcares.com, writes: "Shell scripting is nothing but a group of commands put together and executed one after another in a sequential way. Let's start by mentioning the steps to write and execute a shell script."

Step 1: touch a file, e.g.:

    touch Firstshellscript.sh

Step 2: Open the file using the command vi or pico, e.g.:

    vi Firstshellscript.sh

Step 3: All shell scripts should begin with "#!/bin/bash". This line is called the shebang; it looks like a comment but it is not. It is a message which tells the system which interpreter is to be used for this script. Normally the format is #!

Step 4: Write the code / script which you want to develop in the file named Firstshellscript.sh. Here let's write our first shell script, the usual hello world display script.

Step 5: For hello world to be displayed by the shell script, put this content in the file Firstshellscript.sh:

    echo "Hello World"

Step 6: The next step is to make the script executable by using the command chmod, e.g.:

    chmod 744 Firstshellscript.sh

or

    chmod u+x Firstshellscript.sh

Step 7: Execute the script using the command sh, i.e.:

    bash> sh Firstshellscript.sh

If you want to see the entire execution, use the command sh -xv <script name>

Step 8: The above command would display contents like what is shown below:

    bash> sh Firstshellscript.sh
    bash> Hello World

Finally, success: we have written our first shell script and executed it. A hello world script will look like what is shown below if you cat or open the script named Firstshellscript.sh:

    cat Firstshellscript.sh
    #!/bin/bash
    echo Hello World

Comments in a Shell

All lines beginning with # are comments in shell scripting. You can have multi-line comments by using a colon and single quotes, e.g.:

    : '
    This is a comment line
    Again this is a comment line
    My God again this is a comment line'

Note: This will not work if there is a single quote in between the contents.

Variables

As you all know, variables are the most significant part of any software language, be it Perl, C or anything else. Similarly, in shell scripting variables are very significant, and they are classified mainly into two kinds: System Variables and User Defined Variables.

System Variables

The System Variables are variables which are already defined and kept in the OS; they are also called Environment Variables. These variables are all named in capital letters. One can see these variables and their values by executing the command set. Examples of System Variables are PWD, HOME, USER etc. The values of these system variables can be displayed individually by echoing them, i.e. echo $HOME will display the value stored in the system variable HOME. To set a System Variable use the "set" command, e.g.:

    bash> set $PATH=/home/blessen/shellscript

User Defined Variables

These kinds of variables are commonly used in scripting. They are normal variables, but their names should not be in capital letters, should not start with a number etc. An ideal variable name would be like _define_tempval. To set or define a user defined variable, please read below.

When we assign or create a variable we just write the variable name, an equals sign and its value, with no spaces around the equals sign, i.e. _define_tempval=blessen. Now to use / display the value in the variable _define_tempval we have to use the echo command, i.e. echo $_define_tempval, the output of which will be blessen.

Below is an example script which sets a variable named username and displays its content on the screen when it is executed.

    #!/bin/bash
    # Assign the variable, then expand it inside the quoted string.
    username=blessen
    echo "The username is $username"

Command Line Arguments

These are variables which pass values or arguments to a script for it to process. The values passed into the script are accessed using $1, $2 ... $n, where $1 is the first command line argument, $2 the next, etc. The delimiter here is a space. $0 is the name of the script. The variable $# holds the number of command line arguments supplied.

Let me explain. Consider a script which takes in 2 command line arguments and displays them. The name of the script is commandline.sh and it looks like the one below:

    #!/bin/bash
    # $1 and $2 are the first and second command line arguments.
    echo "The first variable is $1"
    echo "The second variable is $2"

When I execute commandline.sh with command line arguments like blessen and lijoe, the output of the script will be like the one shown below:

    bash> sh commandline.sh blessen lijoe
    The first variable is blessen
    The second variable is lijoe

Exit status variable

This variable tells us if the command executed just above it was successful or not. The variable is represented using $?. If the value is 0, it means that the command which was executed just above was successful. If the value is any other number, it means that the above command was unsuccessful. Thus it is very useful in scripting.

For testing, create a file named test by using the command touch test. Then try cat on the file and check the value of $?:

    bash> cat test
    bash> echo $?
    0

The value is zero because the command was successful. Now try cat on a file which is not there. Let it be xyz1.

    bash> cat xyz1
    bash> echo $?
    1

The value 1 for the exit status shows that the above command was unsuccessful.

Scope of a Variable

I am sure most programmers have learned about and most probably worked with variables and their scope. In shell also we use the scope of a variable for various programming activities. In shell there are 2 types of scope: one is global and the other is local. From the name itself you can understand that the scope of a global variable is throughout the program, i.e. any other shell program can use these variables for its functioning, and it is set using the export command. Syntax is:

    variable1=
    export variable1

In a shell program, local variables are defined using a local tag before the variable when it is defined. Syntax is:

    local variable=

The below script will demonstrate the scope of a local and a global variable.

    #!/bin/bash
    function display() {
        local local_var=100     # visible only inside display
        global_var=blessen      # still set after display returns
        echo " local variable is $local_var"
        echo "global variable is $global_var"
    }
    echo " ======================"
    display
    echo "=======outside ========"
    # local_var is empty here; global_var keeps its value
    echo "local variable outside function is $local_var"
    echo "global variable outside function is $global_var"

Input and Output in shell scripting

For taking input from the keyboard we have to use a tool provided by the shell which is called read. The read command reads the values which are typed on the keyboard and assigns them to the variable mentioned along with it. Syntax is:

    read

For output we use the echo command, which we have already dealt with in the explanation above. Syntax is:

    echo "statement to be displayed"

Arithmetic Operations in shell scripting

Like all other scripting languages, shell script also allows us to play with numbers and the functions associated with them, like addition, subtraction, multiplication and division. To do these arithmetic operations a function called expr is used, which tells the shell script interpreter that these are numbers on which the specified function is to be performed, i.e. expr a + b means add a and b. Syntax:

    expr

e.g.:

    sum=`expr 12 + 20`

A similar syntax can be used for subtraction, division and multiplication. There is another way to handle arithmetic operations: include the variables and function inside a square bracket which starts with a $ sign. Syntax is:

    $[expression / statement]

e.g.:

    echo $[12 + 10]

Conditional Loops

Let's have some fun with conditional statements like "if condition .
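The script below is an added example, not part of the original tutorial. It combines the command line arguments, `$#`, `$?` and local/global scope described above in one function; the names count_lines, demo and checked, and the demo files, are constructed for illustration.

```bash
#!/bin/bash
# Added example: $#, "$@", local scope and $? working together.

checked=0                          # global: still set after the function returns

# count_lines FILE...: print "<lines> <file>" for every readable file.
# Returns 2 if no argument was given, 1 if any file could not be read, else 0.
count_lines() {
    local file lines failed=0      # local: not visible outside count_lines
    if [ "$#" -eq 0 ]; then        # $# is the number of arguments supplied
        echo "usage: count_lines FILE..." >&2
        return 2
    fi
    for file in "$@"; do           # quoting keeps names with spaces intact
        lines=$(wc -l 2>/dev/null < "$file")
        if [ "$?" -ne 0 ]; then    # exit status of the command just above
            echo "cannot read: $file" >&2
            failed=1
            continue
        fi
        checked=$((checked + 1))
        echo "$lines $file"
    done
    return "$failed"
}

# Constructed demo input: one two-line file and one name that does not exist.
demo() {
    local dir status
    dir=$(mktemp -d) || return 3
    printf 'Hello\nWorld\n' > "$dir/first file.txt"
    count_lines "$dir/first file.txt" "$dir/xyz1"
    status=$?
    rm -rf "$dir"
    return "$status"
}

demo || echo "demo returned $?"
```

The demo returns 1 because xyz1 is missing, while the global counter still records the one file that was read.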

Nov 26, 2006, Benjamin D. Thomas

Best Practices For Securing PHP Installations on Linux Using Apache

As vulnerabilities in PHP are increasing day by day, there comes the need to secure the PHP installation to the highest level. Due to its popularity and wide usage, most developers and administrators will be in trouble if they don't take appropriate steps on security issues during the installation.

First comes the question of choosing the platform for PHP. I have chosen the Linux OS and the Apache web server to explain this because of their performance and security aspects. It depends on the developer's need whether PHP is going to be installed as an Apache module or as a CGI interpreter.

When choosing to build PHP in either of the two ways, you should consider the advantages and drawbacks of each method. Building as a shared object means that you can compile Apache separately, and you don't have to recompile everything as you add to, or change, PHP. Building PHP into Apache statically means that PHP will load and run faster.

Advantages

- The server is more flexible. It can be run as SSL, mod_perl, or PHP with only one installation.
- Servers can be extended with other modules even after installation.
- Module development and testing is easier, as compiling the Apache source is not required each time the module is changed.

Disadvantages

- DSO is not supported on all platforms.
- Startup of the server is 20% slower due to symbol resolving.
- The server is approximately 5% slower at execution time under some platforms, because position independent code (PIC) sometimes needs complicated assembler tricks for relative addressing which are not necessarily as fast as absolute addressing.
- DSO can produce a slightly slower server depending on platform and address resolution.
- DSO modules cannot be linked with other DSO modules. For example, a.out-based platforms usually don't provide this functionality while ELF-based platforms do.
- You cannot use the DSO mechanism for all types of modules. This requires either that the code be referenced directly through the Apache core, or that you compile Apache with chaining available.
- Some platforms cannot force the linker to export all global symbols for linking DSO and Apache executables. This is overcome using the SHARED_CORE feature of Apache, which is used by default on such platforms.

Advantages/Disadvantages of compiling PHP as a CGI interpreter

PHP can be compiled as a CGI binary; this allows a user to separate PHP from their web server entirely. Each PHP script that is written will need to contain a statement that points to the path of the PHP binary, just as in Perl:

    #!/usr/local/bin/php

CERT Advisory CA-96.11 advises against placing any type of interpreter in the CGI-BIN, so it is a good idea to create an isolated directory where PHP can be run. PHP has built-in security measures to prevent malicious attacks of this type as well. In the configuration file for PHP, you can specify the following security features:

doc_root
This option only works when PHP is installed in Safe Mode. It specifies where the root document directory of PHP is. Scripts outside of this directory will not be interpreted.

user_dir
This option only works when PHP is installed in Safe Mode. This variable specifies user directories so that scripts outside of this directory cannot be executed.

--enable-force-cgi-redirect
This allows you to force redirection so that scripts cannot be accessed directly from the internet. Scripts are redirected to a URL, hiding their full path names.

Building as a CGI binary means efficiency could be improved by having only a single Perl interpreter running in memory, and passing it the Perl scripts. This is where mod_perl comes into the picture. It provides a single embedded Perl interpreter within the Apache web server. This can be either statically linked, or built as a DSO module. Some of the advantages of mod_perl are:

- Able to write Apache modules entirely in Perl.
- Having a persistent interpreter in the server saves on the overhead of starting a Perl interpreter for each script.
- Offers code caching, where the modules and scripts are loaded and compiled only once.
- Increased power and speed.
- Full access to the web server.
- Allows customized processing of URI to filename translation, authentication, response generation and logging with practically no run-time overhead.
- Improved performance of 200% to 2000% is apparently obtained.

One of the major drawbacks of a CGI interpreter is when PHP is compiled as a CGI. This means a lack of efficiency in handling high traffic applications.

PHP installation is very easy, but installing PHP in a secured manner depends on your platform, installation type selection, and the configuration options considered. Whatever method you choose, please remember to follow the recommended PHP configuration options. There are various options that can be set in PHP to increase the overall security of your server. We will discuss some of the most common and useful options.

safe_mode
Safe mode is required for nearly all of the following options. Safe mode allows PHP to impose more security restrictions than a normal configuration.

safe_mode_exec_dir
Setting this variable helps you force PHP to only execute scripts from a specified directory.

open_basedir
This option allows you to control which directories PHP scripts are allowed to access files from. By default PHP will allow a script to access a file from anywhere, so it is recommended that this option be set. By predefining valid directories, data can be protected.

max_execution_time
This variable enables you to set a maximum execution time that a script can have. If a script runs longer than the allocated execution time, it will be terminated. This option allows you to prevent attackers from tying up your web server with malicious scripts that could cause denial of service.

memory_limit
This allows you to control the maximum amount of memory that a script can use. Using this will help to prevent buffer overflows which may lead to more serious threats.

upload_tmp_dir
This designates where PHP will place files that are being uploaded.

We will discuss both cases here.

PHP AS AN APACHE MODULE:

Here Apache should run as an ordinary user with least privileges. Never run Apache as the root user. Try to run Apache in a root jail. If you are running PHP as an Apache module it is fine, meaning it provides maximum security. Following are the steps to install and configure the same.

    gunzip apache_xxx.tar.gz
    tar -xvf apache_xxx.tar
    gunzip php-xxx.tar.gz
    tar -xvf php-xxx.tar
    cd apache_xxx
    ./configure --prefix=/www --enable-module=so
    make
    make install
    cd ../php-xxx
    ./configure --with-mysql --with-apxs=/www/bin/apxs
    make
    make install

If you decide to change your configuration options after installation, you just have to repeat the last three steps. You also have to restart Apache for the new module to take effect. A recompile of Apache is not needed.

    cp php.ini-dist /usr/local/lib/php.ini

You can edit your .ini file to set PHP options. If you prefer this file in another location, use --with-config-file-path=/path in step 8.

Edit your httpd.conf or srm.conf file and check that these lines are present and not commented out:

    AddType application/x-httpd-php .php
    LoadModule php4_module libexec/libphp4.so

The path on the right hand side of the LoadModule statement must point to the path of the PHP module on your system. The above statement is correct for the steps shown above.

Different examples of compiling PHP for Apache are as follows:

    ./configure --with-apxs --with-pgsql

This will create a libmodphp4.a library, a mod_php4.c and some accompanying files and copy them into the src/modules/php4 directory in the Apache source tree. Then you compile Apache using --activate-module=src/modules/php4/libphp4.a and the Apache build system will create libphp4.a and link it statically into the httpd binary. The PostgreSQL support is included directly in this httpd binary, so the final result here is a single httpd binary that includes all of Apache and all of PHP.

    ./configure --with-apache=/path/to/apache_source --with-pgsql=shared

    ./configure --enable-debug=no

Note: Will not disclose the physical path if some error occurs.

    ./configure --enable-safe-mode

Banner Off in Apache's configuration file httpd.conf will not disclose the server's banner information. This makes attacks more difficult for would-be intruders.

Let's consider the second case.

PHP AS A CGI INTERPRETER:

Download the latest version of PHP from PHP: Downloads.

Extract the package:

    # tar zxvf php-x.x.x.tar.gz

where x.x.x is the version number.

Change to the PHP directory:

    # cd php-x.x.x

Configure it with the various options present:

    # ./configure --without-apache --without-apxs --enable-force-cgi-redirect

This tells PHP that it is built without Apache support and as a CGI binary. You should get the binary in /usr/local/bin/php.

Now you know why it is compiled with the --enable-force-cgi-redirect option. The CGI binary isn't compiled within Apache; it runs under a separate process and user. Hence the question arises of placing the CGI binary in a proper location. I would suggest that the CGI binary be placed outside the web directory, as the risk would be greatly reduced, and also make sure that you have enabled safe mode in the php.ini configuration file.

Most commonly, attacks arise in the form of getting access to files. Therefore you can prevent the user from calling the CGI binary directly by forcing a CGI redirect within Apache. For this, just add the following directives in Apache's httpd.conf file:

    Action php-script /cgi-bin/php.cgi
    AddHandler php-script .php

Now you will see that the URL is rewritten http://test.com/application/test.htm into:

Note: Ensure that you perform permission checks on the application/directory in the process. This gives you the added benefit of making the URL a little shorter.

Lastly, change your doc_root and user_dir options in the php.ini appropriately.

SUMMARY:

Here we have discussed how best the user can secure a PHP installation considering both cases, and I hope this will be helpful to all those who are keen on securing PHP and thus eliminating many of the security risks involved.

Article By: Dharmendra.T, Linux Security Expert
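As an added example (not part of the original article), the script below reads a php.ini and reports the state of the directives discussed above. The sample file, the function names ini_get and audit_php_ini, and the OK/WARN/DEFAULT labels are constructed for illustration; safe_mode exists only in PHP releases before 5.4.

```bash
#!/bin/bash
# Added example: report how a php.ini sets the directives discussed above.

# Constructed sample configuration, not taken from a real server.
sample_ini() {
cat <<'EOF'
[PHP]
safe_mode = Off
open_basedir =
max_execution_time = 0   ; 0 disables the time limit
memory_limit = 8M
;upload_tmp_dir = /www/tmp
doc_root = "/www/htdocs"
EOF
}

# ini_get NAME: read php.ini text on stdin, print the last active value of NAME.
# Comment lines (;) and section headers ([...]) are skipped.
ini_get() {
    awk -v key="$1" '
        /^[ \t]*;/ || /^[ \t]*\[/ { next }
        (pos = index($0, "=")) > 0 {
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/[ \t]/, "", k)
            sub(/[ \t]*;.*$/, "", v)             # drop trailing comment
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)     # trim blanks and quotes
            if (k == key) val = v
        }
        END { printf "%s", val }'
}

# audit_php_ini: read php.ini on stdin, print one line per directive and
# return 1 if any directive is in a state the article warns against.
audit_php_ini() {
    ini=$(cat); warn=0
    for name in safe_mode open_basedir doc_root upload_tmp_dir \
                max_execution_time memory_limit; do
        val=$(printf '%s\n' "$ini" | ini_get "$name")
        case "$name=$val" in
            safe_mode=On|safe_mode=on|safe_mode=1) state=OK ;;
            safe_mode=*)          state=WARN ;;     # off or missing
            max_execution_time=0) state=WARN ;;     # no time limit
            memory_limit=-1)      state=WARN ;;     # no memory limit
            max_execution_time=|memory_limit=) state=DEFAULT ;;
            *=)                   state=WARN ;;     # path restriction not set
            *)                    state=OK ;;
        esac
        [ "$state" = WARN ] && warn=1
        printf '%-7s %s = %s\n' "$state" "$name" "${val:-<unset>}"
    done
    return "$warn"
}

sample_ini | audit_php_ini || true
```

On a real system, feed it the file PHP actually loads, for example `audit_php_ini < /usr/local/lib/php.ini` for the install path used above.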

Aug 22, 2002, Brittany Day