Stay Ahead With Linux Security Features

Protecting Your Linux Systems Against Emerging Malware Threats

If you’ve been keeping up with the latest IT security news, you may have noticed the increase in the number of attacks on Linux systems. Cloud Snooper, EvilGnome, HiddenWasp, QNAPCrypt, GonnaCry, FBOT, and Tycoon have become the prime malware variants to be aware of. Linux is considered a highly secure operating system, so these breaches may leave users concerned about the integrity of their systems. In this article, LinuxSecurity.com aims to put these recent Linux attacks into perspective, provide some background on Linux malware, and shed some light on other concerns users might have.

The Modern Linux Threat Landscape in a Nutshell

Despite the heralded safety of Linux operating systems, network security threats, including malware and viruses, have grown to be serious concerns for Linux users. Threat actors target Linux because a compromised server offers a return on investment. As of March 2018, 15,762 new Linux malware variants had been developed, a notable increase from the 4,706 new variants recorded by March 2017. The evolution of malware research in recent years has offered superior visibility into the exploits that threaten Linux servers. A vulnerable server of any sort is an open door for data and credential theft, DDoS attacks, cryptocurrency mining, and web traffic redirection. Most significantly, it can be used to host malicious command and control (C&C) servers. Just over a year ago, bringing a collaborative three-year effort to a conclusion, security researchers identified various OpenSSH backdoors, including the notorious Linux/Ebury backdoor, which could be used to deploy further malware on compromised servers. At the same time, ESET researchers exposed 21 Linux-based malware families, 12 of which were previously undocumented. In a sense, these findings confirmed an evolving, increasingly dangerous array of threats putting Linux users and their systems at risk.

A Brief History of Linux Malware

The increasing prevalence of Linux malware in recent years arguably creates the illusion of a new threat targeting Linux systems; unfortunately, Linux malware has been around for quite some time. The first piece of Linux malware, dubbed Staog, was identified in 1996. Staog was a basic virus that attempted to gain root access by attaching itself to running executables, but it did not spread very successfully and the flaws it relied on were rapidly patched. Staog made its claim to fame as the first piece of Linux malware, but Bliss, recognized in 1997, was the first Linux malware variant to grab headlines. Similar to Staog, Bliss was a fairly mild infection that attempted to gain privileges via compromised executables, but fortunately it could be deactivated with a simple command-line switch.

Guardian Digital CEO and LinuxSecurity.com founder Dave Wreski commented on the evolution of Linux malware: “Over the years, malware targeting Linux systems has become both more sophisticated and more common; however, up until fairly recently, Linux malware was still relatively scarce and primitive compared to the variants that threatened proprietary operating systems. As of 2018, there had not yet been a single widespread Linux malware attack or virus comparable to those that frequently target Microsoft Windows - which can be attributed to a lack of root access and rapid updates to the majority of Linux vulnerabilities.”

Unfortunately for Linux users, the era of complete data and network security has ended, as the Linux threat landscape has been remodeled to become significantly more complex and dangerous.

Why Is Linux Malware a Growing Concern for Administrators?

Much to the dismay of Linux system administrators and users, all of 2019 and the start of 2020 were plagued with emerging malware campaigns targeting Linux servers. These attacks demonstrated new and dangerous tactics for spreading, allowing the intrusions to remain undetected until servers were already compromised. Let’s go over the main Linux malware strains that have gained notoriety in the past couple of years.

CloudSnooper

CloudSnooper uses a unique combination of sophisticated techniques to sneak into Linux and Windows servers so the malware can communicate freely with command and control servers through firewalls. CloudSnooper enables threat actors to work through servers “from the inside out” and is the first observed example of an attack formula that combines a firewall-bypassing technique with a multi-platform payload targeting both Windows and Linux systems. While each individual element of CloudSnooper’s tactics, techniques, and procedures (TTPs) has been observed previously, they had not been used in combination until now. Experts predict that this package of TTPs will serve as a blueprint for dangerous new firewall attacks. In the attacks analyzed, the operators compromised Amazon Web Services (AWS) servers and installed a rootkit that enabled them to control the servers remotely. They then funneled sensitive data from the compromised Windows and Linux machines to command and control (C2) servers. Security researcher Willem Mouton describes the attack: “From a technical perspective, it is a thing of beauty, as well as the fact that they made it cross-platform.”

EvilGnome

Discovered in July 2019, EvilGnome disguises itself as a GNOME Shell extension so it can remain undetected by security software while spying on desktop users. EvilGnome is delivered via a self-extracting archive created with the makeself shell script, and the infection is automated by an autorun argument embedded in the header of the self-extracting payload. Once running on a Linux system, the malware is capable of stealing files, taking desktop screenshots, and capturing audio from the user’s microphone, and the collected material is exfiltrated for use by the operators. EvilGnome attacks have been linked to the Gamaredon Group, a Russian Advanced Persistent Threat (APT) group notorious for developing custom malware variants: the EvilGnome operators and Gamaredon use the same hosting provider and overlapping C2 domains. Nothing has been confirmed regarding the connection, but the shared infrastructure makes it highly likely that these attacks come from the same source.

HiddenWasp

In early 2019, security researchers discovered a new strain of Linux malware, attributed to Chinese actors, that can be used to remotely control infected systems. Dubbed HiddenWasp, this sophisticated malware consists of a trojan, a user-mode rootkit, and an initial deployment script. HiddenWasp is deployed as a second-stage payload and is capable of running terminal commands, interacting with the local filesystem, and more. HiddenWasp displays similarities to several other Linux malware families, including Azazel, ChinaZ, and Adore-ng, suggesting that some of its code may have been borrowed. Unlike common Linux malware, HiddenWasp is not focused on DDoS activity or crypto-mining. Instead, it is a trojan used solely for targeted remote control.

QNAPCrypt

In the summer of 2019, security researchers identified a rare instance of Linux ransomware targeting Network-Attached Storage (NAS) servers. The malware, which they named QNAPCrypt, is an ARM variant that encrypts all files; however, unlike standard ransomware, the ransom note is delivered solely as a text file without any message on the screen. Each victim is provided with a unique Bitcoin wallet, a tactic that helps conceal the identity of the attackers. Once a system is infected, the ransomware requests a wallet address and a public RSA key from the C2 before encrypting any files. This dependency is a flaw in QNAPCrypt’s design: because encryption does not begin until the C2 supplies a fresh wallet and key, interfering with that exchange can temporarily halt the threat actors’ operation. Despite this weakness, QNAPCrypt represents the “evolution and adaptation of an attack to bypass security controls.” Unfortunately, it isn’t very common for Linux system administrators to deploy endpoint monitoring on network file servers.

GonnaCry

GonnaCry is an emerging Linux ransomware variant under active development in Python and C for research purposes. Lead developer Tarcisio Marinho explains the motivation behind his work: “Since the worldwide spread of the Wannacry ransomware in May 2017 affected so many countries and companies, I kept wondering: Is it really hard to mess with a company’s or a person’s life with a computer? The answer is yes, it’s possible. And ransomware is a computer virus so powerful to do so.” GonnaCry begins its work by finding the files it will encrypt. Once it has identified these, the malware starts its encryption routine and creates a desktop file that will help the decryptor access the path, key, and IV used to encrypt each file. The ransomware then frees the memory it allocated while processing the files. GonnaCry does not rival notorious variants like WannaCry and Petya in complexity, but according to Marinho, “The basic structure is working.”

FBOT

FBOT is a client variant of the infamous Mirai botnet that targets Linux IoT devices. According to the “Malware Must Die!” blog, FBOT re-emerged on February 9, 2020, after a month of inactivity, with several technical updates, including changes to its infection method and increased propagation speed. “Malware Must Die!” reflects on the re-emergence of FBOT and the future of Linux IoT malware: “We are in an era where Linux or IoT malware is getting into better form with advantages. It is important to work together with threat intelligence and knowledge sharing to stop emerging malicious activity before it becomes a big problem for all of us later on.”

Tycoon

Tycoon is an emerging strain of Java-based ransomware that targets both Linux and Windows systems. This dangerous ransomware variant, discovered by BlackBerry security researchers, uses a little-known file format, making it highly difficult to detect before it detonates its file-encrypting payload. The researchers who discovered Tycoon reported that this was the first time they had seen a ransomware module compiled into a Java image (JIMAGE) file. JIMAGE files are rarely scanned by anti-malware engines, so malicious JIMAGE files stand a good chance of going undetected. BlackBerry explains in a blog post, “Malware writers are constantly seeking new ways of flying under the radar. They are slowly moving away from conventional obfuscation and shifting towards uncommon programming languages and obscure data formats.” BlackBerry researchers say that they have recently observed roughly a dozen “highly targeted” Tycoon infections, and the attackers appear to carefully select their victims, favoring small- and medium-sized businesses in the software and education industries. However, as is often the case, the researchers suggest that the actual number of infections is likely much higher.

Knowing the various threats taking control of Linux systems is vital to taking care of your server and preventing its vulnerabilities from being exploited.

Tips & Tools for Defending Linux Servers Against Malware

With attacks targeting Linux servers becoming increasingly common and dangerous, defending against malware and other advanced Linux threats is more critical than ever in maintaining a secure system. Here are some tips and tools to consider when securing your Linux system, all of which reduce your exposure:

- Double-check all cloud configurations, as user misconfiguration and lack of visibility are the top causes of cloud security breaches.
- Ensure that remote access portals are properly secured. Many network-level attacks are made possible because attackers find their way in through a legitimate but insecure remote access portal by impersonating a trusted source.
- Create a complete inventory of all devices connected to the network and update the security software on these devices frequently.
- Make sure that all external-facing services are fully patched. Firewall security is not a substitute for an organization’s own cloud security measures, and security patching should be done regularly.
- Set rules in your firewall to block the control packets specific to Cloud Snooper.
- Enable multi-factor authentication on all security dashboards and control panels used internally, to prevent threat actors from disabling security software in the event of an attack.
- Review system logs regularly. It’s rare that threat actors are able to take over servers without leaving some trace of their actions, such as log entries showing unexpected or unauthorized kernel drivers being activated. Keep in mind, however, that criminals who already have root privileges can tamper with your logging configuration and the logs themselves, making malicious activity harder to spot.

Remember that a comprehensive, defense-in-depth approach to security is essential in protecting your system from modern, advanced exploits.

How Can I Rapidly and Accurately Identify and Eliminate Linux Malware?

If malware does get onto your system, being able to rapidly and accurately identify and eliminate it is critical to protecting yourself, your users, and your files. Luckily, there are various effective open-source toolkits that can be used to detect and remove malware on your system:

- Linux Malware Detect (LMD): a malware scanner designed for shared Linux hosting environments. It uses threat data from network-edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection, supplemented by user submissions and community resources.
- Rootkit Hunter and Check Rootkit: rkhunter and chkrootkit scan the local system for rootkits and other malicious software that masks its presence.
- Volatility: an open-source memory forensics framework for incident response and malware analysis.
- Lynis: a command-line application that scans a local or remote system to help an auditor identify potential security issues.
- Cuckoo Sandbox: an automated malware analysis sandbox. It lets you safely execute suspected malware samples and provides a comprehensive report on the code executed.
- Kali Linux: a Linux distribution used for penetration testing, ethical hacking, and digital forensics. Its included penetration-testing and management tools can be used for network discovery and other research purposes, as well as to identify potential vulnerabilities. Kali Linux ships with many of the other tools listed here.

Malware as a Business

The malware market is rapidly expanding and evolving, forcing the security industry to keep pace. The success of this market drives rapid innovation, perpetuating growth and encouraging further malicious activity. Threat actors are creating and using increasingly agile and sophisticated malware strains, challenging engineers to build stronger defenses against them. Traditional antivirus software is no longer effective in detecting and combating advanced, modern exploits. Protecting against today’s sophisticated malware threats requires a comprehensive, defense-in-depth approach to digital security. According to Verizon, 92.4 percent of malware is delivered via email, so an effective email security strategy is imperative in preventing dangerous and costly infections. Malware is a serious threat to all businesses, as an infection can result in significant downtime, recovery costs, and reputation damage. Small businesses face a heightened risk because they often lack the resources and funding necessary to support a full-time IT department.

Guardian Digital EnGarde Cloud Email Security provides fully managed, multi-layered email protection against malware, phishing, and other persistent email-borne threats. Through a transparent, collaborative, open-source approach to software development, Guardian Digital is able to access and provide resources and tools from an innovative global community in a way that no other vendor can. This approach, combined with decades of industry experience and engineering expertise, enables Guardian Digital to offer flexible enterprise-grade solutions to businesses of all sizes at competitive prices. Key benefits of EnGarde’s protection include:

- Advanced real-time defenses against social engineering and impersonation attacks
- Email encryption and sender authentication protocols that detect fake “From” addresses and block them automatically
- Neutralization of threats associated with malicious attachments and links
- A scalable cloud-based system that simplifies deployment and increases availability
- Tighter data and network security, adaptive implementation, and no risk of vendor lock-in, through a community-powered open-source approach to software development
- Professional engineering services: Guardian Digital engineers take the time to learn about each client’s key assets, operations, and specific needs
- Passionate, knowledgeable, around-the-clock customer support

Final Thoughts on Linux Malware

Despite the growing number of threats targeting Linux systems, there is still solid evidence that Linux is secure by design. A vibrant worldwide community scrutinizes every change introduced, and the open availability of the source code gives companies transparency into what actually runs on their systems. Because developers are constantly reviewing the Linux kernel’s source code, vulnerabilities are identified and remedied faster than flaws in the opaque source code of proprietary operating systems like Microsoft Windows. Threat actors recognize and exploit such weaknesses, directing the majority of their attacks at proprietary software, platforms, and operating systems. According to ESET security researchers, the Operation Windigo campaign, which uses the Cdorked backdoor to compromise Apache and other web servers, has been detected in 26,000 infections since May 2013. By comparison, the infamous ZeroAccess Windows-based botnet had infected nearly two million Windows PCs before it was taken down in December 2013.

The digital threat landscape is rapidly evolving to become more advanced and dangerous. While the majority of attacks still victimize proprietary operating systems, threat actors are experimenting with newer targets like Linux. Linux users should undoubtedly be aware of the growing risk that their systems face and recognize that, as this new decade unfolds, prioritizing system security and maintenance is more critical than ever. In many cases, successful Linux malware attacks can be attributed to administration mistakes and weaknesses in individual accounts rather than to flaws in the operating system itself. Guardian Digital CEO Dave Wreski states, “Although it may be easy to blame the rise in Linux malware in recent years on security vulnerabilities in the operating system as a whole, this is unfair and largely untrue. The majority of malware exploits on Linux systems can be attributed to misconfigured servers.” On a broader scale, the rise of Linux malware should serve as a wake-up call for the security industry to allocate more resources to detecting these threats. As Linux malware continues to become more complex, more commodity malware will target Linux and still fly under the radar.
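Returning to the log-review tip in the defensive tips above: two places where a compromised Linux server commonly leaves traces are the audit trail of kernel module loads (the "unexpected kernel drivers" the tip mentions) and /etc/ld.so.preload, the file user-mode rootkits typically use to hook libc in every process. The script below is an added example written for this page and is not code from the original article or from any of the tools it names. It assumes auditd is running, so that KERN_MODULE records appear in the audit log, and that the administrator has built the two allowlists from a known-good host; the audit lines and preload file contents are constructed for illustration.

```python
"""Flag unexpected kernel module loads and LD_PRELOAD hooks on a Linux host.

Added example for the log-review tip above; not code from the original
article. Parses Linux audit records of type KERN_MODULE (written by auditd
when a module is loaded) and the contents of /etc/ld.so.preload, and
reports anything not on an administrator-built allowlist. The sample
audit lines and preload text at the bottom are constructed.
"""
from __future__ import annotations

import re
from typing import Iterable

# A KERN_MODULE audit record carries the module name in its name= field:
#   type=KERN_MODULE msg=audit(1590000000.101:201): name="nf_conntrack"
KERN_MODULE_RE = re.compile(
    r'type=KERN_MODULE\s+msg=audit\((?P<ts>\d+\.\d+):\d+\):.*?\bname="(?P<name>[^"]+)"'
)

# Assumed allowlist: modules seen in `lsmod` on a known-good build of this host.
EXPECTED_MODULES = frozenset({
    "nf_conntrack", "xt_conntrack", "iptable_filter", "ext4", "virtio_net",
})

# Assumed allowlist of preload libraries; on most servers the file is empty.
EXPECTED_PRELOADS: frozenset[str] = frozenset()


def parse_kern_module_events(lines: Iterable[str]) -> list[tuple[float, str]]:
    """Return (timestamp, module_name) for every KERN_MODULE record in `lines`."""
    events = []
    for line in lines:
        match = KERN_MODULE_RE.search(line)
        if match:
            events.append((float(match.group("ts")), match.group("name")))
    return events


def unexpected_modules(lines: Iterable[str],
                       allowlist: frozenset[str] = EXPECTED_MODULES) -> list[tuple[float, str]]:
    """Module loads whose name is not in the allowlist, in log order."""
    return [(ts, name) for ts, name in parse_kern_module_events(lines)
            if name not in allowlist]


def unexpected_preloads(preload_text: str,
                        allowlist: frozenset[str] = EXPECTED_PRELOADS) -> list[str]:
    """Entries of /etc/ld.so.preload (one path per line, '#' comments) not allowlisted."""
    findings = []
    for raw in preload_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry and entry not in allowlist:
            findings.append(entry)
    return findings


def report(audit_lines: Iterable[str], preload_text: str) -> list[str]:
    """Human-readable findings; an empty list means nothing unexpected was seen."""
    findings = [f"unexpected kernel module loaded at {ts:.0f}: {name}"
                for ts, name in unexpected_modules(audit_lines)]
    findings += [f"unexpected ld.so.preload entry: {path}"
                 for path in unexpected_preloads(preload_text)]
    return findings


# Constructed sample input (not from a real incident): two expected module
# loads, an unrelated SYSCALL record, one unknown module, one preload entry.
SAMPLE_AUDIT_LOG = [
    'type=KERN_MODULE msg=audit(1590000000.101:201): name="nf_conntrack"',
    'type=SYSCALL msg=audit(1590000000.102:202): arch=c000003e syscall=313 success=yes',
    'type=KERN_MODULE msg=audit(1590000000.102:202): name="xt_conntrack"',
    'type=KERN_MODULE msg=audit(1590003600.555:310): name="snoop_rk"',
]
SAMPLE_PRELOAD = "# added by installer\n/usr/local/lib/libsecurity.so\n"

if __name__ == "__main__":
    # On a live host: audit_lines = open("/var/log/audit/audit.log"),
    #                 preload_text = open("/etc/ld.so.preload").read()
    for finding in report(SAMPLE_AUDIT_LOG, SAMPLE_PRELOAD) or ["nothing unexpected"]:
        print(finding)
```

Run this from cron against the real audit log and preload file, and keep the allowlists under version control so that a change to them is itself reviewed. As the tip's caveat says, an attacker who already has root can edit both the audit log and /etc/ld.so.preload, so ship the audit log to a separate host and compare against that copy rather than the local file alone.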

Brittany Day, Jun 18, 2023

Gian Spicuzza on Social Engineering and Exploiting Business Risks

We are happy to announce a new addition to the LinuxSecurity contributing team: Gian G. Spicuzza. Currently a graduate student pursuing a master's degree in Computer Security (MSIA), Gian is a certified Linux/Unix administrator, the lead developer of the OSCAR-Backup System (hosted at Sourceforge.com), and has experience in a variety of CSO, management, and consulting positions. His first topic is a quick foray into the world and psychology of social engineering: all the security in the world isn't going to stop one of your employees or coworkers from giving up information. Just how easy is it? Craig never worked for Linda's company, nor did he call from IT. Craig was an unethical hacker who had just gained unauthorized access to her account. Why? Because a phone call is simple. Read on to see just how easily businesses can be exploited.

Social Engineering is not just a definition!

By: Gian G. Spicuzza

In the modern day, you would assume that brute force hacking coupled with some known software flaws would be the easiest way to circumvent a security system. You

Anthony Pell, May 31, 2010

DDoS Protection Strategies: Effective Measures for Network Security

In this article I am trying to explain what DDOS is and how it can be prevented. DDOS happens due to lack of security awareness of the network/server owners. On a daily basis we hear that a particular machine is under DDOS attack or NOC has unplugged the machine due to DDOS attack . So DDOS has become one of the common issues in this electronics world. DDOS is like a disease which doesn't have an anti-viral developed. So we should be carefull while dealing with it . Never take it lightly. In this article i am trying to explain the steps/measures which will help us defend from DDOS attack ,up to a certain extend . . What is a DDOS attack? Simply said, DDOS is an advanced version of DOS attack . Like DOS , DDOS also tries to deny the important services running on a server by broadcasting packets to the destination server in a way that the Destination server cannot handle it. The speciality of the DDOS is that, it relays attacks not from a single network/host like DOS. The DDOS attack will be launched from different dynamic networks which has already been compromised. Normally, DDOS consists of 3 parts . One is the Master ,Other the slave and atlast the victim. The master is the attack launcher ie the person/machine behind all this,sound's COOL right . The slave is the network which is being compromised by the Master and Victim is the target site/server . Master informs the compromised machines, so called slaves to launch attack on the victim's site/machine. Hence its also called co-ordinated attack. In my term, Master is said to be the Master Brain, Slave is said to be the launch pad for the attack and Victim is the target. How do they Do it? DDOS is done in 2 phases. In the first phase they try to compromise weak machines in different networks around the world. This phase is called Intrusion Phase. Its in the next phase that they install DDOS tools and starts attacking the victims machines/site. This Phase is called Distributed DoS attacks phase. 
What Allowed them to do it? The reasons are given below :- 1) Vulnerable softwares/Applications running on a machine or network. 2) Open network setup. 3) Network/ machine setup without taking security into account. 4) No monitoring or DataAnalysis are being conducted. 5) No regular Audit / Software upgrades being conducted. What should we do if we are under attack? First Identify if you are really under attack. If yes, follow the below steps : Check if your machines load is high and you have large number of HTTP process running. To find the load just use the command w or uptime - --- Eg: Blessen@work > w 12:00:36 up 1 day, 20:27, 5 users, load average: 0.70, 0.70, 0.57 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT --- To find if there is large number of HTTP process running use the command " ps -aux|grep HTTP|wc -l " Eg: -- [root@blessen root]# ps -aux|grep HTTP|wc -l 23 -- In a heavy server , the number of connection will go above 100. But during DDOS attack, the number will go even higher and thats when we need to find out from which all networks are these attacks coming. In DDOS the host machine doesn't have much importance. Its the network which is of importance here because, an attacker will use any machine on the compromised network or even will use all the machines in the network. Hence network address is of importance while fighting with the attack. If you have high load (say 5 or more ) and you have large number of HTTP process then i would request you to do the following 1) At command prompt execute the below command bash#netstat -lpn|grep :80 |awk '{print $5}'|sort 2) Check each block of ips. Like let me say , that you have more than 30 connection from a single ip. Under normal cases there is no need for that many number of connection requests from a single IP. Try to identify suchips/networks from the list you get 3) If more than 5 host/ip connects from the same network then its a clear sign of DDOS . 
4) Block that ips/networks using iptables /Apf iptables -A INPUT -s -j DROP If you have apf then just add the ips which you want to block in the file /etc/apf/deny_hosts.rules 5) Keep on continuing this process untill the attack on the machine gets reduced. There is no complete or perfect solution to DDOS . The logic is simple, NO softwares or measures could handle attacks from multiple servers say from 50 - 100 servers all at a time . All that can be done is to take preventive measures . How can we prevent or defend ourselves from these attacks? Like said, Prevention is better than cure. Its very much true in the case of DDOS . In my Introduction, I had mentioned that DDOS happens because of vulnerable softwares/applications running on a machines in a particular network. Attackers use those security holes to compromise the servers in different network and install the DDOS tools (eg trinoo -DDOS tool ) To prevent DDOS in future, follow the below steps which has 12 major steps Setup machine / network keeping security in mind (Implement Good Security policy) Setup a firewall which does Ingress and Egress Filtering at Gateway Eg: Steps to Install AFP ---- bash# wget https://rfxn.com/downloads/apf-current.tar.gz bash# tar -zxf apf-current.tar.gz bash# cd apf- bash# ./install.sh Notes: Go through the Document in the Apf and configure it for your needs. All configuration is set at conf.apf which is normally located at /etc/apf/conf.apf Enable Anit-DOS mode in Apf (ie in conf.apf) . Also make sure that your root's cron has an entry like the one below */8 * * * * root /etc/apf/ad/antidos -a > > /dev/null 2> &1 ----- Install IDS on your gateway/hosts to alert you when someone tries to sniff In. Eg:AIDE ---------- (a) Wget (b) Untar it tar -zxvf aide-0.7.tar.gz (c) cd aide-0.7 (d) Then execute ./configure -with-gnu-regexp (e) Final steps to install make;make install (f) Now the main step..To configure AIDE.AIDE stores all its rule sets in the file called aide.conf. 
Lets populate it get more details of how to configure and all from man aide.conf (g) Here I am taking an example .See below Here is a sample short aide.conf: Rule = p+i+u+g+n+s+md5 /etc p+i+u+g /sbin Rule /usr/local/apache/conf Rule /var Rule !/var/spool/.* !/var/log/.* In the above configuration listed , a rule called "Rule" is set to check permissions (p), inode (i), user (u), group (g), number of links (n), size (s), and md5 checksum (md5). This rules are applied to all files in /bin, /sbin, /var, and /usr/local/apache/conf because they should rarely if ever change. Files in /etc are checked for changes in only permissions, inode, user, and group because their size may change, but other things shouldn't. Files and directories in /var/spool and /var/log are not checked because those are folders where maximum updation takes place. (h) After configuring AIDE should be initiated with all these rules. For that execute aide -init ---------- Conduct regular Audits on each host on the network to find installation of DDOS tools / Vulnerable applications. Use tools like RKDET(vancouver-webpages.com/rkdet),RKHUNTER() and CHKROOTKIT(www.chkrootkit.org) to find if any rootkit has been already installed and to locate the effected binaries in the machine, if any. Please find a simple Audit check List below to be done on a Hosts Eg: Audit Check List --- A quick checklist: * Software Vulnerabilities. * Kernel Upgrades and vulnerabilities. * Check for any Trojans. * Run chkrootkit. * Check ports. * Check forany hidden processes. * Use audittools to check system. * Check logs. * Check binaries and RPMS. * Check for open email relays. * Check for malicious cron entries. * Check /dev /tmp /var directories. * Check whether backups are maintained. * Check for unwanted users, groups, etc. on the system. * Check for and disable any unneeded services. * Locate malicious scripts. * Querylog in DNS. * Check for the suid scripts and nouser scripts. * Check valid scripts in /tmp. 
* Use intrusion detection tools. * Check the system performance. * Check memory performance (run memtest). --- Enforce and Implement Security Measures on all hosts in the network. Machines new or old should only be allowed to run on your network, if your Security Admin or DSE (Dedicated Security Expert) member approves it with status ``OK-to go live' after auditing the box. All Host in the network should be checked on a regular basis by your DSE team to make sure that all hosts are uptodate and can fight any attacks. Audit network on a regular basis to see if your network is vulnerable to attacks Use Open Source Tools like NESSUS(https://www.tenable.com/ ,NMAP(www.insecure.org/nmap),SAINT( (www-arc.com/sara/sara.html)for auditing a network to find its vulnerabilities. Create a DSE (Dedicated Security Expert ) Team for your company. Collect your networks and hosts data . Analysis them and study them to see from where and what kind of attacks are coming into the network. This step will help us to understand what kind of attacks we are facing and will help us to strengthen the preventive measures. Let me tell you this move is worth the money you spend,for sure. Implement Sysctl protection against DDOS Eg: ---------- bash# vi /etc/sysctl.conf add the below code: # Enable IP spoofing protection, turn on Source Address Verification net.ipv4.conf.all.rp_filter = 1 # Enable TCP SYN Cookie Protection net.ipv4.tcp_syncookies = 1 Add the below code in /etc/rc.local and restart network for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > done echo 1 > /proc/sys/net/ipv4/tcp_syncookies ---------- Install Mod_dosevasive to your apache. Mod_dosevasive is module for Apache to perform evasive action in the event of an HTTP DDoS attack or brute force attack. 
Please find the installation steps for mod_dosevasive in DSO mode below.

Eg: Install Mod_dosevasive
------
bash# wget
bash# tar -zxvf mod_evasive_1.10.1.tar.gz
bash# cd mod_evasive_1.10.1
bash# $APACHE_ROOT/bin/apxs -iac mod_evasive.c

Don't get scared by the variable $APACHE_ROOT. It's nothing but a simple variable which stores the location of the Apache installation (eg $APACHE_ROOT=/usr/local/apache).

bash# vi /usr/local/apache/conf/httpd.conf

After this add the below code in httpd.conf:

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10

bash# /usr/local/apache/bin/apachectl restart
------

Install Mod_security. Since DDOS normally targets HTTP, it is always good to have a filtering system for Apache, so that the request gets analysed before the web server handles it. Please find the installation steps for mod_security in DSO mode below.

Eg: Installation Steps
------
bash# wget (download modsecurity-apache-1.9.2.tar.gz; see https://github.com/owasp-modsecurity/ModSecurity)
bash# tar -zxvf modsecurity-apache-1.9.2.tar.gz
bash# cd modsecurity-apache-1.9.2
bash# /usr/local/apache/bin/apxs -cia mod_security.c

Create a file named mod_security.conf under the folder /usr/local/apache/conf:

bash# vi /usr/local/apache/conf/mod_security.conf

Create the rules with reference to https://github.com/owasp-modsecurity/ModSecurity and add them to the mod_security.conf file. Then add the location of mod_security.conf to httpd.conf:

bash# vi /usr/local/apache/conf/httpd.conf

Add the string below:

Include /usr/local/apache/conf/mod_security.conf

bash# /usr/local/apache/bin/apachectl stop
bash# /usr/local/apache/bin/apachectl start
-------

The best solution to fight DDOS, to a certain extent, will be to set up a load balancer for your services.

Creating awareness on Security

This is the most important part. People should be security conscious. Only then will they understand the importance of security measures.
Server owners and users should be made aware of the issues which can arise due to bad security measures.

Conclusion

DDOS can be prevented to a certain extent if the hosts and the network are secure. So I advise every server owner and network owner to implement security measures on their network if they want to fight against DDOS.

About this document

Preventing DDOS attacks. Written by Blessen Cherian, Sr. Executive Team Member of Bobcares.com [Head of Installation, Security and Networking Department], Poornam Info Vision Pvt Ltd.
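To see how the mod_dosevasive directives from the installation steps above interact, here is an added example (not the module's own code, and not from the article): a Python model of the documented policy, with per-page and per-site hit counters inside fixed intervals and a block that every refused request renews. The traffic records are constructed, and the defaults match the httpd.conf values shown (DOSPageCount 2, DOSSiteCount 50, intervals of 1 second, DOSBlockingPeriod 10).

```python
"""Model of the mod_dosevasive thresholds listed above. Example code written
for this page: it follows the module's documented policy (per-page and
per-site hit limits inside a fixed interval, then a timed block that every
further request renews) and is not the module's own implementation."""


class EvasiveModel:
    def __init__(self, page_count=2, page_interval=1, site_count=50,
                 site_interval=1, blocking_period=10):
        # Defaults mirror the httpd.conf values shown in the steps above.
        self.page_count, self.page_interval = page_count, page_interval
        self.site_count, self.site_interval = site_count, site_interval
        self.blocking_period = blocking_period
        self.page_hits = {}   # (ip, uri) -> [hits, interval start]
        self.site_hits = {}   # ip -> [hits, interval start]
        self.blocked = {}     # ip -> time of the last refused request

    def _exhausted(self, table, key, now, limit, interval):
        """Record a hit for key and report whether the client had already
        used up 'limit' hits inside the current interval."""
        hits, start = table.get(key, (0, now))
        if now - start >= interval:          # interval over: start a new one
            hits, start = 0, now
        table[key] = [hits + 1, start]
        return hits >= limit

    def request(self, ip, uri, now):
        """Return the status the model gives this request: 200 or 403."""
        last = self.blocked.get(ip)
        if last is not None and now - last < self.blocking_period:
            self.blocked[ip] = now           # every refused hit resets the timer
            return 403
        if (self._exhausted(self.page_hits, (ip, uri), now,
                            self.page_count, self.page_interval)
                or self._exhausted(self.site_hits, ip, now,
                                   self.site_count, self.site_interval)):
            self.blocked[ip] = now
            return 403
        return 200


def replay(model, log):
    """Feed (time, ip, uri) records through the model; return the statuses."""
    return [model.request(ip, uri, t) for t, ip, uri in log]


# Constructed traffic: 10.0.0.5 hits /login three times inside a second,
# keeps retrying while blocked, and only gets through after staying quiet.
SAMPLE = [(0.0, "10.0.0.5", "/login"), (0.2, "10.0.0.5", "/login"),
          (0.4, "10.0.0.5", "/login"), (0.5, "10.0.0.9", "/index.html"),
          (3.0, "10.0.0.5", "/index.html"), (11.0, "10.0.0.5", "/login"),
          (22.0, "10.0.0.5", "/login")]

if __name__ == "__main__":
    for rec, status in zip(SAMPLE, replay(EvasiveModel(), SAMPLE)):
        print(rec, status)
```

Because each refused request restarts the DOSBlockingPeriod timer, a client that keeps retrying stays blocked until it has been quiet for the full period, which is why the request at 11.0 is still refused and the one at 22.0 is not.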

Blessen Cherian, Mar 16, 2006

2004 Security Overview: Kernel Flaws And User Awareness

In 2004, security continued to be a major concern. The beginning of the year was plagued with several kernel flaws, and Linux vendor advisories continue to be released at an ever-increasing rate. This year, we have seen reports touting Windows' security superiority, only to be debunked by other security experts immediately after release. Also, Guardian Digital launched the new LinuxSecurity.com, users continue to be targeted by automated attacks, and the need for security awareness and education continues to rise.

Kernel Issues

2004 started off on shaky ground with a flaw in mremap, a piece of kernel code that controls virtual memory. It affected versions 2.2, 2.4, and 2.6. It was later discovered that the same vulnerability was used to exploit several high-profile Linux development sites in November 2003. Patches were released in early January by each of the major distributions. The flaw was fixed in later kernel releases.

In February, a second mremap vulnerability was discovered by the Polish security consulting firm ISec. The flaw was unrelated, but just as serious as the first. In theory, it could result in a denial of service or privilege escalation to root. Vendors responded much more quickly in this second instance: fixes for 2.4 and 2.6 were released in a matter of hours.

In March, Paul Starzetz of ISec released proof-of-concept exploit code for the second mremap flaw that was disclosed in February. Several news sites failed to read the March report accurately and reported that a third kernel flaw had been found. This was wrong, but it sparked a lot. Many were relieved to find out that the "third vulnerability" was in fact a misinterpretation.

It was beginning to look like the "year of the kernel flaw," but luckily things quieted down in the second quarter. The remaining portion of the year was scattered with other kernel vulnerabilities, but none received as much press as mremap. Another notable one was discovered in 2.6 last October.
It was claimed that the vulnerability could be used to shut down 2.6-based systems remotely. It only affected those systems using iptables-based firewalls, because the flaw had to do with the way 2.6 handled firewall logging. Patches were released and the problem was resolved.

The volume of press generated by kernel vulnerabilities is ever increasing. With the growing number of major enterprises adopting Linux as an operational component, trade magazines are dedicating a greater percentage of their editorial scope to it. From a journalist's perspective, flaws in the kernel make great news items. They invoke fear, causing people to pay attention. While news of the mremap vulnerability may not sway the opinion of you or me, it has great potential to make a CIO reluctant to adopt that long-term Linux project all of his techs have been begging for.

This year though, the Linux community has stepped up, fixed its problems, and walked away with a lot of class. Instead of headlines reading "Is Linux Ready for the Enterprise?", journalists were writing pieces about the efficiency of open source leading to a quick resolution. Rather than criticizing Linux because of its flaws, it was praised for its ability to work through issues. Finally, people were starting to realize that large proprietary software companies often deny that vulnerabilities exist and sneak in security patches during upgrades. Linux is about openness and full disclosure, a great benefit to all of its users.

Linux Vulnerabilities

The flip side is that full disclosure can be very overwhelming. For example, 35 Linux vendor security advisories were released last week alone. One can easily see this by taking a few minutes to walk through our Linux security advisory archive. Roughly 35 advisories a week for an entire year is 1,820. When other proprietary operating system vendors release a much smaller number of advisories per year, people draw quick and inaccurate conclusions.
For example, suppose Microsoft released 50 advisories, and Linux vendors released 2000 in a given time period. 50 is less than 2000; therefore Windows must be more secure. Of course it is flawed logic, but in previous years people believed such numbers. Often, people failed to realize that Linux advisories are released for each individual package, for each distribution, and in many cases for very minor theoretical problems. In previous years, the full picture was not taken into account. Now, the public as well as many journalists are starting to realize that the severity of a vulnerability is also an important factor. Rather than the discovery of a vulnerability being considered another failure for Linux, it is now seen as a success by many because it is one less unknown flaw.

This year particularly, I have seen a shift in the IT community's way of thinking. Rather than ignoring vulnerabilities until they're a much bigger problem, much more emphasis is being placed on proactive resolution. In my opinion this is a major step in the right direction.

Conflicting Reports

While the question of Linux security vs. Windows security has always been around, 2004 has been plagued with groups of analysts, independent researchers, and analysts trying to authoritatively answer that question. A British-based firm named Linux the "most breached" OS, while Linux security experts considered the findings false because the virus/worm threat was not factored into the analysis. Windows advocates claim that Windows systems are breached more because they are a much more attractive target; Linux administrators claim that Windows systems are compromised more because they're impossible to secure. It has been a year of dueling reports. One month "Linux is less secure," the next, the opposite. In the midst of all the swirling FUD, some truth did come out.

Security depends on the administrator

Although I strongly believe that Linux has the potential to be more secure, I won't claim that it always is.
The security of any system depends greatly on its administrator. Lazy operating practices lead to stupid mistakes that can be exploited. Although high-profile vulnerabilities exist, many are only theoretical, or exploit code is not widespread. A significant number of compromises are still caused by poor configuration practices or badly outdated software. A proactive administrator greatly reduces the likelihood of a major compromise regardless of the operating system. However, an open source operating system such as Linux provides an unmatched level of flexibility that allows a willing administrator to secure a system to any level he/she desires.

Major Announcements

One of the more interesting announcements in 2004 was the Mozilla Foundation offering a $500 bounty to those who discover bugs in its software. As I wrote previously, proactive measures are becoming common practice, not just a vague concept in an information security professional's dreamland. Ethereal and several other open source projects announced updates for vulnerabilities found during code audits. I see this as great progress.

Like clockwork, SANS/FBI released its Top-20 vulnerability list. Some of the most significant Unix vulnerabilities outlined include BIND, web servers, authentication, version control systems, SNMP, SSL, misconfigured services, databases, and the kernel. (SANS/FBI Top-20)

The projects that we've been working on at Guardian Digital are close to my heart. 2004 has been a record year in many ways. We've announced the release of two new monthly newsletters, released new versions of EnGarde Secure Professional, the Intrusion Detection and Defense System, and Secure Mail Suite, proactively protected customers from Linux kernel flaws, created and announced a worldwide partner division, continued to increase our customer base, and created a program to help companies address Sarbanes-Oxley compliance.
In the past month, Guardian Digital's major announcement has been the launch of the new LinuxSecurity.com. We updated the site to include all the old features many have grown to depend on, while adding new ones to better serve our readership. From a purely operational perspective this includes implementing an open source content management system, upgrading servers, and increasing bandwidth capacity. It has been an amazing year for us at Guardian Digital. Without your support, none of this would be possible.

Security Overview

2004 has been a year of increased statistics. As predicted, security attacks are on the rise, the volume of spam has increased, viruses/worms continue to increase in severity, and security continues to grow as a concern. In the corporate world, this is mostly due to Sarbanes-Oxley. Because there are now strict penalties for negligence, executive management in most corporations are starting to get the picture and call for drastic improvements in security.

From a home user's perspective, security is also playing a larger role. Windows users are adopting 'personal firewalls' at an increased rate, and others are getting disgusted by a continuously hijacked browser and an increasing number of spyware applications. This constant nuisance has led many to look for alternatives, which has fueled greater interest in Linux and Firefox.

Although 2004 has been an active year in security, it has not been revolutionary. From a technological perspective the year has been semi-quiet. This past year, many have focused on improving the process of security rather than looking for a magic bullet. Again, I think this is a sign of InfoSec's growing maturity. However, in my opinion it is mostly due to the fact that most have been working on a tightly constrained budget.
While there have been reports suggesting several terrorist organizations have been taking a much closer look into information security, viruses continue to run rampant in the Windows world, and DDoS attacks continue to be a major problem, I have not lost all confidence in the IT industry's ability to improve overall security. In my opinion, the single most significant factor holding back progress is user education. While companies can implement security awareness and training programs, the average home user does not stand a chance. New hacks and scams are invented each day. Unless a user is proactively aware, sooner or later they will be fooled.

Although phishing attacks have existed for quite some time, they became mainstream in 2004. I'm not sure a day goes by when I don't receive at least one email asking me to 'verify my PayPal information' or 'reactivate my eBay account.' Although I have not fallen for any of these scams, countless others have. It is just another form of social engineering that is difficult (if not impossible) to solve purely with technology. User knowledge is as important as ever.

Concluding Remarks

In the Linux community, security continues to be a major concern and priority. Security is now viewed as a differentiator rather than a nuisance. While distributions like EnGarde Secure Linux, Trustix, and others have taken security seriously from the beginning, others such as Red Hat and Gentoo are looking to make SELinux an integral part of their structure. Implementation of security may differ between distributions, but everyone's goal is the same. Some users prefer greater security, others prefer ease of use. It is up to you to find the distribution which best fits your needs and goals. Also, it is important to stay informed and make implementation changes whenever necessary. Security is a road to be traveled, not a destination.

Benjamin D. Thomas, Dec 23, 2004