Stay Ahead With Linux Security Features

Explore Latest Linux Security features

Squid: Critical Advisory For 9.8 Threats And DDoS Attacks

Security professionals have discovered several cybersecurity vulnerabilities in the popular Squid caching proxy. These network security issues include request and response smuggling in HTTP/1.1 and ICAP (CVE-2023-46846), Distributed Denial of Service (DDoS) in HTTP Digest Authentication (CVE-2023-46847), and DDoS in FTP (CVE-2023-46848). Let's review these vulnerabilities and how to boost data and network security to combat these risks.

How Can These Cybersecurity Vulnerabilities Affect My Linux Systems?

These bugs can compromise sensitive data, crash servers, and harm your company's reputation. CVE-2023-46846 and CVE-2023-46847 have a National Vulnerability Database base score of 9.8 out of 10, since they can lead to cloud security breaches and other system access instabilities and blockings.

What Should I Do to Protect My Linux Systems?

Squid plans to mitigate these dangerous cybersecurity vulnerabilities with recent critical updates that should reduce the threat landscape for users. Systems that face attacks on network security must go through immediate privacy sandboxing and security patching to prevent new issues from arising on a server. Apply the Mageia, Oracle, SciLinux, and SUSE updates to combat significant downtime, system compromise, and data theft.

Stay on top of the latest cybersecurity trends, computer security news, and general updates by registering under our open-source cybersecurity projects and applications. If you are a LinuxSecurity user, subscribe to our Linux Advisory Watch security newsletter and customize your advisories based on your distro(s). Having these updates will keep you from falling behind on security patching and other network security issues that could make your system more susceptible to attacks in the future. Also, follow @LS_Advisories on Twitter for real-time updates.

Recommended Reading

Looking to learn more about the benefits and drawbacks of Linux proxy servers and how to set up a Squid proxy server? Our recent feature article, Everything You Need to Know About Linux Proxy Servers, provides an in-depth discussion of the topic. Have additional questions regarding how to improve security posture? Drop us a note so we can help you out!

Brittany Day, Nov 13, 2023

Protecting Your Linux Systems Against Emerging Malware Threats

If you’ve been keeping up with the latest IT security news, you may have noticed the increase in the number of attacks on network security within Linux systems. Cloud Snooper, EvilGnome, HiddenWasp, QNAPCrypt, GonnaCry, FBOT, and Tycoon have become prime malware variants to be aware of when working.

Linux is considered a highly secure operating system, so these cloud security breaches may leave users concerned about the integrity of their company. In this article, LinuxSecurity.com aims to put these recent Linux attacks into perspective, provide some background on Linux malware, and shed some light on other concerns users might have.

The Modern Linux Threat Landscape in a Nutshell

Despite the heralded safety landscape on Linux operating systems, network security threats, including malware and viruses, have grown to be serious concerns for Linux users. Attacks on network security have targeted Linux, as threat actors hope to obtain a return on investment when accessing such systems. As of March 2018, 15,762 new Linux malware variants had been developed, a notable increase from the 4,706 new variants developed by March 2017.

The evolution of malware research in recent years has offered superior visibility into exploits in cyber security that threaten Linux servers. A vulnerable server of any sort is an open door for data and credential theft, DDoS attacks, cryptocurrency mining, and web traffic redirection. Most significantly, it can be used to host malicious Command and Control (C&C) servers. Just over a year ago, bringing to conclusion a collaborative three-year effort, security researchers identified various OpenSSH backdoors, including the notorious Linux/Ebury backdoor, which could be used to compromise servers with dangerous malware. Simultaneously, ESET researchers exposed 21 Linux-based malware families, 12 of which were previously undocumented. In a sense, these findings confirmed an evolving, increasingly dangerous array of data and network security threats, putting Linux users and their systems at risk.

A Brief History of Linux Malware

The increasing prevalence of Linux malware in recent years arguably creates the illusion of a new network security threat targeting Linux systems; unfortunately, though, Linux malware has been around for quite some time. The first piece of Linux malware, dubbed Staog, was identified in 1996. Staog was a basic virus that attempted to gain root access by attaching itself to running executables, but it did not spread very successfully and was rapidly patched. Staog made its claim to fame as the first piece of Linux malware, but Bliss, recognized in 1997, was the first Linux malware variant to grab headlines. Similar to Staog, Bliss was a fairly mild infection that attempted to grab permissions via compromised executables, but fortunately it could be deactivated with a simple shell switch.

Guardian Digital CEO and LinuxSecurity.com founder Dave Wreski commented on the evolution of Linux malware, “Over the years, malware targeting Linux systems has become both more sophisticated and more common; however, up until fairly recently, Linux malware was still relatively scarce and primitive compared to the variants that threatened proprietary operating systems. As of 2018, there had not yet been a single widespread Linux malware attack or virus comparable to those that frequently target Microsoft Windows - which can be attributed to a lack of root access and rapid updates to the majority of Linux vulnerabilities.”

Unfortunately for Linux users, the era of complete data and network security has ended, as the Linux threat landscape has been remodeled to become significantly more complex and dangerous to users.

Why Is Linux Malware A Growing Concern for Administrators?
Much to the dismay of Linux system administrators and users, all of 2019 and the start of 2020 were plagued with emerging malware campaigns targeting Linux servers. These attacks on network security demonstrated new and dangerous tactics for spreading, allowing such cloud security breaches to remain undetected prior to compromising servers. Let’s go over the main Linux malware strains that have become widespread in the past couple of years.

Cloud Snooper

Cloud Snooper uses a unique combination of sophisticated techniques to sneak into Linux and Windows servers so the malware can communicate freely with command and control servers through firewalls. Cloud Snooper enables threat actors to work through servers “from the inside out” and is the first example of an attack formula that combines a bypassing technique with a multi-platform payload, targeting both Windows and Linux systems. While each individual element of Cloud Snooper’s Tactics, Techniques, and Procedures (TTPs) has been observed previously, these aspects had not been utilized in combination until now. Experts in cyber security trends predict that this package of TTPs will be used as a blueprint for dangerous new firewall attacks that could put data and network security in the line of fire.

In sophisticated exploits in cyber security utilizing Cloud Snooper, hackers compromised Amazon Web Services (AWS) servers and set up a rootkit, which enabled the cybercriminals to remotely control the servers. Once they did this, the threat actors funneled sensitive data from compromised Windows and Linux machines to Command and Control (C2) servers. Security researcher Willem Mouton describes the attack: “From a technical perspective, it is a thing of beauty, as well as the fact that they made it cross-platform.”

EvilGnome

Discovered in July 2019, EvilGnome disguises itself as a GNOME shell extension so it can remain undetected by security software while spying on desktop users. EvilGnome is delivered via a self-extracting archive created using the makeself shell script, and the infection is automated with the help of an autorun argument left in the headers of the self-executable payload. When downloaded on a Linux system, the malware is capable of stealing files, taking desktop screenshots, and capturing audio recordings from the user’s microphone so they can be downloaded and utilized in other modules.

EvilGnome attacks have been linked to the Gamaredon Group, a Russian Advanced Persistent Threat (APT) group notorious for developing custom malware variants. Both hacker groups use the same hosting provider and engage with the same C2 domains. Nothing has been confirmed regarding the connection between the groups, but the Linux malware behavior seen in EvilGnome and Gamaredon Group operations has been similar. Therefore, it is highly likely that these attacks on network security come from the same source.

HiddenWasp

In early 2019, security researchers discovered a new strain of Linux malware created by Chinese hackers, which could be used to remotely control infected systems. Dubbed HiddenWasp, this sophisticated malware consists of a trojan, a user-mode rootkit, and an initial deployment script. HiddenWasp is deployed as a second-stage payload and is capable of running terminal commands, interacting with the local filesystem, and more. HiddenWasp displays similarities to several other Linux malware families, including Azazel, ChinaZ, and Adore-ng, suggesting that some of its code may have been borrowed. Unlike common Linux malware, HiddenWasp is not focused on DDoS activity or crypto-mining. Instead, it is a trojan used solely for targeted remote control.

QNAPCrypt

This past summer, security researchers identified a rare instance of Linux ransomware targeting Network-Attached Storage (NAS) servers. The malware, which they named QNAPCrypt, is an ARM variant that encrypts all files; however, unlike standard ransomware, the ransom note is delivered solely as a text file without any message on the screen. Each victim is provided with a unique Bitcoin wallet, a tactic that helps conceal the identity of the attackers. Once a system is infected, the ransomware requests a wallet address and a public RSA key from the C2 before file encryption. Fortunately, this is a flaw in QNAPCrypt’s design that enables victims to temporarily block threat actors’ operations to protect further data and network security. Despite this weakness, QNAPCrypt represents the “evolution and adaptation of an attack to bypass security controls.” Unfortunately, it isn’t very common for Linux system administrators to deploy endpoint monitoring to network file servers.

GonnaCry

GonnaCry is an emerging Linux ransomware variant under active development in Python and C for research purposes. Lead developer Tarcisio Marinho explains the motivation behind his work: “Since the worldwide spread of the Wannacry ransomware in May 2017 affected so many countries and companies, I kept wondering: Is it really hard to mess with a company’s or a person’s life with a computer? The answer is yes, it’s possible. And ransomware is a computer virus so powerful to do so.” GonnaCry begins its work by finding the files it will encrypt. Once it has identified these, the malware starts its encryption routine and creates a desktop file that will help the decryptor access the path, key, and IV used to encrypt each file. The ransomware then frees the memory allocated for the files on the computer. GonnaCry does not rival notorious variants like WannaCry and Petya in complexity, but according to Marinho, “The basic structure is working.”

FBOT

FBOT is a client variant of the infamous Mirai botnet that targets Linux IoT devices. According to the “Malware Must Die!” blog, FBOT re-emerged on February 9, 2020, after a month of inactivity, offering several technical updates, including advances in its infection method and its increased propagation speed. “Malware Must Die!” reflects on the re-emergence of FBOT and the future of Linux IoT malware: “We are in an era where Linux or IoT malware is getting into better form with advantages. It is important to work together with threat intelligence and knowledge sharing to stop emerging malicious activity before it becomes a big problem for all of us later on.”

Tycoon

Tycoon is an emerging strain of Java-based ransomware that targets both Linux and Windows systems. This dangerous ransomware variant, which was discovered by BlackBerry security researchers, uses a little-known file format, making it highly difficult to detect before it detonates its file-encrypting payload. The researchers who discovered Tycoon reported that this was the first time they had seen a ransomware module compiled into a Java image (JIMAGE) file format. JIMAGE files are rarely scanned by anti-malware engines, and malicious JIMAGE files stand a good chance of going undetected as a result. BlackBerry explains in a blog post, “Malware writers are constantly seeking new ways of flying under the radar. They are slowly moving away from conventional obfuscation and shifting towards uncommon programming languages and obscure data formats.” BlackBerry researchers say that they have recently observed roughly a dozen “highly targeted” Tycoon infections, and the attackers appear to carefully select their victims, favoring small- and medium-sized businesses in the software and education industries. However, as is often the case, the researchers suggest that the actual number of infections is likely much higher.
Knowing the various network security threats taking control of Linux systems is vital in making sure you take care of your server to prevent cyber security vulnerabilities from being exploited.

Tips & Tools for Defending Linux Servers Against Malware

With attacks on network security targeting Linux servers becoming increasingly common and dangerous, defending against malware and other advanced Linux threats is more critical than ever in maintaining a secure Linux system. Here are some tips and tools to consider when securing your Linux system, all of which can mitigate cyber security vulnerabilities and provide more data and network security:

- Double-check all cloud configurations, as user misconfiguration and lack of visibility are the top causes of cloud security breaches.
- Ensure that remote access portals are properly secured. Many network-level attacks are made possible because attackers find their way in through a legitimate, insecure remote access portal by impersonating a trusted source.
- Create a complete inventory of all devices connected to a network and update all security software used on these devices frequently.
- Make sure that all external-facing services are fully patched. Be aware that firewall security is not a substitute for an organization’s own cloud security measures, and security patching should be done regularly.
- Set special rules in your firewall to block control packets specific to Cloud Snooper.
- Enable multi-factor authentication on all security dashboards or control panels used internally to prevent threat actors from disabling security software in the event of an attack.
- Review system logs regularly. It’s rare that threat actors are able to take over servers without leaving some trace of their actions, such as log entries showing unexpected or unauthorized kernel drivers being activated. Keep in mind, however, that criminals who already have root powers can tamper with your logging configuration and the logs themselves, making it more difficult to spot malicious activity.

Remember that a comprehensive, defense-in-depth approach to security is essential in protecting your system from modern, advanced exploits in cyber security.

How Can I Rapidly and Accurately Identify and Eliminate Linux Malware?

If malware does get downloaded on your system, being able to rapidly and accurately identify and eliminate it is critical to protecting yourself, your users, and your files. Luckily, there are various effective open-source network security toolkits that can be used to detect and remove malware on your system:

- Linux Malware Detect: Linux Malware Detect is a malware cloud security scanner that can be used to detect malware in shared Linux environments. It utilizes threat data from network edge intrusion detection systems to identify and extract malware that is actively being used in attacks and generates signatures for detection. This tool also derives threat data from user submissions and community resources.
- Rootkit Hunter & Check Rootkit: Rootkit Hunter (rkhunter) and Check Rootkit (chkrootkit) are tools that scan local systems, identifying any potentially malicious software, such as malware and viruses that mask their existence on a system.
- Volatility: Volatility is an open-source memory forensics cloud security framework for incident response and malware analysis.
- Lynis: Lynis is a command-line application that scans a local or remote system to help an auditor identify potential network security issues.
- Cuckoo Sandbox: Cuckoo Sandbox is an excellent privacy sandbox for malware analysis. This tool allows you to safely execute possible malware samples, and it provides a comprehensive report on the code executed.
- Kali Linux: Kali Linux is a Linux distribution used for penetration testing, ethical hacking, and digital forensics. The included security penetration and management tools can be used for network discovery and other research purposes, as well as to identify potential cybersecurity vulnerabilities. Kali Linux includes many of the other network security tools listed here.

Malware as a Business

The malware market is rapidly expanding and evolving, forcing the security industry to keep pace. The success of this market drives rapid innovation, perpetuating growth and encouraging further malicious activity. Threat actors are creating and utilizing increasingly agile and sophisticated malware strains in their attacks on network security, challenging engineers to build stronger defenses against them. Traditional antivirus software is no longer effective in detecting and combating advanced, modern exploits in cyber security. Protecting against today’s sophisticated malware threats requires a comprehensive, defense-in-depth approach to digital security.

According to Verizon, 92.4 percent of malware is delivered via email. Thus, an effective email security strategy is imperative in preventing dangerous and costly infections. Malware is a serious network security threat to all businesses, as an infection can result in significant downtime, recovery costs, and reputation damage. Small businesses face a heightened risk because they often lack the resources and funding necessary to support a full-time IT department.

Guardian Digital EnGarde Cloud Email Security provides fully managed, multi-layered email protection against malware, phishing, and other persistent email-borne network security threats. Through a transparent, collaborative, open-source approach to software development, Guardian Digital is able to access and provide resources and tools from an innovative global community in a way that no other vendor can. This approach, combined with decades of industry experience and engineering expertise, enables Guardian Digital to offer flexible enterprise-grade solutions to businesses of all sizes at competitive prices. Key benefits of EnGarde’s protection include:

- Advanced real-time defenses against social engineering and impersonation attacks
- Email encryption and sender authentication protocols that detect fake “From” addresses and block them automatically
- Neutralization of network security threats associated with malicious attachments and links
- A scalable cloud-based system that simplifies deployment and increases availability
- Tighter data and network security, adaptive implementation, and eliminated risk of vendor lock-in through the use of a community-powered open-source approach to software development
- Professional engineering services, as Guardian Digital expert engineers take the time to learn about each client’s key assets, operations, and specific needs
- Passionate, knowledgeable, around-the-clock customer support services

Final Thoughts on Linux Malware

Despite the growing number of data and network security threats targeting Linux systems, there is still solid evidence that Linux is secure by design. There is a vibrant worldwide community that provides strong arguments and seeks to improve security posture by scrutinizing all resources introduced, allowing companies to have more transparency with their open-source code once it is accessible to all operating systems intended. Because of the workers constantly reviewing the source code in Linux kernels, cyber security vulnerabilities are identified and remedied faster than flaws that exist in the opaque source code of proprietary operating systems like Microsoft Windows. Threat actors recognize and exploit such weaknesses, directing the majority of their attacks at proprietary software, platforms, and operating systems. According to ESET security researchers, the Operation Windigo botnet, which uses Cdorked web servers to compromise Apache and more, has been detected in 26,000 infections since May 2013. The infamous ZeroAccess Windows-based botnet had infected nearly two million Windows PCs before it was taken down in December 2013.

The digital threat landscape is rapidly evolving to become more advanced and dangerous. While the majority of attacks on network security still victimize proprietary operating systems, threat actors are experimenting with newer targets like Linux. Linux users should undoubtedly be aware of the growing risk that their systems face and recognize that as this new decade unfolds, prioritizing system data and network security and maintenance is more critical than ever. In many cases, malware attacks can be attributed to administration issues and cyber security vulnerabilities in individual accounts instead of to poor operations. Guardian Digital CEO Dave Wreski states, “Although it may be easy to blame the rise in Linux malware in recent years on security vulnerabilities in the operating system as a whole, this is unfair and largely untrue. The majority of malware exploits on Linux systems can be attributed to misconfigured servers.”

On a broader scale, the rise of Linux malware should serve as a wake-up call for the security industry to allocate more resources to detecting these network security threats. As Linux malware continues to become more complex, even more common malware will target Linux frequently and still fly under the radar.

Brittany Day, Jun 18, 2023

Rocky Linux 9 Security Advisory Updates for Enhanced Protection

Are you a Rocky Linux user looking to track the latest Rocky Linux security advisories to maintain an updated, secure system? Then we have great news for you: LinuxSecurity.com has now added Rocky Linux to its Advisories database!

Why Is Tracking Advisories Critical for Robust Security?

Known security vulnerabilities are a favorite among malicious actors, as exploiting these bugs is relatively easy compared to zero-day vulnerabilities for which no patches are available. By tracking the security advisories issued by your distro, you can apply updates as soon as they become available to mitigate the risk that known vulnerabilities pose to the security of your systems.

Is Rocky Linux Secure?

Rocky Linux has earned the reputation of being a secure, stable distro suitable for the enterprise. The recent release of Rocky Linux 9 has introduced several notable security features:

- Since the cryptographic hash functions generated by SHA-1 are no longer regarded as secure, the use of SHA-1 message digests for cryptographic purposes has been discouraged.
- OpenSSL has significant enhancements in version 3.0.1, including support for additional protocols, formats, algorithms, and more. Other changes include a provider concept, a new versioning system, an enhanced HTTP(S) client, and more.
- The most significant change in OpenSSH 8.7p1 is the substitution of the SFTP protocol for the SCP/RCP protocol, which provides more predictable filename processing.
- Major improvements have been made to SELinux speed, memory overhead, load time, and other factors.

It is safe to say that Rocky Linux will remain secure into the future, given that it heavily relies on released security package updates from RHEL.

Why LinuxSecurity.com Should Be Your Go-To Resource for Tracking Advisories

LinuxSecurity.com makes staying informed of the latest updates available for the open-source programs and applications you use daily simple and convenient by tracking the latest security advisories for 15 popular distros and offering the ability to create a user profile and customize your advisories based on the distro(s) you use. We’ve recently begun tracking advisories for Oracle Linux and Rocky Linux, as these two popular distros have emerged as excellent alternatives to CentOS Linux 8, which reached end of life earlier this year and is no longer supported. By subscribing to our weekly Linux Advisory Watch Newsletter, you’ll be informed via email when your distro(s) has released an update for a vulnerable program or application highlighted in that week’s newsletter.

In addition to providing a comprehensive, strategic way for admins to ensure that they receive the updates and guidance they need to keep their systems secure, LinuxSecurity.com offers extensive training and documentation to help them troubleshoot issues and expand their skill set. Be sure to check out our recent Official Guide on Rocky Linux & How To Install It to learn about the pros and cons of Rocky Linux, how it compares to CentOS, and how to install Rocky Linux.

Next Steps

If you haven’t registered as a LinuxSecurity user and customized your advisories, what are you waiting for? Do yourself a favor and make your life as a Linux admin easier and more secure. Join the LinuxSecurity Community Now! Connect with LinuxSecurity on social media: Twitter | Facebook | LinkedIn

Brittany Day, Oct 03, 2022

How to Secure Your Linux System Against Kernel Threats and Attacks

The Linux kernel is the core component of the Linux operating system, maintaining complete control over everything in the system. It is the interface between applications and data processing at the hardware level, connecting the system hardware to the application software. The kernel manages input/output requests from software, memory, processes, peripherals and security, among other hefty responsibilities. Needless to say, the Linux kernel is pretty important.

However, with power comes great responsibility, and the Linux kernel is no exception to this rule. Kernel security is critical: it determines the security of the Linux operating system as a whole, as well as the security of every individual system that runs on Linux. Vulnerabilities in the kernel can have serious implications for Linux users, and it is extremely important that users stay up-to-date on news and advisories pertaining to kernel security. In this article, LinuxSecurity examines how kernel security has evolved in recent years and how to mitigate your risk as a Linux user.

A Brief History of the Linux Kernel

The Linux kernel was created in 1991 by Linus Torvalds for his personal computer. Torvalds had no cross-platform intentions for the kernel; however, over the past two decades the Linux kernel has expanded and evolved to support a wider array of computer architectures than any other kernel or operating system. Not long after its conception, Linux began to attract developers, contributors and users worldwide and was rapidly adopted as the kernel for many free software projects, including the GNU Operating System.

Intro to Linux Kernel Security

Kernel security is a hot topic in the Linux community due to the fact that a large portion of kernel bugs present potential security flaws. For instance, vulnerabilities in the Linux kernel may allow for privilege escalation or create denial-of-service attack vectors. Many of the more severe vulnerabilities discovered in the Linux kernel result in attacks that can be carried out remotely without any actions taken by the victim. These attacks present a bigger threat than those that require hackers to have a local account.

In general, Linux is an exceptionally secure operating system, which can be attributed to the principles of transparency and collaboration upon which the OS was founded. However, as with any OS, security bugs are inevitable. Thanks to a supportive, passionate and active community, a large portion of the vulnerabilities that exist in the Linux kernel are identified and fixed before they become a significant problem. Others slip through the cracks and cause more grief before they are recognized and addressed.

While many more security vulnerabilities have been found and fixed in the Linux kernel than the ones listed below, some of the most notorious bugs that have been discovered and remedied over the years include:

- CVE-2017-18017: This critical vulnerability, which exists in the netfilter tcpmss_mangle_packet function, is extremely dangerous because of the important role that it plays in filtering network communications by defining the maximum segment size that is allowed for accepting TCP headers. Without these controls in place, users are susceptible to overflow issues and DoS attacks. The flaw impacts versions before 4.11.
- CVE-2016-10229: This udp.c bug, affecting versions prior to 4.5, allows remote attackers to execute arbitrary code via UDP traffic, triggering an unsafe second checksum during the execution of a recv system call with the MSG_PEEK flag.
- CVE-2016-10150: This use-after-free vulnerability affecting Linux kernel versions prior to 4.8.13 allows users to cause a DoS attack. This flaw could also be exploited by hackers to gain privileges.
- CVE-2015-8812: This severe vulnerability impacting versions prior to 4.5, which was discovered in the drivers of the Linux kernel, enables remote attackers to execute arbitrary code or cause a DoS (use-after-free) via crafted packets.
- CVE-2014-2523: This serious netfilter vulnerability, which impacts versions through 3.13.6, can be attributed to the incorrect use of a DCCP header pointer. The flaw allows remote attackers to cause a DoS (system crash) or to execute arbitrary code via a DCCP packet that triggers a call to either the dccp_new, dccp_packet, or dccp_error function.

Balancing the Risks of Public Bug Disclosure

When a kernel vulnerability is identified, members of the Linux community collectively work to fix it. While this collaboration leads to rapid innovation and effective patches, the publication of patch proposals before their inclusion in the mainstream kernel branch does carry some degree of risk. Threat actors could potentially reverse-engineer a zero-day bug using patch proposals shared on the public mailing list. The community does have guidelines in place to mitigate this risk and keep patch proposals in the right hands until a patch is ready. A private mailing list exists for communicating with individual Linux distribution vendors, giving them time to prepare kernel patches in advance of public disclosure. However, the code for a patch eventually has to make it onto the public repositories that contain the source code for the Linux kernel.

Greg Kroah-Hartman, a Fellow at the Linux Foundation responsible for the Linux kernel stable releases, explains: “There is no way to ‘hide’ our work or patches as everything we do is released publicly in our trees. So yes, if you really wanted to see what is ‘broken’ in Linux, you ‘just’ watch everything that is merged into the kernel tree as it has hundreds of fixes for problems every week.” This would be a difficult job, but by no means should it be written off as impossible for a determined hacker, especially if he or she were to use ‘-next trees’, which collect likely patches for the next mainline merge window.

Kernel Security in 2019: Current Issues and New Security Features

2019 has been an eventful year for the Linux kernel. While kernel security is never stagnant, some notorious security issues continue to plague the kernel. One example is Intel’s persistent CPU problems, which have led to the Meltdown and Spectre security issues. ZombieLoad v2, a security hole which allows hackers to gain read access to your data or to hang your system and can also be used against all recent Intel processors including Cascade Lake, is the latest of these problems. Greg Kroah-Hartman, the stable Linux kernel maintainer, recently commented on Intel’s notorious CPU issues, “These problems are going to be with us for a very long time, they're not going away. They're all CPU bugs, in some ways they're all the same problem, but each has to be solved in its own way. MDS, RDDL, Fallout, Zombieland: They're all variants of the same basic problem.”

Securing your OS against these attacks as they appear is a tedious process which could result in a significant performance hit. For instance, disabling hyper-threading to protect systems against ZombieLoad attacks has been shown to decrease performance for certain workloads by 30% to 40%. In the words of a Chinese developer who recently spoke with Kroah-Hartman, “This is a sad talk.”

On a brighter note, this past month Linus Torvalds finally approved a new security feature, the Linux Security Module (LSM) nicknamed “lockdown”, to be included in version 5.4 of the kernel.
The purpose of the feature is to restrict various aspects of kernel functionality, prevent modification of kernel code, and lockdown hardware that could potentially generate direct memory addressing, among other security benefits. The feature, which has been in the works since 2010, was engineered by Mathew Garrett as a way to prevent users with elevated privileges from modifying the Linux kernel code. Torvalds was initially opposed tothe idea, stating that it was “nothing more than a means of getting Linux to boot on what would be Windows-only hardware”. However, with the lockdown feature now in place, Torvalds admits that it “gets us much closer to not requiring external patches”. Another key security feature that is currently in the works is Kernel Address Space Isolation . Its implementation could potentially reduce the risk of leaking sensitive data in attacks like L1 Terminal Fault (L1TF), MDS, hyper threading and other vulnerabilities. Kernel Address Space Isolation would, however, increase the complexity of the kernel code and the impact that this would have on performance has not yet been evaluated. How to Protect Your Linux System from Kernel Vulnerabilities: Tips and Best Practices for Administrators and Users While kernel vulnerabilities are often identified and patched fairly rapidly, it is up to users to take responsibility for maintaining a secure Linux system. Some best practices for protecting your system include: Track security advisories Seek out and apply software patches as soon as they are released Update your system frequently - use automatic updates when possible - and don’t forget to reboot your system once the kernel is updated! 
(Note: Automatic updates are available for Linux and are often easier to set up and run than those available for Windows or MacOS users) When using a stable version, plan ahead and upgrade to the next version before official support is ended Implement proper firewall filtering policies Harden your server against SYN flood attacks Disable direct memory access (DMA) to prevent DMA attacks Create regular backups Set up system monitoring tools to avoid downtime LinuxSecurity.com is a great resource for information on how to secure and harden your Linux system against kernel vulnerabilities. LinuxSecurity also tracks security advisories for thirteenpopular Linux distributions, and has an RSS feed specifically devoted to advisories. Have additional questions about kernel security or how to secure your system that haven’t been addressed in this article? Do not hesitate to contact us . We would love to continue the discussion! . Learn the methods to harden your Linux kernel and safeguard it against significant risks and contemporary exploits.. Linux Kernel Security, Protecting Linux Systems, Kernel Vulnerabilities, Security Best Practices, Linux Security Tips. . Brittany Day
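The two checks a practitioner would actually run after reading the section on CPU mitigations and lockdown and the best-practices list above are whether the running kernel still reports any CPU vulnerability as unmitigated, and which lockdown level is active. The script below is an added example written for this page, not code from the original article or from the kernel project. It reads the real files under /sys/devices/system/cpu/vulnerabilities and /sys/kernel/security/lockdown by default; the sample directory it builds is constructed here for demonstration and is not captured from a real machine.

```sh
#!/bin/sh
# Added example (not from the original article): report what the running
# kernel says about CPU-vulnerability mitigations and its lockdown mode.
# Both checks read the real sysfs/securityfs files by default and accept an
# optional path so they can also be run against the constructed sample below.

# Print "name: status" for every entry the kernel reports as "Vulnerable".
# Prints nothing when every entry is mitigated or not applicable.
unmitigated_entries() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        case "$status" in
            Vulnerable*) printf '%s: %s\n' "$(basename "$f")" "$status" ;;
        esac
    done
}

# Print the active lockdown mode (none, integrity or confidentiality).
# The file lists all modes with the active one in brackets, for example
# "none [integrity] confidentiality". Prints "unsupported" when the file
# is absent (kernel older than 5.4 or securityfs not mounted).
lockdown_mode() {
    file="${1:-/sys/kernel/security/lockdown}"
    [ -r "$file" ] || { echo unsupported; return; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$file"
}

# Returns 0 when nothing is unmitigated and lockdown is at least
# "integrity", 1 otherwise. Arguments are the optional paths above.
kernel_hardening_ok() {
    [ -z "$(unmitigated_entries "$1")" ] || return 1
    case "$(lockdown_mode "$2")" in
        integrity|confidentiality) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample (not captured from a real machine): Meltdown mitigated
# by PTI, L1TF not applicable, MDS left vulnerable for lack of microcode,
# lockdown set to integrity. The status strings mirror the kernel's format.
SAMPLE_DIR=$(mktemp -d)
mkdir "$SAMPLE_DIR/vulnerabilities"
printf 'Mitigation: PTI\n' > "$SAMPLE_DIR/vulnerabilities/meltdown"
printf 'Not affected\n' > "$SAMPLE_DIR/vulnerabilities/l1tf"
printf 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n' \
    > "$SAMPLE_DIR/vulnerabilities/mds"
printf 'none [integrity] confidentiality\n' > "$SAMPLE_DIR/lockdown"

echo "== constructed sample =="
unmitigated_entries "$SAMPLE_DIR/vulnerabilities"
echo "lockdown: $(lockdown_mode "$SAMPLE_DIR/lockdown")"

echo "== this machine =="
unmitigated_entries
echo "lockdown: $(lockdown_mode)"
```

On a real host, an MDS line that still reads "Vulnerable" after patching usually means the microcode update has not been applied or the machine has not been rebooted, which is exactly the failure the reboot reminder in the list above is about; "unsupported" for lockdown means the kernel is older than 5.4 or securityfs is not mounted.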

Posted Nov 19, 2019 by Brittany Day

Steps to Create a Robust and Secure Linux Environment Using LIDS

LIDS (Linux Intrusion Detection System) is a Linux kernel patch that enhances the security of the Linux kernel. In this article we describe what LIDS can do and how to use it to build a secure Linux system.

Xie Huagang, with additions by Nick DeClario

1. Why LIDS

With the increasing popularity of Linux on the Internet, more and more security holes are being found in the GNU/Linux system. You may hear that bugs have been found in Linux that allow a system to be easily compromised by an attacker. Because Linux is a product of the open source community, security holes are found easily and can also be patched quickly. But once a hole is disclosed to the public and the administrator is too lazy to patch it, it is very easy to break into the system, and worse, the attacker can get a root shell. With the current GNU/Linux system, he can then do whatever he wants.

Now, you may ask, what is the problem and what can we do? What is wrong with the current GNU/Linux system:

The superuser (root) may abuse its rights. Being root, one can do anything. Even the capability bounding set in the current system can easily be altered as root.

Many system files can be changed easily. There are many important files in the system, such as /bin/login. If an attacker gets in, he can upload a modified login program to replace /bin/login so that he can log in again without any user name or password. Yet these files do not need to change frequently, unless you are upgrading the system.

Modules are easily used to subvert the kernel. Modules are a good design that makes the Linux kernel more modular and more flexible. But once a module is inserted into the kernel it becomes part of the kernel and can do anything the original kernel can do. Therefore unfriendly code can be written as a module and inserted into the kernel; such code can even redirect system calls and act like a virus.

Processes are unprotected. Certain processes, such as a web server daemon, are vulnerable to attack.

Given these weaknesses, how can we build a secure system? We must have a secure kernel and then build our secure system on top of it. This is what LIDS does.

2. LIDS features

The Linux Intrusion Detection System is a patch that enhances the kernel's security. When it is installed, access to chosen files, every system/network administration operation, any capability use, and raw device, memory and I/O access can be made impossible, even for root. It uses and extends the capability bounding set to control the whole system and adds network and filesystem security features in the kernel. You can finely tune the protections online, hide sensitive processes, receive security alerts over the network, and more. In short, LIDS provides Protection, Detection and Response to intrusion in the Linux kernel.

Protection. LIDS can protect important files on your hard disk no matter what filesystem type they reside on; nobody, including root, can change them. LIDS can also protect important processes from being killed, prevent raw I/O operations from unauthorized programs, and protect your hard disk, including the MBR.

Detection. When someone scans your host, LIDS can detect it and inform the administrator. LIDS can also notice any activity on the system that violates the rules.

Response. When someone violates the rules, LIDS can log a detailed message about the violating action to the system log file, which is itself protected by LIDS. LIDS can also send the log message to your mailbox, and it can shut down the user's session at once.

3. Building a secure Linux system with LIDS

With the LIDS features in mind, let us see how to build a secure system with LIDS step by step.

3.1 Download the LIDS patch and the corresponding official Linux kernel

You can download the LIDS patch from the LIDS home page, the LIDS FTP site or one of the LIDS mirrors around the world; check the LIDS mirror list for a nearby site. The patch is named lids-x.xx-y.y.y.tar.gz, where x.xx is the LIDS version and y.y.y the Linux kernel version. You must download exactly that kernel version. For example, for lids-0.9pre4-2.2.14.tar.gz you need the Linux 2.2.14 kernel source, available from the kernel FTP site or one of its mirrors.

1. Uncompress the Linux kernel source tree:
# cd linux_install_path
# bzip2 -cd linux-2.2.14.tar.bz2 | tar -xvf -

2. Uncompress the LIDS source:
# cd lids_install_path
# tar -zxvf lids-0.9pre4-2.2.14.tar.gz

3.2 Patch LIDS into the official Linux kernel

Continuing the example of lids-0.9pre4-2.2.14.tar.gz and linux-2.2.14.tar.bz2:

3. Apply the LIDS patch to the kernel source:
# cd linux_install_path
# patch -p0 < /lids_install_path/lids-0.9pre4-2.2.14.patch

4. Configure the Linux kernel to use LIDS. Turn on the following options:
[x] Prompt for development and/or incomplete code/drivers
[x] Sysctl support
Turning these on adds a series of options for LIDS. Note: there are many kernel options for LIDS; check the LIDS-HOWTO for detailed information about configuring them.
# cd linux
# make menuconfig   (or: make xconfig)

5. Compile the Linux kernel:
# cd linux
# make dep clean
# make bzImage
# make modules
# make modules_install

6. Copy bzImage to /boot/ and edit /etc/lilo.conf.

7. Run /sbin/lilo to install the new kernel:
# /sbin/lilo

3.3 Compile the lidsadm program

lidsadm is the administration utility for LIDS. It must be installed before rebooting into the new kernel, but it does not require the new kernel or patch to compile; it builds and installs under your original kernel.
# cd lids_install_path/lidsadm-0.9pre4
# make   (or: make VIEW=1, to see the exact LIDS state)
# make install
Read the README included in the LIDS package for details on compiling and running lidsadm.

3.4 Initialize the LIDS system

Before you reboot, configure LIDS to meet your security needs: define protected files, protected processes and so on. Chapter 4 covers this in detail.

3.5 Reboot the system

After your system is configured, reboot. When LILO appears, select the LIDS-enabled kernel. You then enter the wonderful world of LIDS.

3.6 Seal the kernel

After the system boots, do not forget to seal the kernel with lidsadm. You can put the command on the last line of /etc/rc.local:
# /sbin/lidsadm -I -- -CAP_SYS_RAWIO -CAP_NET_ADMIN
Check the LIDS-HOWTO for a detailed list of all lidsadm options.

3.7 Online administration

Once the kernel is sealed, your system is protected by LIDS and you can run some tests on it. If you want to change the configuration, for example a capability option, you can change the LIDS security level online by providing a password:
# /sbin/lidsadm -S -- -LIDS

4. Configuring LIDS

This chapter shows how to configure LIDS.

4.1 Protect your files

First, decide which files to protect. In most cases you will protect the system binaries and system configuration files, such as /usr/, /sbin/, /etc/ and /var/log/. Second, decide how to protect them. LIDS provides three protection types; the two used here are:

Read-only files. Nobody can change a file marked read-only. Files such as /etc/passwd and /bin/passwd belong in this category.
USAGE: lidsadm -A -r filename_to_protect
Examples:
1. Protect the whole of /sbin/ as read-only:
# /sbin/lidsadm -A -r /sbin/
2. Protect /etc/passwd as read-only:
# /sbin/lidsadm -A -r /etc/passwd

Append-only files. Most append-only files are system log files, such as /var/log/messages and /var/log/secure. They can only be opened in append mode; their previous contents cannot be truncated or modified.
USAGE: lidsadm -A -a filename_to_protect
Examples:
1. Protect the system log files:
# /sbin/lidsadm -A -a /var/log/messages
# /sbin/lidsadm -A -a /var/log/secure
2. Protect the Apache httpd log files:
# /sbin/lidsadm -A -a /etc/httpd/logs/
# /sbin/lidsadm -A -a /var/log/httpd/

Here is the example from the LIDS-HOWTO by Philippe Biondi:
lidsadm -Z
lidsadm -A -r /boot
lidsadm -A -r /vmlinuz
lidsadm -A -r /lib
lidsadm -A -r /root
lidsadm -A -r /etc
lidsadm -A -r /sbin
lidsadm -A -r /usr/sbin
lidsadm -A -r /bin
lidsadm -A -r /usr/bin
lidsadm -A -r /usr/lib
lidsadm -A -a /var/log

Note: if you protect /etc/lids.conf as read-only, you cannot change the attributes of any file unless you reboot with a non-LIDS kernel. Either protect this file last, after you have everything set up the way you like it, or protect it as append-only. To control where lids.conf is placed, edit this line in lidsadm.c to your liking and recompile:
#define LIDS_CONF "/etc/lids.conf"

4.2 Protect your processes

LIDS can protect processes whose parent is init (pid 1). You must seal the kernel with the option below:
# lidsadm -I -- +INIT_CHILDREN_LOCK

4.3 Protect with capabilities

Capabilities are like privileges you can give a process. A root process has all capabilities, but there is also a capability bounding set. In a normal kernel, once you remove a capability from the bounding set nobody can use it again until the next reboot (see https://www.earthlink.net/internet/ for the normal use). LIDS modifies this behavior so that you can switch capabilities on and off whenever you want. Any access to /proc/sys/kernel/cap_bset is trapped and raises a security alert; lidsadm performs the whole job. You can list all the capabilities known to LIDS by running lidsadm and see the exact meaning of each. Two of them are discussed here.

CAP_SYS_RAWIO. With this capability on, we allow ioperm/iopl and /dev/port access, /dev/mem and /dev/kmem access, and raw block device (/dev/[sh]d??) access. Disabling it denies every process on the system access to raw devices, for example running lilo. Some programs, such as XF86_SVGA, need this capability to run; in that case, put the program in the exception list when compiling the kernel.

CAP_NET_ADMIN. This capability covers: interface configuration; administration of IP firewall, masquerading and accounting; setting debug options on sockets; modification of routing tables; setting arbitrary process/process group ownership on sockets; binding to any address for transparent proxying; setting TOS (type of service); setting promiscuous mode; clearing driver statistics; multicasting; read/write of device-specific registers. For security reasons, disable it to disallow network configuration changes. Once it is disallowed, the firewall rules cannot be changed.

Choosing capabilities and sealing the kernel. Choose which capabilities to disallow when sealing the kernel. You may put the command in an rc script (rc.local, /etc/init.d/lids, /etc/rc.d/init.d/lids, etc.) depending on your distribution and the way you administer your system. For example:
lidsadm -I -- -CAP_SYS_MODULE -CAP_SYS_RAWIO -CAP_SYS_ADMIN \
   -CAP_SYS_PTRACE -CAP_NET_ADMIN \
   +INIT_CHILDREN_LOCK

4.4 Network security

LIDS provides some network security enhancements.

Network security with capabilities. Each capability can be used to enhance network security: anti-sniffing, preventing binding to ports below 1024, and preventing changes to the firewall and routing rules. Review each capability definition carefully.

In-kernel scanner detector. LIDS provides a scanner detector in the kernel to detect who has scanned your system. It detects half-open scans, normal scans and so on; tools like nmap and SATAN are detected. It is useful when raw sockets are disabled, and because it does not use any socket it is more secure than a user-space detector. To use this feature, select it when compiling the kernel.

4.5 Intrusion response

When LIDS detects a violation of the defined rules, it can respond in the following ways.

Logging the message. When someone violates a rule, lids_security_log logs a message through klogd. Logging also has anti-flood protection, which you can set when compiling the kernel.

Logging via mail server. LIDS now has a feature to mail the message to your mail account. You define the mail server IP, the outgoing mail address and so on when compiling the kernel.

Shutting down the console. When a user violates a rule, LIDS shuts down that user's console.

5. Thanks

First of all, I want to thank my friend Kate Lee, who always encouraged me to write documents like this. This document is dedicated to her. I also want to thank Philippe Biondi and Christophe Long, who contributed largely to the project. Without them, the project could never have developed so well. Many thanks must also go to all LIDS users. Without their contributions and discussions, LIDS could not have had so many great ideas.

Xie Huagang
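Section 4.3 above builds on the capability bounding set, which LIDS extended through /proc/sys/kernel/cap_bset on 2.2 and 2.4 kernels. That global interface is gone: since Linux 2.6.25 the bounding set is per thread and is exported as the CapBnd hex mask in /proc/<pid>/status. The script below is an added example written for this page, not code from the LIDS project or the original article; it decodes that mask for the capabilities the seal command in 4.3 drops. The status fragment it builds is constructed for demonstration and is not captured from a real process; the capability bit numbers are those in the kernel's include/uapi/linux/capability.h.

```sh
#!/bin/sh
# Added example (not from the original article): decode a process's
# capability bounding set from the CapBnd mask in /proc/<pid>/status.
# The status file path is an optional argument so the constructed sample
# below can stand in for /proc/self/status.

# Bit numbers from include/uapi/linux/capability.h for the capabilities the
# article's lidsadm -I seal line drops, plus two kept for contrast.
cap_bit() {
    case "$1" in
        CAP_CHOWN)      echo 0 ;;
        CAP_SETPCAP)    echo 8 ;;
        CAP_NET_ADMIN)  echo 12 ;;
        CAP_SYS_MODULE) echo 16 ;;
        CAP_SYS_RAWIO)  echo 17 ;;
        CAP_SYS_PTRACE) echo 19 ;;
        CAP_SYS_ADMIN)  echo 21 ;;
        *) echo "unknown capability: $1" >&2; return 1 ;;
    esac
}

# Extract the CapBnd mask (16 hex digits) from a status file.
capbnd_mask() {
    sed -n 's/^CapBnd:[[:space:]]*//p' "${1:-/proc/self/status}"
}

# Print "yes" if the named capability is in the bounding set, "no" if it is
# not, and "unknown" (with failure status) if the mask cannot be read.
cap_in_bounding_set() {
    bit=$(cap_bit "$1") || return 1
    mask=$(capbnd_mask "$2")
    [ -n "$mask" ] || { echo unknown; return 1; }
    if [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# Constructed sample (not captured from a real process): a bounding set of
# capabilities 0..40 with CAP_NET_ADMIN, CAP_SYS_MODULE, CAP_SYS_RAWIO,
# CAP_SYS_PTRACE and CAP_SYS_ADMIN removed, i.e. what the article's seal
# line would leave behind on a modern kernel. 0x1ffffffffff with bits
# 12, 16, 17, 19 and 21 cleared is 0x000001ffffd4efff.
SAMPLE_STATUS=$(mktemp)
printf 'Name:\tsh\n'                   >  "$SAMPLE_STATUS"
printf 'CapPrm:\t000001ffffd4efff\n'   >> "$SAMPLE_STATUS"
printf 'CapEff:\t000001ffffd4efff\n'   >> "$SAMPLE_STATUS"
printf 'CapBnd:\t000001ffffd4efff\n'   >> "$SAMPLE_STATUS"
printf 'CapAmb:\t0000000000000000\n'   >> "$SAMPLE_STATUS"

for c in CAP_CHOWN CAP_SETPCAP CAP_NET_ADMIN CAP_SYS_MODULE \
         CAP_SYS_RAWIO CAP_SYS_PTRACE CAP_SYS_ADMIN; do
    self=n/a
    # Only read the live bounding set where procfs is available.
    [ -r /proc/self/status ] && self=$(cap_in_bounding_set "$c")
    printf '%-15s sample=%-4s self=%s\n' "$c" \
        "$(cap_in_bounding_set "$c" "$SAMPLE_STATUS")" "$self"
done
```

On a stock system the "self" column reads yes for every capability, which is the situation section 1 complains about: root's bounding set is intact and can be relied on only if something outside the process (today, a service manager or container runtime dropping bits with prctl(PR_CAPBSET_DROP), rather than a LIDS patch) has removed them first.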

Posted May 16, 2000 by Brittany Day