Explore Latest Linux Security news


Ebury Malware Analysis: Key Risks for 400K Linux Servers

As cybersecurity practitioners, we are no strangers to the constant threat of malicious actors and the importance of remaining vigilant to protect our systems. Security researchers have identified a massive botnet comprising over 400,000 compromised Linux servers, reinforcing the need to stay alert and implement robust security measures. Let's examine the significance of this discovery and what we can learn from it to protect against future attacks.

Why Is the Ebury Malware So Significant? What Can We Learn from This Threat?

According to researchers, the botnet has been active since at least 2009, demonstrating the tenacity and persistence of the threat group behind the Ebury malware. The botnet has evolved significantly over the past decade, employing various techniques to propagate the malware and expand its reach. For example, the Ebury gang has leveraged access to hosting companies' infrastructure to install Ebury on all hosted servers, intercepted and redirected SSH traffic inside data centers to capture credentials, and automatically stolen cryptocurrency wallets when victims log in. Of particular concern is the botnet's use for illicit financial gain, such as stealing financial data from transactional websites and cryptojacking to mine cryptocurrency on infected systems. Research also reveals the latest update to the Ebury malware family, version 1.8, which includes new ways to hide information, a new domain generation algorithm (DGA), and improved userland rootkits that Ebury uses to hide from system administrators. Linux admins must recognize the implications of these findings and take proactive steps to prevent compromise by the evolving Ebury threat. Maintaining patched systems and robust credential policies is critical, along with monitoring for indicators of compromise and implementing security best practices such as firewall configuration and regular software updates.

Perhaps most importantly, we must remain vigilant and continue educating ourselves and others about the evolving threat landscape, ensuring we stay up to date with the latest security trends and techniques.

Our Final Thoughts on the Ebury Malware

The recent discovery of a massive botnet comprised of over 400,000 compromised Linux servers highlights the ongoing need for strong cybersecurity measures and constant vigilance. It is essential to recognize the evolving threat landscape and take proactive steps to prevent compromise, stay informed about the latest security trends, and educate others about the importance of security best practices. Failure to take such measures could have severe long-term consequences that could put sensitive financial and other data at risk.

The Ebury malware poses a major risk to Linux security, exploiting its botnet capabilities and increasing Linux-targeted attacks, emphasizing the need for better defenses.

Ebury Botnet, Linux Malware, Cyber Threats, Cryptojacking, Server Security.

Jun 03, 2024 | Brittany Day | Hacks/Cracks

NoaBot: SSH Brute-Force Attack on Linux Servers - Cryptomining Risk

Over the last year, a new botnet has slowly grown by brute-forcing SSH passwords and installing cryptomining malware on Linux servers. The main client of the botnet is based on the old Mirai malware, whose source code has been available for many years. However, researchers have seen that the same group has also used the more recent P2PInfect malware, which exploits Redis instances.

According to security researchers, the botnet began in January 2023. However, it has grown significantly since then, reaching its peak last month. More than 800 unique IPs from around the globe showed signs of NoaBot infection, with 10% of those based in China. The researchers said that the malware uses a simple SSH credential dictionary attack to move laterally. Restricting SSH access from the internet greatly reduces the risk of infection. Using strong passwords (not default or randomly generated ones) also helps secure your network, since the malware guesses passwords from a list.

Modified Mirai Scanner Targets SSH

Mirai is a self-propagating DDoS botnet that first appeared in 2016. It was designed to infect embedded network devices using Telnet dictionary attacks and vulnerability exploits, and it was known as the source of some of the biggest DDoS attacks on the internet. In recent years, the Mirai codebase, which includes a scanning module for propagation, an attack module, and persistence code used to hide botnet processes, has inspired many other self-propagating Linux botnets. Some focused on DDoS, others on cryptomining. NoaBot's creators took Mirai's source code and made some significant changes, replacing the Telnet scan with an SSH scan. This makes sense: embedded devices that still use Telnet for command-line debugging and administration are poor targets for cryptomining because of their limited computing power. Linux servers, on the other hand, are good targets and far more likely to be SSH-enabled. SSH dictionary attacks, in which an attacker tests predefined usernames and passwords, are not new. They are easy to defend against if you follow security best practices, such as using SSH key-based authentication and disabling password authentication. The servers compromised by NoaBot would be considered low-hanging fruit from a security standpoint; it wouldn't surprise us if they had already been infected with other malware. The NoaBot SSH scan has a clear signature: the botnet client sends the message "hi" when an address accepts an SSH connection. This isn't a valid SSH command, and there is no practical reason to send it, so it can be used as a firewall signature. NoaBot was also modified by changing its compiler from GCC to uClibc, which significantly alters the binary and lets it evade detections written for Mirai. Command-line arguments were added to enable various functionalities. The bot, for example, can install an attacker-controlled SSH key to ensure persistence even if password authentication is disabled. As a backup, it downloads and adds additional binaries, and it adds a crontab entry so that it starts again after a reboot. The command-line flag for this persistence mechanism is "noa," which inspired the botnet's name. Researchers found signatures for "noa" in antivirus engines, which indicates that it is a common prefix.

Cryptominer Modification and P2PInfect Connection

The cryptomining component of NoaBot is XMRig, an open-source, widely used cryptocurrency miner that is popular among attackers. Akamai researchers say that the NoaBot creators modified the XMRig code to conceal and encrypt its configuration, including the IP address of the mining pool where the attackers collect their cryptocurrency. "We believe the threat actors have chosen to run their private pool rather than a public pool. This eliminates the need to specify the wallet (their pool, their rules!)," the researchers said. They added, "In our samples, we noticed that the miner's sites were no longer resolvable with Google's DNS. We can't prove our theory or collect more data because the domains are unresolved." There haven't been any recent incidents that drop the miner; the threat actor may have decided to leave for "greener pastures."

Researchers are confident that the same authors also use a customized version of P2PInfect, a self-replicating malware family written in Rust that appeared in July. Some P2PInfect samples contained the same inside jokes and text found in the NoaBot code. P2PInfect uses a Lua flaw to compromise instances of Redis, an in-memory data store, and some variants may also include an SSH scanner. Researchers are not sure why this group switched from Mirai, which was a more customized creation, to P2PInfect, or whether they use both at the same time. One possibility is that custom code is harder to reverse-engineer than repurposed code because it has been modified. Second, since the threat actors are tech-savvy, they may develop malware out of boredom or curiosity. Third, P2PInfect is a tool that targets Redis servers, so different tools may be used for different purposes.

How Can I Secure My Servers Against This Threat?

To protect against this threat and enhance the security of your servers, restrict SSH access to trusted IP addresses and use key-based authentication as part of SSH hardening. Have additional questions about securing your Linux servers? Please reach out to us on X @lnxsec - we're here to help! Stay safe out there, fellow Linux users!

Digital threat WatchDog focuses on Linux servers through SSH brute-force intrusions, signaling analysts about the potential for illicit cryptomining activities.

NoaBot Threat, SSH Attack Prevention, Cryptomining Botnet, Linux Security Practices, Mirai Malware.

Jan 10, 2024 | LinuxSecurity.com Team | Server Security

Ransomware Threats Surge on Linux: 75% Increase in Attacks

There has been a big rise in ransomware attacks targeting Linux as cyber criminals look to expand their options and exploit an operating system that is often overlooked when businesses think about security.

According to analysis by cybersecurity researchers at Trend Micro, Linux servers are "increasingly coming under fire" from ransomware attacks, with detections up by 75% over the course of the last year as cyber criminals look to expand their attacks beyond Windows operating systems. Linux powers important enterprise IT infrastructure, including servers, which makes it an attractive target for ransomware gangs, particularly when a perceived lack of threat to Linux systems compared with Windows means that cybersecurity teams might choose to focus on defending Windows networks against cybercrime.

Incidents of ransomware on Linux systems have escalated by 75%, highlighting vulnerabilities as malicious actors refine their targeting strategies.

Ransomware Attacks, Linux Servers, Cybersecurity Threats, IT Infrastructure, Attack Trends.

Sep 02, 2022 | Brittany Day | Security Trends

Understanding Linux Malware Through VirusTotal Insights and Assessments

The rise of malware designed to infect Linux servers for distributed denial-of-service attacks has earned greater attention from VirusTotal, the Google-owned go-to tool for malware hunters. For security researchers who need to stay on top of emerging malware threats, the VirusTotal malware database has become an integral tool. Anyone can upload a suspicious file to the web tool to check whether the dozen or so antivirus engines, such as Kaspersky, McAfee, Symantec, and their equivalents, detect it as malware. The tool is meant for defenders, but as one researcher found last year, black hat hackers were also using the service to test their malware against antivirus products prior to releasing it in the wild, despite the tool's shortcomings for comparative analysis. The link for this article located at ZDNet Blogs is no longer available.

Explore the ways in which ThreatTracker supports analysts in tackling new Linux malware challenges and scrutinizing server infiltration pathways.

Linux Malware, VirusTotal Detection, Server Security Insights.

Nov 12, 2014 | LinuxSecurity.com Team | Security Projects

Five Essential Steps for Securing SSH Access on Linux Systems

Since it. The link for this article located at Think Hole is no longer available.

Implement crucial measures to bolster the security of your SSH connections and safeguard your Linux servers against unauthorized intrusion.

SSH Security Best Practices, Enhanced SSH Access Control, Secure Linux Servers.

Nov 01, 2006 | LinuxSecurity.com Team | Server Security

Implementing Active Directory SSO For Linux Desktops And Servers

I am an advocate of centralized identity management, and I think Active Directory makes a great repository for user account information. Interoperability can be a challenge, though. For example, you may work in a mixed environment of Linux/Unix and Windows and want users to take advantage of their Windows accounts when logging on at a Linux/Unix machine. This provides single sign-on for users who otherwise would need to maintain two different sets of passwords.

With this in mind, I set out to accomplish what I considered to be a fairly straightforward goal: configure the Linux desktops and servers in my office to accept logins using accounts stored in AD. My metrics for success were relatively modest. I wanted to sit down at a Linux desktop, enter a set of Windows credentials, and get a KDE or Gnome desktop with a home directory that has appropriate access permissions. The link for this article located at MCPMag.com is no longer available.

Implementing single sign-on (SSO) in Linux with Active Directory enhances user experience and streamlines administration while ensuring security and efficiency.

Linux Single Sign-On, Active Directory Integration, Identity Management.

Jun 23, 2005 | LinuxSecurity.com Team | Server Security

Columbitech Enhances Wireless VPN Compatibility For Red Hat Linux Systems

Secure wireless software developer Columbitech of Stockholm and New York, whose wireless VPN technology powers Symbol's AirBEAM brand of products, is supporting Linux servers in its latest version. This move is key for the company because it helps customers save money. "Linux lets people do cost effective implementations. You don't have to license from Microsoft and the functionality is stripped to just what you need," says Pontus Bergdahl, CEO at Columbitech. The support is specifically for Red Hat Linux servers. Previously, Columbitech's Wireless Suite supported Windows NT/2000 servers. Eventually the company hopes to expand to embedded Linux clients and Unix servers. The link for this article located at 802.11Planet is no longer available.

Columbitech unveils new wireless VPN compatibility for Linux systems, boosting affordability for users.

Wireless VPN, Columbitech, Red Hat Servers, Secure Software, Cost Efficiency.

Apr 17, 2003 | Anthony Pell | Network Security

Investigation Reveals 250 Linux Servers Targeted By DOS Attacks

Some 250 Linux servers were found to have been infected with a hacking program used in denial of service (DOS) attacks, raising serious security concerns about the popular open source servers. The Ministry of Information and Communication (MIC) said yesterday that SECUi.COM, a local communication security firm, detected a hacking program used in DOS attacks during a routine check on one of its clients last Tuesday. The company was able to trace the origin to a Linux server in a PC room in Kangnung, Kangwon Province. SECUi.COM then reported the incident to the National Police Agency (NPA) and the Korea Information Security Agency (KISA), and the consequent investigation by the NPA discovered that the hacking program had been installed on about 250 servers. The link for this article located at Lexis-Nexis is no longer available.

Aug 04, 2000 | LinuxSecurity.com Team | Hacks/Cracks