
Stay Ahead With Linux Security News



Explore Latest Linux Security news


Linux Kernel 6.14: Critical Security Fixes and Networking Updates

Linux kernel version 6.14 has been released with updates that Linux security admins won't want to miss. This version, unveiled on March 24, 2025, brings optimizations and security improvements for a smoother and more secure computing experience. With key vulnerability patches, such as the one addressing a use-after-free in the key management system, every system admin's job of maintaining secure, reliable environments just got a little easier.

The release also brings notable improvements to networking security, including fixes for Bluetooth connections and IPv6 stability, helping network operations stay resilient against potential threats. Alongside these network improvements, memory management and protection have been strengthened with a better initialization process. These advances not only improve the stability of the kernel but also shore up defenses against unauthorized memory access, making this release a must-adopt for security-conscious admins. Let's examine some key highlights of the Linux kernel 6.14 release and their impact on your security and productivity.

Improved Key Management Systems

One of the standout fixes in this release addresses a vulnerability in the kernel's key management system. The patch, developed by David Howells, targets a use-after-free (UAF) condition in the key_put() function. A UAF is a serious security risk: once memory has been freed, the allocator may hand it out again, so code that still touches the stale object can read or write data an attacker controls, leading to unpredictable behavior or even execution of malicious code. The fix ensures that keys are released safely, preventing access to freed memory. For system administrators, this means a more robust defense against exploits arising from improper handling of cryptographic keys. By safeguarding this part of the kernel, version 6.14 ensures more reliable and secure key operations, a critical component of any security strategy.

Strengthened Networking Security

Linux kernel 6.14 brings several updates that improve network security and stability. One noteworthy fix addresses a Bluetooth issue. Before this release, there was a persistent problem with connections between Low Energy (LE) and non-LE Bluetooth adapters. Arkadiusz Bokowy's patch resolves this issue, ensuring smooth and reliable communication between Bluetooth devices. This improvement matters for environments that rely on Bluetooth for communication and data transfer, fortifying the reliability and safety of Bluetooth interactions by addressing potential connection faults.

Another networking enhancement involves IPv6. Implemented by Felix Fietkau, the fix addresses an issue with TCP Generic Segmentation Offload (GSO) in Network Address Translation (NAT) environments. This is important for stable and secure network operation, particularly on systems where efficient packet processing is crucial. By fixing segmentation handling under NAT, the update keeps network performance up and closes off problems that could arise from incorrectly segmented packets.

Advanced Memory Management and Protection

Linux kernel 6.14 also brings improvements in memory management and protection, vital for maintaining system stability and security. Kirill A. Shutemov's patch addresses an ordering issue in memory allocation: it ensures that memory is initialized before the allocator's watermarks are set, so the kernel does not accept memory while it is still in an uninitialized state. This matters for preventing unauthorized memory access and ensuring that memory is safely initialized. Proper memory management is a cornerstone of system security, and this fix contributes to a more robust kernel that can better protect against memory-related vulnerabilities, an added layer of protection and reliability that keeps systems running without unexpected memory-related issues.

A Holistic Approach to Kernel Security

The updates in Linux kernel 6.14 reflect a holistic approach to security, addressing key areas that could be exploited. The attention to detail in key management, networking security, and memory management highlights the ongoing commitment of the Linux kernel development community to provide a secure and stable platform for users and administrators. By addressing and patching known vulnerabilities, the kernel developers ensure that Linux systems are equipped to handle persistent and emerging security threats. This is a testament to the strength of the open-source community, where collaborative efforts lead to robust solutions that benefit all users.

Practical Implications for System Administrators

The practical implications of these updates are significant for system administrators. The key management fix allows for more secure cryptographic operations, essential for protecting sensitive data and ensuring secure communications. The networking fixes, including the Bluetooth and IPv6 enhancements, help networked environments remain safe and reliable, reducing the risk of exploits that target network vulnerabilities. The memory management improvements mean the kernel is better equipped to handle memory allocation securely, reducing the likelihood of unauthorized memory access and system instability. Together, these updates help administrators maintain safe, efficient, and stable systems.

Embracing the New Kernel

As with any new kernel release, administrators should thoroughly test these updates in a controlled environment before deploying them across production systems. This confirms compatibility with existing configurations and surfaces any issues that may arise from the new kernel. In addition to testing, admins should stay informed about the latest patches and updates from the kernel development community. Fixes of this kind are typically backported to the stable and distribution kernels that most production systems actually run, so check your distribution's security advisories rather than waiting for a wholesale 6.14 upgrade. Regularly applying security updates and staying abreast of new developments is essential for maintaining a secure and reliable Linux environment.

Our Final Thoughts on the Linux Kernel 6.14 Release

Linux kernel version 6.14 brings important updates that enhance security and performance. The key management fix, networking security fixes, and memory management improvements highlight the ongoing effort to provide a robust and secure kernel. For security-conscious administrators, this release offers vital improvements for maintaining a safe and stable Linux environment. By adopting these updates and integrating them into our systems, we can ensure that they continue to operate securely and efficiently in the face of evolving security challenges.

Mar 26, 2025 | Brittany Day | Security Projects

Network Security: Tuning /proc/sys/net/ipv4 Settings for Linux

David Lechnyr submitted a paper he wrote on how to use /proc to tune network security settings. "In addition to firewall rulesets, the /proc filesystem offers some significant enhancements to your network security settings. Unfortunately, most of us are unaware of anything beyond the vague rumors and advice we've heard about this beast. In this article, we'll review some of the basic essentials of the /proc/sys/net/ipv4 filesystem necessary to add to the overall network security of your Linux server."

Network Security with /proc/sys/net/ipv4

/proc/sys/net/ipv4

Perhaps one of the more frequently neglected areas of firewall configuration involves the /proc filesystem. The pseudo-file structure within /proc lets you interface with the kernel's internal data structures, either to obtain information about the system or to change specific settings. Some parts of /proc are read-only, while others can be modified. It is often referred to as a virtual filesystem in that it takes up no actual disk space; files are generated on demand when you access them. In this article, we focus specifically on /proc/sys/net/ipv4.

To benefit from the /proc filesystem, you need two options enabled when building your kernel. CONFIG_PROC_FS is what allows you to access and view the /proc filesystem, and CONFIG_SYSCTL is what allows you to modify the /proc/sys entries without rebooting or recompiling the kernel. The settings become available at boot once the /proc filesystem has been mounted. They live only in kernel memory, so anything you write is lost at the next reboot: put the commands below in a startup script (on current systems, in /etc/sysctl.conf or /etc/sysctl.d/, which the sysctl utility applies at boot).

ICMP Specific Settings

Ping scanning is typically used to determine which hosts on a network are up, usually by sending ICMP ECHO request packets to the target host. This is seemingly innocent behavior, but network administrators often block such traffic to give away less about their network. The choices are blocking ICMP ECHO requests sent to broadcast/multicast addresses and blocking those sent directly to the host. Ignoring broadcast requests is nearly always right, since answering them lets your host be used as an amplifier in a smurf attack; ignoring all requests also breaks legitimate ping-based monitoring, so weigh that before enabling it. To enable protection against both types of ICMP ECHO request, use the following commands:

    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

ICMP redirect messages can also be a pain: a host that honors them lets a forged redirect, apparently from its gateway, change where it sends traffic for a destination. If your box is not acting as a router, you'll probably want to stop accepting them:

    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

Sometimes you will come across routers that send out invalid responses to broadcast frames. This is a violation of RFC 1122, "Requirements for Internet Hosts -- Communication Layers", and the kernel logs these events. To avoid filling up your log file with unnecessary clutter, you can tell the kernel not to issue these warnings:

    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

IP Specific Settings

Ironically, IP forwarding of packets between interfaces is enabled by default on many systems in their startup scripts. If you do not intend for your box to forward traffic between interfaces, or if you only have a single interface, it is a good idea to disable forwarding. Note that altering this value resets all the other ipv4 configuration parameters to their default values (RFC 1122 defaults for hosts, RFC 1812 defaults for routers), so you'll want to set this one before all other /proc settings:

    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        echo "Disabling IP forwarding"
        echo "0" > /proc/sys/net/ipv4/ip_forward
    fi

Whether or not you forward, you can also set rp_filter, something that is often misunderstood by network administrators. Reverse path filtering rejects an incoming packet if the route back to its source address does not go out through the interface the packet arrived on, which helps prevent IP spoofing. Turning it on, however, has consequences: if your host has several IP addresses on different interfaces, if a single interface has multiple IP addresses, or if routing is asymmetric, you'll find that the kernel may reject valid traffic. It's also important to note that even if you do not enable rp_filter, protection against broadcast spoofing is always on. And the protection it provides is only against addresses spoofed from the wrong side, such as an internal address arriving on the external interface; an outside attacker can still forge any address that is plausibly reachable through that interface. When this was written the setting was off by default; newer kernels also accept the value 2 (loose mode, which only requires that the source address be reachable through some interface), and most current distributions ship with it enabled. To enable it in strict mode, run the following:

    if [ -r /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        echo "Enabling rp_filter"
        echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
    fi

You may have noticed the "all" subdirectory in this last example. In /proc/sys/net/ipv4/conf there is one subdirectory for each interface on your system, one called "default" (used as the template for interfaces created later), and one called "all". Changing a specific interface directory only affects that interface, while "all" is meant to affect every interface. Be aware, though, that the kernel combines the "all" value with the per-interface value rather than simply overriding it, and the rule differs per setting: for rp_filter the higher of the two wins, log_martians is on if either is set, and accept_source_route requires both to be set. After writing to "all", check the interface directory too, or write the value to "all", "default" and each interface.

If you have compiled your kernel with CONFIG_SYNCOOKIES, you can optionally turn on protection against SYN flood attacks. Note the emphasis: compiling the kernel with this option does not enable it by default. It works by sending out SYN cookies when the SYN backlog queue of a listening socket overflows: instead of keeping state for each half-open connection, the kernel encodes the connection details in the initial sequence number of its SYN-ACK and only allocates state when a valid ACK comes back. What is often misunderstood is that this is a fallback, not a capacity feature: a connection completed from a cookie loses the TCP options carried in the original SYN (historically window scaling and SACK), so legitimate clients can see degraded connections while the flood lasts. If you see SYN flood warnings in your logs, make sure they are not simply the result of a heavily loaded server before enabling this setting; in that case raising the backlog is the right fix. If you do want to enable it, perform the following:

    if [ -r /proc/sys/net/ipv4/tcp_syncookies ]; then
        echo "Enabling tcp_syncookies"
        echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    fi

Normally, a host has no control over the route a packet takes beyond its first hop; it is up to the other hosts on the network to complete the delivery. IP source routing (SRR) is a method of specifying the exact path a packet should take among the other hosts to reach its destination. This is generally a bad idea for the security conscious, as someone could direct packets to you through a trusted interface and effectively bypass your security in some cases. A good example is traffic, such as SSH or telnet, that is blocked on one interface but could arrive on another of your host's interfaces if source routing is used, which you might not have anticipated in your firewall settings. You'll probably want to disable this with:

    if [ -r /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
        echo "Disabling source routing"
        echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    fi

Packets whose source address makes no sense on the interface they arrive on, because there is no route to it or because it belongs on a different interface, are referred to as "martians". For example, if you have two different subnets plugged into the same hub, the routers on each end will see each other's traffic as martian. Such packets should never show up in a correctly configured network, so it is worth logging them to the kernel log (this also logs packets dropped by rp_filter):

    if [ -r /proc/sys/net/ipv4/conf/all/log_martians ]; then
        echo "Enabling logging of martians"
        echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    fi

Additional Resources

For more information regarding the /proc filesystem, refer to the documentation that comes with the Linux kernel source. Of specific help is Documentation/filesystems/proc.txt by Bowden, Bauer & Nerin. Additionally, you can refer to Documentation/networking/ip-sysctl.txt by Kuznetsov & Savola. (In current kernel trees these files are Documentation/filesystems/proc.rst and Documentation/networking/ip-sysctl.rst.)

About the Author

David Lechnyr is a Network Administrator at the Human Resources department of the University of Oregon. He holds a Master's Degree in Social Work along with his MCSE+I, CNE, and CCNA certifications. He has been working with Linux for the past five years, with an emphasis on systems security, network troubleshooting, PHP scripting, and web/SQL integration.

© 2002 by David Lechnyr. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at opencontent). Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. Distribution of the work or derivative of the work in any standard (paper) book form is prohibited unless prior permission is obtained from the copyright holder.

Nov 09, 2023 | Anthony Pell | Network Security
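As an added example, not part of David Lechnyr's paper, the following POSIX shell script turns the settings discussed in it into an audit that can be run before and after hardening. It reads the same files the paper writes, but applies the kernel's rules for combining conf/all with the per-interface directory, so it reports the value actually in force rather than the one you last wrote. The tree it inspects is a parameter: when run as-is it builds a constructed stand-in for a weakly configured /proc/sys/net/ipv4 in a temporary directory (not captured from any real machine), so it works without root; pointed at the real /proc/sys/net/ipv4 as root it audits and hardens the live kernel. The function names, the sample tree and the choice of eth0 as the interface are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the paper: audit and apply the /proc/sys/net/ipv4
# settings discussed above. BASE is the tree to inspect (a constructed copy
# built by make_sample_tree, or the real /proc/sys/net/ipv4 when run as root).

# Recommended values for a host that does not forward. ip_forward is listed
# first because changing it resets the other ipv4 parameters to their defaults.
HOST_WANT="ip_forward=0 icmp_echo_ignore_broadcasts=1 icmp_echo_ignore_all=1"
HOST_WANT="$HOST_WANT icmp_ignore_bogus_error_responses=1 tcp_syncookies=1"
IFACE_WANT="accept_redirects=0 accept_source_route=0 rp_filter=1 log_martians=1"

# read_val DIR NAME: print the setting, or 0 when the file is absent.
read_val() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo 0; fi
}

# effective BASE IFACE KEY: the value the kernel enforces on IFACE, using the
# combination rules from Documentation/networking/ip-sysctl:
#   rp_filter           max(all, iface)
#   log_martians        all OR iface
#   accept_source_route all AND iface
#   accept_redirects    all AND iface if forwarding is on, all OR iface if off
effective() {
    a=$(read_val "$1/conf/all" "$3"); i=$(read_val "$1/conf/$2" "$3")
    case $3 in
        rp_filter)
            if [ "$a" -ge "$i" ]; then echo "$a"; else echo "$i"; fi ;;
        log_martians)
            if [ "$a" -ne 0 ] || [ "$i" -ne 0 ]; then echo 1; else echo 0; fi ;;
        accept_source_route)
            if [ "$a" -ne 0 ] && [ "$i" -ne 0 ]; then echo 1; else echo 0; fi ;;
        accept_redirects)
            if [ "$(read_val "$1" ip_forward)" -ne 0 ]; then
                if [ "$a" -ne 0 ] && [ "$i" -ne 0 ]; then echo 1; else echo 0; fi
            else
                if [ "$a" -ne 0 ] || [ "$i" -ne 0 ]; then echo 1; else echo 0; fi
            fi ;;
        *) echo "$i" ;;
    esac
}

# audit BASE IFACE: one OK/FAIL line per setting, then "failures=N".
audit() {
    fails=0
    for kv in $HOST_WANT; do
        key=${kv%%=*}; want=${kv#*=}; got=$(read_val "$1" "$key")
        if [ "$got" = "$want" ]; then echo "OK   $key=$got"
        else echo "FAIL $key=$got (want $want)"; fails=$((fails + 1)); fi
    done
    for kv in $IFACE_WANT; do
        key=${kv%%=*}; want=${kv#*=}; got=$(effective "$1" "$2" "$key")
        if [ "$got" = "$want" ]; then echo "OK   $2/$key=$got"
        else echo "FAIL $2/$key=$got (want $want)"; fails=$((fails + 1)); fi
    done
    echo "failures=$fails"
}

# audit_failures BASE IFACE: just the count (0 means compliant).
audit_failures() { audit "$1" "$2" | sed -n 's/^failures=//p'; }

# harden BASE IFACE: write the recommended values. Per-interface settings go to
# conf/all, conf/default (future interfaces) and conf/IFACE, so the combination
# rules above cannot leave a weaker per-interface value in force.
harden() {
    for kv in $HOST_WANT; do echo "${kv#*=}" > "$1/${kv%%=*}"; done
    for d in all default "$2"; do
        [ -d "$1/conf/$d" ] || continue
        for kv in $IFACE_WANT; do echo "${kv#*=}" > "$1/conf/$d/${kv%%=*}"; done
    done
}

# make_sample_tree DIR: constructed stand-in for a weakly configured host's
# /proc/sys/net/ipv4 (not captured from a real machine), usable without root.
make_sample_tree() {
    mkdir -p "$1/conf/all" "$1/conf/default" "$1/conf/eth0"
    echo 1 > "$1/ip_forward"
    for k in icmp_echo_ignore_broadcasts icmp_echo_ignore_all \
             icmp_ignore_bogus_error_responses tcp_syncookies; do
        echo 0 > "$1/$k"
    done
    # eth0's accept_source_route=1 is masked by all=0 (AND); eth0's rp_filter=1
    # wins over all=0 (max). Only log_martians is genuinely off on eth0.
    echo 1 > "$1/conf/all/accept_redirects";    echo 0 > "$1/conf/eth0/accept_redirects"
    echo 0 > "$1/conf/all/accept_source_route"; echo 1 > "$1/conf/eth0/accept_source_route"
    echo 0 > "$1/conf/all/rp_filter";           echo 1 > "$1/conf/eth0/rp_filter"
    echo 0 > "$1/conf/all/log_martians";        echo 0 > "$1/conf/eth0/log_martians"
}

# Stand-alone run against the constructed tree; use /proc/sys/net/ipv4 as BASE
# (as root) to audit and harden a live system.
tree=$(mktemp -d)
make_sample_tree "$tree"
audit "$tree" eth0          # 6 deviations: five host settings plus log_martians
harden "$tree" eth0
echo "after harden: failures=$(audit_failures "$tree" eth0)"   # 0
rm -rf "$tree"
```

The script writes the files directly rather than calling the sysctl utility so that the same functions work on the constructed tree and on the real one; on a live system run harden as root and then put the equivalent net.ipv4.* lines in /etc/sysctl.d/ so they survive a reboot.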

Boingo Wireless Launches Enhanced 802.1x and WPA Security for Hotspots

Boingo Wireless said Wednesday that it has added 802.1x and WPA security support to its network of hotspots. Specifically, the hotspot vendor said it has released new end-user client software that incorporates support for 802.1x and WPA security measures. The support is in conjunction with Windows XP Service Pack 2, which simplifies use of those measures. The link for this article located at Mobile Pipeline News is no longer available.

Sep 08, 2004 | Anthony Pell | Network Security
