AMD's Zen 5 architecture has earned wide praise for its performance since it arrived in the Ryzen 9000 series and the EPYC 9005 "Turin" processors. One addition that received little attention is Enhanced Return Address Predictor Security (ERAPS). AMD did not cover it at launch or in its public documentation; what is known about it comes from patches posted to the Linux kernel mailing list. ERAPS exists to recover some of the performance lost to the software mitigations for Spectre-class speculative-execution attacks, specifically those that target the Return Stack Buffer (RSB), the predictor the CPU consults to guess the target of a RET instruction. In this article I look at what ERAPS changes from a security standpoint, what it does for performance on Zen 5 systems, and how to get a Linux kernel that takes advantage of it.

Understanding the Security Implications of ERAPS

Once speculative-execution attacks were understood, kernels gained mitigations that cost CPU time. One of them is RSB stuffing: because a return predicted from a stale or attacker-influenced RSB entry can steer speculation, the kernel overwrites the RSB with harmless entries on context switches and on VMEXIT, when control passes from a guest back to the host. ERAPS moves that work into hardware: the CPU clears the RSB itself on a context switch and on VMEXIT, so the kernel can drop the explicit stuffing sequences on CPUs that report the feature.

The hardware also tags RSB entries as belonging to the host or to a guest, so a guest cannot leave behind a return address that the host later predicts from. Combined with the BTC_NO feature, which indicates that the CPU does not take RET predictions from outside the RSB, this covers the cases the software mitigations were handling while removing their cost. The result is less mitigation code to carry and better performance on Zen 5 systems, with no loss of protection.

Examining Positive Performance Consequences for Zen 5 Systems

Preliminary benchmarks show that ERAPS matters most for workloads that enter the kernel often or switch context frequently. Tests with the patches rebased on Linux 6.12 showed gains across a range of applications.
Database applications like RocksDB, which are I/O-heavy and switch context constantly, showed clear gains on ERAPS-enabled kernels. Virtualization workloads improved as well, because the explicit RSB stuffing on every VMEXIT is no longer needed. Servers with Zen 5 processors, in particular the EPYC 9655, benefited with the feature enabled, which points to its value in data-center deployments. The gains are modest, but they were consistent across runs and leave room for further optimization as ERAPS support matures. (Benchmark source: Phoronix.)

How to Patch Your Kernel to Benefit from ERAPS

Administrators who want the performance advantage of ERAPS can prepare by applying the patches to their kernels. The patches have been tested against Linux 6.12 and could be merged in a later release such as 6.14. First, follow the x86/cpu branch discussion on the Linux kernel mailing list to pick up the current version of the series. Apply it to a matching kernel source tree, configure the build for your hardware, build and install the kernel, and test it on a non-production machine against your own workloads. Before moving it into production, run performance tests to confirm the expected benefit and to rule out regressions or instability, and track the variation across workloads to see where ERAPS helps most. Check with your security team that dropping the software RSB mitigation on these CPUs is consistent with your security policy. Please get in touch with us on X @lnxsec; we are happy to help!
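Once such a kernel is running, the first thing to verify is that the CPU actually advertises the feature and what the kernel now reports for its Spectre v2 mitigation, since the point of the patches is that the "RSB filling" part of the software mitigation becomes unnecessary on ERAPS hardware. The script below is an added example and is not taken from the kernel patches or from the Phoronix coverage. It assumes that the feature shows up as the string "eraps" in the flags line of /proc/cpuinfo and that the sysfs status files keep their current wording; both are assumptions that may not hold on the kernel you build, so treat the functions as a template.

```shell
#!/bin/sh
# Added example, not from the article or the kernel patches.
# ASSUMPTIONS: the CPU flag is spelled "eraps" in /proc/cpuinfo and the
# spectre_v2 status line names software stuffing as "RSB filling".

# has_cpu_flag FLAG [CPUINFO] -> exit 0 if FLAG appears in the flags line.
has_cpu_flag() {
    flag=$1
    cpuinfo=${2:-/proc/cpuinfo}
    grep -m1 '^flags' "$cpuinfo" 2>/dev/null | tr ' ' '\n' | grep -qx "$flag"
}

# mitigation_status NAME [VULN_DIR] -> print the kernel's status line for NAME,
# e.g. "Mitigation: Enhanced / Automatic IBRS; ...; RSB filling; ...".
mitigation_status() {
    name=$1
    vulndir=${2:-/sys/devices/system/cpu/vulnerabilities}
    if [ -r "$vulndir/$name" ]; then
        cat "$vulndir/$name"
    else
        echo "unknown (no $vulndir/$name)"
    fi
}

# rsb_filling_needed [VULN_DIR] -> exit 0 if the kernel still reports software
# RSB filling for spectre_v2, i.e. it is not relying on the hardware to do it.
rsb_filling_needed() {
    mitigation_status spectre_v2 "${1:-/sys/devices/system/cpu/vulnerabilities}" \
        | grep -q 'RSB filling'
}

# eraps_report [CPUINFO] [VULN_DIR] -> human-readable summary of the above.
eraps_report() {
    cpuinfo=${1:-/proc/cpuinfo}
    vulndir=${2:-/sys/devices/system/cpu/vulnerabilities}
    if has_cpu_flag eraps "$cpuinfo"; then
        echo "CPU advertises ERAPS"
    else
        echo "CPU does not advertise ERAPS"
    fi
    if rsb_filling_needed "$vulndir"; then
        echo "kernel still performs software RSB filling"
    else
        echo "kernel does not report software RSB filling"
    fi
    echo "spectre_v2: $(mitigation_status spectre_v2 "$vulndir")"
    echo "retbleed:   $(mitigation_status retbleed "$vulndir")"
}

# Run against the live system; pass a cpuinfo file and a directory of status
# files to inspect a saved snapshot from another machine instead.
eraps_report "$@"
```

Record the output from the unpatched kernel and from the patched one on the same machine; the flags line is the same in both, and the interesting change is whether the spectre_v2 line stops mentioning software RSB filling once the patched kernel recognizes the CPU.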
Our Final Thoughts on AMD ERAPS Performance & Security Implications

With ERAPS, AMD has delivered both a performance and a security improvement in its Zen 5 processors. Official documentation and mainline kernel support are still to come, but administrators can start preparing and experimenting with the feature now, gaining the efficiency benefit while keeping the RSB protection intact. As AMD documents the feature and the kernel patches land in future releases, more systems will benefit from this quiet but useful step in processor security.

Brittany Day
Cliffe Schreuders wrote, "Today FBAC-LSM, a new security mechanism for Linux, has been released. FBAC-LSM restricts programs based on the features each application provides. You specify high-level goals such as "Web Browser" and some application-specific information (which can usually be automated), and then FBAC-LSM stops the programs from misbehaving. This limits the damage which can be done by malicious code due to malware or software vulnerabilities. FBAC-LSM was developed by Z. Cliffe Schreuders for his PhD research. This initial development version of FBAC-LSM is functional, but is unstable and is not ready for use in production environments. Cliffe is currently looking for people interested in contributing to the project." The link for this article located at Cliffe Schreuders is no longer available.

FBAC-LSM represents a novel mechanism of functionality-centric isolation for Linux, aimed at bolstering the safety of applications.

LinuxSecurity.com Team
Double authentication -- like adding passwords to fingerprint scanners -- can significantly increase safety. Some music fans have discovered that they can evade Sony's CD copyright-protection system by blackening the edge of the disk with a felt-tipped pen. In Japan, Yokohama National University professor Tsutomu Matsumoto made gelatin molds bearing fingerprints that fooled several high-tech fingerprint scanners about 80% of the time. First reported by cryptographer Bruce Schneier in his monthly Crypto-Gram newsletter, the whole process takes 10 minutes or so, from pressing the finger into soft plastic to pouring in warm gelatin for the mold. Ah, the simplicity of innovation. These examples underscore two technology rules that anyone with half a brain understands. Rule No. 1: Usually, where there's a will, there's a way. Rule No. 2: Most technology has dual uses -- for good or evil. Nuclear fission can be used either to light or to level cities. Orbiting satellites can be used to track the weather or spy on unsuspecting citizens. Cryptographic software can be used by hospitals to guard patient data or by organized crime to scramble the contents of hard drives and elude law-enforcement authorities. The link for this article located at Business Week is no longer available.

Adopting multi-faceted security measures, such as dual verification, significantly improves overall defense: an attacker who defeats one factor still has to defeat the other.

Anthony Pell
Like most Internet protocols, the Domain Name System (DNS) began its life without many built-in security mechanisms. DNS is, after all, a global, public naming service, so you don't normally care who queries your name server for data in the zones that you are responsible for maintaining. The Unix world (including Linux) generally used BIND, the Berkeley Internet Name Domain software, to handle the resolution of domain names to IP addresses (and vice versa). Microsoft has its own implementation of a domain name server, first included in Windows NT 4.0 and now shipped in Windows 2000. While neither BIND nor the Microsoft DNS Server was particularly secure, BIND was open source and evolved quickly to include new security mechanisms for countering the attacks that became more prevalent once DNS's weaknesses were understood. One of those mechanisms, first introduced in BIND 8.2, was TSIG (Transaction Signatures): a shared-secret HMAC over each DNS message that lets the receiver verify who sent it and that it was not altered in transit. Later, Microsoft released Windows 2000, which uses a dialect of TSIG to secure dynamic updates between Windows 2000 clients and name servers. (Unfortunately, this isn't a dialect spoken by BIND yet, and it's not clear which version will support it. For more information on running BIND in a mixed environment, see the article "The Ties That BIND" in the March 2001 issue of Linux Magazine.) BIND 9 supports TSIG more completely, allowing administrators to secure almost any communication between two name servers, including zone transfers, dynamic updates and NOTIFY messages. The techniques in this article counter a variety of attacks that could render a DNS server unable to do its job. Be sure to read our interview with Paul Vixie and David Conrad on BINDv9 and Internet Security.

The link for this article located at Linux Magazine is no longer available.

BIND 9 enhances DNS security with Transaction Signatures (TSIG), authenticating DNS messages between servers and mitigating attacks such as spoofing and man-in-the-middle tampering.

LinuxSecurity.com Team
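As a concrete illustration of the TSIG-protected server-to-server communication the article describes, here is a named.conf fragment for the primary server. It is an added example, not taken from the Linux Magazine article or from BIND's own documentation; the zone name, addresses, key name and secret are made up, and the hmac-sha256 algorithm and the tsig-keygen tool are newer than the BIND 9.0 of 2001, which used hmac-md5 and generated keys with dnssec-keygen.

```conf
// Added example, not from the article. Zone, addresses, key name and secret
// are made up. Generate a real secret with:  tsig-keygen xfer-key
// (on old releases: dnssec-keygen -a HMAC-MD5 -b 128 -n HOST xfer-key)

// Weak form, shown for contrast: an address-based ACL is the only check, and
// anyone who can forge packets from 192.0.2.2 can pull the whole zone.
//
//   zone "example.com" {
//       type master;
//       file "example.com.zone";
//       allow-transfer { 192.0.2.2; };
//   };

// Shared secret; the identical statement must appear on the secondary.
key "xfer-key" {
    algorithm hmac-sha256;   // BIND 8.2 / 9.0 only offered hmac-md5
    secret "bXktc2VjcmV0LWtleS1mcm9tLXRzaWcta2V5Z2Vu";   // placeholder
};

// Sign every message this server sends to the secondary (NOTIFY, replies)
// with the key, so the secondary can verify it came from us.
server 192.0.2.2 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type master;             // spelled "primary" on BIND 9.16 and later
    file "example.com.zone";
    // Only requests carrying a valid xfer-key signature may transfer the
    // zone; matching the source address alone is no longer enough.
    allow-transfer { key "xfer-key"; };
};
```

The secondary needs the same key statement and a server block naming the primary's address. From the secondary, confirm the policy with dig @192.0.2.1 example.com axfr -y hmac-sha256:xfer-key:SECRET; the same command without -y should now be refused. TSIG signatures include a timestamp and are rejected outside a 300-second window by default, so both servers must keep accurate time or transfers will fail with a BADTIME error.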
This article discusses the various security mechanisms for Apache. "... But what's all this noise about 'discretionary' and 'mandatory,' you ask? Put simply, discretionary control (DAC) mechanisms check the validity of the credentials given them at the discretion of the user, and mandatory access controls (MAC) validate aspects that the user cannot control. For instance, anyone can tell you its username and password and you can then log in with them; which username and password you supply is at your discretion, and the system can't tell you apart from the real owner. Your DNA is something you can't change, though, and a control system that only allowed access to your pattern would never work for anyone else -- and you couldn't pretend to be someone else, either. This makes such a system a mandatory (also called non-discretionary) access control system." The link for this article located at ApacheToday is no longer available.

Investigate access control methods such as DAC and MAC within the Apache environment to protect your web content comprehensively and reliably.

LinuxSecurity.com Team
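The distinction the quoted article draws maps onto Apache configuration directly: a password is something the client chooses to present, while the source network and a client certificate signed by your own CA are properties the client cannot simply assert. The fragment below is an added example, not from the ApacheToday article or from Apache's documentation; paths, realm names, the CA file and the address range are made up, and the syntax is Apache 2.4 (mod_auth_basic, mod_authn_file, mod_authz_core and mod_ssl), not the Apache 1.3 of the article's era.

```apache
# Added example, not from the article. Paths, realms, CA file and addresses
# are made up. Apache 2.4 syntax.

# Discretionary in the article's sense: whoever presents a valid username and
# password gets in, and the server cannot tell a thief from the real owner.
<Directory "/var/www/private">
    AuthType Basic
    AuthName "Private area"
    AuthUserFile "/etc/httpd/private.htpasswd"   # built with: htpasswd -c FILE USER
    Require valid-user
</Directory>

# Client-certificate verification is configured at server/virtual-host scope.
SSLCACertificateFile "/etc/httpd/ssl/internal-ca.pem"

# Non-discretionary in the article's sense: access also depends on things the
# client cannot choose to claim. All three conditions must hold.
<Directory "/var/www/admin">
    SSLVerifyClient require
    SSLVerifyDepth 1
    AuthType Basic
    AuthName "Admin area"
    AuthUserFile "/etc/httpd/admin.htpasswd"
    <RequireAll>
        Require ip 192.0.2.0/24
        Require valid-user
        # tie the presented certificate to the account that logged in
        Require expr "%{SSL_CLIENT_S_DN_CN} == %{REMOTE_USER}"
    </RequireAll>
</Directory>
```

Test the second block with curl: a request with the correct password but no client certificate must be rejected during the TLS handshake, and one with a valid certificate whose CN differs from the Basic-auth user must get 403 rather than 200. Run apachectl configtest after editing, since a Require block that references mod_ssl variables fails at startup when mod_ssl is not loaded.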