Official Linux kernel site: https://www.kernel.org
Long-term support release:
3.16.51 2017-11-26
Changelog…
Kernel 3.2.96 long-term support release announced
Official Linux kernel site: https://www.kernel.org
Long-term support release:
3.2.96 2017-11-26
Changelog…
NuTyX 9.92 announced
The 9.92 release of NuTyX, a French GNU/Linux distribution derived from Linux From Scratch and shipped with its own package manager called “cards”, has been announced with various updates and new features. The system, built on Linux kernel 4.14.2, is stated to come with cards 2.3.103, and users are offered the KDE Plasma 5.11.3, GNOME 3.24.2, MATE 1.18.2 and Xfce4 4.12.4 desktop environments. The system ships with current software such as KDE Frameworks 5.40.0, KDE Applications 17.08.3, glibc 2.26, gcc 7.2.0, binutils 2.29.1, python 3.6.0, xorg-server 1.19.5, qt 5.9.3 and firefox 57.0. For detailed information about NuTyX 9.92 you can consult the project's news page.
You can use the links below to obtain NuTyX 9.92.
- Download page
- NuTyX_x86_64-9.92.iso (261MB, SHA256)
- NuTyX_x86_64-9.92-xorg.iso (542MB, SHA256)
Useful Linux Security Tricks to Harden Your System
In the previous post we talked about Linux network commands and saw some useful examples for troubleshooting your network; today we will talk about some Linux security commands that you will need to harden your system. New vulnerabilities are discovered all the time, and exploits are built for them as soon as they are disclosed. You may be updating your system periodically, but that is not enough: you need to harden your system to protect your assets as much as possible.

You can secure your console by limiting the terminals from which root may log in. You do this by listing the permitted terminals in the /etc/securetty file. It is preferred, but not required, to allow root login from one terminal only and leave the other terminals for other users.
Change Your Password Always
A strong password is a must these days, but to add another layer of security you should change your password from time to time.
You may forget to change it yourself, so there must be something that reminds you about your password's age and when to modify it.
There are two ways to achieve that:
- Using the chage command.
- Setting defaults in /etc/login.defs.
The first way is from the command line, using the chage command like this:
$ chage -M 20 likegeeks
The -M option sets the maximum number of days the password stays valid.
You can also type chage without options and it will prompt you for each value:
$ chage likegeeks
Or you can set your default rules in /etc/login.defs file.
You can change these values according to your needs.
PASS_MAX_DAYS 10
PASS_MIN_DAYS 0
PASS_WARN_AGE 3
Keep in mind that you should also force users to choose strong passwords, using pam_cracklib.
Once you've installed it, you can go to /etc/pam.d/system-auth and add a line like this:
password required pam_cracklib.so minlen=12 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1
Here minlen=12 requires at least 12 characters, and the negative credit values require at least one lowercase letter, one uppercase letter, two digits and one other character.
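The following check, added here as an example and not part of the original post, audits /etc/shadow-style records the way chage -l would: it flags accounts whose password is older than the maximum set with chage -M or PASS_MAX_DAYS, and accounts that have a usable password but no maximum at all. The shadow lines, the account names and the day number used as "today" are constructed for the example; reading the real /etc/shadow needs root.

```shell
#!/bin/sh
# Constructed /etc/shadow-style sample (dummy hashes, not real accounts).
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:
# lastchg is the day the password was last changed (days since 1970-01-01);
# max is the value that `chage -M` or PASS_MAX_DAYS sets.
SAMPLE_SHADOW='root:$6$dummy1:17400:0:99999:7:::
likegeeks:$6$dummy2:17480:0:20:3:::
deploy:$6$dummy3:17500:0:20:3:::
svc:*:17000:0:99999:7:::'

# Day number treated as "today" for the sample (constructed; today_day_number gives the real one).
SAMPLE_TODAY=17510

# Current day number, in the same unit /etc/shadow uses.
today_day_number() {
    echo $(( $(date +%s) / 86400 ))
}

# Print one line per account whose password is past its maximum age, or that has a usable
# hash but no effective maximum (empty or 99999). Locked accounts (* or !...) are skipped.
# $1 = shadow file contents, $2 = today's day number
password_age_audit() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
        $2 == "*" || $2 ~ /^!/ { next }
        {
            max = ($5 == "") ? 99999 : $5 + 0
            age = today - $3
            if (max >= 99999)
                printf "%s: no maximum password age set\n", $1
            else if (age > max)
                printf "%s: password is %d days old (max %d)\n", $1, age, max
        }'
}

# Run against the constructed sample; as root, pass "$(cat /etc/shadow)" and
# "$(today_day_number)" instead to audit a real host.
password_age_audit "$SAMPLE_SHADOW" "$SAMPLE_TODAY"
```

Accounts such as root that keep the 99999 default never expire, which is exactly what the login.defs values above are meant to prevent for new accounts; existing accounts still need chage -M applied individually.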
sudo Notification
The sudo command makes life easier, but it can also lead to Linux security issues that ruin your life.
All sudo configuration lives in the /etc/sudoers file (edit it with visudo, so a syntax error cannot lock you out).
You can prevent users from running the commands you choose as root.
You can make sudo send an email every time it is used by adding the following lines to the file:
Defaults mailto="[email protected]"
And enable mail_always:
Defaults mail_always
Securing SSH
If we talk about Linux security, we need to talk about the SSH service. SSH is an important service on your system: it lets you connect to the system easily, and sometimes it is the only way to keep your system alive when things go bad, so tuning SSH is a must.
Since we use CentOS 7 in our posts, the SSH server configuration file is:
/etc/ssh/sshd_config
The scanners and bots that attackers use try to connect to SSH on port 22, which is the default.
It is common to change your SSH port to another unused port, let's say 5555. You can change the SSH port by setting the Port directive in the configuration file like this:
Port 5555
You can also restrict the root login by updating the value of PermitRootLogin to no:
PermitRootLogin no
And surely disable tunneled clear passwords and use public-private key login instead:
PasswordAuthentication no
PermitEmptyPasswords no
Regarding SSH timeouts: this traditional problem can be handled by configuring the following settings. Note that ServerAliveInterval and ServerAliveCountMax are client-side options (they belong in ssh_config or ~/.ssh/config), while the ClientAlive* settings below are their server-side counterparts for sshd_config.
For example, the following settings imply that a packet will be sent every 60 seconds:
ServerAliveInterval 15
ServerAliveCountMax 3
TCPKeepAlive yes
By adjusting the server-side values, you can keep idle sessions alive longer:
ClientAliveInterval 30
ClientAliveCountMax 5
You can specify which users are allowed to use the SSH service:
AllowUsers user1 user2
Or you can do it per group:
AllowGroups group1 group2
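As an added example (not code from the original post), here is a small audit of an sshd_config for the settings discussed in this section. The two configuration excerpts are constructed. The function sshd_effective models the rule that sshd honours the first uncommented occurrence of a keyword, which is why appending PermitRootLogin no to the end of a file that already says yes higher up changes nothing. The values assumed for absent keywords are an assumption made for the example; on a real host, sshd -T prints the effective configuration. Match blocks are not handled.

```shell
#!/bin/sh
# Two constructed sshd_config excerpts (not from a real host): a stock-style one and a hardened one.
WEAK_SSHD='#Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no'

HARD_SSHD='Port 5555
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AllowGroups sshusers
ClientAliveInterval 30
ClientAliveCountMax 5'

# sshd uses the FIRST uncommented occurrence of a keyword and ignores keyword case, so a
# duplicate directive added at the end of the file silently loses. $1 = config text,
# $2 = keyword, $3 = value to assume when the keyword is absent (an assumption for this
# example; the compiled-in default is what really applies, see `sshd -T`).
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v dflt="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print dflt }'
}

# Print one finding per setting that does not match the hardening described above;
# prints nothing for a file that passes. $1 = config text
sshd_audit() {
    cfg="$1"
    [ "$(sshd_effective "$cfg" PermitRootLogin yes)" = no ]        || echo "PermitRootLogin is not 'no'"
    [ "$(sshd_effective "$cfg" PasswordAuthentication yes)" = no ] || echo "PasswordAuthentication is not 'no'"
    [ "$(sshd_effective "$cfg" PermitEmptyPasswords no)" = no ]    || echo "PermitEmptyPasswords is not 'no'"
    [ "$(sshd_effective "$cfg" Port 22)" != 22 ]                   || echo "sshd still listens on the default port 22"
    if [ -z "$(sshd_effective "$cfg" AllowUsers '')" ] && [ -z "$(sshd_effective "$cfg" AllowGroups '')" ]; then
        echo "no AllowUsers/AllowGroups restriction"
    fi
    return 0
}

echo "== weak =="; sshd_audit "$WEAK_SSHD"
echo "== hardened =="; sshd_audit "$HARD_SSHD"
```

To run it against a live server, pass "$(cat /etc/ssh/sshd_config)" to sshd_audit, then confirm with sshd -T, which resolves defaults and Match blocks the way the daemon itself does.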
Securing SSH Using Google Authenticator
Further to this, you can use two-factor authentication for SSH, such as Google Authenticator.
$ yum install google-authenticator
Then run it to verify the installation.
$ google-authenticator
You should have the Google Authenticator application installed on your mobile phone.
Edit /etc/pam.d/sshd file and add this:
auth required pam_google_authenticator.so
And the last thing to do is to tell SSH about this by adding the following line to /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
Now restart your SSH service.
$ systemctl restart sshd
And when you log in using SSH, it will ask for the verification code, so your SSH is now more solid.
Intrusion Detection with Tripwire (Monitoring Filesystem)
Tripwire is one of the great tools in Linux security. It's a host-based intrusion detection system (HIDS).
Tripwire's job is to monitor the filesystem: which files changed, who changed them, and when the change happened.
In order to get Tripwire, you need access to the EPEL repository. You can add it easily:
$ wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-9.noarch.rpm
$ rpm -ivh epel-release-7-9.noarch.rpm
Once you've installed the EPEL repo, you can install Tripwire:
$ sudo yum install tripwire
First, create keyfiles like this:
$ tripwire-setup-keyfiles
It will prompt you to enter a passphrase for keyfiles. Tripwire will tell you to use a strong password.
Now you can customize Tripwire by making changes to this file:
/etc/tripwire/twpol.txt
This file is very easy to read and modify since every line has a comment that describes it well.
When you have finished customizing the policy, initialize Tripwire's database like this:
$ tripwire --init
It will take some time to scan the system, depending on your file sizes.
Any modification to the filesystem is considered a possible intrusion: the administrator will be notified and will need to restore the affected files from copies that can be trusted.
For this reason, any system change should be validated through Tripwire. To do this, use the following command:
$ tripwire --check
One last thing about tripwire, I would recommend that you secure both the twpol.txt and twcfg.txt files as another step of security.
Tripwire has a lot of options and settings; you can check them with man tripwire
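To show what Tripwire's --init and --check steps actually do, here is a deliberately minimal file-integrity baseline written for this post as an added example; it is not Tripwire's code and not a substitute for it. It hashes every regular file under a directory together with its mode and owner, stores that baseline, and later reports files that were added, removed or changed. The demo tree and its contents are constructed in a temporary directory; stat -c and sha256sum are assumed to be the GNU versions found on CentOS.

```shell
#!/bin/sh
# Minimal integrity baseline in the spirit of `tripwire --init` / `tripwire --check`.

# Record "sha256 mode:owner path" for every regular file below a directory.
# $1 = directory to baseline, $2 = baseline file to write (keep it OUTSIDE the tree and,
# like Tripwire's database, somewhere an attacker cannot rewrite it)
integrity_init() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$(stat -c '%a:%U' "$f")" "$f"
    done > "$2"
}

# Compare the current tree against a baseline; prints "added/removed/changed <path>" lines
# and nothing when the tree matches. $1 = directory, $2 = baseline file
integrity_check() {
    current=$(mktemp)
    integrity_init "$1" "$current"
    # Tag baseline lines B and current lines C so awk can tell them apart.
    { sed 's/^/B /' "$2"; sed 's/^/C /' "$current"; } | awk '
        {
            path = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", path)   # path may contain spaces
            sig = $2 " " $3                                   # digest + mode:owner
            if ($1 == "B") { base[path] = sig; next }
            if (!(path in base))          printf "added %s\n", path
            else if (base[path] != sig)   printf "changed %s\n", path
            seen[path] = 1
        }
        END { for (p in base) if (!(p in seen)) printf "removed %s\n", p }'
    rm -f "$current"
}

# Constructed demo: build a throwaway tree, baseline it, then tamper with it.
# Prints the drift report and cleans up; never touches real system files.
integrity_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    printf 'PermitRootLogin no\n' > "$d/etc/sshd_config"
    printf 'ssh 22/tcp\n' > "$d/etc/services"
    integrity_init "$d" "$d.baseline"
    printf 'PermitRootLogin yes\n' > "$d/etc/sshd_config"   # modified file
    printf 'x\n' > "$d/etc/dropped.conf"                    # new file
    rm -f "$d/etc/services"                                 # deleted file
    integrity_check "$d" "$d.baseline"
    rm -rf "$d" "$d.baseline"
}

integrity_demo
```

The same limitation the post describes for Tripwire applies here: after a legitimate update you have to re-run integrity_init, and a baseline the attacker can overwrite is worthless, which is why Tripwire signs its database with the keys created by tripwire-setup-keyfiles.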
Using Firewalld
Firewalld is a replacement for iptables that improves the management of Linux security. Firewalld can apply configuration changes without dropping the current connections.
Firewalld runs as a service that allows rules to be added and changed immediately, and it uses network zones.
To know if Firewalld is currently running or not, type this command:
$ firewall-cmd --state
You can list the predefined zones like this:
$ firewall-cmd --get-zones
Each of these zones has a trust level.
The default zone can be changed like this:
$ firewall-cmd --set-default-zone=<zone>
You can get all the relevant information about any particular zone like this:
$ firewall-cmd --zone=<zone> --list-all
You can list all supported services like this:
$ firewall-cmd --get-services
Then you can add services to a zone or remove them from it:
$ firewall-cmd --zone=<zone> --add-service=<service>
$ firewall-cmd --zone=<zone> --remove-service=<service>
You can list all ports open in any particular zone:
$ firewall-cmd --zone=<zone> --list-ports
You can add ports to a zone or remove them like this:
$ firewall-cmd --zone=<zone> --add-port=<port-number/protocol>
$ firewall-cmd --zone=<zone> --remove-port=<port-number/protocol>
You can add or remove port forwarding like this:
$ firewall-cmd --zone=<zone> --add-forward-port=port=<port>:proto=<protocol>:toport=<port>
$ firewall-cmd --zone=<zone> --remove-forward-port=port=<port>:proto=<protocol>:toport=<port>
Without --permanent these changes apply to the running firewall only and are lost on reload; add --permanent and run firewall-cmd --reload to keep them.
Firewalld is very comprehensive, and the best thing about it is that you can manage the firewall without restarting or stopping the service, unlike iptables, where you have to reload or restart the service.
Returning to Iptables
Some people prefer iptables firewall over Firewalld, you can return to iptables easily.
First, disable Firewalld:
$ systemctl disable firewalld
$ systemctl stop firewalld
Then install iptables:
$ yum install iptables-services
$ touch /etc/sysconfig/iptables
$ touch /etc/sysconfig/ip6tables
Now you can start iptables service:
$ systemctl start iptables
$ systemctl start ip6tables
$ systemctl enable iptables
$ systemctl enable ip6tables
Finally, reboot your system.
Restricting the Compilers
An attacker might compile exploits on his own machine and upload the binary to the victim server, so he does not strictly need the compilers there; but it's still preferable to restrict the compilers if you don't use them in production, as most modern hosting panels do.
First, get a list of all binaries from the package, then set their permissions.
$ rpm -q --filesbypkg gcc | grep 'bin'
Create a new group:
$ groupadd compilerGroup
Then change the group of the compiler binaries like this:
$ chown root:compilerGroup /usr/bin/gcc
And one last important thing is to change the permission of this binary so that only the compilers group can execute it:
$ chmod 0750 /usr/bin/gcc
Now any user outside that group who tries to run gcc will get a permission denied message.
Awesome Immutable Files (Prevent File Modification)
Immutable files cannot be overwritten by any user, even root. Nobody can modify or delete such a file until the immutable bit is removed, and only root can remove it.
You can say that this feature protects you, as root, from mistakes that could damage or harm your system. Awesome!!
You can protect configuration files or any file you want.
To make any file immutable, use the chattr command.
$ chattr +i /myscript
You can remove immutable attribute like this:
$ chattr -i /myscript
You can protect any files in your system the same way, but keep in mind that, if you do this to the system binaries, you can’t update them unless you remove the immutable bit.
I will leave the rest of the examples about using immutable files to your imagination.
Managing SELinux with aureport
If you are using hosting control panels, it is common to find SELinux disabled.
Disabling SELinux leaves the system exposed. I agree that SELinux has some complexity, but you can make your life easier if you manage it using aureport.
The aureport utility creates tabular reports from the audit log files. For example, to report SELinux AVC denials:
$ aureport --avc
You can create a list of executable files like this:
$ aureport -x
You can use aureport to generate a full authentication report.
$ aureport -au -i
Or you can list the failed authentication events.
$ aureport -au --summary -i --failed
Or maybe a summary of successful authentication events:
$ aureport -au --summary -i --success
Awesome!!
aureport tool makes working with SELinux pretty easy.
Using sealert Tool
In addition to aureport, you can use a good Linux security tool called sealert. On CentOS 7 it is shipped in the setroubleshoot-server package, so you can install it with this command:
$ yum install setroubleshoot-server
Now we have a tool that reads the alerts recorded in /var/log/audit/audit.log and gives us something readable about SELinux problems.
You can use it like this:
$ sealert -a /var/log/audit/audit.log
The best thing about the generated report is that at the end of each alert, if a fix is known, you will find how to resolve the problem.
In this post we've covered just some of the Linux security tricks that can help you harden your system; however, there are many more for the various running services that need hardening.
I hope you found the post useful and interesting.
Thank you.
Secure Linux Server Using Hardening Best Practices
In the previous post we talked about some Linux security tricks, and as I said, we can't cover everything about Linux hardening in one post. Instead of searching for ready-made Linux hardening scripts that do the job without you understanding what's going on, we are exploring some tricks to secure a Linux server ourselves. However, the checklist is long, so let's get started.

The first item is disabling the Ctrl+Alt+Del reboot shortcut, which matters if your server is not physically secured. If you are using systems prior to CentOS 7, all you have to do is comment out the following line in the /etc/inittab file:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Otherwise, if you are using CentOS 7 use the following command:
$ ln -s /dev/null /etc/systemd/system/ctrl-alt-del.target
Secure Mounted Filesystems
Each of your Linux file systems is mounted so you can access the files inside it. You can mount your file systems using different options.
You can type these options in the /etc/fstab file.
LABEL=/ / ext4 defaults 1 1
The first column identifies the device to mount (here by its filesystem label).
The second column is the location where the file system is mounted (the mount point).
The third column is the file system type, like ext4.
The fourth column contains the mount options, including the security options that are the most important for us.
The last two columns control the options for the dump and fsck commands.
There are many different ways to control how file systems are mounted and the following list shows some of them:
- auto: mounted automatically at boot time.
- noauto: not mounted automatically at boot time.
- exec: binaries may be executed on this file system.
- noexec: binaries may not be executed on this file system.
- suid: setuid bits are honoured.
- nosuid: setuid bits are ignored.
- user: non-root users can mount this device.
- nouser: no user except root can mount this device.
- owner: only the device's owner can mount it.
- ro: mount the device read-only.
- rw: mount the device read-write.
- defaults: equivalent to rw, suid, exec, auto, nouser.
The exec and noexec options enable you to control whether binary execution is allowed or not.
You can mount /home securely with noexec like this:
/dev/hda1 /home ext4 noexec 0 2
Keep in mind that this line prevents the execution of binaries on /home, so if you have any executables there, you should take care of that.
You can mount /tmp with the noexec option as a hardening step, but keep in mind that some programs might not work properly because they execute from /tmp. So test your software with this mount option; if it goes well, then it's OK.
If you have binaries with the setuid and setgid bits and you set the nosuid option, the setuid and setgid bits will be ignored.
Only root can mount file systems, but if you want other users to do that, you can set the user or nouser options. If you set the user option, then any user can mount or unmount that file system.
Any user other than root shouldn't be allowed to mount file systems.
By setting ro and rw options, you can set your filesystem as read-only or writable.
You can mount any file system as read-only like this:
/dev/hda2 /usr ext4 ro,nodev 0 2
You can mount /boot as read-only using the same way, but keep in mind that if any kernel update arrives, you have to remount it as rw to apply the update like this:
$ mount -o remount,rw /boot
Now that you know the mount options, you should be wise enough to decide which directory needs which option.
Protect /etc/services File
The /etc/services file translates service names to port numbers.
This file is writable by root only, but you may still make a mistake unintentionally.
Well, you can use the immutable attribute to avoid such mistakes.
It also prevents accidental deletion or overwriting of such a vital file.
$ chattr +i /etc/services
Remove Unused Accounts
A number of vendor accounts are preinstalled on your system for various system activities.
If you don't need those accounts, it's preferred to remove them using the userdel command; these are some of the unused users on my system:
$ userdel adm
$ userdel games
$ userdel halt
$ userdel lp
$ userdel shutdown
Also, you will need to remove the groups belonging to those accounts, if they exist, using the groupdel command.
If you check /etc/passwd file, you’ll see that the users are deleted.
If you run your own VPS or server you can set the immutable bit on /etc/passwd and /etc/shadow to prevent any unwanted changes.
$ chattr +i /etc/passwd
$ chattr +i /etc/shadow
If you need to add new users to the system or install a program that will add users, consider removing the immutable flag first.
Hardening Cron Scripts
Some scripts under /etc/cron.d don't have secure permissions; they are readable by normal users.
Consider fixing the permissions of the scripts responsible for executing scheduled jobs on your server, so that only root can read them:
$ chmod 0700 /etc/cron.daily/*
Normal users don’t need to look at those scripts.
Keep in mind that if you update a program that provides a cron file on your system, consider updating the permission, or you can make a shell script that does the job for you instead.
And the same for the other cron directories like:
/etc/cron.weekly
/etc/cron.monthly/
/etc/cron.hourly/
Securing SUID Programs
SUID (Set User ID) is a special type of file permissions given to a file. When you want to use a tool like passwd command which writes on files belong to root such as /etc/passwd and /etc/shadow, the passwd command must have this SUID permission to enable normal users to use that command.
Take a look at all programs that have this permission and consider removing it from unnecessary programs that you think normal users won't need:
$ find / -type f -user root -perm -4000 -print
All these programs have the SUID bit, so normal users run them as root. To remove that permission, you can use this command:
$ chmod a-s /bin/mount
Keep in mind that some programs need that permission to work so be careful when doing that.
Risky World-Writable Files and Directories
World-writable directories and files can lead to serious problems if the attacker gains access to them.
An attacker would be allowed to modify or delete any such file, and this is a serious problem.
To get all writable files in your web folder, use this command:
$ find /home/*/public_html -type f -writable -exec ls -la {} \;
And writable directories:
$ find /home/*/public_html -type d -writable -exec ls -ld {} \;
You may find writable directories and files in some locations like /var/mail, which is no problem, but on web folders you have to be very careful about that.
You can also use an integrity-check tool like Tripwire.
It will scan the system for any publicly writable files and directories and warn you, so you can take action about them.
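As an added example that is not from the original post, here is a script that audits a tree for setuid/setgid files and for world-writable files and directories (skipping sticky directories such as /tmp, where world-write is expected), and then applies the chmod a-s and chmod o-w fixes described in the last two sections. Note that find -perm -0002 tests the mode bits themselves, whereas find -writable (used above) only answers whether the user running find may write. The demo builds its own throwaway tree under mktemp, so nothing under /bin or /home is touched; the file names are constructed.

```shell
#!/bin/sh
# Audit a directory tree for setuid/setgid binaries and world-writable files and directories.
# $1 = root of the tree. Prints "suid|sgid|ww-file|ww-dir <path>" per finding.
perm_audit() {
    find "$1" -type f -perm -4000 -print | sed 's/^/suid /'
    find "$1" -type f -perm -2000 -print | sed 's/^/sgid /'
    find "$1" -type f -perm -0002 -print | sed 's/^/ww-file /'
    # world-writable directories are expected only when sticky (like /tmp), so those are skipped
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sed 's/^/ww-dir /'
}

# Remediate every finding from perm_audit: strip setuid/setgid, drop the world-write bit.
# $1 = root of the tree
perm_fix() {
    findings=$(perm_audit "$1")          # collect first, then change modes
    printf '%s\n' "$findings" | while read -r kind path; do
        case "$kind" in
            suid|sgid)      chmod a-s "$path" ;;
            ww-file|ww-dir) chmod o-w "$path" ;;
        esac
    done
}

# Constructed demo in a throwaway directory so real binaries such as /bin/mount are never touched.
# Prints "<findings before> <findings after>".
perm_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/public_html" "$d/tmp"
    printf '#!/bin/sh\necho fake mount\n' > "$d/bin/mount"
    chmod 4755 "$d/bin/mount"                 # setuid, like the real /bin/mount
    printf 'ok\n' > "$d/public_html/index.html"
    chmod 0666 "$d/public_html/index.html"    # world-writable web file
    chmod 0777 "$d/public_html"               # world-writable web directory
    chmod 1777 "$d/tmp"                       # sticky: legitimate, must not be reported
    before=$(perm_audit "$d" | awk 'END { print NR }')
    perm_fix "$d"
    after=$(perm_audit "$d" | awk 'END { print NR }')
    rm -rf "$d"
    echo "$before $after"
}

perm_demo
```

On a real host, run perm_audit / against the whole system first and review the list before calling perm_fix on anything: as the post warns, programs like passwd and mount need their setuid bit, so the fix step belongs only on trees such as web roots where no setuid file has any business being.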
Risky Symlinks
Symlinks (symbolic links) are useful when used for a good purpose to simplify your work, but in some cases an attacker uses a scripting language on your server to build a symlink to travel between directories, read your files, steal passwords and gain access to all websites on the server, so it's very important to keep an eye on that.
The following command searches for any symlink under the web folders and deletes it:
$ find /home/*/public_html -type l -delete
You can change the path based on your server paths. You may also create a shell script that finds those symlinks and mails the list to you, so you can investigate how they were created:
#!/bin/bash
# Collect every symlink under each account's public_html, then mail the list of affected accounts.
find /home/*/public_html/ -type l > /root/symlinks
# the third path component (/home/<account>/...) is the account name
cut -d"/" -f3 /root/symlinks | sort -u > /root/out
mail -s "Symlinks in $(hostname)" [email protected] < /root/out
There are many ways to stop symlink abuse: if you are using PHP, you can disable the dangerous functions, and if you are using Apache, use the SymLinksIfOwnerMatch option instead of FollowSymLinks, so that a link is only followed when its owner matches the owner of the target.
This trick is very useful, especially when dealing with compromised systems.
There is a lot to talk about securing PHP; maybe we should make another post about that, but let’s keep simple for now.
Securing Log Files
Your last line of defense is the log files. Log files for each running service tell you everything about that service, so you can keep track of everything happened on your system.
In the worst case (such as an attacker gaining root access), the attacker might delete those log files and leave you without any evidence of what happened.
Consider copying your log files to a different place, or schedule a regular backup of the log files to somewhere the attacker cannot reach even if he gains access to your system.
Securing Linux Resources
Securing Linux resources is a must, because users can jeopardize the stability of your server if they are left to use server resources without limits.
You can set how much memory each user may use, how many processes, and other server resources.
Under /etc/security, there is a file called limits.conf, in this file you can specify the limits for your users like this:
* hard rss 500000
* hard nproc 50
The first line says for all users, limit the memory usage to 500 MB.
The second line says for all users, limit the number of processes to 50 processes.
All these restriction rules apply to all users except root.
The asterisk on both lines means all users, but some systems have service users such as www or mysql that are shared by all users on the system, and applying our restriction rules to them too can lead to problems.
A good solution for this problem is to add a special group, add our users to that group, and apply the restriction rules to that group.
In this case the rules apply to every user in that group and not to every user on the system:
@myusers hard rss 500000
@myusers hard nproc 50
Hardening /proc Directory
The /proc directory, or as they call it the process information pseudo-filesystem, gives you information about the currently running processes. By default Linux allows normal users to see that information: you can see which processes belong to root and every other user's processes.
Before you use this trick, run ps -ef as a normal user and you will see that it lists all processes, even root's.
The hidepid mount option allows you to hide process IDs. It takes a value of 0, 1 or 2.
$ mount -o remount,rw,hidepid=2 /proc
You can also write it to /etc/fstab to make it permanent, so the process IDs remain hidden after a reboot:
proc /proc proc defaults,hidepid=2 0 0
After that, you are only allowed to see your own processes; only root can see all processes for all users:
$ ps -ef
Another mount option is gid, which allows the users in a specific group to see the whole /proc directory.
If the group you want to assign the permission to has ID of 100, you can write it like this:
$ mount -o remount,rw,gid=100 /proc
Also, you can write it in /etc/fstab file:
proc /proc proc defaults,gid=100 0 0
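The following example, added here and not taken from the original post, ties together the mount-option discussion in the Secure Mounted Filesystems section and the hidepid setting for /proc above: it expands "defaults" into the flags listed in that section, applies later options over earlier ones (so "defaults,noexec" really is noexec), and reports the mount points in a constructed /etc/fstab that lack the options a constructed policy requires. Nothing is mounted; the script only parses the file.

```shell
#!/bin/sh
# Constructed /etc/fstab (not from a real host) mixing weak and hardened entries.
SAMPLE_FSTAB='# <device>   <mount>  <type>  <options>               <dump> <pass>
LABEL=/      /        ext4    defaults                1 1
/dev/hda1    /home    ext4    defaults                0 2
/dev/hda2    /usr     ext4    ro,nodev                0 2
tmpfs        /tmp     tmpfs   defaults,noexec,nosuid  0 0
proc         /proc    proc    defaults                0 0'

# Which mount points must carry which option (a policy constructed for this example,
# following the post: noexec/nosuid on /home and /tmp, hidepid=2 on /proc).
POLICY='/home noexec
/home nosuid
/tmp noexec
/tmp nosuid
/proc hidepid=2'

# Reduce an fstab options field to its effective flags: "defaults" expands to
# rw,suid,exec,auto,nouser and a later option overrides an earlier one.
# Prints "rw|ro,exec|noexec,suid|nosuid,user|nouser,auto|noauto[,other...]". $1 = options field
effective_opts() {
    printf '%s\n' "$1" | awk -F, '
        {
            rw = "rw"; ex = "exec"; su = "suid"; us = "nouser"; au = "auto"; extra = ""
            for (i = 1; i <= NF; i++) {
                o = $i
                if (o == "defaults") { rw = "rw"; ex = "exec"; su = "suid"; us = "nouser"; au = "auto" }
                else if (o == "ro" || o == "rw")                       rw = o
                else if (o == "exec" || o == "noexec")                 ex = o
                else if (o == "suid" || o == "nosuid")                 su = o
                else if (o == "user" || o == "users" || o == "nouser") us = o
                else if (o == "auto" || o == "noauto")                 au = o
                else if (o != "")                                      extra = extra "," o
            }
            printf "%s,%s,%s,%s,%s%s\n", rw, ex, su, us, au, extra
        }'
}

# Print "<mount>: missing <option>" for every policy entry the fstab does not satisfy.
# $1 = fstab contents
fstab_audit() {
    printf '%s\n' "$1" | awk '!/^[ \t]*#/ && NF >= 4 { print $2, $4 }' | while read -r mnt opts; do
        eff=$(effective_opts "$opts")
        printf '%s\n' "$POLICY" | while read -r pmnt want; do
            [ "$pmnt" = "$mnt" ] || continue
            case ",$eff," in
                *,"$want",*) ;;
                *) echo "$mnt: missing $want (effective: $eff)" ;;
            esac
        done
    done
}

fstab_audit "$SAMPLE_FSTAB"
```

Run fstab_audit "$(cat /etc/fstab)" to check a real file; the policy is yours to adjust, since, as the post says, /tmp with noexec breaks some software and the right answer differs per server.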
The last advice for you is to keep your system and software updated always, that will protect you from many threats.
I hope you find these hardening tricks useful. Keep coming back.
Thank you.
Linux Mint 18.3 released
The final release of Linux Mint 18.3, code-named “Sylvia”, came out after its testing period and has taken its place on the mirrors for download. The release, whose official announcement has not yet been made, offers improved spell-checking and thesaurus support for English, German, Spanish, French, Italian, Portuguese and Russian. Redshift is now installed by default, the driver manager is said to detect the CPU better, and microcode packages are presented more properly. Built on the Ubuntu 16.04 package base, the system is offered as a long-term support release and is stated to be supported until 2021. The development team, which will not start working on a new base until 2018, is said to be focusing on this release. Built on Linux kernel 4.10.0-38, the system includes linux-firmware 1.157.13.
You can use the links below to obtain Linux Mint 18.3.
After the official announcement is made:
BlackArch Linux 2017.11.24 announced
The 2017.11.24 release of BlackArch Linux, an Arch Linux-based distribution designed for penetration testers and security researchers, has been announced. More than 50 new tools have been added, and all system packages and all window manager (awesome, fluxbox, openbox) menus have been updated. Built on Linux kernel 4.13.12, the system updates the BlackArch installer to version 0.6. BlackArch tools and packages are also updated, and updating all window manager menus is recommended. Thanks are expressed to all BlackArch users and supporters. For detailed information about BlackArch Linux 2017.11.24 you can consult the project's release announcement.
You can use the links below to obtain BlackArch Linux 2017.11.24.