Posts

A Linux kernel vulnerability affecting versions 4.9 and later could allow an attacker to carry out a denial-of-service attack against any system with a reachable open port, according to an Aug 6 security advisory from the CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute.

“Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service,” the report states. “An attacker can induce a denial of service condition by sending specially modified packets within ongoing TCP sessions.”

Sustaining the attack requires a continuous two-way TCP session to a reachable open port. Researchers noted that, because of this requirement, the attack cannot be carried out from spoofed IP addresses.

Patches for the vulnerability have been released, and users are recommended to update their systems as soon as possible.


source: https://www.scmagazine.com/linux-vulnerability-could-lead-to-ddos-attacks/article/786713/

Hamidreza Talebi, linux

Today we will look at how to set up centralized log management for Linux servers. It lets the administrator see the logs of multiple servers in one place: instead of logging in to each server to check its logs, the admin logs in to the central server and monitors the logs there.

syslog labels each log message with a facility (auth, cron, ftp, lpr, authpriv, news, mail, syslog, etc.) that indicates the type of software that generated it, and with a severity (emerg, alert, crit, err, warning, notice, info, debug).

You can find more information on message facilities (labels) and severity levels in the syslog documentation.

Make sure you have the following before setting up the log server.

Two Linux servers (server and client):

server.itzgeek.com 192.168.12.131

client.itzgeek.com 192.168.12.132

Server setup:

Install the rsyslog package if it is not already installed.

[root@server ~]# yum -y install rsyslog

Edit /etc/rsyslog.conf

[root@server ~]# vi /etc/rsyslog.conf

Uncomment the following lines so the syslog server listens for incoming messages on TCP and UDP port 514. Note that plain syslog on port 514 is neither encrypted nor authenticated: anything that can reach the port can inject log lines, and UDP source addresses can be spoofed. Restrict the port to known client addresses in the firewall and use rsyslog's TLS transport when logs cross an untrusted network.
From

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
 
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

To

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
 
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Restart the rsyslog service

[root@server ~]# systemctl restart rsyslog.service

Verify that the syslog server is listening.

[root@server ~]# netstat -antup | grep 514
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      759/rsyslogd        
tcp6       0      0 :::514                  :::*                    LISTEN      759/rsyslogd        
udp        0      0 0.0.0.0:514             0.0.0.0:*                           759/rsyslogd        
udp6       0      0 :::514                  :::*                                759/rsyslogd

Client setup:

Install the rsyslog package if it is not already installed, then edit /etc/rsyslog.conf

[root@client ~]# vi /etc/rsyslog.conf

At the end of the file add the following line to forward the client's log messages to the server. The selector means: every facility at severity info or higher, except mail, authpriv and cron, which stay local.

*.info;mail.none;authpriv.none;cron.none   @192.168.12.131

A single @ forwards over UDP; use @@ instead to forward over TCP. Either a hostname or an IP address may follow the @.

Restart the rsyslog service

[root@client ~]# systemctl restart rsyslog.service

All messages matching that selector are now sent to the central server, and the client also keeps its local copy.

Firewall Port opening (Optional):

Most production environments sit behind a network firewall; ask its administrators to open TCP and UDP port 514 from the clients to the log server.
If firewalld is enabled on the server, run the following commands to accept incoming traffic on UDP and TCP port 514 (preferably limited to the client addresses rather than the whole public zone).

[root@server ~]# firewall-cmd --permanent --zone=public --add-port=514/tcp
[root@server ~]# firewall-cmd --permanent --zone=public --add-port=514/udp
[root@server ~]# firewall-cmd --reload

You can verify that the port is reachable by running the following from the client.

[root@client ~]# telnet 192.168.12.131 514
 
Trying 192.168.12.131...
Connected to 192.168.12.131.
Escape character is '^]'.

If the connection is refused or times out, check the firewall rules on both client and server (stop the firewall only temporarily to confirm it is the cause, and re-enable it with the rules above afterwards).

Test:

Monitor the activity on the log server by following the messages log.

[root@server ~]# tailf /var/log/messages

I have installed and started vsftpd on the client machine; you can see both events recorded on the syslog server.

Oct  5 06:03:53 client yum[2425]: Installed: vsftpd-3.0.2-9.el7.x86_64
Oct  5 06:04:13 client systemd: Starting Vsftpd ftp daemon...
Oct  5 06:04:13 client systemd: Started Vsftpd ftp daemon.

In the same way you can monitor the other logs, such as secure, mail and cron.

The main syslog facilities are:

Hamidreza Talebi


source: http://www.itzgeek.com/how-tos/linux/centos-how-tos/setup-syslog-server-on-centos-7-rhel-7.html

Hamidreza Talebi, linux

tty = teletypewriter (virtual console)

Ctrl+Alt + F1 =tty1
Ctrl+Alt + F2 =tty2
.
.

Ctrl+Alt+F7 = graphical session

Short description of a command (searches the manual page index)
$ apropos file

Read the manual page
$ man file

Where is a command's executable located?
$ which ls

What is in the root directory
$ ls /

List files in long format (permissions, owner, size, date)
$ ls -l

List directory contents recursively
$ ls -lR

. current directory
.. parent directory
~ user’s home folder

Editors
nano, vim, vi
$ nano FileName
$ vi FileName
To exit vi: press Esc, then type :q

To create an empty file (or update its timestamp)
$ touch filename

To print a file's contents
$ cat filename

To copy
$ cp source destination // add -r to copy a directory
$ cp myfile2 myfile3 Documents // copy two files into the Documents directory

To remove a file
$ rm myfile

List files whose names start with a
$ ls a*


List files whose names are exactly three characters long
$ ls ???

Link files together (hard link: both names refer to the same file)
$ ln users.txt Document/list.txt

Find files larger than 10M below the current directory
$ find . -size +10M

Write text to a file (> replaces the file's previous contents)
$ echo "more information" > output.txt
$ ls > homedir.txt

Use a pipe
$ cat homedir.txt | wc
// counts lines, words and bytes

Compare files (side by side / unified diff)
$ diff -y text1.txt text2.txt

$ diff -u text1.txt text2.txt

Compare files byte by byte (works for binaries)
$ cmp text1.txt text2.txt

Archives and Compression
$ tar -cf doc.tar listoffiles // create
$ tar -tf doc.tar // list contents
$ tar -xf doc.tar -C extractdestination // extract into a directory


$ zip myfiles.zip file1 file2 …
$ unzip myfiles.zip -d unzip // extract into a folder named unzip (created if needed)


Find with grep
$ cat users.txt | grep -E "[A-M][m-z]" // lines containing an uppercase A-M followed by a lowercase m-z

Change permissions
$ chmod 600 myfile // owner read/write only
$ chmod ugo+rwx myfile // everyone read/write/execute
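As an added worked example (not from the original cheat sheet), the script below converts between the symbolic mode string shown by ls -l and the octal mode accepted by chmod, including the setuid, setgid and sticky bits, and flags modes that leave a file accessible to others. It assumes POSIX sh; the modes passed to it in the demo loop are constructed inputs, not output from a real listing.

```shell
# Added example: symbolic mode <-> octal, plus a world-access check.
# A leading file-type character from `ls -l` (-, d, l, ...) is ignored.

# mode_to_octal 'rw-------'  -> 600
# mode_to_octal '-rwsr-xr-x' -> 4755
mode_to_octal() {
  m="$1"
  case "$m" in ??????????) m="${m#?}" ;; esac   # drop file-type char
  special=0; perms=""; pos=0; n=0
  while [ -n "$m" ]; do
    c="${m%"${m#?}"}"; m="${m#?}"               # c = first char, m = rest
    case "$c" in
      r)     n=$((n + 4)) ;;
      w)     n=$((n + 2)) ;;
      x|s|t) n=$((n + 1)) ;;                      # lowercase s/t imply execute
    esac
    case "$pos$c" in
      2s|2S) special=$((special + 4)) ;;          # setuid (user triad)
      5s|5S) special=$((special + 2)) ;;          # setgid (group triad)
      8t|8T) special=$((special + 1)) ;;          # sticky (others triad)
    esac
    if [ $((pos % 3)) -eq 2 ]; then perms="$perms$n"; n=0; fi
    pos=$((pos + 1))
  done
  if [ "$special" -eq 0 ]; then echo "$perms"; else echo "$special$perms"; fi
}

# octal_to_mode 640  -> rw-r-----
# octal_to_mode 1777 -> rwxrwxrwt
octal_to_mode() {
  o="$1"; special=0
  case "$o" in ????) special="${o%???}"; o="${o#?}" ;; esac
  out=""; pos=0
  while [ -n "$o" ]; do
    d="${o%"${o#?}"}"; o="${o#?}"
    case "$d" in
      0) s='---' ;; 1) s='--x' ;; 2) s='-w-' ;; 3) s='-wx' ;;
      4) s='r--' ;; 5) s='r-x' ;; 6) s='rw-' ;; 7) s='rwx' ;;
    esac
    case "$pos" in 0) bit=4 ;; 1) bit=2 ;; 2) bit=1 ;; esac
    if [ $((special & bit)) -ne 0 ]; then
      case "$pos$s" in
        2*x) s="${s%?}t" ;;   # sticky with execute
        2*)  s="${s%?}T" ;;   # sticky without execute
        *x)  s="${s%?}s" ;;   # setuid/setgid with execute
        *)   s="${s%?}S" ;;   # setuid/setgid without execute
      esac
    fi
    out="$out$s"; pos=$((pos + 1))
  done
  echo "$out"
}

# others_have_access 'rw-r--r--' -> yes  (anyone on the box can read it)
# others_have_access 'rw-------' -> no   (what chmod 600 gives a private key)
others_have_access() {
  oct=$(mode_to_octal "$1")
  last="${oct#"${oct%?}"}"                        # the others' digit
  if [ "$last" -ne 0 ]; then echo yes; else echo no; fi
}

for mode in 'rw-------' 'rw-r--r--' 'rwxrwxrwx' '-rwsr-xr-x' 'drwxrwxrwt'; do
  printf '%-11s octal=%-5s others=%s\n' "$mode" \
    "$(mode_to_octal "$mode")" "$(others_have_access "$mode")"
done
```

The check is the one worth remembering for SSH keys and credentials files: anything other than 0 in the last octal digit means users outside the owner and group can touch the file, which is exactly what chmod 600 removes.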

Hamidreza Talebi- Linux

Change the current user to root
$sudo -s
#

SSH
$sudo apt install openssh-server

To connect from another system: ssh user@ip

SFTP (inside an sftp session with the remote host)
$ get file3 // download
$ put file3 // upload

SCP
Secure Copy Protocol
remote component: user@host:path-to-file
$ scp file4 hrt@192.168.3.10:/Documents

Packages update
sudo apt-get update
sudo apt-get upgrade

Enable Firewall (when working over SSH, allow port 22 before enabling, or you lock yourself out)
ufw allow 22/tcp
ufw enable

Disable Firewall
ufw disable

dd if=source of=destination // block-level copy, used for cloning disks
ps // show processes
ps aux | grep "evol" // find a process by name
ifconfig // show network interfaces (legacy tool)
apt-get install ….

ip address add 192.168.99.37/24 dev eth0 // assign an address to eth0