nixCraft » Security http://www.cyberciti.biz/tips This is a Linux sys admin journal by Vivek about sys admin work, Linux tips & tricks, hacks, news and more. Wed, 24 Apr 2013 18:50:55 +0000 en-US hourly 1 http://wordpress.org/?v=3.5.1 Linux / FreeBSD: PDFCrack A Command Line Password Recovery Tool For PDF Fileshttp://www.cyberciti.biz/tips/linux-howto-crack-recover-pdf-file-password.html http://www.cyberciti.biz/tips/linux-howto-crack-recover-pdf-file-password.html#comments Wed, 06 Jun 2012 07:33:50 +0000 nixCraft http://www.cyberciti.biz/tips/?p=8994 I already written about howto remove a password from all PDF files under Ubuntu or any other Linux distribution in a batch mode. However, many user want a simple command to recover password from pdf files. This is useful if you forgotten your password for pdf file. It is also useful for data-archaeologists, computer forensics professionals, people who want to test their password-strength (pdf files generated by webpass) and many more.]]> http://www.cyberciti.biz/tips/linux-howto-crack-recover-pdf-file-password.html/feed 2 Linux: 25 PHP Security Best Practices For Sys Adminshttp://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html#comments Wed, 23 Nov 2011 05:48:07 +0000 nixCraft http://www.cyberciti.biz/tips/?p=8173 PHP is an open-source server-side scripting language and it is a widely used. The Apache web server provides access to files and content via the HTTP OR HTTPS protocol. A misconfigured server-side scripting language can create all sorts of problems. So, PHP should be used with caution. Here are twenty-five php security best practices for sysadmins for configuring PHP securely.]]> http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html/feed 51 Top 20 Nginx WebServer Best Security Practiceshttp://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html#comments Sat, 06 Mar 2010 10:20:45 +0000 nixCraft http://www.cyberciti.biz/tips/?p=6449 Nginx is a lightweight, high performance web server/reverse proxy and e-mail (IMAP/POP3) proxy. It runs on UNIX, GNU/Linux, BSD variants, Mac OS X, Solaris, and Microsoft Windows. According to Netcraft, 6% of all domains on the Internet use nginx webserver. Nginx is one of a handful of servers written to address the C10K problem. Unlike traditional servers, Nginx doesn't rely on threads to handle requests. Instead it uses a much more scalable event-driven (asynchronous) architecture. Nginx powers several high traffic web sites, such as WordPress, Hulu, Github, and SourceForge. This page collects hints how to improve the security of nginx web servers running on Linux or UNIX like operating systems.]]> http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html/feed 36 20 Linux Server Hardening Security Tipshttp://www.cyberciti.biz/tips/linux-security.html http://www.cyberciti.biz/tips/linux-security.html#comments Fri, 30 Oct 2009 07:52:11 +0000 nixCraft http://www.cyberciti.biz/tips/?p=5687 Securing your Linux server is important to protect your data, intellectual property, and time, from the hands of crackers (hackers). The system administrator is responsible for security Linux box. In this first part of a Linux server security series, I will provide 20 hardening tips for default installation of Linux system.]]> http://www.cyberciti.biz/tips/linux-security.html/feed 116 Use a Linux LiveCD to Avoid Windows Malware For Netbankinghttp://www.cyberciti.biz/tips/use-linux-live-cd-usb-for-online-banking.html http://www.cyberciti.biz/tips/use-linux-live-cd-usb-for-online-banking.html#comments Thu, 15 Oct 2009 12:53:55 +0000 nixCraft http://www.cyberciti.biz/tips/?p=5791 Internet has revolutionized the way online users can shop and avail banking services like internet Banking from anywhere, anytime without visiting bank. But, how safe is your money with online net-banking which allows to carry out money transfer? Companies and in some case individuals lost anywhere from $10,000 to $500,000 dollars because of a single malware infection. The cyber crooks are targeting innocent MS-Windows user. If you are concerned about how best to protect yourself from this type of fraud, use Linux LiveCD for online banking and avoid Microsoft Windows at all cost.]]> http://www.cyberciti.biz/tips/use-linux-live-cd-usb-for-online-banking.html/feed 6 Top 5 Email Client For Linux, Mac OS X, and Windows Usershttp://www.cyberciti.biz/tips/download-email-client-for-linux-mac-osx-windows.html http://www.cyberciti.biz/tips/download-email-client-for-linux-mac-osx-windows.html#comments Sat, 08 Aug 2009 08:41:12 +0000 nixCraft http://www.cyberciti.biz/tips/?p=5590 Linux comes with various GUI based email client to stay in touch with your friends and family, and share information in newsgroups with other users. The following software is similar to Outlook Express or Windows Live Mail and is used by both home and office user.
Webmail interfaces allow users to access their mail with any standard web browser, from any computer, rather than relying on an e-mail client. However, e-mail client remains extremely popular in a large corporate environment, small business, home and power users. An e-mail client (also mail user agent (MUA)) is a frontend computer program used to manage e-mail. Mail can be stored on the client, on the server side, or in both places. Standard formats for mailboxes include Maildir and mbox.
The following are top five amazing piece of cross-platform software from various projects to make your life easy with wide variety of plug-ins / add-ons.]]> http://www.cyberciti.biz/tips/download-email-client-for-linux-mac-osx-windows.html/feed 122 BIND 9 Dynamic Update DoS Security Updatehttp://www.cyberciti.biz/tips/bind-dynamic-update-dos.html http://www.cyberciti.biz/tips/bind-dynamic-update-dos.html#comments Wed, 29 Jul 2009 15:47:12 +0000 nixCraft http://www.cyberciti.biz/tips/?p=5570 BIND 9 is an implementation of the Domain Name System (DNS) protocols. named daemon is an Internet Domain Name Server for UNIX like operating systems. Dynamic update messages may be used to update records in a master zone on a nameserver. When named receives a specially crafted dynamic update message an internal assertion check is triggered which causes named to exit. An attacker which can send DNS requests to a nameserver can cause it to exit, thus creating a Denial of Service situation. configuring named to ignore dynamic updates is NOT sufficient to protect it from this vulnerability. This exploit is public. Please upgrade immediately.]]> http://www.cyberciti.biz/tips/bind-dynamic-update-dos.html/feed 7 Top 20 OpenSSH Server Best Security Practiceshttp://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html#comments Fri, 24 Jul 2009 21:49:43 +0000 nixCraft http://www.cyberciti.biz/tips/?p=5489 Don't tell anyone that I'm free OpenSSH is the implementation of the SSH protocol. OpenSSH is recommended for remote login, making backups, remote file transfer via scp or sftp, and much more. SSH is perfect to keep confidentiality and integrity for data exchanged between two networks and systems. However, the main advantage is server authentication, through the use of public key cryptography. From time to time there are rumors about OpenSSH zero day exploit. Here are a few things you need to tweak in order to improve OpenSSH server security.]]> http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html/feed 134 20 Linux System Monitoring Tools Every SysAdmin Should Knowhttp://www.cyberciti.biz/tips/top-linux-monitoring-tools.html http://www.cyberciti.biz/tips/top-linux-monitoring-tools.html#comments Sat, 27 Jun 2009 02:26:39 +0000 nixCraft http://www.cyberciti.biz/tips/?p=4934 Need to monitor Linux server performance? Try these built-in command and a few add-on tools. Most Linux distributions are equipped with tons of monitoring. These tools provide metrics which can be used to get information about system activities. You can use these tools to find the possible causes of a performance problem. The commands discussed below are some of the most basic commands when it comes to system analysis and debugging server issues such as:
  1. Finding out bottlenecks.
  2. Disk (storage) bottlenecks.
  3. CPU and memory bottlenecks.
  4. Network bottlenecks.
]]> http://www.cyberciti.biz/tips/top-linux-monitoring-tools.html/feed 316 Lighttpd Traffic Shaping: Throttle Connections Per Single IP (Rate Limit)http://www.cyberciti.biz/tips/lighttpd-set-throughput-connections-per-ip.html http://www.cyberciti.biz/tips/lighttpd-set-throughput-connections-per-ip.html#comments Sun, 21 Jun 2009 00:02:13 +0000 nixCraft http://www.cyberciti.biz/tips/?p=5148 If you do not control or throttle end users, your server may run out of resources. Spammers, abuser and badly written bots can eat up all your bandwidth. A webserver must keep an eye on connections and limit connections per second. This is serving 101. The default is no limit. Lighttpd can limit the throughput for each single connection (per IP) or for all connections. You also need to a use firewall to limit connections per second. In this article I will cover firewall and lighttpd web server settings to throttle end users. The firewall settings can be applied to other web servers such as Apache / Nginx and IIS server behind PF / netfilter based firewall.]]> http://www.cyberciti.biz/tips/lighttpd-set-throughput-connections-per-ip.html/feed 15 Linux Kernel Security (SELinux vs AppArmor vs Grsecurity)http://www.cyberciti.biz/tips/selinux-vs-apparmor-vs-grsecurity.html http://www.cyberciti.biz/tips/selinux-vs-apparmor-vs-grsecurity.html#comments Wed, 27 May 2009 22:29:17 +0000 nixCraft http://www.cyberciti.biz/tips/?p=4903 Linux kernel is the central component of Linux operating systems. It is responsible for managing the system's resources, the communication between hardware and software and security. Kernel play a critical role in supporting security at higher levels. Unfortunately, stock kernel is not secured out of box. There are some important Linux kernel patches to secure your box. They differ significantly in how they are administered and how they integrate into the system. They also allow for easy control of access between processes and objects, processes and other processes, and objects and other objects. The following pros and cons list is based upon my personal experience. ]]> http://www.cyberciti.biz/tips/selinux-vs-apparmor-vs-grsecurity.html/feed 18 Red Hat / CentOS VSFTPD FTP Server Configurationhttp://www.cyberciti.biz/tips/rhel-fedora-centos-vsftpd-installation.html http://www.cyberciti.biz/tips/rhel-fedora-centos-vsftpd-installation.html#comments Thu, 21 May 2009 18:06:12 +0000 nixCraft http://www.cyberciti.biz/tips/?p=4788 vsftpd (Very Secure FTP Daemon) is an FTP server for UNIX-like systems, including CentOS / RHEL / Fedora and other Linux distributions. It supports IPv6, SSL, locking users to their home directories and many other advanced features.

In this guide you will learn:
  1. Setup vsftpd to Provide FTP Service.
  2. Configure vsftpd.
  3. Configure Firewalls to Protect the FTP Server.
  4. Configure vsftpd with SSL/TLS.
  5. Setup vsftpd as Download Only Anonymous Internet Server.
  6. Setup vsftpd With Virtual Users and Much More.


Read CentOS / RHEL FTP Server Series:]]> http://www.cyberciti.biz/tips/rhel-fedora-centos-vsftpd-installation.html/feed 42 HowTo: Creating Firewall and Cluster Objects In Firewall Builderhttp://www.cyberciti.biz/tips/creating-firewall-cluster-objects-in-firewall-builder.html http://www.cyberciti.biz/tips/creating-firewall-cluster-objects-in-firewall-builder.html#comments Wed, 25 Mar 2009 19:44:25 +0000 nixCraft http://www.cyberciti.biz/tips/?p=6521 "Firewall Object" and "Cluster Object" of the Firewall Builder Users Guide.]]> http://www.cyberciti.biz/tips/creating-firewall-cluster-objects-in-firewall-builder.html/feed 0 Firewall Builder: Generate The Web Server Firewall Cluster Running Linux or OpenBSDhttp://www.cyberciti.biz/tips/firewall-builder4-webserver-cluster-tutorial.html http://www.cyberciti.biz/tips/firewall-builder4-webserver-cluster-tutorial.html#comments Wed, 25 Mar 2009 19:42:48 +0000 nixCraft http://www.cyberciti.biz/tips/?p=6506 Firewall Builder Logo This article continues mini-series started with the post Introduction to Firewall Builder 4.0. This article is also available as a section in the "Firewall Builder Cookbook" chapter of Firewall Builder Users Guide 4.0. Firewall Builder 4.0 is currently in beta testing phase. If you find it interesting after reading this post, please download and try it out. Source code archives, binary deb and rpm packages for popular Linux distributions and commercially distributed Windows and Mac OS X packages are available for download here. In this post I demonstrate how Firewall Builder can be used to generate firewall configuration for a clustered web server with multiple virtual IP addresses. The firewall is running on each web server in the cluster. This example assumes the cluster is built with heartbeat using "old" style configuration files, but which high availability software is used to build the cluster is not really essential. I start with the setup that consists of two identical servers running Linux but in the end of the article I am going to demonstrate how this configuration can be converted to OpenBSD with CARP.

This entry is part 1 of 4 in the series Linux Firewall Cluster Configuration with Firewall Builder v4.:
]]> http://www.cyberciti.biz/tips/firewall-builder4-webserver-cluster-tutorial.html/feed 7 Firewall Builder: Convert Linux Iptables Configuration to OpenBSD and PFhttp://www.cyberciti.biz/tips/openbsd-pf-firewall-builder-configuration.html http://www.cyberciti.biz/tips/openbsd-pf-firewall-builder-configuration.html#comments Wed, 25 Mar 2009 19:28:34 +0000 nixCraft http://www.cyberciti.biz/tips/?p=6570 http://www.cyberciti.biz/tips/openbsd-pf-firewall-builder-configuration.html/feed 2 Linux Building Rules For The Cluster With Firewall Builderhttp://www.cyberciti.biz/tips/linux-cluster-building-firewall-rules.html http://www.cyberciti.biz/tips/linux-cluster-building-firewall-rules.html#comments Wed, 25 Mar 2009 19:28:10 +0000 nixCraft http://www.cyberciti.biz/tips/?p=6553 http://www.cyberciti.biz/tips/linux-cluster-building-firewall-rules.html/feed 0 Introduction to Firewall Builder 4.0http://www.cyberciti.biz/tips/introduction-to-firewall-builder-4-0.html http://www.cyberciti.biz/tips/introduction-to-firewall-builder-4-0.html#comments Mon, 16 Mar 2009 07:01:09 +0000 nixCraft http://www.cyberciti.biz/tips/?p=6486 This is the first article in the mini-series of two articles about Firewall Builder.

Systems administrators have a choice of modern Open Source and commercial firewall platforms at their disposal. They could use netfilter/iptables on Linux, PF, ipfilter, ipfw on OpenBSD and FreeBSD, Cisco ASA (PIX) and other commercial solutions. All these are powerful implementations with rich feature set and good performance. Unfortunately, managing security policy manually with all of these remains non-trivial task for several reasons. Even though the configuration language can be complex and overwhelming with its multitude of features and options, this is not the most difficult problem in my opinion. Administrator who manages netfilter/iptables, PF or Cisco firewall all the time quickly becomes an expert in their platform of choice. To do the job right, they need to understand internal path of the packet inside Linux or BSD kernel and its interaction with different parts of packet filtering engine. Things get significantly more difficult in the installations using different OS and platforms where the administrator needs to switch from netfilter/iptables to PF to Cisco routers and ASA to implement coordinated changes across multiple devices. This is where making changes get complicated and probability of human error increases. Unfortunately typos and more significant errors in firewall or router access list configurations lead to either service downtime or security problems, both expensive in terms of damage and time required to fix.]]> http://www.cyberciti.biz/tips/introduction-to-firewall-builder-4-0.html/feed 11 Do You Blame Users For IT Security?http://www.cyberciti.biz/tips/it-security-blaming-the-victim.html http://www.cyberciti.biz/tips/it-security-blaming-the-victim.html#comments Thu, 12 Mar 2009 19:31:24 +0000 nixCraft http://www.cyberciti.biz/tips/?p=4512 An interesting article published by security guru Bruce Schneier:
Blaming the victim is common in IT: users are to blame because they don't patch their systems, choose lousy passwords, fall for phishing attacks, and so on. But, while users are, and will continue to be, a major source of security problems, focusing on them is an unhelpful way to think.

=> Blaming the user is easy – but it's better to bypass them altogether]]> http://www.cyberciti.biz/tips/it-security-blaming-the-victim.html/feed 7 Uninstall IE8 Under Windows 7http://www.cyberciti.biz/tips/uninstall-internet-explore-under-windows-7.html http://www.cyberciti.biz/tips/uninstall-internet-explore-under-windows-7.html#comments Thu, 05 Mar 2009 02:07:39 +0000 nixCraft http://www.cyberciti.biz/tips/?p=4483 IE (Internet explore) was first released as part of the add-on package Plus! for Windows 95 in 1995. IE is fully integrated into MS operating system. IE has been subjected to many security vulnerabilities such as spyware, adware, and computer viruses. Removing Internet Explorer does have a number of consequences. Applications that depend on libraries installed by IE will fail to function, or have unexpected behaviors. A just-leaked build of Windows 7 lets users remove Internet Explorer (IE), the first time that Microsoft has offered the option since it integrated the browser with Windows in 1997.]]> http://www.cyberciti.biz/tips/uninstall-internet-explore-under-windows-7.html/feed 12 Security Through Obscurity: MAC Address Filtering ( Layer 2 Filtering )http://www.cyberciti.biz/tips/linux-unix-bsd-mac-filtering.html http://www.cyberciti.biz/tips/linux-unix-bsd-mac-filtering.html#comments Tue, 17 Feb 2009 18:37:21 +0000 nixCraft http://www.cyberciti.biz/tips/?p=4452 MAC Filtering (layer 2 address filtering) refers to a security access control methodology whereby the 48-bit address assigned to each network card is used to determine access to the network. Iptables, pf, and IPFW can block a certain MAC address on a network, just like an IP. One can deny or allow from MAC address like 00:1e:2a:47:42:8d using open source firewalls. MAC address filtering is often used to secure LAN or wireless network / devices. Is this technique effective? ]]> http://www.cyberciti.biz/tips/linux-unix-bsd-mac-filtering.html/feed 14