Exim is a free and open source message transfer agent (MTA) developed at the University of Cambridge. It is famous on Unix and Linux systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. There is a buffer overflow in base64d() of Exim MTA that allows an attacker to run code remotely. ALL versions of Exim MTA affected by overflow vulnerability i.e. CVE-2018-6789.
Continue reading “400K+ Exim MTA affected by overflow vulnerability on Linux/Unix”
OpenSSH needs no introduction. OpenSSH is a free and open source suite of security-related software based on the SSH protocol. OpenSSH provides secure network communication and tunneling capabilities. OpenSSH gives peace of mind when communicating with Linux or Unix-like server over the Internet on the insecure network.
SSH is essential for both sysadmins and developers. The book “SSH Mastery” (2nd ed) talks about OpenSSH server, clients, encryption, public/private keys, VPNs and other security-related network-level utilities based on the Secure Shell SSH protocol.
FreeBSD includes software from the OpenSSL Project for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. OpenSSL has multiple vulnerabilities on a FreeBSD. Currently, no workaround is available. You need to update OpenSSL on FreeBSD version 10.x and 11.x.
I recently setup a small server which is running Debian 9. The purpose of this machine is to run OpenVPN server on port 443 to bypass censorship. It runs the following services and nothing else:
- Squid on private IP belongs to VPN pool (10.8.0.1:3128)
- SSH on private IP belongs to VPN pool (10.8.0.1:22)
- DNS resolver on private IP belongs to VPN pool (10.8.0.1:53)
- OpneVPN on public IP port 443 (server_public_ip_address:443)
There is a serious vulnerability in sudo command that grants root access to anyone with a shell account. It works on SELinux enabled systems such as CentOS/RHEL and others too. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. Patch your system as soon as possible.
HandBrake is an open-source and free transcoder for digital video files. It makes ripping a film from a DVD to a data storage device such as NAS boxes easier. HandBrake works Linux, macOS, and Windows. A Recent version of Handbrake for Mac and possibly other downloads at the same site infected with malware. If you have downloaded HandBrake on Mac between 2/May/2017 and 06/May/2017, you need to delete the file ASAP. HandBrake infected with a new variant of OSX.PROTON malware.
The SSH (“Secure Shell”) protocol is a method for secure remote login from one system to another. Sysadmins and users use a secure channel over an unsecured network in a client-server architecture format for connecting an SSH client with an SSH server. Security ssh server is an important task. There is a tool called ssh_scan from Mozilla which act as a prototype SSH configuration and policy scanner for your SSHD.
For some weird reason, I can not get my OpenVPN server to come up at boot time using systemd on an Ubuntu Linux 16.04 LTS server. I have tried a few settings but failed so far.
Entropy is nothing but the measure of “randomness” in a sequence of bits. The PRNG ( pseudorandom number generator ) is a special device (e.g. /dev/random on Linux) to create randomness from server hardware activities. It uses interrupts generated from the keyboard, hard disk, mouse, network and other sources. The random number generator gathers environmental noise from device drivers and other sources into an entropy pool. The randomness usually used for security purposes like creating TLS/SSL keys and the quality source of random bits is critical. For example, OpenSSL APIs can use quality randomness to make your program cryptographically secure. However, a poor source of randomness could result in loss of security. In this post, I will cover haveged and rng-utils/rng-tools to generate random numbers and feed linux random device for your virtual or dedicated Linux server.