Security Leftovers

  • Hacking Team’s Leak Helped Researchers Hunt Down a Zero-Day

    The vulnerability, which Microsoft called “critical” in a patch released to customers on Tuesday, would allow an attacker to infect your system after getting you to visit a malicious website where the exploit resides—usually through a phishing email that tricks you into clicking on a malicious link. The attack works with all of the top browsers except Chrome—but only because Google removed support for the Silverlight plug-in in its Chrome browser in 2014.

    [...]

    In July 2015, a hacker known only as “Phineas Fisher” targeted the Italian surveillance firm Hacking Team and stole some 400 GB of the company’s data, including internal emails, which he dumped online. The hack exposed the company’s business practices, but it also revealed the business of zero-day sellers who were trying to market their exploits to Hacking Team. The controversial surveillance firm, which sells its software to law enforcement and intelligence agencies around the world—including to oppressive regimes like Sudan, Bahrain, and Saudi Arabia—uses zero-day exploits to help sneak its surveillance tools onto targeted systems.

  • Flexible, secure SSH with DNSSEC

    With version 6.2 of OpenSSH came a feature that allows the remote host to retrieve a public key in a customised way, instead of the typical authorized_keys file in the ~/.ssh/ directory. For example, you can gather the keys of a group of users that require access to a number of machines on a single server (for example, an LDAP server), and have all the hosts query that server when they need the public key of the user attempting to log in. This saves a lot of editing of authorized_keys files on each and every host. The downside is that it's necessary to trust the source these hosts retrieve public keys from. An LDAP server on a private network is probably trustworthy (when looked after properly) but for hosts running in the cloud, that’s not really practical.

More in Tux Machines

Back End/Databases: AgensGraph, Apache AGE, and Apache Kafka

  • PostgreSQL: Announcing the release of AgensGraph 2.5

    The AgensGraph Development Team are pleased to announce the release of AgensGraph v2.5. AgensGraph is a new generation multi-model graph database for the modern complex data environment. AgensGraph is a multi-model database, which supports the relational and graph data model at the same time that enables developers to integrate the legacy relational data model and the flexible graph data model in one database. AgensGraph supports ANSI-SQL and openCypher (http://www.opencypher.org). SQL queries and Cypher queries can be integrated into a single query in AgensGraph. AgensGraph is based on the powerful PostgreSQL RDBMS, and is very robust, fully-featured and ready for enterprise use. AgensGraph is optimized for handling complex connected graph data and provides plenty of powerful database features essential to the enterprise database environment including ACID transactions, multi-version concurrency control, stored procedure, triggers, constraints, sophisticated monitoring and a flexible data model (JSON). Moreover, AgensGraph leverages the rich eco-systems of PostgreSQL and can be extended with many outstanding external modules, like PostGIS. For more details please see the release notes.

  • PostgreSQL: Announcing the release of Apache AGE(incubating) 0.6.0

    Apache AGE(incubating) is a PostgreSQL extension that provides graph database functionality. AGE is an acronym for A Graph Extension, and is inspired by Bitnine's fork of PostgreSQL 10, AgensGraph, which is a multi-model database. The goal of the project is to create single storage that can handle both relational and graph model data so that users can use standard ANSI SQL along with openCypher, the Graph query language.

  • Apache Kafka 3.1 opens up data streaming for analytics

    Apache Kafka is continuing to build out its event data streaming technology platform as the open source project moves forward. Apache Kafka 3.1 became generally available on Jan. 24, providing users of the open source event streaming technology with a series of new features. Organizations use Kafka to enable real-time data streams that can be used for operations, business intelligence and data analytics. Kafka is developed by an open source community of developers that includes Confluent, an event streaming vendor that provides a commercial platform for Kafka, as well as Red Hat, which has a managed Kafka service. Gartner analyst Merv Adrian said he looks at Kafka as a data source that feeds a database. "More uses and users are moving upstream to engage with data in motion, before it comes to rest, and Kafka and its adjacent technologies are moving to capture share of that business," Adrian said.

OPNsense 22.1 released

For more than 7 years now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, fast adoption
of upstream software updates as well as clear and stable 2-Clause BSD
licensing.

22.1, nicknamed "Observant Owl", features the upgrade to FreeBSD 13,
switch to logging supporting RFC 5424 with severity filtering, improved
tunable sysctl value integration, faster boot sequence and interface
initiation and dynamic IPv6 host alias support amongst others.

On the flip side major operating system changes bear risk for regression
and feature removal, e.g. no longer supporting insecure cryptography in
the kernel for IPsec and switching the Realtek vendor driver back to its
FreeBSD counterpart which does not yet support the newer 2.5G models.
Circular logging support has also been removed.  Make sure to read the
known issues and limitations below before attempting to upgrade.

Download links, an installation guide[1] and the checksums for the images
can be found below as well.

today's howtos

  • How to configure Pure-FTPD on Ubuntu/Debian with Self Signed Certificate

    In this post, you will learn how to configure Pure-FTPD. Pure-FTPD is a free FTP server which mainly focuses on security. It can be set up really easily within five minutes and it does not take much time or effort to set up. Pure-FTPD offers many features like limiting simultaneous users, limiting bandwidth on each user to avoid saturation of the network speed, hiding files through permissions and moderating new uploads and content. In this tutorial we will see how to easily configure Pure-FTPD server with Self Signed Certificate. File Transfer Protocol (FTP) is a way to receive or transfer data from one server to another. It is a standard communication protocol that enables the transfer or receiving of data over network. In our case, we can use SFTP protocol for Linux servers to transfer files, but if we have to create an FTP server we can use Pure-FTPD.

  • How to create and use a Red Hat Satellite manifest

    In this multi-part tutorial, we cover how to provision RHEL VMs to a vSphere environment from Red Hat Satellite. Learn how to prepare the Satellite environment in this post.

  • How to install Redmine on Ubuntu 20.04 – NextGenTips

    In this tutorial, we are going to learn how to install Redmine on Ubuntu 20.04. Redmine is a free and open-source, web-based project management and issue tracking tool. It allows users to manage multiple projects and associated subprojects. It has project wikis and forums, time tracking, and role-based project controls.

  • How to Install Grafana on Rocky Linux

    Grafana is a free and open-source analytics and visualization tool. It's a multi-platform web-based application that provides customizable charts, graphs, and alerts for supported data sources. By default, Grafana supports multiple data sources like Prometheus, Graphite, InfluxDB, Elasticsearch, MySQL, PostgreSQL, Zabbix, etc. It allows you to create an interactive and beautiful dashboard for your application monitoring system. This tutorial will show you how to install Grafana with Nginx as a Reverse Proxy on the Rocky Linux system.

  • How to Install Lighttpd Web server on CentOS 8

    In this post, you will learn how to Install Lighttpd on CentOS 8. Lighttpd is an open-source, secure, fast, flexible, and more optimized web server designed for speed-critical environments with less memory utilization as compared to other web servers. It can handle up to 10,000 parallel connections in one server with effective CPU-load management. Also, it comes with an advanced feature set such as FastCGI, SCGI, Auth, Output-Compression, URL-Rewriting and many more. Lighttpd is an excellent solution for every Linux server, due to its high-speed io-infrastructure that allows us to scale several times better performance with the same hardware than with other alternative web-servers. In this article we will learn how to Install Lighttpd Web server on CentOS 8.

  • How to install flameshot on RHEL/CentOS using Snapcraft

    In this post, you will learn how to install Flameshot on RHEL / CentOS. Flameshot is a powerful open source screenshot and annotation tool for Linux. Flameshot has a varied set of markup tools available, which include Freehand drawing, Lines, Arrows, Boxes, Circles, Highlighting, Blur. Additionally, you can customize the color, size and/or thickness of many of these image annotation tools. Snap is a software packaging and deployment system developed by Canonical for operating systems that use the Linux kernel. The packages, called snaps, and the tool for using them, snapd, work across a range of Linux distributions and allow upstream software developers to distribute their applications directly to users. Snaps are self-contained applications running in a sandbox with mediated access to the host system.

  • How to Convert Ubuntu 20.04 In Zentyal Firewall

    Greeting for the day! We are going to convert Ubuntu 20.04 in Zentyal today. The Server is a very popular OS among Linux admins across the planet. Though Zentyal community edition comes as dedicated os too, I was just testing what if we convert running Ubuntu Machine to the server? The verdict was clear that Servers get ready much quicker in comparison to installing dedicated OS instead. Thought to create a write-up for the same. We have categorized the article into three parts. First, a brief introduction of the server and its features. Second, how to convert Ubuntu into the Server. The third part will be having a conclusion and other views regarding the scenario.

  • 5 ways to make your Ansible modules work faster | Enable Sysadmin

    Ansible is a powerful open source tool that helps you automate many of your IT infrastructure operations, from the smallest of tasks to the largest. Ansible has hundreds of modules to help you accomplish your configuration needs, both official and community-developed. When it comes to complex and lengthy workflows, though, you need to consider how to optimize the way you use these modules so you can speed up your playbooks. Previously, I wrote about making your Ansible playbooks run faster. Here are five ways I make my Ansible modules work faster for me.

  • 1 DNS server container Podman dirty easy

    Linux distributions. So, what is a DNS? A DNS server is a service that helps resolve a fully qualified domain name (FQDN) into an IP address and performs a reverse translation of an IP address to a user-friendly domain name. Why is name resolution important? Computers locate services on servers using IP. However, IPs are not as user-friendly as domain names. It would be a big headache to remember each IP address associated with every domain name. So instead, a DNS server steps in and helps resolve these domain names to computer IP addresses. The DNS system is a hierarchy of replicated database servers worldwide that begin with the “root servers” for the top-level domains (.com, .net, .org, etc.). The root servers point to the “authoritative” servers located in ISPs and large companies that turn the names into IP addresses. The process is known as “name resolution.” Using our www.business.com example, COM is the domain name, and WWW is the hostname. The domain name is the organization’s identity on the Web, and the hostname is the name of the Web server within that domain. Debian DNS server setup can be found the link.

  • Deploy a Kubernetes Cluster based on Calico and openSUSE Kubic – Hollow Man’s Blog

    openSUSE Kubic is a certified Kubernetes Distribution based on openSUSE MicroOS. Calico is an open-source project that can be used by Kubernetes to deploy a pod network to the cluster. In this blog, I will show you how to deploy a Kubernetes Cluster based on Calico and openSUSE Kubic by a Virtual Machine. We are going to deploy a cluster that has a master and a worker. I intended to use Oracle VM VirtualBox. However, it turned out that on my machine, when I tried to run kubeadm at openSUSE Kubic in VirtualBox, it always stuck at watchdog: BUG: soft lockup - CPU#? stuck for xxs! with CPU usage around 100%. As a result, I switched to VMware Workstation Pro and the issue got solved. Guess it’s caused by some bugs of VirtualBox.

  • Qemu backup on Debian Bullseye – Michael Ablassmeier – ..

    In my last article I showed how to use the new features included in Debian Bullseye to easily create backups of your libvirt managed domains. A few years ago, as this topic came to my interest, I also implemented a rather small utility (POC) to create full and incremental backups from standalone qemu processes: qmpbackup. The workflow for this is a little bit different from the approach I have taken with virtnbdbackup. While with libvirt managed virtual machines, the libvirt API provides all necessary API calls to create backups, a running qemu process only provides the QMP protocol socket to get things going.

Security Leftovers

  • Apple Releases Security Updates for Multiple Products

    An attacker could exploit some of these vulnerabilities to take control of an affected system.

  • Why Security in Kubernetes Isn't the Same as in Linux: Part 1 | MarketScreener

    The risks of a Kubernetes (K8s) deployment are actually the same as in traditional Linux servers.

  • Do you need pkexec and polkit on a WM? NO! CVE-2021-4034

    Thanks to Somewhat Reticent for being always on alert and contributing: Do you need pkexec and polkit on a WM? NO! CVE-2021-4034 Not unless you want some automated menu and icons to click on and use various user/root rights to execute a gui! Otherwise you are “safe“. Don’t think because RH is reporting this the only affected parties are RHEL users, anyone who uses their systemd elogind and polkit derivatives are equally affected. But gksu/gksudo was insecure and had to be erased from nearly every distro that is an IBM “client”.

  • Bug bounties: finding and fixing security holes with European Commission funds - The Document Foundation Blog

    Free and open source software (FOSS) is about much more than driving costs down, in some cases even down to zero – it’s about giving control back to users, developers and even nations. With FOSS, everyone gains the freedom to study, improve and share the software – and to use it whenever and wherever they want, without being restricted by vendor lock-in strategies. FOSS has been widely used amongst government bodies and public services, so thanks to the coordination of their recently formed Open Source Programme Office (OSPO), the European Commission has started a series of hackathon and “bug bounty” programmes to help selected projects find (and potentially fix) security issues.