The Stack Clash
As anticipated in public comments, the Linux Foundation is already beginning a campaign to rewrite history and mislead Linux users. Their latest PR release can be found at: https://www.linux.com/news/greg-kh-update-linux-kernel-46-next-week-new-security-features, which I encourage you to read so you can see the spin and misleading (and just plain factually incorrect) information presented. If you've read any of our blog posts before or are familiar with our work, you'll know we always say "the details matter" and are very careful not to exaggerate claims about features beyond their realistic security expectations (see for instance our discussion of access control systems in the grsecurity wiki). In a few weeks I will be keynoting at the SSTIC conference in France, where a theme of my keynote involves how little critical thinking occurs in this industry and how that results in companies and users making poor security decisions. So let's take a critical eye to this latest PR spin and actually educate about the "security improvements" to Linux 4.6.
Part of the iproute2 command suite, ip neighbor provides a command line interface to display the neighbor table (ARP cache), insert permanent entries, remove specific entries and remove a large number of entries. For peculiarities and commonalities of the iproute2 tools, refer to Section H.2, “Some general remarks about iproute2 tools”.
The more commonly used analog to ip neighbor show, arp -n displays the ARP cache in a possibly more recognizable format.
Packet-journey (pktj) lets network operators build software routers that are easy to configure and able to scale. To do so, the application relies on DPDK libraries and drivers and uses native Linux kernel features, bridging fast-forwarding and flexible software routing.
« I see security as being more of a nuisance for the upstream kernel
developers. It's understandable, if someone makes a mistake, it can be
embarrassing, particularly when it gets into the news or has some
important impact. It also lessens the image of Linux as being an
enterprise-ready OS if someone can write up an exploit to take over the
entire system in a matter of hours in some cases. »
See also:
Grsecurity Developer Spender's Feelings on the State of Linux Security
https://news.ycombinator.com/item?id=10518480
Kernel Self Protection Project
http://openwall.com/lists/kernel-hardening/2015/11/05/1
« I'm organizing a community of people to work on the various kernel
self-protection technologies (most of which are found in PaX and
Grsecurity). I'm building on the presentation I gave at Kernel Summit
where I sought to convince the other upstream Linux kernel developers
that security is more than fixing bugs, and that we need to bring in
proactive defenses:
http://lwn.net/Articles/662219/
This is especially highlighted by the Washington Post article today:
The kernel of the argument
Fast, flexible and free, Linux is taking over the online world. But there is growing unease about security weaknesses.
http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/
Between the companies that recognize the critical nature of this work,
and with Linux Foundation's Core Infrastructure Initiative happy to
start funding specific work in this area, I think we can really make a
dent.
Let's start the work. I've built some wiki pages around my slides,
where we can take notes, list examples, and coordinate:
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf
RouteFlow is an open source project to provide virtualized IP routing services over OpenFlow enabled hardware.
A typical RouteFlow use scenario is composed of an OpenFlow controller application (RFProxy), an independent RouteFlow server (RFServer), and a virtual network environment that reproduces the connectivity of a physical infrastructure and runs IP routing engines (e.g. Quagga).
The routing engines generate the forwarding information base (FIB) into the Linux routing tables according to the configured routing protocols (e.g., OSPF, BGP). In turn, the Linux IP and ARP tables are collected by RouteFlow client (RFClient) processes and then translated into OpenFlow tuples that are finally installed in the associated OpenFlow-enabled devices in the forwarding plane.
For over 5 years, and perhaps even longer, servers around the world running Linux and BSD operating systems have been targeted by an individual or group that compromised them via a backdoor Trojan, then made them send out spam, ESET researchers have found. || ArsTechnica: http://arstechnica.com/security/2015/04/30/spam-blasting-malware-infects-thousands-of-linux-and-freebsd-servers/ || Whitepaper http://www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf
Today, free software is a genuine alternative and lets any young African prototype an SMS application using free technologies, on a decentralized infrastructure that they could set up at home.
As discussed in a previous post, multi-factor authentication really makes things more secure. Let’s see how we can secure services like SSH and the Gnome desktop with multi-factor authentication.
The Google Authenticator project provides a PAM module that can be integrated with your Linux server or desktop. This PAM module is designed for home and other small environments. There is no central management of keys, and the configuration is saved in each user's home folder. I’ve successfully deployed this on my home server (a Raspberry Pi) and on my work laptop.
It is with sorrow and regret that I have decided to suspend, for an indefinite period, all download links for siproxd_orange, as well as access to its BitBucket repository.
I am in fact being pressured by Orange to stop developing and distributing siproxd_orange. After consulting several people, including a lawyer specializing in copyright law, I judged it more prudent to stop distributing this project.
First of all, I want to thank everyone who showed interest in siproxd_orange, whether by downloading it, posting links to this blog on other sites, commenting on the many posts on the subject, or reporting bugs. But I also want to add that this in no way means the end of the adventure.
stresslinux is a minimal Linux distribution running from a bootable CD-ROM, USB, VMware or via PXE (wip). stresslinux makes use of some utilities available on the net, such as stress, cpuburn, hddtemp, lm_sensors ... stresslinux is dedicated to users who want to test their system(s) entirely under high load while monitoring their health.
100Gb network adapters are coming, said Jesper Brouer in his talk at the LCA 2015 kernel miniconference (slides [PDF]). Driving such adapters at their full wire speed is going to be a significant challenge for the Linux kernel; meeting that challenge is the subject of his current and future work. The good news is that Linux networking has gotten quite a bit faster as a result — even if there are still problems to be solved.
We often find ourselves running applications we received in binary format. These include not only traditional software installed on our computers, but also unauthenticated programs received over the network and run in web browsers. Most of the time these applications are too complex to be bug-free, or can come from an adversary trying to get access to our system.
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux namespaces, a virtualization technology available in the Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table and IPC space.
Awk is a tiny programming language and a command line tool. It's particularly appropriate for log parsing on servers, mostly because Awk will operate on files, usually structured in lines of human-readable text.
I say it's useful on servers because log files, dump files, or whatever text format servers end up dumping to disk will tend to grow large, and you'll have many of them per server. If you ever get into the situation where you have to analyze gigabytes of files from 50 different servers without tools like Splunk or its equivalents, it would feel fairly bad to have to download all these files locally to then drive some forensics on them.
This personally happens to me when some Erlang nodes tend to die and leave a crash dump of 700MB to 4GB behind, or on smaller individual servers (say a VPS) where I need to quickly go through logs, looking for a common pattern.
In any case, Awk does more than finding data (otherwise, grep or ack would be enough) — it also lets you process the data and transform it.
At the end of September 2014, a new threat for the Linux operating system dubbed XOR.DDoS, forming a botnet for distributed denial-of-service attacks, was reported by the MalwareMustDie! group. The post mentioned the initial intrusion via SSH connection, static properties of the related Linux executable and the encryption methods used. Later, we realized that the installation process is customized to a victim’s Linux environment for the sake of running an additional rootkit component. In this blog post, we will describe the installation steps, the rootkit itself, and the communication protocol for getting attack commands.
So, are you curious about how the system call interface works in Linux? Do you want to learn how to trace system calls and what useful things you can do by tracing them? Are you curious which system calls are worth watching and why? || cheatsheet http://www.digilife.be/quickreferences/qrc/linux%20system%20call%20quick%20reference.pdf
The USB Armory is a full-blown computer (800MHz ARM® processor, 512MB RAM) in a tiny form factor (65mm x 19mm x 6mm USB stick) designed from the ground up with information security applications in mind. Not only does the USB Armory have native support for many Linux distributions, it also has a completely open hardware design and a breakout prototyping header, making it a great platform on which to build other hardware.
Who are you?!
We are Veteran Unix Admins and we are concerned about what is happening to Debian GNU/Linux to the point of considering a fork of the project.
And why would you do that?
Some of us are upstream developers, some professional sysadmins: we are all concerned peers interacting with Debian and derivatives on a daily basis.
We don't want to be forced to use systemd as a substitute for the traditional UNIX sysvinit init, because systemd betrays the UNIX philosophy.
We contemplate adopting more recent alternatives to sysvinit, but not those undermining the basic design principles of "do one thing and do it well" with a complex collection of dozens of tightly coupled binaries and opaque logs.
So, there was a lot of fuss about a recent talk by Karsten Nohl et al. at BlackHat about the insecurity of current USB implementations (on the computer side), which happily load drivers for all kinds of devices as soon as a (potentially malicious) USB stick is connected.
https://www.kernel.org/doc/Documentation/usb/authorization.txt
https://www.kernel.org/doc/Documentation/ABI/stable/sysfs-bus-usb
VPNDemon monitors your VPN connection and kills a target program upon disconnect. It's the safest and easiest way to help prevent DNS leaks and enhance your security while connected over a VPN.