To improve system security, you can protect console access by limiting the root user to certain terminals. You do this by listing the terminals the superuser may use in the
It is recommended, though not required, to allow the superuser to log in from only one terminal, leaving the rest for other users.
Password age reminders
Today a complex password is an absolute necessity, but it is even better when passwords are changed regularly. That is easy to forget, so it is worth having the system remind users about the age of their password and about when it must be changed.
We offer two ways to organize such reminders. The first is the chage command, the second is to set the default values in /etc/login.defs. The chage command looks like this:
$ chage -M 20 likegeeks
Here we use the -M key to set the maximum number of days the password remains valid.
You can also run the command without keys; it will then prompt you for each value:
$ chage likegeeks
The second way is to modify the /etc/login.defs file. Here is an example of how the values of interest might look; change them to suit your needs:
PASS_MAX_DAYS 10
PASS_MIN_DAYS 0
PASS_WARN_AGE 3
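Here is an added example (not part of the original article) that turns the aging data above into a check: it reads shadow(5) entries, applies each account's own maximum age or the PASS_MAX_DAYS fallback, and flags passwords that are past it. It runs on constructed entries with placeholder hashes; the account names and day numbers are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: report accounts whose password
# is older than its maximum age, from shadow(5) fields, which is the data that
# `chage -M` edits and PASS_MAX_DAYS seeds. It runs offline on constructed
# entries; on a real CentOS 7 host feed it `sudo cat /etc/shadow` instead.

# Days since 1970-01-01, the unit of the shadow "last change" field (field 3).
# Live use: sudo cat /etc/shadow | password_age_report "$(today_days)" 10
today_days() { echo $(( $(date +%s) / 86400 )); }

# stdin: shadow lines  name:hash:lastchg:min:max:warn:inactive:expire
# $1: "today" in days   $2: fallback max age (PASS_MAX_DAYS) when field 5 is empty
# Prints "name age max status" for every account that has a usable password.
password_age_report() {
    awk -F: -v today="$1" -v defmax="$2" '
        $2 == "" || $2 ~ /^[!*]/ { next }         # locked or passwordless account
        {
            max = ($5 == "" ? defmax : $5)
            age = today - $3
            status = "ok"
            if ($3 == 0) status = "must-change"   # lastchg 0 forces a change at login
            else if (max != 99999 && age > max) status = "EXPIRED"
            print $1, age, max, status
        }'
}

# Only the accounts that need attention: EXPIRED or must-change.
stale_accounts() { password_age_report "$@" | awk '$4 != "ok" { print $1 }'; }

# Constructed sample; hashes are placeholders and the day numbers are chosen
# relative to TODAY below, so the results do not depend on the real date.
TODAY=19700
sample_shadow() {
    cat <<'EOF'
root:$6$placeholderhash:19650:0:99999:7:::
likegeeks:$6$placeholderhash:19670:0:20:7:::
alice:$6$placeholderhash:19695:0::3:::
bob:!!:19000:0:99999:7:::
carol:$6$placeholderhash:0:0:10:3:::
EOF
}

echo "account age max status"
sample_shadow | password_age_report "$TODAY" 10
echo "needing attention: $(sample_shadow | stale_accounts "$TODAY" 10 | tr '\n' ' ')"
```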
Remember that if you are the administrator, you should encourage users to choose complex passwords. You can enforce this with pam_cracklib.
After installing this module, open /etc/pam.d/system-auth and add a line like this:
password required pam_cracklib.so minlen=12 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1
The sudo command, on the one hand, makes life easier, and on the other can cause Linux security problems with irreparable consequences. The sudo settings are stored in the /etc/sudoers file. With this file you can prevent ordinary users from running certain commands as the superuser. In addition, you can have sudo send an email whenever it is used by adding the following to that file:
You also need to set the
mail_always property to
When we talk about Linux security, we must not forget the SSH service. SSH is an important system service: it allows you to connect to the system remotely, and sometimes it is the only way to save the situation when something goes wrong, so we are not talking about disabling SSH here.
Here we use CentOS 7, so the SSH configuration file is /etc/ssh/sshd_config. Scanners and bots used by attackers try to connect to SSH on the default port 22.
It is common practice to change the standard SSH port to another, unused port, for example 5555. The port is changed by specifying the desired port number in the configuration file. For example, this:
In addition, you can limit the SSH login for the root user by changing the value of the
And, of course, it is necessary to disable authentication using a password and use public and private keys instead:
PasswordAuthentication no
PermitEmptyPasswords no
Now let's talk about SSH timeouts, which are controlled by the keepalive parameters. For example, the following client-side settings (they belong in the SSH client configuration, ssh_config) make the client send a keepalive packet every 15 seconds and give up after 3 unanswered ones:
ServerAliveInterval 15
ServerAliveCountMax 3
TCPKeepAlive yes
The matching server-side parameters in sshd_config let you keep idle connections open longer:
ClientAliveInterval 30
ClientAliveCountMax 5
You can specify which users are allowed to use SSH:
AllowUsers user1 user2
Permissions can also be assigned at the group level:
AllowGroups group1 group2
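As an added example, not from the original article, the following script audits an sshd_config against the settings above, applying sshd's first-occurrence rule for repeated keywords; the sample file it checks is constructed, and the expected port 5555 follows the text.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config for the
# hardening directives the article recommends. It runs offline on a constructed
# sample file; pass /etc/ssh/sshd_config as the argument for a real check.
# Effective value of a keyword. sshd applies the FIRST occurrence of a keyword,
# matches keywords case-insensitively, and never reads commented-out lines.
sshd_value() { # $1 = config file, $2 = keyword
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Compare one keyword with its expected value; returns 1 on mismatch.
check_directive() { # $1 = config file, $2 = keyword, $3 = expected value
    actual=$(sshd_value "$1" "$2")
    [ "$actual" = "$3" ] && { echo "PASS $2 = $actual"; return 0; }
    echo "FAIL $2 = '${actual:-<unset, sshd default applies>}' (expected $3)"
    return 1
}

# Run every check from the article; the return code is the number of failures.
audit_sshd_config() { # $1 = config file
    failures=0
    check_directive "$1" Port 5555 || failures=$((failures + 1))
    check_directive "$1" PermitRootLogin no || failures=$((failures + 1))
    check_directive "$1" PasswordAuthentication no || failures=$((failures + 1))
    check_directive "$1" PermitEmptyPasswords no || failures=$((failures + 1))
    # Any AllowUsers or AllowGroups list counts as a login restriction.
    if [ -z "$(sshd_value "$1" AllowUsers)$(sshd_value "$1" AllowGroups)" ]; then
        echo "FAIL no AllowUsers/AllowGroups restriction"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Constructed sample: a stock config that an admin "hardened" by appending lines.
make_sample_config() { # $1 = path to write
    cat > "$1" <<'EOF'
#Port 22
Port 5555
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
# Appended later: silently ignored, because the first value above wins.
PasswordAuthentication no
EOF
}

SAMPLE="${TMPDIR:-/tmp}/sshd_config.sample.$$"
make_sample_config "$SAMPLE"
rc=0; audit_sshd_config "$SAMPLE" || rc=$?
echo "failures: $rc"   # 3: PermitRootLogin, PasswordAuthentication, no AllowUsers
rm -f "$SAMPLE"
```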
Secure SSH using Google Authenticator
For even more reliable protection of SSH, you can use two-factor authentication, for example, using Google Authenticator. To do this, you first need to install the appropriate program:
$ yum install google-authenticator
Then run it to test the installation:
It also requires that the Google Authenticator application is installed on your phone.
auth required pam_google_authenticator.so
Now all that's left is to tell SSH about this by adding the following line to the
Now restart SSH:
$ systemctl restart sshd
When you log in over SSH, you will now be asked for a verification code as well. As a result, SSH access to your system is much better protected than before.
Monitoring the file system with Tripwire
Tripwire is a great tool for improving Linux security. It is a host-based intrusion detection system (HIDS).
The task of Tripwire is to monitor actions with the file system, monitor who changes files, and when these changes occur.
In order to install Tripwire, you need access to the EPEL repository. This task is not difficult, you can solve it by the following commands:
$ wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-9.noarch.rpm
$ rpm -ivh epel-release-7-9.noarch.rpm
After installing the EPEL repository, you can also install Tripwire:
$ sudo yum install tripwire
Now create a key file:
You will be asked to enter a strong password for the key file. After that, you can configure Tripwire by editing the file /etc/tripwire/twpol.txt. Working with this file is not difficult, because each line carries a meaningful comment.
When the program setup is complete, initialize it:
$ tripwire --init
The initialization, during which the system is scanned, will take some time, depending on the size of your files.
Any modification of the protected files is regarded as an intrusion; the administrator is notified and must restore the system from files whose origin is beyond doubt.
For this reason, legitimate changes to the system must be confirmed with Tripwire. To do this, run the following check:
$ tripwire --check
And here is another recommendation regarding Tripwire: protect its configuration files, twpol.txt and twcfg.txt. This will increase the security of the system.
Tripwire has many parameters and settings; see its built-in help for details.
Firewalld is a replacement for iptables that improves Linux network security. Firewalld lets you change settings without interrupting current connections. The firewall works as a service that allows rules to be added and changed without a restart, and it uses network zones.
To find out whether firewalld is currently running, enter the following command:
$ firewall-cmd --state
You can view predefined network zones as follows:
$ firewall-cmd --get-zones
Each of these zones has a certain level of trust. You can change the default zone as follows:
$ firewall-cmd --set-default-zone=<new-name>
You can get detailed information about a specific zone as follows:
$ firewall-cmd --zone=<zone-name> --list-all
To see a list of all supported services, use the following command:
$ firewall-cmd --get-services
Then you can add new services to the zone or remove existing ones:
$ firewall-cmd --zone=<zone-name> --add-service=<service-name>
$ firewall-cmd --zone=<zone-name> --remove-service=<service-name>
You can display information about all open ports in any zone:
$ firewall-cmd --zone=<zone-name> --list-ports
Add ports to the zone and remove them from it like this:
$ firewall-cmd --zone=<zone-name> --add-port=<port-number/protocol>
$ firewall-cmd --zone=<zone-name> --remove-port=<port-number/protocol>
You can also configure port forwarding (the forward-port option takes the source port, the protocol and the destination port):
$ firewall-cmd --zone=<zone-name> --add-forward-port=port=<port-number>:proto=<protocol>:toport=<port-number>
$ firewall-cmd --zone=<zone-name> --remove-forward-port=port=<port-number>:proto=<protocol>:toport=<port-number>
Firewalld is a very advanced tool. The most remarkable thing about it is that it keeps working normally while settings are being changed, without restarts or service stops. This distinguishes it from the iptables tool, which requires a service restart in similar situations.
Switching from firewalld to iptables
Some prefer the iptables firewall to firewalld. If you use firewalld but want to go back to iptables, it is pretty simple.
$ systemctl disable firewalld
$ systemctl stop firewalld
$ yum install iptables-services
$ touch /etc/sysconfig/iptables
$ touch /etc/sysconfig/ip6tables
Now you can start and enable the iptables services:
$ systemctl start iptables
$ systemctl start ip6tables
$ systemctl enable iptables
$ systemctl enable ip6tables
After all this, restart the computer.
Restriction of compilers
An attacker can compile an exploit on their own computer and upload it to the server of interest, so in that scenario the presence of compilers on the server plays no role. Even so, it is better to restrict compilers if you do not need them for your work, which is the case with most modern server management systems.
First, list all the binary compiler files from the packages, and then set the permissions for them:
$ rpm -q --filesbypkg gcc | grep 'bin'
Create a new group:
$ groupadd compilerGroup
Then change the group of binary compiler files:
$ chown root:compilerGroup /usr/bin/gcc
And one more important thing. You need to change the permissions of these binary files:
$ chmod 0750 /usr/bin/gcc
Now any user outside that group who tries to run gcc will receive an error message.
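The article applies the restriction to /usr/bin/gcc only; the following added example (not the article's own code) generalizes it to every executable in the package listing and verifies the resulting mode. The rpm output it parses is a constructed stand-in, and the files live under a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original article: restrict every compiler binary
# that `rpm -q --filesbypkg` lists, not only /usr/bin/gcc, and verify the result.
# It runs offline: a constructed package listing is applied to throw-away files
# under a scratch directory, and chown is only printed unless APPLY_CHOWN=1,
# because it needs root and an existing compilerGroup.

# Pick the executables out of `rpm -q --filesbypkg <pkg>` output. Each line is
# "<package>   <path>"; unlike `grep bin`, only files in a bin directory match.
compiler_binaries() { awk '$2 ~ /\/bin\// { print $2 }'; }

# The article's restriction: root:<group> ownership and mode 0750, so only root
# and members of the group can run the file.
restrict_binary() { # $1 = path, $2 = group
    [ -f "$1" ] || { echo "skip $1: not a regular file"; return 1; }
    if [ "${APPLY_CHOWN:-0}" = 1 ]; then chown "root:$2" "$1" || return 1
    else echo "would run: chown root:$2 $1"; fi
    chmod 0750 "$1"
}

# Octal mode of a file (GNU stat, as shipped on CentOS 7).
mode_of() { stat -c %a "$1"; }

# Constructed stand-in for `rpm -q --filesbypkg gcc` output, with paths moved
# under the scratch root $1 so that the demo never touches the real /usr/bin.
sample_listing() {
    cat <<EOF
gcc                       $1/usr/bin/gcc
gcc                       $1/usr/bin/cc
gcc                       $1/usr/bin/gcov
gcc                       $1/usr/share/doc/gcc/README
EOF
}

# Create world-executable (0755) placeholder files for every listed path.
setup_demo() { # $1 = scratch root (no spaces assumed)
    mkdir -p "$1/usr/bin" "$1/usr/share/doc/gcc"
    for f in $(sample_listing "$1" | awk '{ print $2 }'); do
        printf '#!/bin/sh\n' > "$f"; chmod 0755 "$f"
    done
}

ROOT="${TMPDIR:-/tmp}/compiler_demo.$$"
setup_demo "$ROOT"
for f in $(sample_listing "$ROOT" | compiler_binaries); do
    restrict_binary "$f" compilerGroup && echo "$f is now mode $(mode_of "$f")"
done
echo "untouched: README mode $(mode_of "$ROOT/usr/share/doc/gcc/README")"
rm -rf "$ROOT"
```

Users who legitimately need the compilers are then added to the group with usermod -aG compilerGroup <user>.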
Preventing modification of files
Immutable files cannot be overwritten by any user, even one with root rights. Nobody can modify or delete such a file while the immutable flag is set, and only the root user can remove the flag.
It is easy to see that this feature protects you, as a superuser, from mistakes that could disrupt the system. Using this approach, you can protect configuration files or any other files you want.
To make a file immutable, use the chattr command:
$ chattr +i /myscript
The immutable attribute can be removed with this command:
$ chattr -i /myscript
In this way you can protect any files, but remember that if you have applied this to system binaries, you will not be able to update them until you remove the immutable flag.
Managing SELinux with aureport
Often the mandatory access control system SELinux turns out to be disabled by default. This does not affect the performance of the system, and working with SELinux is quite difficult. However, for the sake of security, SELinux can be enabled, and managing it can be simplified with the aureport utility, which builds reports from the audit log files. For example:
$ aureport --avc
The list of executable files can be displayed with the following command:
$ aureport -x
You can use
aureport to create a full authentication report:
$ aureport -au -i
You can also display information about unsuccessful authentication attempts:
$ aureport -au --summary -i --failed
Or, perhaps, a summary of successful authentication attempts:
$ aureport -au --summary -i --success
The aureport utility greatly simplifies working with SELinux.
Using sealert
In addition to aureport, you can use a good Linux security tool called sealert. You can install it like this:
$ yum install setroubleshoot-server
Now we have a tool that reads the alerts in /var/log/audit/audit.log and gives us more information about the problems detected by SELinux.
You can use it like this:
$ sealert -a /var/log/audit/audit.log
The most interesting thing here is that in alerts you can find tips on how to solve the relevant problems.
We hope these tips help you make your Linux installation safer. When it comes to protecting information, however, no set of measures lets you assume that nothing threatens you any more; anyone responsible for security must stay vigilant and careful.
Dear readers! Do you know any simple but not obvious ways to improve Linux security?