
Linux and Security Blog
Thoughts from Time to Time on Linux and Security
I have written a number of courses for Learning Tree International, a training company, in the areas of Linux, networking, and cybersecurity. I have written a course on Linux servers which is still running. Other courses I have written for them have been retired, as they could no longer make enough sales. I suspect this is because those courses were too advanced for their primary market, U.S. government employees and contractors in the Washington, D.C. area. Those courses were in Linux network services, Linux/UNIX security, and Linux/UNIX troubleshooting and performance tuning.
They more recently asked me to develop a course on cloud security, and after I completed that, to write a weekly blog for them. In 2014, that started to shift to content about Linux and security in general. Here are links to the blog postings I have written. I have listed them here by month, with each month's essays in order (more or less, to keep some multi-part series together).
December 2015
How My Phone Became My Door Key
Hotels are starting to use Bluetooth communication with your smart phone in place of keys. Here's my first experience with that, in a Hilton near BWI airport outside Baltimore.
Selecting anEncryption
Cipher
and Mode
Keeping Secrets: Select a Cipher Keeping Secrets: Setting a Cipher Mode
These two are more fully described here.
How Many Linux Systems Do You Use? Don't Answer Too Quickly
Linux is embedded in Blu-ray players, utility meters, cable and DSL modems, airline seatback entertainment systems, and many more systems you interact with daily.
November 2015
Software-Defined Networking Runs Large Data Centers
Fundamentals of Software-Defined Networking. The SDN controller is the heart of it. An orchestration engine communicates with it via what's called the northbound traffic, defining and modifying traffic flows. The controller then communicates over the southbound traffic with the Layer 2-4 switching infrastructure. OpenDaylight is the most obvious SDN controller project, Floodlight is another. OpenFlow is the open, vendor-neutral, standard protocol for the southbound control traffic. But SDN is very much a work in progress.
Virtualization for Compartmentalization
Management is usually interested in virtualization for purely economic reasons. But the range of virtualization choices provides a range of compartmentalization. With full system virtualization you have entirely separate PID space, UID/GID space, and file systems, and you are running a separate kernel. Crash or subvert the kernel within the VM and that's as far as you get.
Think very carefully about what compiler optimization really does: When you ask for optimization, the kernel transforms the source code you provided into something slightly different. It will unroll loops, convert if-then-else logic, attempt to optimize branch prediction, and make other changes. Some of these, especially the conversion of logical structure, bring risks. The Linux kernel, Postgres database, Chromium browser, Python interpreter, and other major software projects contain optimization-unstable code.
Here's Why You Never Ignore Root's Mail
Jobs scheduled through cron
send their output
to their owner.
If you don't look at this, you probably don't really know
whether your automated jobs are running correctly or not.
Are you really making backups?
Or are you generated carefully labeled blank media?
Here's how to get mail sent to root
sent
to a responsible human.
October 2015
Don't Fall Behind — Learn About UEFI
A surprising number of people don't realize that BIOS firmware was replaced by UEFI several years ago. Here's how to enable UEFI emulation in VMware so you can compare UEFI and Secure Boot to "BIOS compatability mode."
How to Set Up LVM Physical Volumes
A disk is a physical volume, while a physical volume can be an entire disk or a partition of a disk. Should you make one partition that spans the entire disk? That only seems to solve a very dangerous problem you shouldn't have in the first place!
What Does The Recent SHA-1 Attack Mean For You And Your Organization?
Some top cryptographers recently announced a significant step toward breaking the SHA-1 hash algorithm. They can discover freestart collisions in SHA-1 in 45–78 days and US$ 75,000–120,000 using Amazon's cloud service. Make sure your servers have no SHA-1 certificates, and configure your browsers not to trust them.
LVM and RAID are both storage systems distributed across several physical disks. But they provide very difference benefits and drawbacks! LVM actually makes reliability worse, and it doesn't guarantee any performance benefits. When Btrfs comes into production systems, LVM and software RAID will be unneeded.
September 2015
What Is Post-Quantum Cryptography And What Does It Mean For Us?
NSA released a surprising announcement telling government and industry to give up on transitioning to ECC (or Elliptic Curve Cryptography) and instead concentrate on what they call post-quantum cryptography or quantum-safe cryptography. What is that about?
More Unexpected Applications of grep
Quentin Tarantino said "I steal from everything.
Great artists steal, they don't do homages."
He stole that from Pablo Picasso, who said
"When there's anything to steal, I steal,"
and "Good artists copy, great artists steal."
Here's a very elegant use of the grep
command
that I learned by seeing it casually used in some blog's
comments.
Not all network services will be found by the very
versatile lsof
command, as it can only list
network sockets in use by processes.
Kernel sockets, as with NFS, won't show up.
Here's how to find them.
Avoid Fragmentation: Newer is Better
Storage I/O is almost certainly your performance bottleneck, unless you are doing large scientific computations. Here's how to improve performance with updated hardware and newer file system data structures. You may get a big improvement by simply backing up and restoring into a freshly created file system.
August 2015
LinuxVirtualization
Commands
Linux Virtualization Provides Many Powerful Choices Linux Virtualization Part 2: Package and Ship Your Linux Applications with Containers and Docker Linux Virtualization Part 3: Multiple Operating Systems, Foreign Hardware Linux Virtualization Part 4: Manage, Monitor, and Control Your Virtual Machines with libvirt
Linux virtualization, from chroot
through
LXC or Linux Containers, Docker, QEMU/KVM, and controlling
and monitoring it all with libvirt
command-line
and graphical tools.
July 2015
Linux Virtual Memory: Do We Need a Swap Area?
Habit and urban legends can get in the way. Virtual memory and swap area on Linux is a prime example. Your processes should fit into RAM, you take a huge performance hit when memory pages are moved from DRAM, some of the fastest components in the system, to rotating disks, the slowest.
Two Reasons the vim
Text Editor Really
Is vi
Improved!
You absolutely must be able to use the vi
editor
to do UNIX-family system administration work.
But vim
or "vi
improved" is the
version to use!
It highlights syntax, automatically completes file names,
and more.
It used to be that if you installed the appropriate package,
you got it when you simply typed "vi
".
No more, explicitly ask for vim
.
Can You Withstand a Distributed Denial-of-Service (DDOS) Attack?
Uh, no, not all of them. You can do some things to make a server more resilient, but floods of hundreds of gigabits per second will take down your network providers.
Red Hat's NetworkManager and Firewall Daemon — Nice Ideas, But Not For My Server
They came out of the Fedora project, and while they're
nice for portable personal systems, they don't make sense
for a server or really any system that stays plugged into
a stable network.
Do this:
# systemctl stop NetworkManager firewalld
# systemctl disable NetworkManager firewalld
June 2015
The Smorgasbord of Linux File Systems, Part One: The Extended Family
The Ext — Ext2 — Ext3 — Ext4 evolution, and the benefit of journaling.
Linux File Systems Part Two: The XFS File System
On to XFS, the default for many distributions starting in 2014.
Linux File Systems: Heading Toward Btrfs
The Btrfs file system is where Linux is headed, and it seems to me that Oracle is counting on it to replace ZFS. It includes RAID and LVM, and supports online defragmentation, consistency checking, and repair. Transparent compression is supported and encryption at the file system layer is under development. Snapshots allow for backups and checking with no downtime. And it has huge capacity and excellent performance.
Would Encryption Alone Have Prevented the U.S. Office of Personnel Management Hack?
A requested blog topic. Encryption alone would not have prevented the OPM hack, at least not according to what little we've been told so far. Encryption is very likely necessary for security (unless all employees are absolutely trusted and your system is not connected to the Internet). But it is not sufficient on its own.
May 2015
How ErsatzPasswords Hide the Real Passwords and Detect Attacks
Discussion of a technique to frustrate password cracking and detect attempted attacks. The researchers' page is here.
RHEL 7 Changes: Where Did My Network Interface Go? RHEL 7 New Features: Linux Network Commands With Iproute2 RHEL 7 Changes: Samba 4 Changes
RHEL / CentOS 6–7–8–9migration
These three topics are discussed in more detail on my RHEL/CentOS migration page.
April 2015
How to Highlight Data with grep
A simple, easy way to highlight patterns within files or command output.
How Can Linux Logical Volume Management (LVM) Help You?
LVM terminology and concepts, then why logical volumes make it easy to expand file systems and take snapshots for backup and consistency checking.
How To Use Linux Containers (LXC) With LVM
Logical volume management (or LVM) nicely supports Linux containers (or LXC). They're easy to grow, and you can use several logical volumes within one volume group to compartmentalize the data.
How to Prepare For The CompTIA Security+ Exam
CompTIA Security+Test Prep
A lightweight overview of what's detailed on my CompTIA Security+ Test Prep page.
March 2015
How to Log Events and Maintain Compliance with journald, the New Linux System Event Log — Part 1: Configuring the Daemon How to Log Events and Maintain Compliance with journald, the New Linux System Event Log — Part 2: How to Extract Journal Entries
How to set up the Linux journal daemon, and how to make queries. You can easily do things that would require complex processing with Rsyslog log files.
How to Transition from init
to systemd:
Getting Started
How to Transition from init
to systemd:
Controlling Services
These are overviews. For more details on systemd see How Linux Boots.
February 2015
How to Protect your GNU C Library from the Linux Ghost Bug
The GNU standard C/C++ library glibc had a bug added way back in the year 2000 which was only discovered recently. It wasn't seen as a security issue, so some major Linux distributions shipped with the vulnerable version. Here's how to tell if your server is susceptible, and if so, how to fix it.
How to Make the vi Editor Even More Powerful and Friendly
It's the standard editor for the UNIX family of operating
systems, you must be able to use vi
in order to
do system administration work.
Here's how to customize it to make it more friendly and useful.
How To Customize Your Linux Interface — Part 1 How To Customize Your Linux Interface — Part 2
Customize YourKeyboard and Mouse
Here's how to remap your keyboard and mouse buttons, These are short and simplified, see the detailed page for more on this, plus dealing with Synaptics touchpads and configuring the KDM display manager.
January 2015
How Does Linux Boot? There's More To It Than You Might Expect How Does Linux Boot? Part 2: UEFI Is The New Firmware How Does Linux Boot? Part 3: UEFI to Shim to the Next Link in the Chain How Does Linux Boot? Part 4: Rescuing a System with the Grand Unified Boot Loader How Does Linux Boot? Part 5: The Kernel Starts The First Process How Does Linux Boot? Part 6: Replacing init With systemd — What You Need to Know
How Linux BootsThese six blog essays are very lightweight samples of the content in my detailed page explaining How Linux Boots. See that page for the real story!
☚ Older blog entries Newer blog entries ☛