Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 524
Alerts This Week
Warning Icon 1 524

Stay Ahead With Linux Security News

Filter%20icon Refine news
X Clear Filters
X Clear Filters
View More
View More
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security news

We found 9,995 articles for you...
77

Running Proxies Safely on Linux: A Hardening Guide for System Administrators

Proxies are a standard component of a Linux administrator's toolbox. You can use them to see how services respond in various locations, to run route monitoring checks, and to retrieve public data for internal tooling. However, a proxy is an outbound tunnel with credentials attached, and on a multi-user server, it is a security risk that should be treated with the same caution as SSH or sudo. This post explains the practical measures that prevent a proxy setup from becoming a weak point in an otherwise hardened host. . Keep credentials clear of places where they frequently leak. Don't put your credentials where they can be seen by anyone. Most of the time, something simple goes wrong: proxy credentials get hardcoded into a script, a systemd unit, or a cron job . This means that every user on the box can read them, and they will always be there in shell history and backups. As if they were any other secret. Keep them in a secrets manager or, at the very least, a file that is owned by root and has tight permissions. Add them to the program at runtime using environment variables that are set to the service user's scope, and never commit them to a repository. For fixed servers, IP allowlisting is better if your service supports it because it removes the password from the connection and only lets requests come from addresses that you have registered. Choose a provider whose sourcing you can defend On Linux, you are used to knowing exactly what your software does. Extend that instinct to your proxy vendor. Residential proxy networks route traffic through real consumer connections, and the reputable ones source those exits from consenting participants and document where their pools operate. Reputable providers are transparent about how their residential IP pools are sourced, where they operate, and the options they offer. They should also provide clear documentation and guidance on secure residential proxy use , so you understand how to deploy the service responsibly Isolate the proxypath from everything else Do not let one credential and one route serve every purpose. Give each job its own scoped account so a leak or a runaway is contained. Where possible, run proxy-using tools under a dedicated unprivileged service user with no login shell, so a compromise of the tool does not hand an attacker a general foothold. If a job only needs HTTPS, do not provision a SOCKS credential that can tunnel arbitrary TCP out of your network, because that is precisely the capability an intruder would love to find lying around. Watch DNS and prevent leaks A classic mistake is routing HTTP through the proxy while DNS still resolves locally, which leaks your lookups and can defeat the geo-targeting you set up the proxy for in the first place. Confirm that name resolution follows the proxy path when it should, test it explicitly rather than assuming, and log egress at the host so you can see where traffic actually goes. A quick check comparing the exit address the provider reports against public geolocation confirms the route is behaving before you trust it in production. Log, alert, and assume the credential will eventually leak Instrument the proxy layer like any other service. Record request volume per credential and alert on spikes that signal a runaway job, and on traffic to countries you never target, which is the fingerprint of a stolen credential in someone else's hands. A proxy credential seen coming from an unfamiliar host at an odd hour deserves the same response as a leaked API key, because functionally that is what it is. Rotate on a schedule so that even an undetected leak has a limited lifespan. Maintain compliance with the regulations. Technical hardening does not excuse misuse. Maintain automatic fetching on public pages, follow robots directions, keep request rates low enough so that no target is burdened, and keep personal data out of everything you collect. An arrangement that is both technically tight and operationally restricted may be performed forever withoutcausing problems and explained to a security reviewer without hesitation. Anyone who administers Linux professionally is familiar with the through-line: least privilege , explicit configuration, true logging, and no secrets in the open. Apply similar practices to the proxy layer, and it will become just another well-managed component of the system, rather than the silent exception that undoes the rest of your hardening. . Learn effective strategies to manage proxies safely on Linux, ensuring secure configurations and better credential practices.. Linux Proxies Hardening Guide, Secure Proxy Management, System Administrator Practices, Credential Security, Outbound Traffic Best Practices. . Anthony Pell

Calendar%202 Jul 16, 2026 User Avatar Anthony Pell Server Security
210

Mak’s Weekly Security Roundup: Linux Updates You Shouldn't Ignore This Week

Before the week gets away from you, take a look at what's landed across the Linux ecosystem. The volume of security advisories hasn't slowed, and while not every update demands an emergency maintenance window, several deserve to move to the top of your patch queue. This week's updates span the kernel, remote desktop infrastructure, VPNs, containers, browsers, and the utilities Linux systems quietly depend on every day. Individually, these look routine. Together they show how quickly attackers can take advantage of organizations that let routine patches pile up. . Why This Week Matters One thing stood out as I worked through this week's advisories: nearly every layer of a modern Linux deployment received security attention. The operating system, remote administration tools, browsers, VPN software, container platforms, and the utilities Linux systems quietly depend on all received meaningful security updates. None of these vulnerabilities dominate the headlines on their own, but together they reinforce an important lesson: small, delayed patches have a habit of becoming much bigger security problems. Kernel Updates: Priority Kernel maintenance remains the most critical—and often most postponed—task. Ubuntu and Red Hat published multiple advisories covering networking, filesystems, and drivers. With several fixes addressing privilege escalation and container-escape scenarios—including several affecting privilege escalation and container-related components —these updates are essential. If you only have one reboot window this week, use it for the kernel. Hardening Remote Access and Orchestration FreeRDP 3.29 : This release addresses 22 vulnerabilities while introducing significant runtime hardening. Given its prevalence in enterprise environments, this update is a priority. OpenShift: Red Hat released security updates for 4.20 , 4.21 , and 4.22 . As the control plane for your infrastructure, securing the orchestration layer is paramount. VPNs: OpenVPN addressed multiple issues, including proxy and metadata handling. As internet-facing gateways, these should be prioritized. Browsers and Foundational Plumbing Browsers remain high-value targets. Firefox and Thunderbird updates are vital, particularly for administrator workstations. Additionally, ensure you address updates to Python Pillow and cifs-utils to maintain the integrity of your environment's "plumbing." Patching Priority Category Recommended Priority Linux Kernel Critical (Highest priority) Internet-Facing Services (OpenVPN) High Remote Access & Orchestration (FreeRDP, OpenShift) High Foundational Utilities (Wget, Python, GnuTLS) Medium/Ongoing End-User Apps (Firefox, Thunderbird) Medium/Ongoing Linux security isn't just about responding to the latest critical CVE; it’s about consistently reducing the attack surface. Consistent, disciplined patching remains your most effective defense against the cumulative risk of the modern threat landscape. . This week's roundup highlights crucial Linux security updates for your systems, emphasizing the urgency of timely patching.. Linux updates, security advisories, patch management, system vulnerabilities, open source software. . MaK Ulac

Calendar%202 Jul 15, 2026 User Avatar MaK Ulac Security Vulnerabilities
210

GhostLock Exposes an Uncomfortable Truth About Open Source Security

When researchers announced GhostLock, many people focused on the exploit. What stood out to me wasn't just what the vulnerability could do, but how long it had remained hidden. The flaw had lived in the Linux kernel for roughly 15 years before it was publicly identified by researchers. That means the flaw survived hundreds of kernel releases and years of upstream development before it was publicly documented. It raises an uncomfortable question about one of open source's oldest assumptions. One of the enduring arguments in favor of open source is that transparency improves security. If anyone can inspect the code, vulnerabilities should be easier to discover and fix. GhostLock doesn't disprove that idea, but it does force us to ask how well it scales when the Linux kernel contains tens of millions of lines of code. . Why the GhostLock Linux Kernel Vulnerability Is Different The Linux kernel vulnerability CVE-2026-43499 , or "GhostLock," was identified by Nebula Security Research in their ionstack analysis . Because the flaw originated in upstream code, it potentially affected numerous Linux distributions that incorporated the vulnerable kernel code until it was patched in the upstream Linux kernel in April 2026 . GhostLock stood out for several reasons: Legacy Impact: The bug existed since kernel 2.6.39, illustrating that even mature, stable code can harbor deep-seated flaws for years. High-Stakes Exploitation: Researchers demonstrated local privilege escalation to root and a container escape, making the vulnerability particularly significant for cloud and containerized environments. Professional Interest: The vulnerability was identified through Google’s kernelCTF program, earning a $92,337 bounty. The payout also reflects how difficult kernel memory-safety bugs have become to identify, even for experienced researchers. The real question isn't whether Linux is secure. It is whether the traditional "many eyes" argument still reflects how securityactually works in a codebase of this magnitude. When "Many Eyes" Meets Modern Reality One of the best-known ideas in open source security is the "many eyes" principle , often associated with Eric S. Raymond's Linus's Law : "Given enough eyeballs, all bugs are shallow." The idea is straightforward. Because the source code is publicly available, developers, researchers, and users can inspect it, increasing the likelihood that vulnerabilities will be identified and fixed more quickly than they might be in closed-source software. In practice, however, transparency makes review possible; it does not guarantee that every line of code will actually be examined by someone with the time, expertise, or reason to look at it. That distinction becomes increasingly important in a project as large and complex as the Linux kernel, where millions of lines of code are maintained by thousands of contributors across hundreds of subsystems. Several practical realities shape how security review works today: The Scale Problem: The Linux kernel receives thousands of changes during every development cycle. No single human can review the entire codebase. Subsystem Silos: Most reviewers specialize in one subsystem. If a vulnerability exists in an obscure or legacy corner of the kernel, it may sit outside the field of view of those most qualified to audit it. The "Old Code" Reality: Legacy code often changes less frequently than actively developed subsystems. That stability is valuable, but it can also mean certain execution paths receive less ongoing scrutiny than newer code undergoing active development. How Linux Kernel Security Research Has Changed GhostLock wasn't discovered because someone finally decided to manually audit that specific line of code. It was discovered because the methodology of Linux security research has fundamentally changed. Historically, kernel security depended largely on expert review and targeted testing. Today, that work is increasingly complemented bycoverage-guided fuzzing, sanitizers, and large-scale automated testing. Tools like syzkaller/syzbot and KASAN act as force multipliers, systematically probing kernel state transitions that would be impossible for a human to track mentally. Automated testing now routinely finds combinations of events that humans would never naturally think to test. Programs like kernelCTF have further professionalized this research, bringing top-tier talent to bear on the kernel’s deepest subsystems. GhostLock is a testament to the fact that modern security is no longer just about "eyes"—it’s about the sophistication of the tooling and the bounty programs that reward deep, specialized research. The Reboot Gap For administrators, GhostLock is a stark reminder of the "reboot gap." Most organizations have well-defined maintenance windows for web servers, databases, and application software. Kernel updates are different because they frequently require reboots, coordinated maintenance windows, or live-patching infrastructure that many organizations simply don't have. It's not uncommon for organizations to schedule kernel updates quarterly while patching user-space software weekly. GhostLock shows why that gap deserves another look. In a containerized world, many assume the host is "just plumbing." A container escape vulnerability proves that the host kernel is the single point of failure for everything running on top of it. Local privilege escalation vulnerabilities become especially important in these environments because the kernel remains the shared trust boundary. When a vulnerability allows for container escape, the kernel is effectively an application-level concern and must be treated with the same urgency as a critical web server flaw. Security Priorities Have Changed GhostLock also highlights how Linux kernel security priorities have shifted over the last decade. Memory safety is now one of the community's primary areas of investment. Maintainers continue to strengthen the kernel through hardeningfeatures, sanitizers, memory-safety improvements, Rust for new kernel components, and continuous automated testing. Rather than suggesting the ecosystem is stagnant, GhostLock illustrates why those investments have become increasingly important as the kernel continues to grow in size and complexity. GhostLock also demonstrates one of open source's greatest strengths. Once the vulnerability was publicly identified, researchers could independently analyze the root cause, distributions could verify the fix, and administrators had complete visibility into the patch itself. That level of transparency is difficult to match in proprietary software, where the source code and development process are generally not available for independent review. What GhostLock Says About the Future of Open Source Security If GhostLock could stay under the radar for 15 years, it makes you wonder: how many other bugs are still waiting to be found? We don't know for sure. But GhostLock also proves that the ecosystem for finding those bugs is much tougher today than it was ten years ago. Between continuous fuzzing, memory sanitizers, coordinated disclosure, and mature bug bounty programs, we are finding whole classes of vulnerabilities that would have been totally invisible in the past. GhostLock doesn't prove that open source security has failed; it proves that transparency alone isn't enough. The Linux kernel has outgrown the point where it can rely solely on volunteer code review to find every critical flaw. Today's security depends just as much on dedicated security teams, automated testing, and bounty programs that reward that deep, specialized research. This reminds us that those strengths still matter, but the scale of modern projects requires more than just visibility. Today's Linux kernel is secured not only by developers reviewing code, but also by continuous automated testing, specialized security researchers, and organizations willing to invest in uncovering vulnerabilities that traditional review alone maynever find. . GhostLock reveals the limitations of open source security, emphasizing the need for advanced tools and methodologies in Linux kernel maintenance.. Linux Kernel GhostLock, Open Source Security Flaws, Automated Security Testing. . MaK Ulac

Calendar%202 Jul 14, 2026 User Avatar MaK Ulac Security Vulnerabilities
74

Securing SSH in Production: Keys, Hardening, and Real Attack Patterns

Spin up a fresh Linux VPS with default settings and check /var/log/auth.log ninety seconds later. There will already be failed login attempts — not dozens, hundreds, sometimes before the deployment script has even finished running. . Automated bots scan the entire IPv4 address space non-stop, and port 22 with password authentication open is exactly what they're looking for. Most cloud providers have seen enough of this that a new instance gets its first probe within a minute of going live. Security research tracking exposed Linux endpoints found that 89% of Linux endpoint attack behaviors in 2025 involved brute force or credential stuffing against SSH. Eighty-nine percent. In early 2026, the SSHStalker botnet — discovered by Flare Systems via SSH honeypot — had already racked up nearly 7,000 compromised systems by the end of January, mostly cloud servers, not through any sophisticated exploit but through weak or default credentials. Once inside, the malware dropped an SSH key, then immediately started scanning for more victims on port 22. A DShield sensor from around the same period documented the full cycle at under four seconds: first connection to complete botnet enrollment. The attacks aren't sophisticated. Default configurations keep making sophistication unnecessary. Start With Keys — Everything Else Comes After Disabling password authentication is the change with the most immediate impact. Do it first, before touching anything else. Once it's in place, the entire brute-force and credential-stuffing attack surface disappears — bots can hammer port 22 as long as they want, and without the private key they're simply not getting in. For new key pairs, Ed25519 is the right choice. Faster than RSA, smaller, stronger at comparable performance: ssh-keygen -t ed25519 -C "production-server" -f ~/.ssh/id_ed25519 Copy the public key to the server, then — and this step matters more than it sounds — open a second terminal and confirm the key-based login works from thatsecond session before touching anything in the config. Don't close the existing session until you've confirmed a fresh connection succeeds. Locking yourself out of a remote server mid-hardening is the most common way this process goes sideways, and it's entirely avoidable: # /etc/ssh/sshd_config PasswordAuthentication no KbdInteractiveAuthentication no PubkeyAuthentication yes In environments where key management is taken seriously — and it should be — rotating keys every six months is worth the friction. It sounds excessive until a former employee still has valid credentials six months after leaving, or a key gets exfiltrated as part of a broader compromise nobody caught at the time. The sshd_config Settings That Actually Move the Needle A handful of changes, none of them complicated, collectively close off real attack surface. None should require debate. Disable direct root login. There's no legitimate operational need for it — log in as a regular user and escalate with sudo when needed. And it adds a layer: an attacker who gets a key still needs to figure out which account has elevated access: PermitRootLogin no Explicit allowlists for SSH access so that any system accounts created after this point don't automatically inherit login capability: AllowUsers deploy monitoring-user Default values for authentication attempts and connection grace periods are far too generous for anything internet-facing: MaxAuthTries 3 LoginGraceTime 20 MaxStartups 10:30:60 LoginGraceTime 20 drops connections that haven't authenticated in 20 seconds flat. MaxStartups 10:30:60 starts throttling unauthenticated connections at 10 pending and drops them aggressively past 60 — this directly limits parallel brute-force attempts trying to flood the authentication pipeline. Add idle session timeouts too, since forgotten open sessions are their own category of risk: ClientAliveInterval 300 ClientAliveCountMax 0 On the port change. Moving SSH off port 22 won't stop a targetedattacker — a basic port scan finds it immediately. But it does eliminate the overwhelming majority of automated scanning traffic, since most botnets only ever target port 22. Logs get dramatically cleaner, and on production systems where log analysis is part of the daily workflow, that reduction in noise has genuine operational value. Worth doing, as long as nobody confuses it with a security control: Port 2222 SSH Certificates for Larger Deployments Key pairs are fine when you've got five servers. At fifty, the model breaks. You're distributing public keys to every host, rotating them manually, and inevitably inheriting authorized_keys files full of entries from people who left six months ago — nobody owns the cleanup, and stale access just sits there. The fix is treating SSH like PKI: a central Certificate Authority signs user keys, and every server trusts the CA instead of tracking individual keys. One revocation point. No per-host cleanup: # Generate the CA key pair — store this offline or in a hardware security module ssh-keygen -t ed25519 -f ~/.ssh/ssh_ca -C "production-ca" # Sign a user's public key with a 24-hour validity window ssh-keygen -s ~/.ssh/ssh_ca -I " username@prod " -n deploy -V +24h ~/.ssh/id_ed25519.pub On each server, trust the CA — not individual keys: # /etc/ssh/sshd_config TrustedUserCAKeys /etc/ssh/ssh_ca.pub Issue certificates with short lifetimes — 24 hours works well — and a stolen key becomes useless overnight without touching a single host. The stale access problem that haunts larger fleets mostly disappears on its own. Bastion Hosts Exposing SSH directly on every server multiplies attack surface with every machine you add. The cleaner model: a single hardened bastion host — the only machine with port 22 reachable externally — with all other servers restricted to accepting connections only from the bastion's IP at the firewall level. All hardening effort concentrates on one machine. Internal servers can dropeverything that doesn't come from the bastion. And SSH's ProxyJump makes the setup seamless: # ~/.ssh/config Host internal-server HostName 10.0.1.50 User deploy ProxyJump bastion.example.com SSH internal-server tunnels through the bastion automatically. Every lateral connection gets logged there. Combined with SSH certificates, you get one enforcement point for the entire fleet. Fail2Ban Key-only authentication largely kills the brute-force problem. Fail2ban still earns its place — misconfigured clients, edge cases, environments where password auth genuinely can't be fully disabled for one reason or another. A baseline configuration that bans IPs for 24 hours after three failed attempts: # /etc/fail2ban/jail.local [DEFAULT] bantime = 86400 findtime = 600 maxretry = 3 [sshd] enabled = true port = 2222 logpath = /var/log/auth.log maxretry = 3 Adjust the port value to match whatever is set in sshd_config. After any configuration changes, restart and verify: sudo systemctl restart fail2ban sudo fail2ban-client status sshd For privileged access workstations or jump servers where a stolen key alone would be an unacceptable outcome, stack TOTP on top. Twenty minutes of setup, and a compromised private key by itself stops working: # /etc/ssh/sshd_config AuthenticationMethods publickey,keyboard-interactive Reading the Logs Getting the configuration right is one half of this. Actually reading the logs is the other — and it gets underestimated consistently. SSH authentication logs are genuinely informative when you read them with intent rather than just watching for volume spikes. Repeated failures from a single source followed by a success: credential stuffing, worth investigating regardless of the account. Authentication from an IP that's never appeared before on an account with established connection history: worth a second look. More telling than either: a privileged account suddenly connecting from somewhere it never hasbefore. Or a service account that's never had an interactive session showing up with one. Audits extend monitoring past what SSH logs capture: auditctl -a always,exit -F arch=b64 -S execve -F euid=0 -k root_commands Every root command gets logged with a tag for easy filtering. Cross-reference with SSH auth events and you get a full timeline from initial login through command execution — which matters a lot during incident response when reconstruction is what you need. SSHStalker reinforced something worth keeping in mind: compromised hosts don't just become victims, they become attack infrastructure. A server generating high outbound connection volumes to port 22 on non-private IP ranges is almost certainly already part of a scanning relay. Behavioral monitoring that flags that specific pattern catches it faster than manual log review ever will. The DShield sensor data from early 2026: four seconds from first connection to fully enrolled botnet node on a default-credential system. Not a theoretical estimate — an actual observed result from a real internet-exposed VPS. The full hardening process here takes under an hour on a fresh server. Disable passwords, deploy a key, tighten the config, install fail2ban. The gap between a default SSH setup and a properly hardened one isn't a project. It's an afternoon. For the offensive perspective on SSH — how attackers enumerate configurations, harvest private keys from the filesystem, hijack agent sockets to move laterally without ever touching a key file, and use SSH tunneling to reach internal services, this SSH attack surface guide breaks down the techniques defenders need to understand. . Implement essential SSH security measures to prevent automated attacks through key management and system hardening strategies.. SSH Security, Hardening Practices, Key Management, Automated Attacks, Network Protection. . Andrew Kowal

Calendar%202 Jul 13, 2026 User Avatar Andrew Kowal Network Security
210

Critical Gitea Docker Authentication Bypass: An Open Door to Your Infrastructure

If you’re running Gitea in a container, stop what you’re doing and check your versioning right now. We’re looking at a critical vulnerability— CVE-2026-20896 —shipped directly in Gitea’s official Docker images. It’s a 9.8 CVSS-rated "open door" that lets any unauthenticated attacker stroll in and impersonate any user on your system, admin account included, without needing a password or a token. The reality? This isn't some complex, low-level kernel exploit. It’s a classic "secure-by-default" failure where one bad configuration template is quietly gutting your entire authentication model. . One Wildcard Default Broke the Trust Model Gitea has this reverse-proxy authentication feature built for enterprise setups where a front-end server—say, Nginx or Traefik —does the heavy lifting of verifying who you are. Once it knows you’re legit, it passes your username to Gitea via an X-WEBAUTH-USER header. It’s a standard, reliable pattern, provided you actually lock Gitea down to only accept that header from a proxy you trust. The security hole in the official Docker images is just one line in the app.ini template: REVERSE_PROXY_TRUSTED_PROXIES = * That wildcard tells Gitea: "I don't care where the request came from, I trust the identity header." By tossing out the safe default—which should’ve restricted trust to the local loopback interface ( 127.0.0.0/8 )—the Docker image leaves the door wide open. Any attacker who can hit your container’s HTTP port can just send a forged header and tell Gitea they’re the admin. No exploit chain, no credential theft, no memory corruption. Just one header, and they’re in. Why Git Platforms Are the New "Crown Jewels" It’s easy to think of a Git server as just a place to store code, but that’s a dangerous simplification. In today’s DevSecOps workflows, Gitea is the nervous system of your entire operation. Administrator access gives an attacker: The Full Repository Set: Public, private, and internalcode. Persistent Secrets: API keys, database credentials, and deploy tokens that developers accidentally committed and never scrubbed. Pipeline Control: The ability to alter CI/CD configurations to inject malicious code into your production builds before they’re even signed. Infrastructure Keys: SSH deploy keys and webhooks that connect your Git server directly to your live production systems. When an attacker gains admin access, they aren't just reading your repo—they’re using your own automation to move laterally into your CI/CD security stack. Which Gitea Deployments Are at Risk? The risk is concentrated in official Docker images through version 1.26.2 . If you are running these versions and have ENABLE_REVERSE_PROXY_AUTHENTICATION = true set, you are potentially exposed. If your container is reachable from the public internet—or even from an untrusted segment of your internal network—you are a high-priority target. Attackers are already using automated scanners to hunt for these ports. Take a minute to audit your Linux firewall rules; the only thing that should be talking to your Gitea container is your internal proxy. Staying Secure: Practical Defensive Steps Patching is the baseline here, but don't stop there. You need to verify your actual deployment state: Upgrade Immediately: Move to version 1.26.4 as soon as possible. Kill the Wildcard: Never leave REVERSE_PROXY_TRUSTED_PROXIES set to * in production. Hardcode the specific IP address of your authorized reverse proxy. Audit Container Exposure: Use Docker security best practices to ensure your management ports aren't just wide open to the world. Verify Your Network: If you’re managing Gitea in a larger environment, audit your Linux container security to ensure the service is isolated at the host level. The Bottom Line The Gitea Docker Authentication Bypass isn't exploiting a flaw in the Gitea source code; it’s exploiting the assumption that"default" settings are safe for production. The 13-day gap between public disclosure and the first in-the-wild scanning attempts from ProtonVPN exit nodes is a stark reminder of the speed at which today's attackers move. For those of us managing self-hosted infrastructure, this is a wake-up call. Verifying the configuration of your container templates is just as vital as keeping your kernel up to date. Before the next CVE hits, take the time to look under the hood—because if you haven't checked that wildcard, you’re currently hosting a free-for-all. As you tighten your Gitea deployment, how do you balance the need for ease-of-use in your internal configuration templates against the security risk of "convenient" defaults? . A critical Gitea Docker vulnerability could enable unauthenticated users to impersonate anyone without a password.. Gitea Vulnerability, Docker Security, Authentication Bypass. . MaK Ulac

Calendar%202 Jul 13, 2026 User Avatar MaK Ulac Security Vulnerabilities
215

Defending the Open Source Desktop: Advanced Cybersecurity Strategies for Linux

There was a time when Linux meant server rooms and hobbyist forums. These days it's on regular laptops, and a big part of that is people getting fed up with commercial operating systems scraping their data, shipping telemetry nobody asked for, and boxing them into hardware ecosystems they can't opt out of. . None of that makes Linux immune to trouble though. Yes, it dodges most of the mainstream malware that everyone else deals with. But the software running on top, and honestly the person sitting at the keyboard, are still very exploitable. Actual security isn't a box you check once during setup. It's ongoing and includes hardening the system, keeping an eye on the network, patching the apps you rely on every day, all of it. The Browser Is Where Most Trouble Starts Most of a person's screen time occurs in a browser. It's the door between your machine and everything else, and it's also carrying your bank sessions, your login tokens, and your personal DMs. That combination makes it the obvious target. People use extensions for one-off tasks and then just leave them there. Forgotten, still running, still able to touch things in the background. It’s worth building the habit of going through what's installed every so often and figuring out how to remove browser extensions that aren't earning their keep anymore. Fewer extensions means less surface area, and it means a single compromised update can't plant something on your machine. A lean browser is faster too, sure, but the real payoff is that there's less room for something to sit there unnoticed, shipping your data out the back door. What's Actually Driving People to Switch? The move to open source isn't a trend. It's people wanting their machine back. There are plenty of pieces out there on quitting Windows and trying Linux , and they all circle the same complaint, which includes forced updates and data terms nobody agreed to. Once you're on Linux, you're the one deciding what runs and what phones home, so to speak. Thatcontrol is the whole foundation of everything else you do to lock the system down. It's not free though. No one's patching behind your back or babysitting your firewall. That's on you now and includes permissions, updates, all the calls that used to be automatic. Keeping Tabs on Your Own Network Securing one machine only gets you halfway. You need some visibility into what's moving across the network too, because that's usually where things actually go wrong. Attackers don't usually go after the hardened box first. They'll find whatever's weakest, some IoT gadget or an old phone nobody's updated in ages, and use that as a stepping stone toward something worth taking. That's the argument for internal visibility tools. Running something like Suricata east-west traffic monitoring means you can actually watch what's passing between devices you'd otherwise just assume are fine. Catch the traffic that looks wrong early, and you can quarantine the problem before it spreads to anything that matters. Locking Down Remote Access Opening SSH to the outside world raises the stakes quite a bit. That port gets hammered by bots around the clock, all of them just guessing passwords and hoping for better outcomes. A good password isn't nothing, but it's not enough on its own either. Get in the habit of pulling your logs, and once you know how to understand failed authentication patterns in Linux logs , you can tell a typo from a script chewing through a password list. From there you can set up rules that ban the bad actors automatically, before they get anywhere close to getting in. The Job Never Really Finishes Honestly, there's no final state here. Threats change, the tricks that work now won't work forever, and Linux being what it is only gets you so far without the habits behind it. Staying on top of your extensions, watching the network, actually reading the logs- that's what turns a fine setup into a hard one to crack. It takes effort, but what you get back is real ownership ofthe machine and a lot less to lose sleep over. That's really the whole point of open source anyway. Not just a different way of doing things, but one where you're actually the one in charge. . Explore advanced strategies for enhancing security on Linux desktops, including browser management, network visibility, and SSH hardening.. Linux security strategies, open source desktop, browser extension management, network visibility tools, SSH access security. . Anthony Pell

Calendar%202 Jul 13, 2026 User Avatar Anthony Pell Desktop Security
74

Detecting Linux System Compromise Early: Behavioral Indicators and Log-Based Detection

There's a gap between what Linux systems log by default and what you actually need to detect a compromise. Most environments have logging active, which creates a sense of coverage that doesn't hold up under investigation. . When you start pulling logs after an incident, what you find is fragmented activity — a login here, a process there, but no clear narrative of how access was gained, what was executed, or how far the attacker moved. You piece together a timeline rather than reading one. That's not just a technical inconvenience. It's the reason dwell time on Linux systems averages over 10 days before detection. Attackers who understand what Linux logs by default — and what it doesn't — operate well within that window. This article covers what to actually monitor, how to configure auditd to close the most critical gaps, what behavioral indicators to look for at each phase of an attack, and where default logging leaves you exposed. Why Default Logging Leaves Gaps Linux systems generate a lot of log data. They just don't always generate the right log data for security purposes. /var/log/auth.log records authentication events but not what happened after authentication succeeded. /var/log/syslog captures service events but not process behavior. Application logs are application-specific and typically don't cross-reference with system activity. The result: you can often confirm that a login happened from an unusual IP. What you can't confirm from default logs alone is what commands were run, what files were accessed, whether a privilege escalation was attempted, or whether a cron job was modified. The "Copy Fail" problem (CVE-2026-31431) CVE-2026-31431 — the privilege escalation vulnerability affecting virtually every mainstream Linux kernel since 2017, added to CISA's KEV catalog in 2026 — operates entirely in memory. No files written to disk. No changes to the filesystem. The only log entry a compromised system might produce is routine kernel output: kernel: [142.341205] [Firmware Bug]: TSC frequency mismatch detected That's it. Logging is active. Monitoring is running. The attacker has root. Standard log analysis finds nothing because there's nothing standard log analysis is looking for. This is what makes behavioral detection essential — monitoring what processes do rather than what files they create. Log the syscall transitions. Log the process ancestry. Log the timing. Because the file artifacts won't be there. Phase 1: Detecting Initial Access SSH authentication anomalies Start here. SSH is the initial access vector in the majority of Linux server compromises. /var/log/auth.log is your primary source. # All successful SSH logins — baseline review grep "Accepted" /var/log/auth.log # Failed attempts followed by success from the same IP — credential stuffing pattern grep -E "Failed|Accepted" /var/log/auth.log | grep -v "invalid user" | awk '{print $1,$2,$3,$9,$11}' | sort # New IP addresses for existing users (compare against historical baseline) grep "Accepted" /var/log/auth.log | awk '{print $9, $11}' | sort | uniq -c | sort -rn Three login patterns that warrant immediate investigation: Successful authentication from a geographic location the account has never used Successful password authentication on an account that has only ever used key auth A service account — typically never interactive — showing an SSH session The second is particularly significant. If an account's authorized_keys file has valid entries but someone logs in with a password, either the account's credentials were compromised separately or something changed in the authentication configuration. Web application exploitation Web server logs are often the first indicator of initial access via vulnerable application: # Unusual HTTP methods or paths suggesting command injection attempts grep -E "eval|base64|wget|curl|bash|/etc/passwd|/proc/self" /var/log/nginx/access.log grep -E"\.php\?cmd=|exec\(|system\(" /var/log/apache2/access.log # Processes spawned by web server user (www-data, nginx, apache) ps aux | grep -E "www-data|nginx|apache" | grep -v "grep" A web server process spawning bash, curl, or wget is not normal activity. A web application process making outbound network connections to non-whitelisted destinations is a strong indicator of successful exploitation. Phase 2: Detecting Post-Exploitation Enumeration Attackers who land on a Linux box with a low-privilege shell immediately begin enumeration. Tools like LinPEAS automate this in under 60 seconds — scanning SUID binaries, sudo configurations, writable cron jobs, kernel version against known CVEs, credentials in config files, and dozens of other vectors. The behavioral fingerprint of automated Linux enumeration is distinctive and detectable: auditd rule for high-frequency find activity: auditctl -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/find -k enum_find After running for a few minutes, check: ausearch -k enum_find --start recent | awk '{print $NF}' | sort | uniq -c | sort -rn Baseline expectation on a normal system: fewer than 5 find executions per non-root process in any 30-second window. A spike to 100+ is anomalous by definition. The fact that LinPEAS is one script rather than a human running individual commands makes the timing compression particularly detectable — dozens of find calls from the same PID within seconds. Additional enumeration indicators: # Rapid sequential reads of sensitive files from same process auditctl -w /etc/sudoers -p r -k sudoers_read auditctl -w /etc/passwd -p r -k passwd_read auditctl -w /etc/shadow -p r -k shadow_read auditctl -w /etc/crontab -p r -k crontab_read # Correlate: same PID reading all of these within a short window = automated enumeration ausearch -k sudoers_read -k passwd_read -k shadow_read --start recent Phase 3: Detecting Privilege Escalation SUID abuse and setuidsyscalls When an attacker exploits a SUID binary for privilege escalation, the process transitions from the user's UID to root UID. The setuid syscall is the mechanism: # Detect UID transitions via setuid/setgid auditctl -a always,exit -F arch=b64 -S setuid -S setgid -k priv_escalation auditctl -a always,exit -F arch=b64 -S setreuid -S setregid -k priv_escalation Review: ausearch -k priv_escalation --start recent UID transitions are expected for legitimate binaries like sudo, su, passwd. Unexpected processes performing UID transitions — particularly web application processes, backup agents, or anything that doesn't normally interact with privilege boundaries — are worth investigating. Sudo command monitoring # Log all sudo invocations with the actual command auditctl -a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudo -k sudo_exec # Alert on: sudo bash, sudo sh, sudo -s (all shell drops) ausearch -k sudo_exec --start recent | grep -E "bash|sh -i|/bin/sh" apache2 → sudo → bash as a parent-child process chain is not a sysadmin running a command. It's a kill chain. sudoers and authorized_keys modifications auditctl -w /etc/sudoers -p wa -k sudoers_change auditctl -w /etc/sudoers.d/ -p wa -k sudoers_change auditctl -w /root/.ssh/authorized_keys -p wa -k ssh_persistence auditctl -w /home -p wa -k ssh_persistence Any write to authorized_keys files outside of a configuration management operation (Ansible, Puppet) warrants immediate investigation. Key injection is clean persistence — no binary on disk, no process running — and it's invisible without this specific monitoring. Phase 4: Detecting Persistence Mechanisms Cron job modification auditctl -w /etc/cron.d/ -p wa -k cron_change auditctl -w /etc/crontab -p wa -k cron_change auditctl -w /var/spool/cron/ -p wa -k cron_change # Also monitor the scripts cron executes # If a root cron job runs /opt/backup/backup.sh, watch it: auditctl -w /opt/backup/backup.sh -p wa -k cron_script_change Cron modifications outside of patch windows or change management processes are suspicious. A cron entry that suddenly runs a script in /tmp , /dev/shm , or any user-writable directory is an immediate indicator. SUID bit changes on filesystem # Real-time monitoring for SUID bit changes inotifywait -m -r -e attrib /usr/bin /usr/local/bin /usr/sbin 2> /dev/null | \ grep --line-buffered "ATTRIB" | while read line; do echo "[ALERT] Attribute change: $line" | logger -t suid_monitor done New SUID binaries outside of package manager operations are always worth examining. Developers occasionally set SUID during testing and deploy without removing it — and attackers who gain write access to an executable will set SUID as a persistence mechanism. systemd service persistence auditctl -w /etc/systemd/system/ -p wa -k systemd_change auditctl -w /lib/systemd/system/ -p wa -k systemd_change # Check recently modified systemd units find /etc/systemd/system /lib/systemd/system -newer /var/log/syslog -name "*.service" 2> /dev/null Persistence via new systemd services is a TTP documented in multiple ransomware groups, including RansomHub's campaigns using CVE-2024-1086 for post-compromise privilege escalation. New .service files created after a system's build date deserve scrutiny. Phase 5: Detecting Lateral Movement Outbound SSH connections (pivot indicator) A Linux server making high-volume outbound SSH connections to non-private IP addresses is a strong signal the box has been compromised and is being used as a scanning relay: # Monitor outbound connection attempts auditctl -a always,exit -F arch=b64 -S connect -k outbound_connect # Or via ss for real-time view ss -tnp | grep ESTABLISHED | grep -v "127.0.0.1\|10\.\|192\.168\.\|172\." # Count unique destination IPs from SSH processes netstat -tn | grep ":22" | awk '{print $5}' | cut -d: -f1 |sort | uniq -c | sort -rn A single sshd process connecting to dozens of unique external IPs is the SSHStalker pattern — compromised host immediately scanning for more victims after the initial compromise. /proc/*/net for covert channels # Check for unexpected listening ports ss -tlnp netstat -tlnp # /proc provides raw network data even if netstat is replaced by a rootkit cat /proc/net/tcp | awk '$4 == "0A" {print $2, $3}' # listening sockets in hex cat /proc/net/tcp6 | awk '$4 == "0A" {print $2, $3}' A covert C2 channel hiding as a legitimate service will show up in /proc/net/tcp even if a rootkitted version of netstat is installed. Cross-referencing the two is a quick sanity check. Severity Hierarchy: What to Alert On First Treat every auditd event as equal and you'll train your analysts to ignore alerts. It happens faster than you'd expect. A working detection strategy means explicitly deciding which signals are worth waking someone up for and which ones go into a dashboard nobody checks. Three tiers that actually hold up in practice: Signal Why it matters False positive rate www-data / nginx / apache2 spawning bash or sh Web app exploitation, nearly never legitimate Extremely low New authorized_keys entry outside change management window SSH persistence — clean and durable Low in orgs with CM setuid event on non-standard binary Attacker setting persistence or escalation path Low Root cron job script modified Direct path to persistent root execution Low auditd service stopped or rules cleared Attacker disabling detection — active response needed Very low High — suspicious, needs context: Signal Why it matters Common false positive New sudoers entry Privilegeescalation path or new admin access Legitimate admin change 50+ find calls from same PID in 30 seconds Automated enumeration (LinPEAS, etc.) Package manager operations Service account with interactive SSH session Unusual behavior for non-human account Automation with bad config New systemd service created Persistence mechanism Legitimate software install Outbound connection to non-private IP from sshd Compromised host scanning for victims Legitimate backup/monitoring Medium — monitor, establish baseline: Signal Why it matters Common false positive sudo invocation at unusual hours Off-hours admin activity Legitimate admin work across time zones New cron entry for existing user Could be persistence Legitimate scheduled task Read of /etc/shadow by non-root process Credential harvesting attempt Some PAM configurations How to Build a Baseline Before Alerting Deploy detection rules without knowing what normal looks like and you'll spend the first month tuning out false positives until the team stops paying attention to alerts altogether. That's a worse outcome than no rules. A development server, a CI/CD runner, and a production web server have completely different behavioral profiles. sudo running 200 times a day is normal on an Ansible control node. It's not normal on a web server. find executing constantly is expected behavior from a package manager mid-update. It's not expected behavior from a user account at 3am. Before enabling high-severity alerts on any host, collect two weeks of baseline data: # Daily sudo activity ausearch -k sudo_exec --start today | wc -l # Daily setuid events ausearch -k priv_escalation --start today | wc -l # Daily cronmodifications ausearch -k cron_change --start today | wc -l # Daily authorized_keys modifications ausearch -k ssh_persistence --start today | wc -l What you're building is a sense of what's routine for that specific host. A production web server that has never once modified authorized_key s in six months of baselining deserves an alert the moment it does. A configuration management server that updates keys daily as part of normal operations does not. Same event, completely different meaning depending on context. Alerts that trigger on deviations from established baseline catch real anomalies. Alerts that trigger on raw event volume catch noise. Signal Correlation: Why Single Events Are Often Misleading Individual events are weak signals. What matters is sequence. A sudo invocation on its own — legitimate. An outbound SSH connection — legitimate. A find command — also probably fine. The picture changes completely when those three things happen from the same user account within a five-minute window, in that order. Look at this sequence: 09:14 SSH login from new source IP 09:15 High-frequency find executions from same PID 09:16 Reads on /etc/sudoers and /etc/shadow 09:18 setuid transition on non-standard process 09:19 Write to /root/.ssh/authorized_keys None of those events alone is a confirmed compromise. Together, they map directly to: Initial Access → Enumeration → Privilege Escalation → Persistence That five-minute chain is LinPEAS running followed by a privilege escalation attempt and an SSH backdoor. It's not subtle — but it only becomes obvious when you're correlating events, not reviewing them one at a time. Build SIEM rules around timing windows and process ancestry. An event that's routine in isolation becomes high-confidence when it's correlated with two others in a short window involving the same PID or user. False Positive Handling in Practice The rules that matter most are also the ones mostlikely to fire legitimately in certain environments. Before deploying any rule in production, understand its false positive profile. sudo monitoring: In environments with many sysadmins or where sudo is used frequently as part of standard automation, volume alone isn't diagnostic. Filter for sudo bash, sudo sh, sudo -s, and sudo su — shell-drop patterns. These are rarely legitimate in automated workflows and almost always human or attacker activity. find high-frequency detection: Package managers (apt, yum, dnf) invoke find heavily during updates. Deploy/configuration management tools like Ansible do too. Exclude known-good parent processes and whitelist maintenance windows. Alert on spikes outside those contexts. authorized_keys changes: In environments using configuration management (Puppet, Ansible, Chef), authorized_keys is regularly synced from a central source. Whitelist the CM agent's process. Alert on all other writes. Cron modifications: Legitimate cron changes happen — but they should be traceable to a change ticket or deployment pipeline. If your environment has change management, any cron modification outside a documented change window is an escalation-worthy event. systemd service creation: Package installations create new .service files constantly. Alert on new services created outside of package manager operations, or services that point to binaries in /tmp, /dev/shm , or any user-writable path. SIEM Correlation Rules: From Raw Events to Actionable Alerts Individual auditd events are signals. Correlation turns signals into incidents. These are the highest-value correlation patterns for Linux compromise detection: Rule 1 — Web server spawning shell: IF process.parent.name IN ["apache2", "nginx", "httpd", "php-fpm"] AND process.name IN ["bash", "sh", "dash", "python", "perl", "ruby"] THEN ALERT: Critical — Web Application Exploitation Rule 2 — New device + authorized_keys change (AiTM to persistence chain): IF ssh_login.new_source_ip = TRUE AND authorized_keys.write_event WITHIN 30 minutes THEN ALERT: High — Possible AiTM Compromise with SSH Persistence Rule 3 — Privilege escalation chain: IF setuid_event.user != root AND file_write_event.path IN ["/etc/sudoers", "/root/.ssh/authorized_keys"] AND process.name = "bash" WITHIN 10 minutes THEN ALERT: Critical — Active Privilege Escalation Chain Rule 4 — Automated enumeration fingerprint: IF process.syscall = "execve" AND process.name = "find" AND count(events) > 50 WITHIN 30 seconds AND process.user != root AND process.parent.name NOT IN ["apt", "dpkg", "ansible"] THEN ALERT: High — Automated Enumeration Pattern Rule 5 — Outbound scanning from compromised host: IF network.direction = outbound AND network.dest_port = 22 AND count(unique_dest_ips) > 20 WITHIN 60 seconds AND process.name IN ["sshd", "ssh"] THEN ALERT: Critical — Host Used as SSH Scanning Relay Building a Practical Detection Stack You don't need a SIEM to start. The priority order for Linux compromise detection: 1. auditd — the foundation # Persistent rules in /etc/audit/rules.d/security.rules -a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudo -k sudo_exec -a always,exit -F arch=b64 -S setuid -S setgid -k priv_escalation -w /etc/sudoers -p wa -k sudoers_change -w /root/.ssh/authorized_keys -p wa -k ssh_persistence -w /etc/crontab -p wa -k cron_change -w /etc/systemd/system/ -p wa -k systemd_change 2. aureport for daily review # Daily anomaly summary — run as cron or review manually aureport --auth --summary # authentication events aureport --syscall --summary # system call anomalies aureport --file --summary # file access patterns 3. Process tree correlation When an alert fires, the first question is: what is the parent process? Context from /proc/ /status and ps--forest determines within seconds whether sudo was run by a legitimate admin session or by a web server process that shouldn't be executing shell commands. 4. Forward logs off the host Logs stored only locally can be modified or deleted by an attacker with root. Forward to a remote syslog server or centralized logging infrastructure as quickly as possible. If local logs are the only copy and the attacker gains root, your forensic evidence is at risk. Top 10 Linux Compromise Signals Worth Alerting On Immediately If resources are limited, prioritize these signals first. They consistently appear across real-world Linux intrusions and typically generate manageable alert volume. Priority Indicator Why It Matters 1 Web server spawning shell (apache2 → bash) Strong exploitation indicator 2 New authorized_keys entry Common persistence technique 3 Unexpected setuid transition Privilege escalation activity 4 Modification of /etc/sudoers Privilege manipulation 5 New systemd service created Persistence mechanism 6 Root cron modification Scheduled privileged execution 7 Outbound SSH scanning activity Lateral movement indicator 8 Large-scale file enumeration Automated reconnaissance 9 auditd service stopped Defense evasion — act immediately 10 External network connection from web app process Possible command execution Organizations attempting to monitor everything often end up monitoring nothing effectively. Starting with ten high-confidence signals and expanding gradually produces better results than deploying hundreds of low-confidence rules on day one. Limits and Bypass: What Detection Won't Catch Everydetection strategy has a ceiling. Understanding where yours ends is as important as building it. auditd can be disabled. An attacker with root can stop the auditd service, flush rules, or modify /etc/audit/audit.rules to remove specific watches. If your detection depends entirely on local auditd and an attacker achieves root before you get an alert, you've lost the evidence trail. Mitigation: ship logs to an immutable remote destination in real-time. Alert immediately if auditd stops on any monitored host. Local logs can be deleted or modified. Root can truncate /var/log/auth.log , remove bash history, clear wtmp and lastlog. An attacker who understands Linux forensics will do this. If your logs are only stored locally, a root-level compromise can erase the timeline. Forward to a remote syslog or centralized logging platform the moment events are generated. Rootkits hide activity. Kernel-level rootkits (LKM rootkits) can intercept system calls and hide processes, files, and network connections from standard tools. ps, ls, netstat , and top can all return clean results on a compromised host. /proc filesystem access is more reliable than userspace tools, but sophisticated rootkits can intercept procfs reads too. Runtime kernel integrity monitoring (eBPF-based sensors, AIDE for file integrity) catches anomalies that standard logging misses. Containers and cloud complicate the model. In containerized environments, auditd on the host may not capture activity inside containers depending on namespace configuration. Cloud instances may have additional logging layers (CloudTrail for AWS, Cloud Audit Logs for GCP) that provide visibility auditd doesn't. Container runtime security tools (Falco, Sysdig) monitor syscall behavior at a layer that survives container restarts and doesn't depend on configuration inside the container. In-memory attacks produce no file artifacts. CVE-2026-31431 ("Copy Fail") demonstrated this at scale — kernel LPE that leaves no file changes, no new processesbeyond the exploiting binary, no obvious log entries. Behavioral detection at the syscall level (setuid transitions, unexpected privilege changes) is more reliable than file-based detection for this class of attack. What to Do After Detection: Immediate Response Detection is only useful if it triggers an effective response before the attacker achieves their objectives. Immediate containment — within minutes: # Isolate the host from the network (if remote management allows) # Block outbound on all interfaces except your management channel iptables -I OUTPUT -j DROP iptables -I OUTPUT -d /32 -j ACCEPT # Kill suspicious sessions identified during detection who -a # list active sessions pkill -9 -t pts/1 # kill specific terminal session # Preserve a snapshot of current process state before killing anything ps auxf > /tmp/process_snapshot_$(date +%s).txt ss -tnp > /tmp/network_snapshot_$(date +%s).txt Evidence collection — before touching anything: # Memory is volatile — capture what you can before isolation or reboot # List loaded kernel modules (LKM rootkit check) lsmod > /tmp/modules_$(date +%s).txt # Active network connections ss -tnp > /tmp/connections_$(date +%s).txt # Scheduled tasks and cron crontab -l -u root > /tmp/root_cron.txt cat /etc/crontab > /tmp/system_cron.txt # Recently modified files find / -newer /tmp/reference_file -type f 2> /dev/null > /tmp/recent_files.txt # Export auditd events before they cycle out ausearch --start today > /tmp/audit_today.txt Credential rotation priorities: Root password and all sudo users immediately Any SSH keys that existed on the system at time of compromise — assume all are burned Service account passwords for any service running on the host Application database credentials stored in config files on the system Persistence verification before declaring clean: # Check everypersistence mechanism attackers use crontab -l -u root; crontab -l ls -la /etc/cron.d/ /etc/cron.hourly/ /etc/cron.daily/ cat /etc/rc.local systemctl list-units --type=service | grep -v "loaded active" find /root /home -name ".bashrc" -o -name ".bash_profile" | xargs grep -l "curl\|wget\|bash\|nc\|ncat" cat /root/.ssh/authorized_keys find /tmp /dev/shm -type f 2> /dev/null A system is not clean until every persistence mechanism has been verified, not just the one that triggered the initial alert. Detection on Linux isn't about having the most data — it's about having the right data, at the right granularity, in a place the attacker can't erase. The gaps in default logging are predictable and closable. What's less predictable is whether the rules are in place before the compromise happens. . Learn how to effectively monitor Linux systems for compromises with tailored logging strategies and behavioral detection techniques.. Linux detection, log monitoring, behavioral analysis, security strategy, system compromise. . Andrew Kowal

Calendar%202 Jul 12, 2026 User Avatar Andrew Kowal Network Security
74

Linux Privilege Escalation from a Defensive Perspective: Sudoers and SUID Misconfigurations

Root access on a Linux system rarely arrives through a zero-day. . Honestly, it usually doesn't even arrive through something you'd consider clever. More often — and this shows up in post-incident report after post-incident report — an attacker gets a low-privilege foothold through a misconfigured web app or a reused credential, and then just... looks around. What they find is a sudoers entry that's been sitting untouched since the last sysadmin handed off the server. Or a SUID binary a developer set during a late-night deployment and forgot to mention. Neither makes it into a CVE database. Neither gets a patch advisory. They're just there, waiting for someone to notice them. The Sudoers File Doesn't Clean Itself The design intent behind sudoers is reasonable — give specific users specific elevated permissions without distributing actual root credentials. The gap between intent and reality is that entries get written fast, during deployments, when nobody has time to get the scope exactly right, and then they stay. Sysadmins change. The documentation doesn't. Nobody ever schedules an audit. The worst version is also probably the most common one to find in the wild: developer ALL=(ALL) NOPASSWD: ALL One line. Whoever gets that user account gets the system. No second factor, no password prompt, nothing: sudo bash The subtle version — the one that trips up more environments — is when an admin adds something like vim to sudoers thinking it's scoped and safe. It isn't: sudo vim -c '!bash' Root shell, three keystrokes. GTFOBins catalogs this exact escalation technique for hundreds of binaries — find, less, python, perl, awk, tar, nmap with --interactive , and on and on. Same pattern across all of them: the binary gets NOPASSWD access, nobody checks whether it can spawn a shell, and the entry stays in place indefinitely because nothing breaks and nobody touches it. The cp case is less intuitive but just as damaging, maybe more so because it feelsinnocuous. Copy access to /usr/bin/cp with elevated permissions means an attacker can overwrite /etc/sudoers directly, inject their own NOPASSWD entry, then run bash: cp /etc/sudoers /tmp/sudoers.bak echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" > > /tmp/sudoers.bak cp /tmp/sudoers.bak /etc/sudoers sudo bash No exploit code. No CVE required. A misconfigured permissions entry and roughly two minutes. Two Sudo Vulnerabilities That Got Less Attention Than They Deserved In mid-2025 two vulnerabilities in sudo itself were disclosed — CVE-2025-32462 and CVE-2025-32463 — that made even correctly written sudoers configurations exploitable. Worth knowing about, because sudo doesn't get treated with the same patch urgency as web application CVEs, and production systems tend to lag on it for exactly that reason. CVE-2025-32463, the more severe of the two at CVSS 9.3, abused sudo's --chroot option: place a malicious nsswitch.conf in any user-controlled directory and sudo loads an attacker's shared library as root — before it gets around to checking permissions. The flaw was introduced in sudo 1.9.14 (June 2023) and went undetected for about two years before Stratascale's research team found it. CISA added it to the Known Exploited Vulnerabilities catalog in September 2025, months after the patch was already available. Both vulnerabilities were patched in sudo 1.9.17p1, released June 2025. The gap between "patch available" and "patch deployed" in production Ubuntu 22.04 environments stretched well into the second half of the year, because nobody was treating sudo updates as urgent. The lesson here isn't just "patch sudo" — though that's obviously necessary. It's that a correctly written sudoers file isn't sufficient protection when the underlying binary has an elevation flaw. Defense has to go deeper than configuration. SUID Binaries: Persistent, Overlooked, and Reliable SUID is a permission bit — makes a binary execute as its owner regardless of who actually invokes it. Ping,passwd, su, a handful of others all legitimately need it. The problem is when it ends up on things it shouldn't: internal scripts, test binaries, standard utilities that picked up the bit during a misconfigured install and never lost it because nobody was looking. Every attacker who lands a shell runs this immediately: find / -perm -4000 -type f 2> /dev/null Output goes straight to GTFOBins. The non-standard entries — anything outside the expected set of system binaries — are where the actual findings are. Custom internal binaries with SUID set are the first things to dig into. PATH hijacking is clean and reliable when a custom SUID binary calls system utilities without specifying absolute paths. A script that runs system("service restart") instead of system("/usr/sbin/service restart") is exploitable by anyone who can write to an earlier PATH directory: cd /tmp echo "/bin/bash" > service chmod +x service export PATH=/tmp:$PATH ./vulnerable-suid-binary Shell resolves service to the malicious binary, executes it with the SUID binary owner's effective UID. If that's root, escalation is complete — simple as that. Editors with SUID set are a separate category, not just escalation but immediate persistence. If /usr/bin/nano carries the bit, the attacker edits /etc/passwd directly: adds a root-level account with no password, change survives reboots, nothing suspicious in logs beyond a file modification timestamp. Tools like LinPEAS automate all of this — SUID binaries, sudoers entries, writable cron jobs, kernel version against known CVE databases — in a single run, under sixty seconds. What used to take an experienced attacker thirty minutes of manual enumeration is now a script. Defenders need to understand what that output surfaces and what order it prioritizes findings, because that's the actual methodology being applied on the other side. Fixing It Open /etc/sudoers with visudo and actually read through every entry. Any line granting NOPASSWD: ALL to a non-system user either has a documented justification or it gets removed — those are the only two acceptable outcomes. For every binary with NOPASSWD access, look it up on GTFOBins by name. If there's a documented escalation path, that entry is an open door and should be treated as such. Replace broad grants with precise ones. A user who needs to restart nginx gets exactly that: # Scoped to one service, one action — nothing broader username ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx Not /usr/bin/systemctl . Definitely not ALL . For SUID, the approach that actually works is establishing a baseline on a known-good system and comparing against it: find / -perm -4000 -type f 2> /dev/null > /root/suid-baseline.txt Store that file somewhere reliable and run comparisons after deployments and package updates. Any new SUID binary outside a planned package install gets investigated. Anything that shouldn't carry the bit gets stripped: chmod u-s /path/to/binary Internal scripts should never have SUID set. Development environments sometimes add it for convenience — that needs to come off before anything reaches production, full stop. Monitoring matters too, and it's worth doing properly rather than just adding a single auditd rule and calling it covered. A useful starting set watches for sudo execution, SUID-related syscalls, and writes to sensitive files that privilege escalation techniques commonly target: # Flag all sudo invocations auditctl -a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudo -k sudo_exec # Flag setuid/setgid syscalls — catches SUID abuse attempts auditctl -a always,exit -F arch=b64 -S setuid -S setgid -k priv_escalation # Flag writes to sudoers and sensitive auth files auditctl -w /etc/sudoers -p wa -k sudoers_change auditctl -w /etc/sudoers.d/ -p wa -k sudoers_change auditctl -w /etc/passwd -p wa -k passwd_change auditctl -w /etc/shadow -p wa -k shadow_change Once you have events, ausearch and aureport are how you actually work with the data rather than grepping raw logs: # Show all sudo-related events in the last hour ausearch -k sudo_exec --start recent # Show all sudoers file modifications ausearch -k sudoers_change # Summary report of privilege-related events by user aureport --auth --summary Parent-child process relationships are the real signal to watch. apache2 → sudo → bash is not a logging anomaly — it's a kill chain in progress. The SUID baseline comparison mentioned above pairs naturally with inotifywait for real-time alerting on new SUID files: inotifywait -m -r -e attrib /usr/bin /usr/local/bin /usr/sbin 2> /dev/null | \ grep --line-buffered "ATTRIB" | while read line; do echo "[ALERT] Attribute change detected: $line" | logger -t suid_monitor done Run that as a service, and any new SUID bit set outside of a package manager operation generates a log entry immediately. SELinux and AppArmor work alongside all of this — they constrain what a process can do even after it reaches root, containing the blast radius of a successful escalation even when prevention fails. And keep sudo patched — CVE-2025-32463 was in CISA's KEV catalog months after the patch was available, which tells you exactly how many production systems were sitting exposed throughout 2025. The kernel headlines this year — Copy Fail, Fragnesia, Dirty Frag — have most security teams focused on patches and module blacklists. That's reasonable. But those same teams often have sudoers entries that predate everyone currently on staff, and SUID binaries in /usr/local/bin that nobody can account for. Kernel CVEs get CVE numbers and CISA advisories. Misconfigured sudoers entries don't. That asymmetry in attention is precisely why they keep working year after year. Enumeration tools don't organize findings by category. LinPEAS flags the NOPASSWD entry and the unpatched kernel in the same output, same color coding, same priority. One of them usuallycomes first. . Explore misconfigurations in sudoers and SUID handling that lead to privilege escalation risks in Ubuntu systems.. Sudo Configurations, SUID Permissions, Privilege Escalation. . Andrew Kowal

Calendar%202 Jul 10, 2026 User Avatar Andrew Kowal Network Security
News Add Esm H340

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200