https://github.com/imthenachoman/How-To-Secure-A-Linux-Server

If it's the former, what are some of the things sudo protects your server from if say, a sudo account is compromised/hacked?

https://www.bleepingcomputer.com/news/security/have-i-been-pwned-adds-441k-accounts-stolen-by-redline-malware/amp/

TLP: WHITE
MS-ISAC CYBERSECURITY ADVISORY

MS-ISAC ADVISORY NUMBER: 2021-068

DATE(S) ISSUED: 05/12/2021

SUBJECT: Multiple Vulnerabilities in Wi-Fi Enabled Devices Could Allow for Data Exfiltration

OVERVIEW:

Multiple vulnerabilities have been discovered in Wi-Fi enabled devices, the most severe of which could allow for data exfiltration. IEEE 802.11 is part of the IEEE 802 set of local area network technical standards, and specifies the set of medium access control and physical layer protocols for implementing wireless local area network communication. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to exfiltrate user data.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild. A proof of concept exists for various vulnerabilities mentioned within this advisory.

SYSTEMS AFFECTED:

Any Wi-Fi enabled device could be vulnerable, please check with the manufacturer of your device(s)
RISK:

Government:

Large and medium government entities: High
Small government entities: High
Businesses:

Large and medium business entities: High
Small business entities: High
Home users: High

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Wi-Fi enabled devices, the most severe of which could allow for data exfiltration. These vulnerabilities can be exploited if a user connects to a rogue access point and is then redirected to or visits a malicious server. Details of the vulnerabilities are as follows:

A vulnerability exists in the 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) that could allow an attacker to inject arbitrary network packets (CVE-2020-24588)
A vulnerability exists in the 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) that could allow an attacker to decrypt selected fragments when another device sends fragmented frames. (CVE-2020-24587)
A vulnerability exists in the 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) that could allow an attacker to inject arbitrary network packets and/or exfiltrate user data. (CVE-2020-24586)
A vulnerability exists in Samsung Galaxy S3 i9305 4.4.4 devices that could allow an attacker to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)
A vulnerability exists in Samsung Galaxy S3 i9305 4.4.4 devices that could allow an attacker to inject arbitrary network packets independent of the network configuration. (CVE-2020-26144)
A vulnerability exists in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H that could allow an attacker to inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)
A vulnerability exists in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH could allow an attacker to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)
A vulnerability exists in the kernel in NetBSD 7.1 that could allow an attacker to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)
A vulnerability exists in Samsung Galaxy S3 i9305 4.4.4 devices that could allow an attacker to exfiltrate selected fragments. (CVE-2020-26146)
A vulnerability exists in the Linux kernel 5.8.9 that could allow an attacker to inject packets and/or exfiltrate selected fragments (CVE-2020-26147)
A vulnerability exists in the kernel in OpenBSD 6.6 that could allow an attacker to inject arbitrary network packets, independent of the network configuration. (CVE-2020-26142)
A vulnerability exists in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H that could allow an attacker to inject and possibly decrypt packets. (CVE-2020-26141)
Successful exploitation of the most severe of these vulnerabilities could allow an attacker to exfiltrate of user data.

RECOMMENDATIONS:

We recommend the following actions be taken:

Apply the stable channel update provided by the vendor to vulnerable systems immediately after appropriate testing.
Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
REFERENCES:

Wi-Fi Alliance:

https://www.wi-fi.org/security-update-fragmentation

FragAttack:

https://www.fragattacks.com/#beingexploit

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24588

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24587

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24586

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26145

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26144

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26140

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26143

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26139

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26146

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26147

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26142

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26141

If you use/have used their tool, please be sure to revoke/rotate your (relevant, affected) credentials immediately.

More information:

https://about.codecov.io/security-update/

Ars Technica has coverage here: https://arstechnica.com/gadgets/2021/04/backdoored-developer-tool-that-stole-credentials-escaped-notice-for-3-months/

DISCLAIMER: Do not attempt to apply anything in this article if you do not know exactly what you are doing. This guide is focused purely on security and privacy, not performance, usability, or anything else.

https://madaidans-insecurities.github.io/guides/linux-hardening.html

With PLATYPUS, we present novel software-based power side-channel attacks on Intel server, desktop and laptop CPUs. We exploit the unprivileged access to the Intel RAPL interface exposing the processor's power consumption to infer data and extract cryptographic keys.

[...]

On Linux, the powercap framework provides unprivileged access to the Intel RAPL counters. With a recent security update, this access is revoked, and an unprivileged attacker can not retrieve power measurements anymore.

However, this update does not protect against a privileged attacker, e.g., a compromised operating system targeting Intel SGX. To mitigate attacks in this scenario, Intel released microcode updates to affected processors. These updates ensure that the reported energy consumption hinders the ability to distinguish the same instructions with different data or operands if Intel SGX is enabled on the system.

Please make sure to get the latest updates for your operating system and BIOS.

List of Intel CPUs affected: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html

AMD and ARM processors may also be affected, though untested.

Source: https://platypusattack.com/

Ain't no more your password was weak excuse this time

I am running PowerDNS authoritative, the latest version, for my master + all 4 slaves. I think that I am doing ok security-wise on my side (master is "hidden", AXFR is only allowed for the slaves' IP addresses, ufw enforces IP access to port 53).

But what about protecting other servers? My servers are not recursive, so they deal with my zones only. openresolver.com says, as expected, that my IPs are not vulnerable to DNS Amplification attacks.

Do I still have to impose any rate limits? If yes, can anyone with experience with PowerDNS help me find out how? I have seen dnsdist, but it seems it is more to load balance queries, which is not my use case.

Anything else I should think about? Thanks for your help!

LVI is a new class of transient-execution attacks exploiting microarchitectural flaws in modern processors to inject attacker data into a victim program and steal sensitive data and keys from Intel SGX, a secure vault in Intel processors for your personal data.

LVI turns previous data extraction attacks around, like Meltdown, Foreshadow, ZombieLoad, RIDL and Fallout, and defeats all existing mitigations. Instead of directly leaking data from the victim to the attacker, we proceed in the opposite direction: we smuggle — "inject" — the attacker's data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim’s fingerprints or passwords.

[...]

LVI in 4 simple steps:
1. Poison a hidden processor buffer with attacker values.
2. Induce a faulting or assisted load in the victim program.
3. The attacker's value is transiently injected into code gadgets following the faulting load in the victim program.
4. Side channels may leave secret-dependent traces, before the processor detects the mistake and rolls back all operations.

Source: https://lviattack.eu/

If there are any users here I have these questions for them:

What distro(s) do you use it with? I believe it is installed and configured automatically on Fedora/Redhat.

Do you use built-in settings, or customize for own use?

What admin tools come with it, what additional tools do you use?

Is it for own personal use, workplace computer or server administration?

Which aspects of your system do you mostly use it for?

Found this article on LET but it's from 2016 and commenters did not have a high opinion of author's skill.

So just want to check what if that's still roughly state-of-the-art?

Not looking to defend against sophisticated attackers (RAM dump etc) and I'm fine with OS partition being unencrypted. Database / docker / home should be though.

A solution compatible with ansible deployment would be a bonus since that's the next thing I'm tackling.

Since many use / offer WP hosting thought it might be relevant to post here.
Adding the 'raw' source - removed all UTM information
https://www.bleepingcomputer.com/news/security/millions-of-sites-exposed-by-flaw-in-jetpack-wordpress-plugin/