Audience and Prerequisites
This is intended for Linux users who have experience working with the command line.
You should be running any Red Hat-based distributions such as Rocky Linux, AlmaLinux,
or Oracle Linux. CentOS Stream is not a candidate for taking the RHCSA (Red Hat
Certified System Administrator) exam. A lot of people in the Linux community are not
happy about Red Hat discontinuing support for CentOS 8 and now Red Hat does not want
source code to be available for everyone, including Rocky Linux and AlmaLinux. Enough
with wordy paragraphs! We don't want anyone to scroll down too much in order to get
to the most important part! Let's get into the command line, shall we?
Oh, please pardon me for boring you with this, but I almost forgot. This article
assumes that you are logged in as a root user. This is bad security practice in the
production environment, but in the exam, it's okay to be root. If you break it, you
fix it and that will count against your time in the exam. But the important thing is
that you must come up with solutions as fast as possible. Of course, don't be in a
hurry in such a way that you will fail the exam. Okay, enough already! Let's get in
with it! *grinning face*
Type: File Contexts
The command for listing all available SELinux type contexts is:
seinfo -t
The command for listing only the type contexts that relate to the web server:
seinfo -t | grep httpd
So, you searched for anything related to httpd and you came across
httpd_sys_content_t. You need to specify a directory to host your
content other than in /var/www. To add the type context to a directory,
the command will be as follows:
semanage fcontext -a -t httpd_sys_content_t "/data/nas/www(/.*)?"
restorecon /data/nas/www
Longer version:
semanage fcontext --add --type httpd_sys_content_t "/data/nas/www(/.*)?"
The seinfo command is the SELinux policy information tool, semanage
is a SELinux policy management tool, and restorecon is for restoring default
SELinux security contexts to files and directories. The "type" contexts is the only one to be
to be concerned about when studying for any Linux exams, such as RHCSA (Red Hat Certified
System Administrator).
As for (/.*)?, that's called a regular expression. This is for setting any
subdirectories and files with the same context as the main directory. Try to remember this in
the RHCSA exam: open parenthesis, forward slash, period, asterisk, close parenthesis, question
mark, and that's about it. The only thing to remember is to have the entire path along with
the symbols in double quotes. In the RHCSA exam, you have access to the man pages, so take
advantage of that whenever possible.
For users of NVDA screen reader (Non-Visual Desktop
Access), NVDA does not speak a question mark such as CTRL+? (control plus question mark). I
do not know if this is a bug in the screen reader or if this is intentional, but at least
it's all I can do to help out if screen readers ignore question marks. That symbol is an
important part of a regular expression, so it needs to be translated to words. Hopefully I
can be of help.
Type: Contexts for Ports
What about ports? If you modify the port number in SSH configuration file
(/etc/ssh/sshd_config) and you restart the service
(systemctl restart sshd), even if you configure the firewall to allow a different
port number (example: firewall-cmd --add-port 12345 --permanent), you won't be
able to SSH into your server because SELinux gets in the way! It's easy to disable SELinux if
you do not mind exposing your server to outside security risks, but when studying for the exam,
it's important to never disable SELinux. Instead, let's search for port-related contexts.
Let's search for any services that have a phrase "port" for any type contexts:
seinfo -t | grep port
You should get a list of services. Let's narrow it down to SSH:
seinfo -t | grep port | grep ssh
Ah ha! There it is. It's ssh_port_t. Of course, I could also type the
following:
seinfo -t | grep ssh_port
And that should give me the same output. So, let's configure SELinux to allow TCP
port 12345 so that we can SSH into our Linux server.
semanage port -a -t ssh_port_t -p tcp 12345
And there you have it! You should now login to your server using SSH.
ssh -p 12345 username@servernameoripaddress
Of course, if you want to search for other services, such as Postfix:
seinfo -t | grep postfix
Oh, wow! So many contexts to choose from! But aren't we looking for
port-related contexts?
seinfo -t | grep port | grep postfix
Hmm... There are no port-related contexts related to Postfix. Of course,
what we do want is SMTP, which is port 25 by default, so let's narrow it
down to just "port" and "SMTP" (all lowercase, of course).
seinfo -t | grep port | grep smtp
# or "seinfo -t | grep smtp_port" (without quotes)
And you should get smtp_port_t. However, configuring an SMTP
server is beyond the scope of this tutorial about viewing the list of
available contexts. Plus, configuring firewalls and enabling/starting
services in a Linux server is also beyond the scope as well.
What Packages Provides seinfo and semanage?
dnf whatprovides */seinfo
The asterisk represents a wildcard, so this would assume that we do not
know the full path to seinfo command. That dnf
command, when executed, reveals a package called setools-console.
So, so install setools-console, just use the dnf install
command as follows:
dnf install setools-console
The same is for semanage:
dnf whatprovides */semanage
dnf install policycoreutils-python-utils
That package policycoreutils-python-utils is so wordy, isn't it?
*smile*
Don't stress over trying to remember that package name in the exam and in the
real world.
Conclusion
I hope I can be of help to anyone studying for RHCSA exam. Hopefully
you should be able to know how to set SELinux type contexts for directories
and ports. If you are not taking an exam (you should if you want to
further your career in Linux and Information Technology), I hope I can be
of help as well! Have fun administrating your Linux servers!
And yes, I could have used emojis, but screen readers come first! *smile*
Article published: 2023-08-12 13:10
Categories: The World of Computers, Computers, Information Technology, Security
Instructions
- From your smartphone (not your desktop or laptop computer), open the Uber application.
- Tap Account. The Account button is located at the bottom right of your smartphone's screen.
- Tap your avatar to the right of your name.
- Tap your email address to change your email address. Skip to step 6 if you do not make use of unique email addresses for every account that you signed up for.
- Once you change your email address, tap Update. Go into your email account and look for an email from Uber. Enter the verification code that Uber gave you.
- Tap your password. You will need to verify your password first before you generate your new password from a password manager.
And you are done! Congratulations! You have successfully changed your unique email address and password! Stay safe!
Cannot Change Email Address and Password in Uber's Website
If you are like me, you watched a video about Uber Has Been Hacked and you have a unique email address and unique password assigned to your Uber account. If you make use of a password manager such as Bitwarden or KeePassXC but do not have more than one email address, that's okay and unique passwords are important anyway. Password managers saved me from re-using passwords and I cannot remember hundreds of passwords.
So you learned about Uber that got hacked and we all know that we should change our passwords, correct? For no reason, Uber won't let me change my email address and password in their website. I have to change that in an Uber app in my smartphone. And yes, I went into my profile after I sign into Uber's website and there is no way to change both my email address and password!
The Only Way To Change Important and Sensitive Information?
That's right! Your smartphone! If you need to change your email address and password, you must open the Uber app in order to change what you need to change. And you know what? My computer is a lot more convenient than my smartphone. Why? Physical keyboard, a mouse, and a large monitor. I have to have my smartphone very close to me due to my visual impairment and the use of my smartphone can hurt my back. It would be nice if I could connect my smartphone to a dock and use my computer monitor, mouse, and keyboard to control my smartphone. That reminds me of Purism's Librem 5 smartphone. I found a video called Desktop and Phone Convergence. Purism Librem 5 is not only a smartphone, but it is more of a general-purpose computer. The smartphone runs PureOS, a Linux distribution made for Librem laptops and Librem 5 smartphone. If Android could do convergence right out of the box, I could turn off my Mac Mini that I currently have in order to save power and just use my smartphone like a computer. That way, I could pull up an Uber application using my mouse and keyboard and I can change my email address and password from there! I do not have to worry about visiting Uber's website.
Surely, we should be able to change our email address and password right from Uber's website, right? At the end of the day, I think we are living in a smartphone-first world where smartphones are all the rage these days. And all the smartphone manufacturers are all copying Apple's designs with the exception of Planet Computer Astro Slide 5G. That smartphone has a built-in physical keyboard and I would love to get my hands on one when it ships. Oh, and you can thank me for providing instructions at the very beginning of my article. Far too many blogging websites make it seem so wordy that their articles provide lots of reasons for changing the password that I would have to scroll down the article in order to view the instructions. Simply read the instructions from the beginning of this article and you can change your email address and password in no time!
And people will always fall for social engineering problems. 🙂
Article published: 2022-09-17 12:16
Categories: The World of Computers, Information Technology, Security
I watched the video about whether the ransomware can be stopped and I scrolled down through the comment section. While reading comments, some people are suggesting that we switch to Linux because Linux is more secure compared to Windows. That is true that Linux is inherently secure compared to Windows and Mac; however, what if I were to tell you that if you are running Arch Linux, Fedora, Ubuntu, Solaris, FreeBSD, OpenBSD, Haiku OS, or just about any other operating systems in our planet that you can still fall victim to phishing attacks? If we all switch to a different operating system on a basis that one is more secure compared to other operating systems, then we are forgetting about our weakest link.
Let me ask you again. Who or what is the weakest link in the cybersecurity chain? It's not Windows; we are the ones that need education so we can protect ourselves online.
No anti-malware, anti-virus, and anti-ransomware programs will protect you against ransomware attacks. And Linux and BSD operating systems won't protect you from phishing emails either. What we need is cybersecurity awareness training. Businesses should establish cybersecurity awareness training. Here's one example that shows a video about cybersecurity awareness training from Burgi Technologies. The video starts with email, which talks about safeguarding your email such as phishing, email attachments, and spam. Do note though that an email address can be spoofed, so if you receive a phishing email and the email address in the From field ends in @paypal.com and the email claims to be from PayPal, you should simply go to PayPal's website and check what is going on in your PayPal account. Plus, the security awareness training talks about passwords, malware (don't forget that malware can target Linux computers as well), public Wi-Fi, and even IoT, such as thermostats, Google Nest cameras, and even light bulbs. Even a router needs to be protected as well. And don't forget about social engineering as well.
Remember what I mentioned about PayPal? Phishing attacks is one of them. They can even call you over the phone by impersonating that someone is your employer. They might say it's urgent and they need access to the username and password so they can access the network resources so they can do harm. In other words, they can manipulate you into disclosing confidential or sensitive information.
Regarding security question and answers, it's convenient if you forget your password, but put in your correct information and once an attacker can scour the Internet tin order to look for information, they can click the "reset password" link, fill in the answers to questions, and once everything is correct, they can then reset the password so you cannot access your account any longer. This is where a password manager comes in. Your password manager of choice can remember gibberish answers to questions. For example:
Question: What is your boyfriend's name?
Answer: I would like to say thank you to my friend 68dagbbzpTmR5.
Question: What is your first car you owned?
Answer: My beautiful-looking car is my bicycle and I love jverw89.TmZr
Question: What is your mother's maiden name?
Answer: oi9574bn8tTv8rBz0qpM.,[23w489hZm
A lack of honesty can safeguard your account against information gathering so they can do harm to your account. That's why a password manager such as Bitwarden can come in handy so that a password manager can help remember your gibberish answers to security questions. And no, security questions is not a security feature. If I know so much about you and I know your email address, I can gather information about you and reset your password by answering security questions without your knowledge. I know this is scary, but don't let that scare you if you are using a password manager.
To take it a step further, I also make use of unique email addresses as aliases. I do not use plus addressing or catchall because I can create email addresses for my own domain name. I use different email addresses for different sites that I sign up for. For example, I gave pizzahut(at)example(dot)com to Pizza Hut, uber(at)example(dot)com for Uber, walmart(at)example(dot)com for Wal-Mart, bestbuy(at)example(dot)com, and so on and so forth. Not only is this good for security, unique email addresses enhances my privacy. Sure, this is not part of cybersecurity awareness training as employees may not have the luxury of having more than 1 email addresses, but I did this in order to take security into my own hands so that I won't become a weakest link in the cybersecurity chain. Even if businesses said that they took security seriously, if one of my unique email addresses have been compromised in a breach and ends up in Have I Been Pwned, not only should I change the password using my password manager, I can change my email address right away. Why? I did this in order to dodge spam and phishing emails. Because I make use of unique email addresses, I get very little to no spam each month. If I do get spam email messages that lands in my spam or inbox folder and one of my unique email addresses were listed in the To field, I can consider my email address compromised and can track who sold or give away my email address and change my email address or stop doing business with them at any time, immediately delete my compromised email address, and move on with my life.
Don't let Linux users tell you that you should switch to Linux no matter how inherently secure Linux is. At the end of the day, no matter how much we need to keep our operating systems and software up to date, we still are the weakest link in the cybersecurity chain. We still need to educate everyone in order to stay safe online. Linux is not a be-all-end-all solution to our security problems.
Article published: 2022-04-17 15:56
Categories: The World of Computers, Security
(For my blog post, I want to focus on the audience regarding people who use Internet every single day and knows a lot about cybersecurity. Myself included.)
Imagine a scenario: you went to get your haircut and the place you went to requires you to enter an email address before you get your haircut. Why? Even if I do have a smartphone and I use Internet every single day, why must I put in my email address? For what purpose? To send spam? For businesses, they might say "we respect your privacy and take security seriously," but in my mind, I would say that if an email gets compromised in a data breach, it's more likely that those who are not tech-savvy are more likely to receive spam and phishing emails. Not thinking about security when using the Internet can lead to ransomware and identity theft. They might stop using the computer altogether because of fear of feeling unsafe online.
Okay, so I can imagine people asking...
What is ransomware?
So anyone who have not used the Internet before would then ask...
Okay, so what is malware? Oh, maybe I should click in the link. Oh, and what is a file?
Okay, I can imagine tech-savvy folks asking "what do you mean, 'what is a file?' Do you ever know how to use a computer before?" How can we guide people who does not use Internet every single day, let alone not knowing "what is an Internet?"
What is an operating system? Windows? Mac? Linux? What is an email address? What is a "file?" See where I'm going with? What is Android? iPhone? iOS? How do I manage files and folders in my computer? How do I check my email? I hope you get my point.
So back to the topic about email address requirement, people who have no plans to educate themselves regarding security and privacy should not have an email address and should not be using the Internet. Even a smartphone can be very complex compared to a cell phone that only make and receive phone calls and nothing else. Let alone how to send and read text messages. And yes, I'm talking about people who use cell phones with no capability for browsing the Internet. Not even Firefox, Chrome, or Safari.
Okay, so you say that your 90-year-old family member knows how to use the Internet, takes care of security themselves, and I should not overly-generalize myself. Well, that's great, but we should not force everyone to have a smartphone just so they can face dangers lingering in the Internet.. People should be educated regarding the implications regarding cyber attacks and how to protect themselves; however, as long as people out there (Demographics of Cybercrime Report) do not take their time to educate and protect themselves, businesses should not require them to have an email address when they check in. Even dentists should make email address requirement optional as well. Even though I have close to 200 email addresses at the time of writing (one email address per site with no plus addressing and no catchall for my domain), I do not want to enter my email address if I do not want to for privacy and security reasons.
Businesses say "we take security and privacy seriously," yet businesses do not take their time to harden and patch their systems over time. Of course, training employees regarding how to protect themselves against phishing emails is a very important part of having a security culture for businesses. But then again, an email address would be a requirement for businesses for getting your customers to setup an account online, but in a physical world where people simply walk in, as long as people do not use the Internet and do not plan to educate themselves, an email address should not be a requirement. At all.
Article published: 2021-10-06 12:00
Categories: The World of Computers, Computers, Security
