Security on Amit Agarwal Linux Blog

Ollama Security Hardening: Practical Guide for Cloud Deployments

Sun, 22 Mar 2026 00:00:00 +0530

A no-nonsense, actionable guide to securing Ollama for cloud deployments. Covers network lockdown, reverse proxy setup, OS hardening, prompt filtering, supply chain control, and advanced strategies.

Don’t Enter Your Password Into That Website: A Rant You Need to Hear

Thu, 01 May 2025 00:00:00 +0530

Don’t Enter Your Password Into That Website: A Rant You Need to Hear

Let me set the stage.

I came across a YouTube video the other day where the creator casually suggested that you can “check if your password has been leaked” by typing it directly into a website or tool. It was not a very popular content creator, none the less, I think we need to talk about this.

Understanding Login Types in Windows

Sun, 03 Nov 2024 00:00:00 +0530

Introduction

Windows operating systems offer various login types that define how users authenticate themselves and gain access to the system. Understanding these login types is crucial for both users and system administrators, as they impact security, access levels, and overall user experience in a Windows environment. In this blog post, we’ll explore the different types of logins in Windows, how to check which login type you are using, and how these types influence your permissions and capabilities within the operating system.

HTTPSorHTTP

Sun, 08 Sep 2024 00:00:00 +0530

The Illusion of Web Security: A Cautionary Tale

Alex was a bright developer. Fresh out of college and eager to make a mark, he landed a job at a promising tech startup. His first major project: build a new web application for the company’s clients. As Alex dove into the world of code, he kept hearing the same advice from his peers and mentors: “Make sure the site uses HTTPS. It’s the gold standard for web security.”

ssh trick – ssh to remote host with bastion host

Mon, 16 Sep 2019 00:55:20 +0000

Lot of times, you have to ssh to a server with bastion host. If you dont know what is bastion host then see this:

Now, in such cases, either you add an entry in “~/.ssh/config” to route the ssh through the bastion host or do ssh to bastion host and then ssh from there to the actual host. But wait, there is always a better way:

https site available now with cert from cacert.org

Sat, 30 May 2015 00:59:13 +0000

More about cacert.org :

CAcert.org is a community-driven Certificate Authority that issues certificates to the public at large for free.

CAcert’s goal is to promote awareness and education on computer security through the use of encryption, specifically by providing cryptographic certificates. These certificates can be used to digitally sign and encrypt email, authenticate and authorize users connecting to websites and secure data transmission over the internet. Any application that supports the Secure Socket Layer Protocol (SSL or TLS) can make use of certificates signed by CAcert, as can any application that uses X.509 certificates, e.g. for encryption or code signing and document signatures.

ssh authorized keys – limit ssh session to custom command

Wed, 04 Mar 2015 00:34:21 +0000

If you want a ssh key to be able to run a custom command only and nothing beyond that, then you can use the “command” option in the authorized_keys file of ssh.

For example, to limit user to run only top command with a key, you can add the key like this:

echo 'command="/usr/bin/top" ssh-rsa ' >>~/.ssh/authorized_keys

shell script for some quick tests on Linux

Thu, 22 Jan 2015 00:43:31 +0000

Head over to the link and grab the script. Just run it and make yourself a little bit more safe 🙂

https://github.com/rebootuser/LinEnum

Search CVE – web interface with php

Mon, 03 Nov 2014 01:23:03 +0000

So, last few weeks have been very busy with lot of security issues, so I thought of having a local CVE Search app. But all I could find on google and github.com were on python and nothing that I could use quickly. So here is link to one that I wrote quickly:

CVE Search PHP

It’s in php. So just download in some folder and access from a web-server and you are done.

Sandbox apache (httpd) for better security.

Wed, 26 Mar 2014 13:37:40 +0000

Apache/httpd is something which you would like to have contained. And now fedora provides a native way/mechanism to to so with virt-sandbox-service. With this, you can create a virtualized sanbox service and then connect/list/manage such with virsh.

We will be using LXC.

Basically its couple of commands and you have a contained service running.

# List all the containers
virsh -c lxc:/// list

# Create the sandbox, all default parameters. Will take dhcp address.
virt-sandbox-service create -C  --username amitag -u httpd.service httpd_conta

# Create the container with static IP.
virt-sandbox-service create -C  --username amitag -u httpd.service -N \
address=192.168.122.11/24%192.168.122.255  httpd_conta#Enable and start the service.
virt-sandbox-service start httpd_conta
virt-sandbox-service enable httpd_conta#Delete the container if not required any more.
virt-sandbox-service delete  httpd_conta

Sandbox Firefox – First step to security

Wed, 19 Mar 2014 01:21:04 +0000

First we will setup cgroup to limit cpu and memory usage, so here we go:

Add the configuration in /etc/cgconfig.conf

#------start cgconfig----------------
#new group
group firefox {
    perm {
        task {
#user your login id and group here, so that you can control this group
        uid = amitag;
        gid = amitag;
        }
        admin {
# same as above, set to your login id and group.
           uid = amitag;
           gid = amitag;
        }
    }
# set the limits for cpu.. by default there are 1024 shares of cpu with no other groups,
# so share of 102 would be around 10% .
    cpu{
        cpu.shares="102";
    }
# limit the cpus to be used to only 0-1
    cpuset{
        cpuset.cpus=0-1;
        cpuset.mems=0;
    }
# limit the maximum memory to 700Mb.
    memory {
        memory.limit_in_bytes="700M";
        memory.max_usage_in_bytes="0";
    }
}
#------end cgconfig----------------

configure firewall – the easy way.

Wed, 24 Apr 2013 00:50:17 +0000

It is good practice to keep iptables/firewall enabled. But configuring it is difficult, do you agree. Not any more 🙂

Install firewall-config

sudo yum install firewall-config

This will install a GUI application, which you can run with “Firewall” application in the dash or with “firewall-config” in terminal. It is pretty straight forward to use this tool, even if you don’t have much knowledge on Firewall/iptables.

Allow incoming/outgoing ports on iptables

Tue, 27 Nov 2012 00:22:23 +0000

Schematic for the packet flow paths through Linux networking and Xtables (Photo credit: Wikipedia)

Last couple of years, I just used to disable iptables on my system, this time I decided not to disable it and keep it enabled.

So far so good, now comes the tricky part, I have http server enabled on my system and since this is on local network with already firewall and other security in place so I can allow all incoming to my system and similarly I need to enable XDMCP outgoing. So, I can add the rules like this :

mysql output to an array for easy parsing.

Wed, 11 May 2011 16:51:25 +0000

Today I was looking for some way to put the output of the mysql output in an array in a bash script. Quick google search yeilded to results something like this:

  <td>
    <div class="text codecolorer">
      output=$(mysql -e "select * from table")
    </div>
  </td>
</tr>

The problem with the above approach is that all the words go into separate index. So if you have a line that has space then that is split into multiple index’s. Not good…

Security — Installing and monitoring snort logs.

Fri, 04 Jun 2010 02:06:49 +0000

Snort is a very good security tool to install if you are concerned about the security of your system. I find it really useful but the problem is I keep forgetting to monitor the logs so what did I do, I installed snort and configured cron to send to logs everyday, here’s how.

On fedora, snort is available in the repository but the rules are not. So to install snort just type in the following in a terminal:

How to write a Linux virus – well or a trojan.

Tue, 18 May 2010 16:35:20 +0000

<a href="http://www.geekzone.co.nz/foobar/6229" target="_blank">How to write a Linux virus

and the folloup thereof

<a href="http://www.geekzone.co.nz/foobar/6236" target="_blank">Follow up: How to write a Linux virus

Thats quite a lot of discussion and an interesting one too. I too liked the point that the authour is trying to make, that is Linux too is not completely safe. I would rather like to put it as not ”Fool Proof”.

But no one is fool. Its just the matter of time when you do something foolish. People do keep thinking about various things and keep working. That being the case, it is not too difficult that someone would actually run the program. But the caveat is that the program/virus/trojan would still show up at some places. So you need to do few more things for this to work. If you are keen on doing this, then you need to atleast add these:

Damn Vulnerable Linux – DVL review

Thu, 04 Feb 2010 15:58:32 +0000

Today morning I got a chance to look at one of the other less commonly known Linux Distribution and out of the line distribution, very good for Learning purposes. The distribution is known as DVL (Damn Vulnerable Linux). As the name suggest this is for people looking at developing their skills in Security and Penetration testing. Quite a lot of good and interesting tools are included. More is left for users to experiment but I definately liked the distribution. Here is the <a href="http://www.damnvulnerablelinux.org/" target="_blank">homepage.

Metasploit Project Sold To Rapid7

Thu, 29 Oct 2009 03:08:01 +0000

[ad]

ancientribe writes ”The wildly popular, open-source Metasploit penetration testing tool project has been sold to Rapid7, a vulnerability management vendor, paving the way for a commercial version of Metasploit to eventually hit the market. HD Moore, creator of Metasploit, was hired by Rapid7 and will continue heading up the project. This is big news for the indie Metasploit Project, which now gets full-time resources. Moore says this will translate into faster turnaround for new features. Just what a commercial Metasploit product will look like is still in the works, but Rapid7 expects to keep the Metasploit penetration testing tool as a separate product with ’high integration’ into Rapid7’s vulnerability management products.”

Database of vulnurability at milw0rm.com – udpate and makeindex with cron.

Tue, 08 Sep 2009 16:06:53 +0000

I am quite regular visitor of milw0rm and generally try to keep up with the vul’s. For doing this I wrote a small scripts rather set of scripts to keep myself update. Here’s what we are going to do:

Get the latest tar from the site.
Extract it.
Make the index
Have a shortcut to search the index.

Download the attached files for the first 2 points. <a href="http://blog.amit-agarwal.co.in/wp-content/uploads/2009/09/makeindex-milw0rm.sh">makeindex-milw0rm and <a href="http://blog.amit-agarwal.co.in/wp-content/uploads/2009/09/udpate-milw0rm.sh">udpate-milw0rm

Consider your account to be for you then use Linux

Wed, 12 Aug 2009 15:58:11 +0000

Found <a href="http://www.esecurityplanet.com/features/article.php/51671_3834031_1/Consider-Linux-for-Secure-Online-Banking.htm" target="_blank">this nice article today, may be it will save someone his lifetime earning.

[[danscartoon]]