
$ sudowheel

Linux articles, guides, and deep dives

sudowheel ~ welcome
$ cat /etc/motd
Welcome to sudowheel.com
Practical Linux knowledge. No fluff. No filler.
Written by people who love Linux.
Latest Articles

MCPwn: CVE-2026-33032 nginx-ui Authentication Bypass Explained

CVE-2026-33032 is a CVSS 9.8 authentication bypass actively exploited in the wild. nginx-ui's Model Context Protocol implementation registers two HTTP endpoints for AI agent access -- one authenticated, one not -- and every destructive operation runs through the unprotected one. The result: unauthenticated remote write access to nginx configuration with automatic reload, exposing approximately 2,600 publicly reachable instances to instant server takeover. Covers the vulnerable mcp/router.go source, the fail-open ip_whitelist.go middleware, the full two-CVE attack chain, nine MITRE ATT&CK techniques from T1190 to T1557, and hardening steps including the exact app.ini IPWhiteList syntax and nftables rules that restrict port 9000 to management hosts only.

AlmaLinux Cybersecurity: What Is Specific to AlmaLinux and Why It Matters

The AlmaLinux-specific security landscape that sits on top of the inherited RHEL baseline: Codenotary immudb supply chain provenance with per-package SBOMs in a cryptographically chained append-only database, FIPS 140-3 validated modules (CMVP #4750 kernel, #4823 OpenSSL) delivered only through TuxCare ESU, the DISA STIG officially published under the "CloudLinux AlmaLinux OS 9" name (NIST NCP checklist 1264, V1R6 Final, 443 controls), Secure Boot keys generated on permanently air-gapped hardware with shim 16.1-4 dual-signing for the 2011 and 2023 Microsoft UEFI CAs, ABI compatibility tradeoffs that let Zenbleed patches ship before RHEL, SBAT revocation mechanics, IMA per-file signing, and post-quantum cryptography enabled in all OpenSSL 3.5 policies by default. Five interactive widgets: compliance framework reading path, FIPS deployment decision tree, STIG ID to CCI/SRG/NIST 800-53 lookup, CMVP timeline, and errata advisory taxonomy.

How to Configure AlmaLinux for Enterprise Security: SELinux, FIPS Mode, and CIS Benchmarks

SELinux enforces process isolation at the kernel using type enforcement labels that override root privileges. FIPS 140-3 constrains every cryptographic operation to NIST-validated algorithms through modules certified by atsec (CMVP #4750, #4823). CIS Benchmark v2.0.0 remediates the 100+ configuration gaps that neither covers -- partitioning, audit immutability, SSH cipher restrictions, PAM faillock, and sysctl hardening. Covers the Bell-LaPadula-to-container-isolation pipeline, the game-theoretic design behind FIPS Known-Answer Tests, and the asymmetric cost argument for keeping security controls enabled when they cause operational friction. Four interactive widgets let you simulate access control decisions, decode SELinux context labels, filter FIPS algorithm status, and walk through a multi-phase attack scenario.

Nmap: The Complete Guide to Network Scanning and Reconnaissance

All six port states, every major scan type, IPv6 scanning, firewall and IDS evasion, verbosity and debugging, 612 NSE scripts across 14 categories, and a six-phase professional assessment workflow. Commands verified against Nmap 7.98.

KadNap's Broken Kademlia: The Two Nodes That Gave Away a Botnet

KadNap hid its command-and-control infrastructure inside BitTorrent DHT traffic using a custom Kademlia implementation. Then it hardcoded two fixed relay nodes that never changed. Black Lotus Labs followed them straight to the infrastructure -- and to the Doppelganger proxy service monetising 14,000 compromised ASUS routers.

CSV Tooling on Linux: awk, csvkit, qsv, xan, and More

From coreutils primitives to Rust-powered pipelines -- a practical guide to processing CSV files on Linux using awk, cut, csvkit, q, qsv, and xan, including security considerations for CSV data from external sources.

Commercial Surveillance Vendors on Linux: Exploit Chains, Kernel Escalation, and Browser Delivery

How commercial surveillance vendors (CSVs) like NSO Group and Intellexa build three-stage exploit chains targeting Linux -- V8 renderer RCE, seccomp-bpf sandbox escape, and kernel privilege escalation via nf_tables, vsock, and OverlayFS -- with detection rules and hardening guidance.

New Linux Malware in 2026: What's Targeting Your Servers Right Now

PUMAKIT, perfctl, KadNap, SSHStalker, Goldoon, NerbianRAT, GTPdoor, and KrustyLoader -- eight active families with MITRE ATT&CK TTP mappings, container security implications, attribution analysis, incident response guidance, and a prioritized defensive action list.

Generate an Ed25519 SSH Key Pair with a Passphrase

Why Ed25519 replaced RSA, how bcrypt KDF protects private keys at rest, the -a flag for hardened KDF rounds, OpenSSH 10.0's post-quantum default, hardware-backed keys, sshd_config lockdown, and full key lifecycle management.

How to Disable Root Login for SSH on Ubuntu

One directive in sshd_config closes a commonly exploited SSH attack vector. Covers PermitRootLogin, drop-in config gotchas, cryptographic algorithm hardening, Match blocks, ForceCommand, SSH key setup, FIDO2 and TOTP MFA, authorized_keys hygiene, fail2ban, and lockout recovery -- with MITRE ATT&CK mappings throughout.

CVE-2026-3888: How Ubuntu's systemd Cleanup Timer Became a Root Escalation Path

A timing gap between snap-confine and systemd-tmpfiles hands any local user a path to full root on Ubuntu Desktop 24.04 and later. Neither component is broken in isolation -- the vulnerability lives in how they interact. Exact mechanism, CVSS vector, patched versions, auditd detection rules, and the architectural reason code review cannot catch this class of bug.

Do Not Run Your Game Server as Root on Linux

Running a game server as root on Linux is not a configuration choice -- it is a security decision with concrete consequences. Covers the real attack surface of game server plugins, the Fractureiser supply chain incident, CVE-2024-1086, dedicated service accounts, hardened systemd unit files, Linux capabilities, and exactly how to verify you are protected.

CVE-2026-27944: How a Missing Middleware Line in Nginx UI Turned Your Backups Into a Free Download

One unregistered route and one HTTP response header that shouldn't exist handed any unauthenticated attacker a fully decryptable backup of your Nginx server. Root cause analysis, exploitation mechanics, forensic indicators, and full remediation for Linux sysadmins.

Why Security-Conscious Gamers Play Minecraft on Linux

A technical look at telemetry architecture, kernel security primitives, JVM sandboxing changes, and network controls that make Linux the more defensible platform for running Minecraft -- from the Snooper's removal and return to Fractureiser's real-world blast radius and what the loss of the JVM SecurityManager actually means for mod safety.

Blocking Cheaters on Your DayZ Server Running Linux

BattlEye configuration, RCON integration, firewall hardening, log analysis, spoofer threat modeling, DDoS resilience, automated crash recovery, mod supply chain risk, VPN detection, player reporting infrastructure, ban data privacy, community anti-cheat mods, and community ban strategy -- a technical guide for DayZ dedicated server administrators running Ubuntu 22.04 or 24.04 LTS that goes further than anything else you will find.

Recovering X-Forwarded-For Pivot Chains from Linux Web Server Process Memory

How to extract and validate multi-hop XFF chains from Apache, Nginx, and PHP-FPM heap artifacts on Linux -- using gcore, LiME, and process-aware scanning to reconstruct attacker pivot paths after disk logs are gone.

WireGuard on Linux: Setting Up a Minimal, Modern VPN

On modern Linux systems, WireGuard runs as an in-kernel module, spans roughly 4,000 lines of C, and is built on the formally analyzed Noise protocol framework. Learn how it actually works -- and how to deploy it correctly.

Example nftables Rules: Filtering, NAT, Rate Limiting, and Sets

Build a hardened nftables firewall from the ground up: default-deny input policy, early blocklist drops, per-source SSH rate limiting with dynamic sets, ICMP flood protection, hairpin NAT, and a production ruleset that combines counters, structured logging, and reject-with-icmpx for clean failure signaling.

Zero-Trust Security on Linux: A Practical Implementation Guide

Translate NIST SP 800-207 into concrete Linux configurations -- from SSH hardening and SELinux enforcement to nftables microsegmentation, systemd sandboxing, kernel sysctl tuning, and continuous audit logging.

Wireshark with a Remote Linux Capture: tcpdump + SSH Piping

How to pipe a live kernel-resident packet stream from any headless Linux server directly into Wireshark's dissector engine -- using nothing but tcpdump, SSH, and BPF. Covers the libpcap wire format, mandatory flags, three capture methods, SSH performance tuning, and privilege hardening.

How to Audit Linux User Permissions and Find Security Gaps

A comprehensive methodology for auditing Linux user permissions -- covering the tools available, the specific checks to run, what to look for, and how to document and remediate what you find.

Hardening SSH: Beyond the Basics

Certificate-based authentication, jump hosts, port knocking, and fail2ban configurations that actually make a difference in production.

Paramiko: A Deep Technical Reference for Python SSH Automation

From the SSH handshake to SFTP internals, port forwarding to connection pooling -- everything you need to master Python's most powerful SSH library.

Linux Trojans: How Attackers Compromise the OS the World Trusts

BPFDoor, Symbiote, XorDDoS, OrBit, Syslogk -- how Linux trojans get in, how they hide, how they persist, and how to find them. Includes a defense coverage matrix, detection commands, and a live incident classification quiz.

Nmap with Linux: Network Scanning from the Command Line

How to install and operate Nmap 7.99 on Linux for network discovery and security auditing. Covers every scan type from SYN and TCP connect to UDP and SCTP INIT, the four-phase scanning process, service and version detection with version intensity tuning, OS fingerprinting mechanics, the Nmap Scripting Engine with 600+ scripts across 14 categories, timing templates, output formats, firewall and IDS evasion techniques, IPv6 scanning, Ndiff for tracking network changes over time, and what filtered, open|filtered, and unfiltered actually mean at the packet level.

Unauthorized Crontab Modification: How Attackers Abuse Linux Scheduling for Persistence

MITRE ATT&CK T1053.003 covers cron as an Execution, Persistence, and Privilege Escalation technique simultaneously. This guide maps every attacker behavior to its technique ID -- direct entry injection, impossible-date evasion (CronRAT), trojanized binary replacement (perfctl), PATH hijacking via /etc/profile, and AI-assisted layered persistence (Koske 2025) -- with auditd rules, binary integrity checks, a NIST SP 800-53 control mapping, and a detection coverage matrix showing exactly where each method evades standard tooling.