Had to happen someday:
http://computerworld.co.nz/news.nsf/scrt/CD0B9D97EE6FE411CC25736A000E4723
I for one am rather pleased, not due to users' boxes being taken over, because that's sad. What does make me happy is that no one can really say Linux is more secure than Windows and still believe they have half a brain.
Like I always believed, if Linux had a 90% worldwide usage, they would be the ones hotfixing daily.
Hooray for a level OS playing field, exploits included.
-
-
Hum, someone saying that Linux is at risk at a Microsoft-sponsored security symposium, whatever next.

With all those racks of identically configured Linux servers in many hosting companies, they must make tempting targets for controlling your legions of Windows bots. -
ixdatul wrote:Had to happen someday:
http://computerworld.co.nz/news.nsf/scrt/CD0B9D97EE6FE411CC25736A000E4723
I for one am rather pleased, not due to users' boxes being taken over, because that's sad. What does make me happy is that no one can really say Linux is more secure than Windows and still believe they have half a brain.
Like I always believed, if Linux had a 90% worldwide usage, they would be the ones hotfixing daily.
Hooray for a level OS playing field, exploits included.
Point taken, but I don't think the article was actually talking about the 'hackability' of Linux.
It pointed out that many phishing scams and botnet launches begin on Linux boxes, which makes sense because they're a lot cheaper to send malware from than Windows machines.
I don't think that criminals using Linux to scam people is really a reflection on how secure it is. The article also pointed out that most of these attacks are still directed at Windows, which also makes sense for your professional malware writer.
-
This still isn't possible with a default Ubuntu install which has no ports open.
I'm guessing the boxes getting rooted are run by greenhorn sysadmins who run SSH (it's SSH, that means it's totally secure and nothing bad can happen, right???) with no sort of protection against brute force login attempts and weak passwords. It's nothing to see thousands of login attempts every day. You either need to use something like public key authentication and deny interactive logins, or run something like denyhosts which will lock out zombie machines.
So to summarize, the point of failure is the sysadmin, not the operating system. -
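The "thousands of login attempts every day" TimP describes are easy to spot in the sshd log, and counting them per source address is the signal denyhosts-style tools act on. As an added example, not code from the thread, here is a POSIX shell function that does that count over an OpenSSH auth log; the log lines are constructed samples, and the IP addresses are documentation ranges, not real hosts.

```shell
#!/bin/sh
# flag_ssh_bruteforce LOGFILE [THRESHOLD]
# Prints "<count> <ip>" for every source address with at least THRESHOLD
# "Failed password" entries in an OpenSSH auth log, most active first.
# In practice point it at /var/log/auth.log (or journalctl -u ssh output).
flag_ssh_bruteforce() {
    logfile=$1
    threshold=${2:-10}
    grep 'sshd\[[0-9]*\]: Failed password' "$logfile" \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Constructed sample log in OpenSSH's auth.log format (not real data):
# twelve password failures from one address, then a single typo and a
# successful public-key login from another.
make_sample_log() {
    f=$(mktemp)
    i=0
    while [ $i -lt 12 ]; do
        echo "Oct  1 03:1$((i%10)):07 host sshd[2111]: Failed password for invalid user admin from 203.0.113.45 port 5$i ssh2" >> "$f"
        i=$((i+1))
    done
    echo "Oct  1 03:20:01 host sshd[2120]: Failed password for alice from 198.51.100.7 port 51022 ssh2" >> "$f"
    echo "Oct  1 03:20:09 host sshd[2120]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2" >> "$f"
    echo "$f"
}
```

A single failure from a real user stays below any sensible threshold, while the scripted guesser shows up immediately; the count is what a blocklist or firewall rule should key on, not the mere presence of a failed login.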
PerfectPhase wrote:Hum someone saying that Linux is at risk at a Microsoft-sponsored security symposium, whatever next

With all those racks of identically configured Linux servers in many hosting companies, they must make tempting targets for controlling your legions of Windows bots.
Except all those racks of professionally maintained identically configured Linux servers are very tightly locked down, and don't have users installing things on them on a daily basis.
Which is where the desktop windows box really gets vulnerable... Damn users.
Still, no-one with any common sense has ever said Linux is immune to security threats. -
Massif wrote:
Except all those racks of professionally maintained identically configured linux servers are very tightly locked down, and don't have users installing things on them on a daily basis.
Ah... my mistake; I thought the article was talking about these organised phishers getting their own Linux boxes, not just hacking someone else's.
In that case
... bugger ....
-
TimP wrote:
So to summarize, the point of failure is the sysadmin, not the operating system.
The same could be said for the hundreds of thousands of Windows users affected by rootkits, worms, trojans, etc. Read USERS, not sysadmins. The point I was making was that ANY OS is vulnerable at a user level. The article inferred that the users they spoke to were run-of-the-mill desktop client users. In that user environment I find it hard to believe that any OS is unbreakable.
Now if we are talking networking professionals, then yes, they should know better, but an end user....I think not.
Read Joe User: "SSH? is that a place I can get a home loan?"
All in all, Microsoft does a pretty good job securing an end user environment while still making it accessible, providing ease of use, and supporting the majority of end user required software.
-
This really isn't news. All this will do is propagate FUD by the uneducated folks.
As I've said before... 90% of Linux distributions have about the same security innovations as Windows XP in a restricted user account mode. This is because people believe that Linux is ultimately secure by default--that isn't true and never has been.
The only distributions that have a full security implementation are those based on RHEL and Fedora. But even then all of it is useless if not enabled by the user, fine-tuned, and software kept up-to-date. Security is far more than blocking applications from listening to outside ports by default. -
Xaero_Vincent wrote:This really isn't news. All this will do is propagate FUD by the uneducated folks.
As I've said before... 90% of Linux distributions have about the same security innovations as Windows XP in a restricted user account mode. This is because people believe that Linux is ultimately secure by default--that isn't true and never has been.
The only distributions that have a full security implementation are those based on RHEL and Fedora. But even then all of it is useless if not enabled by the user, fine-tuned, and software kept up-to-date. Security is far more than blocking applications from listening to outside ports by default.
++
I couldn't have said it better if I tried....and I did
-
-
Xaero_Vincent wrote:Security is far more than blocking applications from listening to outside ports by default.
I would bet that 90%+ of vulnerabilities come from:
1. Bad passwords and a system running telnet, SSH, or FTP on an open port.
2. Web server serving up vulnerable web apps.
All the "AppArmor, stack smashing protection, etc." won't get you jack. -
TimP wrote:I would bet that 90%+ of vulnerabilities come from:
1. Bad passwords and a system running telnet, SSH, or FTP on an open port.
2. Web server serving up vulnerable web apps.
All the "AppArmor, stack smashing protection, etc." won't get you jack.
Bad passwords are a user security flaw. Telnet, SSH, Sendmail, FTP, etc. are all covered by SELinux targeted policy by default. SELinux also has features to protect network interfaces, sockets, and ports. Using a port scanner and configuring the firewall to close unused ports helps too.
RHEL and Fedora have several features that help prevent buffer overflow exploits and rootkits. I cannot speak much for vulnerable web apps, except that if a hacker tries to exploit a secure RHEL/Fedora system via Apache, they will have quite a lot of trouble. Apache webserver is covered by Exec-Shield (ASLR, etc.), an SELinux policy, and binary file tamper protection (ELF DH). The amount of damage a hacker could do in that context (assuming Apache had an unpatched security hole on the system) would be minuscule at best.
-
Here are some useful tips a guy on Slashdot posted to help protect your Linux servers in addition to the things I've mentioned:
- Run a hardware NAT firewall/router. Any ol' Linksys, Dlink or Netgear thang will do. Just remember it's not the be all and end all to security problems.
- Open as few ports as absolutely possible. I have nothing open on my router except port 22 and BitTorrent, and I don't leave BitTorrent running all the time.
- Check your logs at least once a day. Look for any suspicious signs -- missing log entries, ssh connects you weren't expecting, services running that you don't normally have running, NICs going into promiscuous mode unexpectedly, excessive mail being pumped through any MTAs, etc.
- When running OpenSSH, I disallow password authentication. This prevents problems with users due to the use of stupid passwords. My sshd only accepts a valid RSA key exchange as acceptable authorization.
- Regularly update and run rootkit checkers. These are not the be all and end all, but they help spot obvious rootkits.
- Make cron jobs that regularly scan your system for unusual permissions -- world writeable, binaries that are setuid, etc. and for suspicious files. There are programs and scripts that will do this for you. STFW or check with your distro.
- Perform MD5 checking on your files, and especially your executables.
- Regularly check your /etc/passwd and /etc/group files for new or unusual entries.
- Don't run NIS -- it's inherently insecure. You should be using OpenLDAP if you need directory authorization on your network.
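The cron-job sweep and file checking in that list are a few lines of shell. As an added example (not from the thread or from the Slashdot post it quotes), the functions below flag world-writable and setuid/setgid files under a tree, and keep a hash manifest so a later run reports changed, missing and newly added files. They assume GNU find and coreutils, and use sha256sum rather than the MD5 the list suggests, since MD5 collisions are practical and the workflow is otherwise identical.

```shell
#!/bin/sh
# Cron-style integrity sweep (added example, not code from the thread).
# Requires GNU find (-printf) and GNU coreutils (sha256sum -c, sort -z).

# scan_perms DIR: print "<octal mode> <path>" for world-writable regular
# files and for setuid/setgid files. Either deserves a second look on a server.
scan_perms() {
    find "$1" -type f \( -perm -0002 -o -perm -4000 -o -perm -2000 \) \
        -printf '%m %p\n' | sort
}

# make_manifest DIR MANIFEST: record a baseline hash of every file.
# Keep the manifest off the host or on read-only media: a rootkit that can
# rewrite binaries can just as easily rewrite a manifest stored next to them.
make_manifest() {
    find "$1" -type f -print0 | sort -z | xargs -0 sha256sum > "$2"
}

# verify_manifest MANIFEST: print each changed or missing file and exit
# non-zero if there were any; prints nothing and exits 0 when all match.
verify_manifest() {
    sha256sum --quiet -c "$1" 2>/dev/null
}

# new_files DIR MANIFEST: files present now but absent from the manifest.
# sha256sum -c only checks the paths it was given, so a dropped-in binary
# needs this separate pass to be noticed.
new_files() {
    known=$(mktemp)
    cut -d' ' -f3- "$2" | sort > "$known"
    find "$1" -type f | sort | comm -13 "$known" -
    rm -f "$known"
}
```

Run make_manifest once over a known-good tree (for example /usr/bin and /sbin) and schedule scan_perms, verify_manifest and new_files from cron; anything they print is worth reading alongside the log review the list already recommends.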
-
Xaero_Vincent wrote:

TimP wrote:
I would bet that 90%+ of vulnerabilities come from:
1. Bad passwords and a system running telnet, SSH, or FTP on an open port.
2. Web server serving up vulnerable web apps.
All the "AppArmor, stack smashing protection, etc." won't get you jack.
Bad passwords are a user security flaw. Telnet, SSH, Sendmail, FTP, etc. are all covered by SELinux targeted policy by default. SELinux also has features to protect network interfaces, sockets, and ports. Using a port scanner and configuring the firewall to close unused ports helps too. There's more to compromising a system than just rootkits and replacing system executables.
RHEL and Fedora have several features that help prevent buffer overflow exploits and rootkits. I cannot speak much for vulnerable web apps, except that if a hacker tries to exploit a secure RHEL/Fedora system via Apache, they will have quite a lot of trouble. Apache webserver is covered by Exec-Shield (ASLR, etc.), an SELinux policy, and binary file tamper protection (ELF DH). The amount of damage a hacker could do in that context (assuming Apache had an unpatched security hole on the system) would be minuscule at best.
Say a PHP web app has write access to a web accessible folder. If there's any way to inject PHP code (I think Wordpress has had this in the past), you can have the server serving up whatever content you want in a matter of minutes. In this case, no combination of SELinux, Exec-Shield, etc. will help you.
I see SELinux, AppArmor, etc. as being useful to protect a machine where other users have accounts that you're aware of, but that you don't trust to not root your machine if they could.
I guess what I'm trying to get at is if you're going to try to compromise a remote machine, it'll be through a weak password or probably a weak web application, not an exploit in Apache, SSH, or an FTP server. -
Xaero_Vincent wrote:Here are some useful tips a guy on Slashdot posted to help protect your Linux servers in addition to the things I've mentioned:
- Run a hardware NAT firewall/router. Any ol' Linksys, Dlink or Netgear thang will do. Just remember it's not the be all and end all to security problems.
- Open as few ports as absolutely possible. I have nothing open on my router except port 22 and BitTorrent, and I don't leave BitTorrent running all the time.
- Check your logs at least once a day. Look for any suspicious signs -- missing log entries, ssh connects you weren't expecting, services running that you don't normally have running, NICs going into promiscuous mode unexpectedly, excessive mail being pumped through any MTAs, etc.
- When running OpenSSH, I disallow password authentication. This prevents problems with users due to the use of stupid passwords. My sshd only accepts a valid RSA key exchange as acceptable authorization.
- Regularly update and run rootkit checkers. These are not the be all and end all, but they help spot obvious rootkits.
- Make cron jobs that regularly scan your system for unusual permissions -- world writeable, binaries that are setuid, etc. and for suspicious files. There are programs and scripts that will do this for you. STFW or check with your distro.
- Perform MD5 checking on your files, and especially your executables.
- Regularly check your /etc/passwd and /etc/group files for new or unusual entries.
- Don't run NIS -- it's inherently insecure. You should be using OpenLDAP if you need directory authorization on your network.
I was hoping you could simplify that so I could explain it to my mom.
She heard it was the year of the linux desktop and so, you know, she installed it. -
ScanIAm wrote:

Xaero_Vincent wrote:
Here are some useful tips a guy on Slashdot posted to help protect your Linux servers in addition to the things I've mentioned:
- Run a hardware NAT firewall/router. Any ol' Linksys, Dlink or Netgear thang will do. Just remember it's not the be all and end all to security problems.
- Open as few ports as absolutely possible. I have nothing open on my router except port 22 and BitTorrent, and I don't leave BitTorrent running all the time.
- Check your logs at least once a day. Look for any suspicious signs -- missing log entries, ssh connects you weren't expecting, services running that you don't normally have running, NICs going into promiscuous mode unexpectedly, excessive mail being pumped through any MTAs, etc.
- When running OpenSSH, I disallow password authentication. This prevents problems with users due to the use of stupid passwords. My sshd only accepts a valid RSA key exchange as acceptable authorization.
- Regularly update and run rootkit checkers. These are not the be all and end all, but they help spot obvious rootkits.
- Make cron jobs that regularly scan your system for unusual permissions -- world writeable, binaries that are setuid, etc. and for suspicious files. There are programs and scripts that will do this for you. STFW or check with your distro.
- Perform MD5 checking on your files, and especially your executables.
- Regularly check your /etc/passwd and /etc/group files for new or unusual entries.
- Don't run NIS -- it's inherently insecure. You should be using OpenLDAP if you need directory authorization on your network.
I was hoping you could simplify that so I could explain it to my mom.
She heard it was the year of the linux desktop and so, you know, she installed it.
Well, at least your mom has access to someone who knows computers well (read: you), and who can explain the above list to her. Can you imagine those moms that don't even have access to someone that knows anything about computers?
I wonder why these lists of how to protect your system are never trotted out when it is a story about a vulnerable Windows system. -
TimP wrote:Say a PHP web app has write access to a web accessible folder. If there's any way to inject PHP code (I think Wordpress has had this in the past), you can have the server serving up whatever content you want in a matter of minutes. In this case, no combination of SELinux, Exec-Shield, etc. will help you.
I see SELinux, AppArmor, etc. as being useful to protect a machine where other users have accounts that you're aware of, but that you don't trust to not root your machine if they could.
I guess what I'm trying to get at is if you're going to try to compromise a remote machine, it'll be through a weak password or probably a weak web application, not an exploit in Apache, SSH, or an FTP server.
SELinux, AppArmor, etc. are like a confining barrier for programs and, with written policy modules, define the exact files, libraries and services that can interact/interface with these programs and how. Web applications hosted on servers are no exception.
Take a look at this article:
http://www.usefulsecurity.com/?p=6
It describes basic methods for creating an SELinux security policy that prevents file uploads to a web application from executing by command of a remote system.
The article mentions an SELinux IDE called SLIDE (really a plugin for Eclipse) that may aid in the policy creation process.
-
BitFlipper wrote:
I wonder why these lists of how to protect your system are never trotted out when it is a story about a vulnerable Windows system.
Because Windows is the essence of source oppression...

When RMS was in Microsoft Land...."Let My Sources Go..."
But the real reason is that defenders/zealots/crazies can't say a positive thing about the other side, because their arguments are so poorly formulated any reasonable question can crush their current crusade.
